Help with multiple Trojan attacks

Discussion in 'Trojan Defence Suite' started by Martinf, Apr 8, 2003.

Thread Status:
Not open for further replies.
  1. Martinf

    Martinf Registered Member

    Joined:
    Apr 8, 2003
    Posts:
    3
    I guess my question is: am I clean, and what should I do now? I am running Windows 2K.

    In Feb 2003 I got the following message from NAV:
    I did run Norton AV in safe mode thinking that would protect me, but I had problems starting up and shutting down. I moved and was offline for a few weeks. I got another message from NAV:
    Things went rather whacky. I noticed some odd startup behaviour and got help from DSL Reports removing the following from the startup file:

    A bad explorer.exe in the printers folder and scvhost.exe. I removed all references from the registry too.

    I decided (after searching) to add TDS to my system. It is up and running now. My scans are clean, should I do anything else to make sure the virus is removed??


    My questions are as follows:

    1. Am I free of trojans?

    2. I found the STDE9.exe file and deleted it. Is that OK?

    3. I suspect a lot of this had to do with a bad older router. I have a better router with NAT and firewall (D-Link 614+). Why did I suddenly start getting so many attacks? I have a dynamic ISP; was it the old Prestige 314 router?

    Thanks for your help in advance
    Martin
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi Martin,

    If any of these still exist, please zip and email the files in to submit@diamondcs.com.au

    TDS would detect the SDBot trojan in memory if it existed; you can kill it quickly: open the Process List (CTRL O), right-click it and choose Kill Process and Delete File.

    Make sure you have the latest databases for TDS, and you should be clean of SDBot. A good way to verify this is to try the demo of Port Explorer and send in a dump of what is listening: click FILE > Save Table and send that to us too :)
     
  3. Martinf

    Martinf Registered Member

    Joined:
    Apr 8, 2003
    Posts:
    3
    Gavin, will do tomorrow PM; it is late in the US and I am going to sleep. I have all three files, two quarantined and one deleted.

    Martin
     
  4. Martinf

    Martinf Registered Member

    Joined:
    Apr 8, 2003
    Posts:
    3
    Gavin,

    I sent you all three. I was wrong about STDE9.exe; NAV didn't detect it as a trojan. I have it in my garbage bin ready to delete. Let me know if it is a trojan or a system file.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Martinf,
    Does TDS say anything about them and did you send in that STDE9.exe (zipped) to Gavin too for examination?
    If it's a system file, you should be able to get a fresh one from your install CD-ROM, I suppose?
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I'll post back in a moment; from my first quick inspection I would say yes, it's a trojan, but I'll look closer now :)

    Also, I saw this exact filename referenced in a BAT file owned by the IRC trojan ZCrew (mIRC and Serv-U based backdoor). Do you by any chance have a weak or non-existent ADMIN password? Set one if so, even if you don't require that password to log in.

    Yep, it's a variant of SDBot, as expected. Adding detection now (it should already be detected once installed, both by trace detection and in memory).
     