Backdoor.HackDefender

[daygowop]

ok guys i need ur help. at work one of our servers has a virus, symantec picked it up but fails to clean and quarantine it. The virus name is Backdoor.HackDefender and is located C:\WINNT\system32\syslog.exe

http://www.symantec.com/security_response/writeup.jsp?docid=2003-031213-3328-99&tabid=3

I have tried this alrdy, but there is no registry key where they specify. by the way, im working with windows server 2000.

Someone please help me!

 

[edifier]

It is actually a 'Rootkit'. Here are instructions and a removal tool.

F-secure Blacklight http://www.f-secure.com/v-descs/hacdef.shtml

 

[daygowop]

I will let my boss know about that one. thanks!

anyone else have any suggestions?

 

[edifier]

This utility will just disable the Rootkit to allow removal. Norton is not very good at removal so i would use one or both of these free online scanners.

http://support.f-secure.com/enu/home/ols.shtml

http://www.pandasoftware.com/produc...5D4-4DA2-B310-B1DBEC2971F2}&NRCACHEHINT=Guest

 

[daygowop]

ok thanks i will giv it a go tomorrow. thanks!

 

[daygowop]

ok, i am confused and my boss is not helping me because he is busy, do u think u can explain what this rootkit stuff is? and maybe help me understand what to do if f-secure finds syslog.exe? because it is telling me to rename it or something?????

obviously u can tell im confused. Please help me!

 

[daygowop]

ok now i have been reading a lot of articles that tell me to just delete syslog.exe.

http://www.liutilities.com/products/wintaskspro/processlibrary/syslog/
http://www.spywaredb.com/remove-dlp/

 

[cell4me]

ok now i have been reading a lot of articles that tell me to just delete syslog.exe.

The problem is additional files may exist on the infected system all in the system 32folder, (syslog.exe.) is created because of the virus.

This is a real nasty...To detect it, try the following program: http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

To clean it your best bet would be to connect your disk as a slave drive to another machine and try removing all the files that were found by RootkitRevealer.

 

[daygowop]

ok im gonna giv it a shot a second time, ill let u kno my results. thanks guys!

 

[daygowop]

Well, the syslog.exe is gone and f-secure worked. i must thank you guys one last time for your help and efforts. The server is back-up and running. This is why I love CF!

 

[edifier]

Excellent.

Sometimes the cleaning works the first time around, other times a few other tools are needed. Glad your back in business.Thanks for letting us know.