Backdoor.HackDefender

Secure Home | Search | About

Lost Password?

Microsoft Antivirus Discussions

get this group's latest topics as an RSS feed

add this group's latest topics to your My MSN content

add this group's latest topics to your My Yahoo content

add this group's latest topics to your Google content

Subject

Author

Date

Backdoor.HackDefender

=?Utf-8?B?R2Vyb25pbW8=?=

07-14-2005

RE: Backdoor.HackDefender

=?Utf-8?B?S2lyd...

07-15-2005

RE: Backdoor.HackDefender

Malke

07-15-2005

RE: Backdoor.HackDefender

=?Utf-8?B?R2Vyb...

07-15-2005

Re: Backdoor.HackDefender

Bigbruva

07-15-2005

Re: Backdoor.HackDefender

=?Utf-8?B?R2Vyb...

08-10-2005

Posted by =?Utf-8?B?R2Vyb25pbW8=?= on July 14, 2005, 10:56 pm

If you were Registered and logged in, you could reply and use other advanced thread options

I am constantly being reinfected with the above "threat" It is found in the
C:\WINDOWS\system32\drivers\sysdrvr.sys file. Would the suggestions (David
Lipman) for the Backdoor.sdbot (7/5/05) question take care of my problem as
well?

I have tried virus scans in safe mode and normal mode. It seems to be
deleted but comes back.

Thanks for your help.

Posted by =?Utf-8?B?S2lydGFsIExhbGxh?= on July 15, 2005, 5:30 am

If you were Registered and logged in, you could reply and use other advanced thread options

I presume you are using Windows XP? I would advise you killing the system
hive in the recovery console. Please see steps below:

Steps:

1.        Start the computer from the Windows XP CD-ROM.
a.        Press the key specified to enter your BIOS. In most cases you need to
press Del to enter the BIOS setup. You should see a message on startup, right
in the beginning, which says something like “press <key> to enter setup”.
E.g. Press Del to enter setup.
b.        Go into either the Boot section, if you have one, or the 2nd option
(should be something like “BIOS features setup” or “Advanced BIOS
features”).
c.        Change to boot sequence (should show as “boot sequence” or first boot
device; 2nd boot device; 3rd boot device; etc.) so that CD-ROM is first.
d.        Exit saving changes.
e.        When prompted to “Press any key to boot from CD”, press Enter.
2.        At the "Welcome to Setup" screen, press R to repair a Windows XP
installation by using the Recovery Console.
3.        Type the number that corresponds to the Windows installation that you
want to repair, and then press ENTER. For example, type "1" (without the
quotation marks), and then press Enter.
4.        When you are prompted for a password, type the local Administrator
password, and then press ENTER. (If you are not prompted for a password, skip
to the next step.)
5.        Type "cd system32" (without the quotation marks), and then press ENTER.
6.        Type "cd config" (without the quotation marks), and then press ENTER.

The command prompt will be similar to the following (where <Windows> is the
folder in which Windows is installed):

        C:\<Windows>\System32\Config>

7.        Type "rename system system.old" (without the quotation marks), and then
press ENTER.
8.        Type "copy c:\windows\repair\system" (without the quotation marks), and
then press ENTER.

You receive the following message:

1 file(s) copied.

9.        Type "exit" (without the quotation marks) to quit the Recovery Console,
and then start Windows as usual.

Regards,
Kit

"Geronimo" wrote:

> I am constantly being reinfected with the above "threat" It is found in the

> C:\WINDOWS\system32\drivers\sysdrvr.sys file. Would the suggestions (David

> Lipman) for the Backdoor.sdbot (7/5/05) question take care of my problem as

> well?

> I have tried virus scans in safe mode and normal mode. It seems to be

> deleted but comes back.

> Thanks for your help.

Posted by Malke on July 15, 2005, 9:29 am

If you were Registered and logged in, you could reply and use other advanced thread options

Kirtal Lalla wrote:

> I presume you are using Windows XP? I would advise you killing the

> system hive in the recovery console. Please see steps below:

> Steps:

> 1. Start the computer from the Windows XP CD-ROM.

> a. Press the key specified to enter your BIOS. In most cases you need

> to press Del to enter the BIOS setup. You should see a message on

> startup, right in the beginning, which says something like “press

(snip interesting but unnecessary method)

> "Geronimo" wrote:

>> I am constantly being reinfected with the above "threat" It is found

>> in the C:\WINDOWS\system32\drivers\sysdrvr.sys file. Would the

>> suggestions (David

>> Lipman) for the Backdoor.sdbot (7/5/05) question take care of my

>> problem as well?

>> I have tried virus scans in safe mode and normal mode. It seems to be

>> deleted but comes back.

>> Thanks for your help.

I'm not sure why Mr. Lalla would have you go through all of those steps.
Here is a link explaining how to check if you have HackerDefender and
how to get rid of it:

http://www.wilderssecurity.com/archive/index.php/t-35528.html

Once you've done that, you should do the normal malware removal steps
described here:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

This includes scanning with a current version antivirus using updated
definitions in Safe Mode, which should take care of the Backdoor.sdbot.
In your case, I would definitely be thorough and run HijackThis and
post your log at *one* of the forums to which there are links at my
site above.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Posted by =?Utf-8?B?R2Vyb25pbW8=?= on July 15, 2005, 11:07 am

If you were Registered and logged in, you could reply and use other advanced thread options

Thanks, I will try these and report back.

