Help with multiple Trojan attacks

i guess my question is am I clean what should I do now. I am running windows 2K.

In feb 2003 I got the following message from NAV:

I did run norton AV in safe mode thinking that would protect me but i had problems starting up and shuting down. I moved and was off line for a few weeks. I got another message from NAV:

things went rather whacky. I noticed some odd start up and got help from DSL reports removng the following from the satrtup file-

An bad explorer.exe in the printers folder and scvhost.exe- I removed all references from the registry too.

I decided (after searching) to add TDS to my system. It is up and running now. My scans are clean, should I do anything else to make sure the virus is removed??


My questions are as followed-

1 am I free of trojans?

2- I found STDE9.exe file I deleted it is that OK

3- I suspect alot of this had to due with a bad older router I have a bettter router with NAT and Firewall (D-Link 614+). Why did I suddenly getting so many attacks? I have a dynamic ISP was it the old Prestige 314 router.

Thanks for your help in advance
Martin

 

Hi Martin,

If any of these still exist, please zip and email these files in, submit@diamondcs.com.au

TDS would detect the SDBot trojan in memory if it existed, you can kill it quick - open the Process List (CTRL O) right click it and choose Kill Process and Delete File.

Make sure you have the latest databases for TDS, and you should be clean of SDBot. A good way to verify this is to try the demo of Port Explorer, and send in a dump of what is listening - click FILE > Save Table and send that to us too

 

Gavin Will do tomorrow pm it is late in t he US and I am going to sleep and I have all three files two quarnteened one deleated.

Martin

 

Gavin,

I sent you all three I was wrong about STDE9.exe NAV didn't detect it as a trojan. I have it in my garbage bin ready to delete. Let me know if it is a trojan or a system file.

 

Hi Martinf,
Does TDS say anything about them and did you send in that STDE9.exe (zipped) to Gavin too for examination?
If it's a system file, you should be able to get a fresh one from your install cd-rom i suppose?

 

I'll post back in a moment, from my first quick inspection I would say yes its a trojan, but i'll look closer now

Also, i saw this exact filename referenced in a BAT file owned by IRC trojan ZCrew, (mIRC and Serv-U based backdoor) Do you by any chance have a weak or non existent ADMIN pass ? Set one if so, even if you dont require that password to login..

Yep, its a variant of SDBot, as expected. Adding detection now (it should be detected once installed already, both by trace detection and in memory)