meottis asked:
Cannot remove backdoor.hupigon and hacktool.freezer from SBS 2003
I need assistance with removing malware from a client's server. They are running MS SBS 2003 SP2 and unfortunately were only scanning Exchange for virus activity, and the server has become infected with a number of trojans and backdoors. I have used RootkitRevealer and Autoruns to identify the problems, and Spyware Detector from MaxSecure has cleaned most of them. Two infections keep reappearing: backdoor.hupigon and hacktool.freezer. Does anyone know how these can be manually cleaned from the server?
Oh yes, disconnect the internal LAN, because it is possible that some other desktop machine is infected and could reinfect the server again if there is no good antivirus installed. Yes, you have to check the desktops as well for infections. I know it's a pain.
As a generic approach: often I find I need to boot into a completely clean OS to remove the offending binaries. Their autorun and auto-restart protection is just too good, and it renames/restarts the attacker when you kill and/or delete it.
That isn't as hard as it sounds though - you just start with a working XP machine (and the install media for it) that has a cd burner, then visit the Bart PEBuilder site ( http://www.nu2.nu/pebuilder/ ) which will allow you to build a bootable CD. Booting this CD in your SBS server will allow you to remove "can't be deleted" files cleanly when nothing else can.
Then delete the entries from the Windows startup locations and services. Then, of course, scan the machine again.
http://www.spywaredb.com/remove-backdoor-hupigon-b/
http://www.spywarelib.com/spywares/HackTool/freezer_c/
Delete the hacktool first, as that's the blood-sucking parent.
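The advice in this thread is to inventory autostart locations with Autoruns, boot clean, delete the binaries, then remove the startup and service entries that would relaunch them. The script below is an added example (not code posted in the thread) that automates the triage step: it reads an Autoruns CSV export, flags entries whose publisher is not verified, whose image lives in a temp or profile directory, or whose image file is missing, and prints the `reg delete` / `sc delete` command for each. The CSV sample is constructed here, and its column names and the "(Verified)" / "(Not verified)" / "File not found:" conventions are assumptions modelled on `autorunsc -c` output; check the header row of your own export and adjust the field names.

```python
"""Triage an Autoruns CSV export and print removal commands for suspicious autostarts.

Added example for the thread above, not code from the original posts.
Column names and value formats are assumptions modelled on `autorunsc -c`.
"""
import csv
import io

# Constructed sample, in the shape of an autorunsc CSV export (columns assumed).
SAMPLE_CSV = """Entry Location,Entry,Enabled,Description,Publisher,Image Path,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,igfxtray,enabled,igfxTray Module,(Verified) Intel Corporation,c:\\windows\\system32\\igfxtray.exe,C:\\WINDOWS\\system32\\igfxtray.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,svchost32,enabled,,(Not verified) Microsoft Corporation,c:\\windows\\temp\\svchost32.exe,C:\\WINDOWS\\Temp\\svchost32.exe
HKLM\\System\\CurrentControlSet\\Services,WinSec,enabled,Windows Security Helper,,c:\\documents and settings\\administrator\\local settings\\temp\\winsec.exe,C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\winsec.exe
HKLM\\System\\CurrentControlSet\\Services,Spooler,enabled,Print Spooler,(Verified) Microsoft Windows Component Publisher,c:\\windows\\system32\\spoolsv.exe,C:\\WINDOWS\\system32\\spoolsv.exe
HKLM\\System\\CurrentControlSet\\Services,OldAgent,enabled,,,File not found: C:\\Program Files\\Agent\\agent.exe,C:\\Program Files\\Agent\\agent.exe
"""

# Directories a legitimately installed binary is expected to live under.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
# Path fragments that mark temp or user-profile locations (a classic dropper habit).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\local settings\\")


def suspicion_reasons(row):
    """Return the list of reasons an autorun row looks suspicious (empty if clean)."""
    reasons = []
    publisher = row.get("Publisher", "")
    image = row.get("Image Path", "").lower()
    missing = image.startswith("file not found")  # assumed Autoruns wording

    if not publisher.startswith("(Verified)"):
        reasons.append("unsigned or unverified publisher")
    if any(marker in image for marker in TEMP_MARKERS):
        reasons.append("runs from a temp/profile directory")
    elif not missing and not image.startswith(TRUSTED_DIRS):
        reasons.append("outside Windows/Program Files")
    if missing:
        reasons.append("image file missing (dead entry; still remove it)")
    return reasons


def removal_command(row):
    """Build the command that removes this autostart entry on a live system."""
    location = row["Entry Location"]
    name = row["Entry"]
    if location.lower().endswith("\\services"):
        return f'sc delete "{name}"'
    return f'reg delete "{location}" /v "{name}" /f'


def triage(csv_text):
    """Return [(entry name, reasons, removal command)] for every suspicious row."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = suspicion_reasons(row)
        if reasons:
            findings.append((row["Entry"], reasons, removal_command(row)))
    return findings


if __name__ == "__main__":
    for entry, reasons, command in triage(SAMPLE_CSV):
        print(f"{entry}: {'; '.join(reasons)}")
        print(f"    {command}")
```

The emitted commands target a running system. When working from a BartPE boot as the answer suggests, the SBS registry is not live, so load the offline hive first (for example `reg load HKLM\OFF C:\WINDOWS\system32\config\SOFTWARE`), delete the value under `HKLM\OFF\...` instead of `HKLM\SOFTWARE\...`, and remove service entries by deleting the service key under the loaded SYSTEM hive's ControlSet rather than with `sc delete`. Delete the binary on disk before the registry entry, and treat the flags as leads to verify, not verdicts: an unverified publisher is common for legitimate third-party tools, which is why each finding lists its reasons.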