"Malke" wrote:

> Kirtal Lalla wrote:

> > I presume you are using Windows XP? I would advise you killing the

> > system hive in the recovery console. Please see steps below:

> >

> > Steps:

> >

> > 1. Start the computer from the Windows XP CD-ROM.

> > a. Press the key specified to enter your BIOS. In most cases you need

> > to press Del to enter the BIOS setup. You should see a message on

> > startup, right in the beginning, which says something like “press

> (snip interesting but unnecessary method)

> > "Geronimo" wrote:

> >

> >> I am constantly being reinfected with the above "threat" It is found

> >> in the C:\WINDOWS\system32\drivers\sysdrvr.sys file. Would the

> >> suggestions (David

> >> Lipman) for the Backdoor.sdbot (7/5/05) question take care of my

> >> problem as well?

> >>

> >> I have tried virus scans in safe mode and normal mode. It seems to be

> >> deleted but comes back.

> >>

> >> Thanks for your help.

> I'm not sure why Mr. Lalla would have you go through all of those steps.

> Here is a link explaining how to check if you have HackerDefender and

> how to get rid of it:

> http://www.wilderssecurity.com/archive/index.php/t-35528.html

> Once you've done that, you should do the normal malware removal steps

> described here:

> http://www.elephantboycomputers.com/page2.html#Removing_Malware

> This includes scanning with a current version antivirus using updated

> definitions in Safe Mode, which should take care of the Backdoor.sdbot.

> In your case, I would definitely be thorough and run HijackThis and

> post your log at *one* of the forums to which there are links at my

> site above.

> Malke

> --

> Elephant Boy Computers

> www.elephantboycomputers.com

> "Don't Panic!"

> MS-MVP Windows - Shell/User

Posted by Bigbruva on July 15, 2005, 6:00 pm

If you were Registered and logged in, you could reply and use other advanced thread options

I would have to recommend that you consider a complete reinstall of the OS
as you have no way of knowing what has been done to your computer by the
tools delivered with this rootkit. However presuming that is not possible
you should at least follow the steps here to remove the rootkit
http://bagpuss.swan.ac.uk/comms/hxdef.htm

Then change all Admin passwords as soon as you have cleaned it out and do a
complete review of the security measures you have in place like:

1) Getting the latest System Updates
2) Checking your firewall
3) Disabling unused or unknown user accounts
4) Update your Antivirus software

I hope that helps and good luck

BB

> Thanks, I will try these and report back.

> "Malke" wrote:

>> Kirtal Lalla wrote:

>> > I presume you are using Windows XP? I would advise you killing the

>> > system hive in the recovery console. Please see steps below:

>> >

>> > Steps:

>> >

>> > 1. Start the computer from the Windows XP CD-ROM.

>> > a. Press the key specified to enter your BIOS. In most cases you

>> > need

>> > to press Del to enter the BIOS setup. You should see a message on

>> > startup, right in the beginning, which says something like "press

>> (snip interesting but unnecessary method)

>> > "Geronimo" wrote:

>> >

>> >> I am constantly being reinfected with the above "threat" It is found

>> >> in the C:\WINDOWS\system32\drivers\sysdrvr.sys file. Would the

>> >> suggestions (David

>> >> Lipman) for the Backdoor.sdbot (7/5/05) question take care of my

>> >> problem as well?

>> >>

>> >> I have tried virus scans in safe mode and normal mode. It seems to be

>> >> deleted but comes back.

>> >>

>> >> Thanks for your help.

>> I'm not sure why Mr. Lalla would have you go through all of those steps.

>> Here is a link explaining how to check if you have HackerDefender and

>> how to get rid of it:

>> http://www.wilderssecurity.com/archive/index.php/t-35528.html

>> Once you've done that, you should do the normal malware removal steps

>> described here:

>> http://www.elephantboycomputers.com/page2.html#Removing_Malware

>> This includes scanning with a current version antivirus using updated

>> definitions in Safe Mode, which should take care of the Backdoor.sdbot.

>> In your case, I would definitely be thorough and run HijackThis and

>> post your log at *one* of the forums to which there are links at my

>> site above.

>> Malke

>> --

>> Elephant Boy Computers

>> www.elephantboycomputers.com

>> "Don't Panic!"

>> MS-MVP Windows - Shell/User

Similar Threads	Posted
W32/Backdoor.KPI	May 25, 2006, 7:22 pm
Need help with backdoor.prorat	October 20, 2005, 6:13 am
backdoor.trojan	April 25, 2006, 1:43 pm
Anybody got a fix for BackDoor.Generic3.LRT?	October 27, 2006, 11:44 pm
w32\backdoor.aaol	January 27, 2007, 11:21 am
Backdoor.Delf.aki	February 22, 2007, 1:27 am
Backdoor Trojan?	March 2, 2007, 11:12 am
irc backdoor trojan	May 9, 2008, 8:28 am
i can't remove BACKDOOR.SDBOT HELP!	July 5, 2005, 9:12 am
backdoor:win/sdboot!569c	January 7, 2006, 2:29 pm

The site map in XML format XML site map