meottis

asked on

Cannot remove backdoor.hupigon and hacktool.freezer from SBS 2003

I need assistance with removing malware from a client's server. They are running MS SBS 2003 SP2 and unfortunately were only scanning Exchange for virus activity, and the server has become infected with a number of trojans and backdoors. I have used RootkitRevealer and Autoruns to identify the problems, and Spyware Detector from MaxSecure has cleaned most of them. Two infections keep reappearing, backdoor.hupigon and hacktool.freezer. Does anyone know how these can be manually cleaned from the server?
greenhacks

Haven't studied them, but try to look for a file which should be system-hidden in the Windows folder or its subfolders. Delete them; if they are locked, then download and install unlocker.exe and delete them with it.
Then delete the entries from Windows startup/services. Then of course scan the machine again.

http://www.spywaredb.com/remove-backdoor-hupigon-b/
http://www.spywarelib.com/spywares/HackTool/freezer_c/

Delete the hacktool first, as that's the blood-sucking parent.

Oh yes, disconnect the internal LAN, because it is possible some other desktop machine is infected, which could reinfect the server again if there is no good antivirus installed. Yes, you have to check the desktops as well for infections. I know it's a pain.
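The manual hunt described in the answer above (system-hidden files under the Windows folder, then startup and service entries) can be turned into a repeatable triage listing. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It lists, but never deletes, three kinds of artefact: hidden+system files under %SystemRoot% changed recently, Run/RunOnce registry values, and auto-start services, and checks each image for an Authenticode signature so unsigned or missing binaries stand out for review. Assumptions: PowerShell 2.0 or later has been installed on the Server 2003 box (it is not there by default), the session runs as a local administrator, and the 30-day window is an assumed starting point that the thread does not state.

```powershell
# Added triage script (not from the thread). Lists, does not delete.
# Assumes PowerShell 2.0+, local administrator rights, and a 30-day window (assumed).

$Cutoff = (Get-Date).AddDays(-30)

# Authenticode status of a file, or MISSING when the path does not resolve
function Get-SignerStatus([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    try { return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString() }
    catch { return 'ERROR' }
}

# Pull the executable out of a launch string such as  "C:\x\y.exe" /arg  or  C:\x\y.exe /arg
function Resolve-ImagePath([string]$Launch) {
    if (-not $Launch) { return $null }
    $s = [Environment]::ExpandEnvironmentVariables($Launch.Trim())
    if ($s.StartsWith('"')) { $exe = $s.Substring(1).Split('"')[0] }
    else                    { $exe = $s.Split(' ')[0] }
    # bare names such as rundll32 or svchost are found via the PATH
    if (-not (Test-Path -LiteralPath $exe)) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Definition) { $exe = $cmd.Definition }
    }
    return $exe
}

function New-Finding($Kind, $Where, $Path) {
    New-Object PSObject -Property @{
        Kind = $Kind; Location = $Where; Path = $Path; Signer = (Get-SignerStatus $Path)
    }
}

$Findings = @()

# 1. Hidden + System files under %SystemRoot% written within the window
$HS = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
Get-ChildItem -Path $env:SystemRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   (($_.Attributes -band $HS) -eq $HS) -and
                   $_.LastWriteTime -gt $Cutoff } |
    ForEach-Object { $Findings += New-Finding 'HiddenSystemFile' $_.DirectoryName $_.FullName }

# 2. Run / RunOnce keys (machine and current user)
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Values = Get-ItemProperty -Path $Key
    foreach ($Prop in $Values.PSObject.Properties) {
        if ($Prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $Findings += New-Finding 'RunKey' "$Key\$($Prop.Name)" (Resolve-ImagePath $Prop.Value)
    }
}

# 3. Services configured to start automatically
Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    $Findings += New-Finding 'Service' $_.Name (Resolve-ImagePath $_.PathName)
}

# Anything without a valid signature is a candidate for manual review, not for blind deletion
$Findings | Where-Object { $_.Signer -ne 'Valid' } |
    Sort-Object Kind, Location |
    Format-Table Kind, Signer, Location, Path -AutoSize
```

Run it from an elevated PowerShell session and keep the output as a baseline; re-run after each cleanup pass so an entry that reappears (the symptom the asker describes) is visible in the diff. Entries hosted by rundll32 or svchost will show the signed host binary, so inspect their arguments in the registry value or service PathName by hand. Valid-signature status is filtering noise, not proof of cleanliness: legitimate unsigned OEM tools will show up too, and the tool is there to shorten the list you review, not to decide for you.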
ASKER CERTIFIED SOLUTION
phototropic

As a generic approach: often I find I need to boot into a completely clean OS to remove the offending binaries; their autorun and auto-restart protection is just too good, and it renames/restarts the attacker when you kill and/or delete it.

That isn't as hard as it sounds, though: you just start with a working XP machine (and the install media for it) that has a CD burner, then visit the Bart PEBuilder site ( http://www.nu2.nu/pebuilder/ ), which will allow you to build a bootable CD. Booting this CD in your SBS server will allow you to remove "can't be deleted" files cleanly when nothing else can.