Hijack removal instructions
From Spamwiki
Introduction
Over the course of several years we have monitored numerous server hijack exploits targeting many operating systems and platforms, including UNIX and Linux servers.
Where possible, we will describe step-by-step instructions for removal of these hijacks.
Discount Pharmacy Hijack Removal Instructions
The following is an example from the removal of a "Discount Pharmacy" hack:
Discount Pharmacy websites are hosted using hijacked Windows Server 2000 or Windows Server 2003 servers. The exploit is described in the Discount Pharmacy entry in this Wiki.
Here is how to remove it:
1. Use the freeware program "CurrPorts" to determine which process is using the port (8088):
http://www.nirsoft.net/utils/cports.html
2. Use Task Manager to end the ndis.exe process that you found using this program. (The process may be named differently.)
3. Delete the directories that contained the .exe: C:\windows\i386\drivers and C:\windows\i386_1\drivers. (They may not be named the same on all infections.)
4. Rerun the CurrPorts app to confirm that ports are no longer in use, and verify in a browser that the fake site is no longer accessible.
This does not address the removal or reformatting of the large-scale hidden file system which this exploit creates, but it does stop the Discount Pharmacy website from being served.
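The four steps above as a single PowerShell script, added here as an example and not part of the original wiki page. The port and directory names are the ones given in the steps; the `-EvidenceDir` option and the `Get-ListeningPid` and `Test-PortOpen` helper names are this example's own.

```powershell
# Added example (not from the original wiki page): the four removal steps above
# as one script. It parses "netstat -ano" instead of a newer cmdlet so it also
# runs on older Windows servers. Run it from an elevated PowerShell prompt.
param(
    [int]$Port = 8088,                                      # port named on the page
    [string[]]$HijackDirs = @('C:\windows\i386\drivers',    # directories named on the
                              'C:\windows\i386_1\drivers'), # page; may differ per host
    [string]$EvidenceDir = ''                               # optional: copy files here first
)

# Step 1: find the PID listening on the port (what CurrPorts shows in its GUI).
function Get-ListeningPid([int]$p) {
    $hits = @(netstat -ano | Select-String -Pattern "^\s*TCP\s+\S+:$p\s+\S+\s+LISTENING\s+(\d+)")
    if ($hits.Count -gt 0) { return [int]$hits[0].Matches[0].Groups[1].Value }
    return $null
}

# Step 4 helper: a plain TCP connect tells us whether anything still answers.
function Test-PortOpen([int]$p) {
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect('127.0.0.1', $p); return $true }
    catch { return $false }
    finally { $client.Close() }
}

$procId = Get-ListeningPid $Port
if (-not $procId) { Write-Host "Nothing is listening on port $Port."; return }

# Step 2: record what the process is before ending it, since the name varies
# between infections (the page saw ndis.exe), then stop it.
$proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
Write-Host ("Port {0} is held by PID {1} ({2}) at {3}" -f $Port, $procId, $proc.Name, $proc.Path)
Stop-Process -Id $procId -Force

# Step 3: preserve a copy for analysis if asked, then delete the dropped directories.
foreach ($dir in $HijackDirs) {
    if (-not (Test-Path $dir)) { Write-Host "Not present: $dir"; continue }
    if ($EvidenceDir) { Copy-Item $dir -Destination $EvidenceDir -Recurse -Force }
    Remove-Item $dir -Recurse -Force
    Write-Host "Removed: $dir"
}

# Step 4: confirm the port is closed; the fake site should no longer be reachable.
Start-Sleep -Seconds 2
if (Test-PortOpen $Port) { Write-Warning "Port $Port is still open; check for a second process." }
else { Write-Host "Port $Port is closed." }
```

If the port is still open after the script runs, another process has taken it over and steps 1 and 2 need to be repeated for that process.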