Backdoor.HackDefender

daygowop · 08-28-2006, 10:26 PM

ok guys i need ur help. at work one of our servers has a virus, symantec picked it up but fails to clean and quarantine it. The virus name is Backdoor.HackDefender and is located C:\WINNT\system32\syslog.exe

http://www.symantec.com/security_res...328-99&tabid=3

I have tried this alrdy, but there is no registry key where they specify. by the way, im working with windows server 2000.

Someone please help me!

edifier · 08-29-2006, 03:27 AM

It is actually a 'Rootkit'. Here are instructions and a removal tool.

F-secure Blacklight http://www.f-secure.com/v-descs/hacdef.shtml

daygowop · 08-29-2006, 03:39 AM

I will let my boss know about that one. thanks!

anyone else have any suggestions?

edifier · 08-29-2006, 03:57 AM

This utility will just disable the Rootkit to allow removal. Norton is not very good at removal so i would use one or both of these free online scanners.

http://support.f-secure.com/enu/home/ols.shtml

http://www.pandasoftware.com/product...ACHEHINT=Guest

daygowop · 08-30-2006, 05:53 AM

ok thanks i will giv it a go tomorrow. thanks!

daygowop · 08-30-2006, 09:38 PM

ok, i am confused and my boss is not helping me because he is busy, do u think u can explain what this rootkit stuff is? and maybe help me understand what to do if f-secure finds syslog.exe? because it is telling me to rename it or something?????

obviously u can tell im confused. Please help me!

daygowop · 08-30-2006, 09:53 PM

ok now i have been reading a lot of articles that tell me to just delete syslog.exe.

http://www.liutilities.com/products/...ibrary/syslog/
http://www.spywaredb.com/remove-dlp/

cell4me · 08-31-2006, 06:07 AM

Quote:

Originally Posted by daygowop

ok now i have been reading a lot of articles that tell me to just delete syslog.exe.

The problem is additional files may exist on the infected system all in the system 32folder, (syslog.exe.) is created because of the virus.

This is a real nasty...To detect it, try the following program: http://www.sysinternals.com/ntw2k/fr...itreveal.shtml

To clean it your best bet would be to connect your disk as a slave drive to another machine and try removing all the files that were found by RootkitRevealer.

daygowop · 09-01-2006, 08:43 PM

ok im gonna giv it a shot a second time, ill let u kno my results. thanks guys!

daygowop · 09-01-2006, 09:59 PM

Well, the syslog.exe is gone and f-secure worked. i must thank you guys one last time for your help and efforts. The server is back-up and running. This is why I love CF!

08-28-2006, 10:26 PM	#1 (permalink)
daygowop Silver Member Join Date: Jun 2006 Age: 22 Posts: 202	Backdoor.HackDefender ok guys i need ur help. at work one of our servers has a virus, symantec picked it up but fails to clean and quarantine it. The virus name is Backdoor.HackDefender and is located C:\WINNT\system32\syslog.exe http://www.symantec.com/security_res...328-99&tabid=3 I have tried this alrdy, but there is no registry key where they specify. by the way, im working with windows server 2000. Someone please help me! __________________ got pasta?!

08-29-2006, 03:39 AM	#3 (permalink)
daygowop Silver Member Join Date: Jun 2006 Age: 22 Posts: 202	I will let my boss know about that one. thanks! anyone else have any suggestions? __________________ got pasta?!

08-30-2006, 05:53 AM	#5 (permalink)
daygowop Silver Member Join Date: Jun 2006 Age: 22 Posts: 202	ok thanks i will giv it a go tomorrow. thanks! __________________ got pasta?!

08-30-2006, 09:38 PM	#6 (permalink)
daygowop Silver Member Join Date: Jun 2006 Age: 22 Posts: 202	ok, i am confused and my boss is not helping me because he is busy, do u think u can explain what this rootkit stuff is? and maybe help me understand what to do if f-secure finds syslog.exe? because it is telling me to rename it or something????? obviously u can tell im confused. Please help me! __________________ got pasta?!

08-30-2006, 09:53 PM	#7 (permalink)
daygowop Silver Member Join Date: Jun 2006 Age: 22 Posts: 202	ok now i have been reading a lot of articles that tell me to just delete syslog.exe. http://www.liutilities.com/products/...ibrary/syslog/ http://www.spywaredb.com/remove-dlp/ __________________ got pasta?! Last edited by daygowop; 08-30-2006 at 09:56 PM.

08-29-2006, 03:27 AM	#2 (permalink)
edifier Platinum Member Join Date: Jan 2006 Posts: 567	It is actually a 'Rootkit'. Here are instructions and a removal tool. F-secure Blacklight http://www.f-secure.com/v-descs/hacdef.shtml

08-29-2006, 03:57 AM	#4 (permalink)
edifier Platinum Member Join Date: Jan 2006 Posts: 567	This utility will just disable the Rootkit to allow removal. Norton is not very good at removal so i would use one or both of these free online scanners. http://support.f-secure.com/enu/home/ols.shtml http://www.pandasoftware.com/product...ACHEHINT=Guest

09-01-2006, 08:43 PM	#9 (permalink)
daygowop Silver Member Join Date: Jun 2006 Age: 22 Posts: 202	ok im gonna giv it a shot a second time, ill let u kno my results. thanks guys! __________________ got pasta?!

09-01-2006, 09:59 PM	#10 (permalink)
daygowop Silver Member Join Date: Jun 2006 Age: 22 Posts: 202	Well, the syslog.exe is gone and f-secure worked. i must thank you guys one last time for your help and efforts. The server is back-up and running. This is why I love CF! __________________ got pasta?!

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode