Malware Removal Information

Hoofdmenu

Home
Malware info
- Malware - Securitysuites
- Waarom?
Scanners
Infecties
- Archief 0 - E
- Archief F - N
- Archief O - S
- Archief T - Z
- CLB rootkit
- DNS-hijackers
- Haxdoor - Goldun
- Sinowal
- TDL3
- TDL4
- Virut
- Vundo
- Whistler
Tools
- Hijackthis
  - Hijackthis
  - Hijackthis handleiding
- Rootkitscanners
- ComBoFix
- HaxFix
- LSPFix
- Reglooks
- Roguescanfix
- SmitfraudFix
Informatie
Preventie
- De computer is malware vrij
- Infecties voorkomen

HaxFix

Tools

HaxFix is a tool that can be used to remove Haxdoor, Goldun en some SpyBanker Infections.
For the latest updates, have a look at my blog.

Download:
You can download haxfix from my site, or from Bleeping computer.
On both sites you will always find an updated version of the tool.

How to use?
Download haxfix.exe and save it to your desktop.
Double click on haxfix.exe to run it.
A red "dos window" (dos box) will open with this options:

   1. Make logfile
   E. Exit Haxfix

After running option 1, you will get a new menu with all options:

   1. Make logfile
   2. Run auto fix
   3. Run manual fix
   4. Run unknow fix
   U. Uninstall Hafix
   E. Exit Haxfix

Option 1. Make logfile.
When you use haxfix, always make a logfile first.
The logfile is showing all services, safeboot services and notify keys, that are matching with the current haxdoor/goldun variants.
Haxfix checks for known SSDOL keys related to Goldun.
Haxfix checks for known Browser Helper Objects (BHO) related to Goldun of SpyBanker infections.
Haxfix checks if iexplore.exe is infected with a (known) goldunvariant. If so, it looks for a clean alternative in the dllcache or the tempfolder.
Haxfix checks for known goldunvariants that use the appinit key to load. These filenames are randome. Haxfix checks the MD5 checksum.
Haxfix checks for a lot of related haxdoor and goldunfiles. If present haxfix will list them in the logfile. If the file is rootkitfile, haxfix will mark the file as a rootkitfile.
Catchme.exe has been integrated in haxfix since version 4.43.
The logfile produced by Catchme, will be analysed by haxfix for matching haxdoor- or goldunvariants.
The logfile made by option 1, shows you if a known infection is present on you computer.

Option 2. Run auto fix.
Option 2 deletes all haxdoor-notify keys that are found when one, or more then one, matching service/safeboot service is present.
You can use option 2 if the notify keys that are found, are related to haxdoor or goldun.
- If there is a notify key (xxxx) and the letters xxxx are found between the matching services or matching safebootservices, haxfix deletes them
- If there is an unknown notify key or a legit notify key (xxxx) in the logfile, and there are no matching services/safeboot services (xxxx), haxfix will not delete the keys
- If there is an unknown notify key or a legit notify key in the haxdoor-logfile and a matching service, don't run option 2 (auto fix) but use the manual fix (option 3) to add the key(s) manually.
- All known goldunvariants will be deleted with option 2.
- All known SpyBankervariants will be deleted with option 2.
- If ieplore.exe is infected, haxfix can fix this without a reboot.

Option 3. Run manual fix.
This gives you the possibilty to add one, or if necessary more then one haxdoor key.
When you start option 3, you 'll get a message:
echo Insert the haxdoorkey,
and then press Enter:
Insert the haxdoorkey without the numbers. (Ex: avpe, xtpt, fuxx,...)
When this is a valid choice (there is a check for the services/safeboot services), the key will be added to delete.
Next you have the possibilty to add a new key: Yes (press Y) or No (press N)
When do we use option 3?
Use option 3 if there are:
- unknown or legit notify keys with related services in the haxlog.txt file.
- no notify keys are found, but there are haxdoor related services / safeboot services. (be careful, don't add legit ones, because after reboot they are all gone.)
If you use option 3 to delete a haxdoorvariant, and one or more goldun- or SpyBankervariants are present too, all infections will be deleted.

Option 4. Run unknow fix.
The logfile produced by Catchme will be analysed by haxfix for hax- or goldunvariants.
If a match is found, you can delete them by using option 4 - remove unknown.
(this only works with the variants that uses notify and services regkeys.)
Variants that are not recognized by haxfix, but are detected by catchme, can now be deleted with haxfix.

Option U. Uninstall Hafix.
This will remove all files and folders produced by haxfix.

Option E. Exit HaxFix.
Use option E to shut down haxfix.

A few remarks:
If you see this in the logfile: registrysettings failed , use this command: %systemdrive%\haxfix.exe /reset
If you don't get the logfile after reboot, use this command: %systemdrive%\haxfix.exe /after