Nasty Backdoor

5150 | MIS | Dec 14, 2000 | 146 | US
I have a nasty trojan called backdoor.Hacdef.C. I have run CWShredder, HijackThis, Ad-Aware, and AVG AV and it still reinstalls itself in the following location:

C:\WINNT\System 32\dllcache\rsts.sys

It is detected by AVG every time (and is deleted) but upon reboot it shows back up again. I have gone through the registry and can't seem to find anything. I have run the repair function and that did nothing. I am running Win 2K with SP3. There is a version of this by Hacker Defender but this seems to be a variant. Any ideas? All help is always greatly appreciated.
 
It sounds to me like one of that family of worms that exploits buffer overflows in network services to execute arbitrary code -- namely, remotely writing itself to your filesystem.

I had this problem with a worm Sophos is calling "W32/Forbot-BH". The file "windnsd.exe" will appear on W2K And WXP machines in c:\{windows install directory}\system32 without any user intervention. Patching W2K systems to SP4 plus all post-SP4 hotfixes and WXP systems to SP1 plus all post SP-1 hotfixes (or SP2) stopped the worm from getting on machines in my network.

I recommend you patch your system.


Want the best answers? Ask the best questions!

TANSTAAFL!!
 
As an interim, this may work.
Run AV and remove C:\WINNT\System 32\dllcache\rsts.sys

Then create a txt file, rename it to above and drop into the location. Then make it read only.
It may work, it may not.

Stu..

Only the truly stupid believe they know everything.
Stu.. 2004
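Added example (not part of this thread, and not from any of the posters): a PowerShell script, run from an elevated prompt, that records evidence about the reappearing file before AV deletes it again, looks for the service entry that would load a .sys driver at boot (the part the original poster could not find by hand in the registry), and optionally plants the read-only placeholder Stu describes. It assumes "System 32" in the thread means the standard System32 directory; the path is a parameter so you can adjust it.

```powershell
# Added example (not from the thread). Assumptions: the file lives in the standard
# System32\dllcache directory; run as Administrator on a host with PowerShell.
param(
    [string]$Path = 'C:\WINNT\System32\dllcache\rsts.sys',   # assumed path from the thread
    [switch]$PlantPlaceholder
)

function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string]$FilePath)
    # Capture hash, timestamps and signature state so the sample can be submitted
    # to the AV vendor and compared after the next reboot.
    if (-not (Test-Path -LiteralPath $FilePath)) {
        return [pscustomobject]@{ Path = $FilePath; Present = $false }
    }
    $item = Get-Item -LiteralPath $FilePath -Force
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    [pscustomobject]@{
        Path           = $FilePath
        Present        = $true
        SizeBytes      = $item.Length
        CreatedUtc     = $item.CreationTimeUtc
        LastWrittenUtc = $item.LastWriteTimeUtc
        Attributes     = $item.Attributes
        Sha256         = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
        SignatureState = $sig.Status
        Signer         = $sig.SignerCertificate.Subject
    }
}

function Find-ServiceReferencingFile {
    param([Parameter(Mandatory)][string]$FileName)
    # A .sys driver only loads at boot if some kernel service entry names it;
    # list any service whose ImagePath mentions the file.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($p.ImagePath -and $p.ImagePath -match [regex]::Escape($FileName)) {
                [pscustomobject]@{
                    Service   = $_.PSChildName
                    ImagePath = $p.ImagePath
                    Start     = $p.Start
                    Type      = $p.Type
                }
            }
        }
}

function New-ReadOnlyPlaceholder {
    param([Parameter(Mandatory)][string]$FilePath)
    # Stu's trick: an empty file with the same name, marked read-only.
    if (Test-Path -LiteralPath $FilePath) {
        throw "Refusing to overwrite an existing file at $FilePath; remove it with AV first."
    }
    New-Item -ItemType File -Path $FilePath -Force | Out-Null
    Set-ItemProperty -LiteralPath $FilePath -Name Attributes -Value ([IO.FileAttributes]::ReadOnly)
    Get-Item -LiteralPath $FilePath -Force
}

$report = Get-SuspectFileReport -FilePath $Path
$report | Format-List
# Keep the evidence outside the affected directory so it survives the delete/reboot cycle.
$report | Export-Clixml -Path (Join-Path $env:TEMP 'suspect-file-evidence.xml')

Find-ServiceReferencingFile -FileName (Split-Path -Leaf $Path) | Format-Table -AutoSize

if ($PlantPlaceholder -and -not $report.Present) {
    New-ReadOnlyPlaceholder -FilePath $Path | Format-List Name, Length, Attributes
}
```

Run it once before AV removes the file (to get the hash and any service entry), then again with -PlantPlaceholder after removal. An empty result from the service search is not conclusive: a kernel-mode rootkit such as Hacker Defender can hide its own files and registry keys from user-mode queries, which is why the thread's other advice, patching and scanning, remains the dependable fix and the placeholder is only a stopgap.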
 