cert64.sys, haxdoor, cert32.sys, avpx32.dll, avpx32.dll, avpx64.dll, avpx32.sys

cert64.sys, haxdoor
cert64.sys, haxdoor, cert32.sys, avpx32.dll

cert64.sys, haxdoor, cert32.sys, avpx32.dll, avpx32.dll, avpx64.dll, avpx32.sys, avpx64.sys, klogini.dll, p3.ini, qy.sys, qz.dll, qz.sys




O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\avpx32.dll

C:\WINDOWS\SYSTEM32\avpx32.dll
C:\WINDOWS\SYSTEM32\avpx64.dll
C:\WINDOWS\SYSTEM32\avpx32.sys
C:\WINDOWS\SYSTEM32\avpx64.sys
C:\WINDOWS\SYSTEM32\klogini.dll
C:\WINDOWS\SYSTEM32\p3.ini
C:\WINDOWS\SYSTEM32\qy.sys
C:\WINDOWS\SYSTEM32\qz.dll
C:\WINDOWS\SYSTEM32\qz.sys
C:\WINDOWS\SYSTEM32\cert32.dll
C:\WINDOWS\SYSTEM32\cert32.sys
C:\WINDOWS\SYSTEM32\cert64.sys


Haxfix Haxfix anwenden
http://virus-protect.org/artikel/tools/haxfix.html


Avenger Avenger

drivers to unload:
cert64
cert32

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CERT64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LEGACY_CERT64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cert64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CERT32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LEGACY_CERT32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cert32.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\cert32.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\cert32.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\cert32.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cert32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cert32.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\cert32.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\cert32.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\cert32.sys

Files to delete:
C:\WINDOWS\SYSTEM32\avpx32.dll
C:\WINDOWS\SYSTEM32\avpx64.dll
C:\WINDOWS\SYSTEM32\avpx32.sys
C:\WINDOWS\SYSTEM32\avpx64.sys
C:\WINDOWS\SYSTEM32\klogini.dll
C:\WINDOWS\SYSTEM32\p3.ini
C:\WINDOWS\SYSTEM32\qy.sys
C:\WINDOWS\SYSTEM32\qz.dll
C:\WINDOWS\SYSTEM32\qz.sys
C:\WINDOWS\SYSTEM32\cert32.dll
C:\WINDOWS\SYSTEM32\cert32.sys
C:\WINDOWS\SYSTEM32\cert64.sys



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avpx32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avpx64

# %System%\redir2.a3d
# %System%\fltr.a3d
# %System%\p3.ini

# %System%\avpx32.dll (35349 bytes)
# %System%\qz.dll (35349 bytes)

"secureUID" = "[RANDOM NUMBER]"
"secureTIME" = "[DAY:MONTH]"
"DllName" = "avpx32.dll"
"Startup" = "MmMapView3"
"Impersonate"
"Asynchronous"
"MaxWait"

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.e.html
http://labs.paretologic.com/spyware.aspx?remove=Haxdoor

Steals information by opening the URL cache file (History.IE5\index.dat) and looking for the following strings:

* ebay.com
* paypal.c
* e-gold.c


http://www.sophos.de/virusinfo/analyses/trojhaxdoorah.html

