Posted by Geronimo on August 10, 2005, 10:11 pm
All of your suggestions sounded workable, but in trying to learn more, I
learned of F-Secure's Blacklight Root Kit Eliminator (beta). In using it I
found files listed by Sophos as belonging to Troj/HacDef-AA. Six of the nine
listed files were on my machine. Before using it, I made sure everything was
backed up, also did a system restore. Cleaned the files from the system,
rebooted into safe mode, scanned with Symantec Antivirus and found two files in
System Restore, and they were quarantined. I rebooted, did a download of the
latest Microsoft Updates (now that the system was supposedly clean), which
included a Malicious Software Removal Tool. It found nothing so I did set
another system restore point. On previous downloads of earlier MSR tools this
virus was always found, but not eliminated. I will watch this computer
carefully (it is on a network) to make sure it stays clean.
Thanks to all of you for your help.
Geronimo
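Added example, not part of the thread: a PowerShell check (assumes a current Windows with Get-LocalUser and Get-CimInstance available) for the sysdrvr.sys driver named in the original question, written for the kind of ongoing watching described above and the account review suggested in the replies; the baseline file path is a hypothetical placeholder.

```powershell
# Added example (not from the thread): post-cleanup check for the HackerDefender
# driver file named in the original question. It compares what the file system
# API reports with what the driver database still references, then lists enabled
# local accounts for the "unknown user accounts" review.
# Assumption: the baseline path is a placeholder; the driver path is from the thread.

$DriverPath   = 'C:\WINDOWS\system32\drivers\sysdrvr.sys'   # named in the thread
$BaselinePath = "$env:ProgramData\cleanup-baseline.json"    # hypothetical location

# 1. File visibility through the normal Win32 path (a live rootkit can hide it).
$fileVisible = Test-Path -LiteralPath $DriverPath

# 2. Any kernel driver entry still pointing at that file name, whether or not the
#    file is visible. Reinfection re-registers a driver; a leftover entry with no
#    visible file is also worth a look.
$driverEntries = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*sysdrvr.sys*' } |
    Select-Object Name, State, StartMode, PathName

# 3. Enabled local accounts, for the "disable unused or unknown accounts" step.
$enabledUsers = Get-LocalUser | Where-Object { $_.Enabled } |
    Select-Object Name, LastLogon, PasswordLastSet

$report = [pscustomobject]@{
    Checked     = (Get-Date).ToString('o')
    FileVisible = $fileVisible
    FileHash    = if ($fileVisible) { (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256).Hash } else { $null }
    Drivers     = @($driverEntries)
    Users       = @($enabledUsers)
}

# Flag the two states that matter after a cleanup.
if ($fileVisible) {
    Write-Warning "Driver file is back: $DriverPath (SHA256 $($report.FileHash))"
}
if ($report.Drivers.Count -gt 0 -and -not $fileVisible) {
    Write-Warning 'A driver entry references sysdrvr.sys but the file is not visible; treat as possible hiding or a stale entry.'
}

# Compare with the previous run so the machine can be watched over time.
if (Test-Path -LiteralPath $BaselinePath) {
    $prev     = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $newUsers = Compare-Object -ReferenceObject @($prev.Users | ForEach-Object Name) `
                               -DifferenceObject @($report.Users | ForEach-Object Name) |
        Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject
    if ($newUsers) { Write-Warning "New enabled local accounts since last check: $($newUsers -join ', ')" }
}
$report | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $BaselinePath
$report
```

Run it from an elevated prompt; the JSON baseline it writes is what the next run compares against.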
"Bigbruva" wrote:
> I would have to recommend that you consider a complete reinstall of the OS
> as you have no way of knowing what has been done to your computer by the
> tools delivered with this rootkit. However presuming that is not possible
> you should at least follow the steps here to remove the rootkit
> http://bagpuss.swan.ac.uk/comms/hxdef.htm
>
> Then change all Admin passwords as soon as you have cleaned it out and do a
> complete review of the security measures you have in place like:
>
> 1) Getting the latest System Updates
> 2) Checking your firewall
> 3) Disabling unused or unknown user accounts
> 4) Update your Antivirus software
>
> I hope that helps and good luck
>
> BB
>
>
> > Thanks, I will try these and report back.
> >
> > "Malke" wrote:
> >
> >> Kirtal Lalla wrote:
> >>
> >> > I presume you are using Windows XP? I would advise you killing the
> >> > system hive in the recovery console. Please see steps below:
> >> >
> >> > Steps:
> >> >
> >> > 1. Start the computer from the Windows XP CD-ROM.
> >> > a. Press the key specified to enter your BIOS. In most cases you need
> >> > to press Del to enter the BIOS setup. You should see a message on
> >> > startup, right in the beginning, which says something like "press
> >>
> >> (snip interesting but unnecessary method)
> >>
> >> > "Geronimo" wrote:
> >> >
> >> >> I am constantly being reinfected with the above "threat". It is found
> >> >> in the C:\WINDOWS\system32\drivers\sysdrvr.sys file. Would the
> >> >> suggestions (David
> >> >> Lipman) for the Backdoor.sdbot (7/5/05) question take care of my
> >> >> problem as well?
> >> >>
> >> >> I have tried virus scans in safe mode and normal mode. It seems to be
> >> >> deleted but comes back.
> >> >>
> >> >> Thanks for your help.
> >>
> >> I'm not sure why Mr. Lalla would have you go through all of those steps.
> >> Here is a link explaining how to check if you have HackerDefender and
> >> how to get rid of it:
> >>
> >> http://www.wilderssecurity.com/archive/index.php/t-35528.html
> >>
> >> Once you've done that, you should do the normal malware removal steps
> >> described here:
> >>
> >> http://www.elephantboycomputers.com/page2.html#Removing_Malware
> >>
> >> This includes scanning with a current version antivirus using updated
> >> definitions in Safe Mode, which should take care of the Backdoor.sdbot.
> >> In your case, I would definitely be thorough and run HijackThis and
> >> post your log at *one* of the forums to which there are links at my
> >> site above.
> >>
> >> Malke
> >> --
> >> Elephant Boy Computers
> >> www.elephantboycomputers.com
> >> "Don't Panic!"
> >> MS-MVP Windows - Shell/User
> >>