ert64.sys
haxdoor

O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\avpx32.dll

C:\WINDOWS\SYSTEM32\avpx32.dll
C:\WINDOWS\SYSTEM32\avpx64.dll
C:\WINDOWS\SYSTEM32\avpx32.sys
C:\WINDOWS\SYSTEM32\avpx64.sys
C:\WINDOWS\SYSTEM32\klogini.dll
C:\WINDOWS\SYSTEM32\p3.ini
C:\WINDOWS\SYSTEM32\qy.sys
C:\WINDOWS\SYSTEM32\qz.dll
C:\WINDOWS\SYSTEM32\qz.sys
C:\WINDOWS\SYSTEM32\cert32.dll
C:\WINDOWS\SYSTEM32\cert32.sys
C:\WINDOWS\SYSTEM32\cert64.sys

Haxfix
Avenger

drivers to unload:
cert64
cert32

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CERT64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LEGACY_CERT64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cert64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\cert64.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CERT32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LEGACY_CERT32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cert32.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\cert32.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\cert32.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\cert32.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cert32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cert32.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\cert32.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\cert32.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\cert32.sys

Files to delete:
C:\WINDOWS\SYSTEM32\avpx32.dll
C:\WINDOWS\SYSTEM32\avpx64.dll
C:\WINDOWS\SYSTEM32\avpx32.sys
C:\WINDOWS\SYSTEM32\avpx64.sys
C:\WINDOWS\SYSTEM32\klogini.dll
C:\WINDOWS\SYSTEM32\p3.ini
C:\WINDOWS\SYSTEM32\qy.sys
C:\WINDOWS\SYSTEM32\qz.dll
C:\WINDOWS\SYSTEM32\qz.sys
C:\WINDOWS\SYSTEM32\cert32.dll
C:\WINDOWS\SYSTEM32\cert32.sys
C:\WINDOWS\SYSTEM32\cert64.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avpx32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avpx64

# %System%\redir2.a3d
# %System%\fltr.a3d
# %System%\p3.ini

# %System%\avpx32.dll (35349 bytes)
# %System%\qz.dll (35349 bytes)

Values written under the Winlogon Notify package key (the cert32 entry from the O20 line above):

"secureUID" = "[RANDOM NUMBER]"
"secureTIME" = "[DAY:MONTH]"
"DllName" = "avpx32.dll"
"Startup" = "MmMapView3"
"Impersonate"
"Asynchronous"
"MaxWait"

Steals information by opening the URL cache file (History.IE5\index.dat), and looking for the following strings:

* ebay.com
* paypal.c
* e-gold.c
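Added here as a read-only check for the indicators listed on this page (not part of the original listing or of the Haxfix/Avenger tools): it reports the files, service keys, legacy device entries and the Winlogon Notify package without deleting anything. It assumes an XP-era %SystemRoot%\System32 layout and an elevated PowerShell session.

```powershell
# Added example, not from the original page: enumerate the Haxdoor indicators
# listed above and report which are present. Reports only; deletes nothing.
$sys = Join-Path $env:SystemRoot 'System32'
$files = @('avpx32.dll','avpx64.dll','avpx32.sys','avpx64.sys','klogini.dll',
           'p3.ini','qy.sys','qz.dll','qz.sys','cert32.dll','cert32.sys','cert64.sys')
$services = @('cert32','cert64','avpx32','avpx64')   # Services\<name> keys from the listing
$legacy   = @('LEGACY_CERT32','LEGACY_CERT64')        # Enum\Root entries from the Avenger script
$findings = @()

foreach ($f in $files) {
    $p = Join-Path $sys $f
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

foreach ($s in $services) {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$s"
    if (Test-Path -LiteralPath $k) { $findings += "service key present: $k" }
}
foreach ($l in $legacy) {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\$l"
    if (Test-Path -LiteralPath $k) { $findings += "legacy device entry present: $k" }
}

# The O20 entry: a Winlogon Notify package named cert32 whose DllName is avpx32.dll.
# Also flag any package carrying the Haxdoor-specific secureUID value.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path -LiteralPath $notify) {
    Get-ChildItem -LiteralPath $notify | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        $dll   = $props.DllName
        if ($_.PSChildName -eq 'cert32' -or $dll -eq 'avpx32.dll') {
            $findings += "Winlogon Notify package $($_.PSChildName) loads $dll"
        }
        if ($props.PSObject.Properties.Name -contains 'secureUID') {
            $findings += "Winlogon Notify package $($_.PSChildName) carries secureUID"
        }
    }
}

if ($findings.Count -eq 0) { 'No Haxdoor indicators from this listing were found.' }
else { $findings }
```

Because the rootkit driver hides its own files and keys while loaded, a clean result from a live system is weaker evidence than the same check run from Safe Mode or an offline boot.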
