NOD 32 found Win32/IRC.SdBot.C

Discussion in 'malware problems & news' started by jennyb, Apr 19, 2003.

Thread Status:
Not open for further replies.
  1. jennyb

    jennyb Guest

    now deleted, but the problems still remain.
    don't know how it got it via NOD32 and Zone Alarm Pro, but I only ran NOD32 after searching for a solution to another problem, and seeing trojans mentioned as a possible cause.
    The original problem (still remaining) is that computer now takes up to 5 minutes to load personal settings (Windows XP Pro). Seems the trojan has left hooks in rundll32.exe and possibly Explorer.exe.
    Other than a clean reinstall of Windows, is there anything else I can try?
    all suggestions gratefully received,
    thanks
    jennyb
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
  3. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi jennyb!

    Personally I would install a trojan scanner and scan the whole harddisk. You can choose one of the following:

    http://tds.diamondcs.com.au/
    http://www.agnitum.com/products/tauscan/

    Both tools have a good detection rate and are certainly very helpful. I suggest that you use one of them in future. You don't have a very good defense against trojans if you use "just" a firewall and an AV-software.

    Try it out and let us know if it helped!

    Best regards!

    Patrice
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Patrice,

    No offense in any way, but:

    ..does not hold for Tauscan; it can be easily fooled, as confirmed by the author to us over a year ago. Agnitum has to build a new Tauscan from scratch to join the "real" competition again.

    regards.

    paul
     
  5. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Forum Admin!

    No problem, you are certainly right!! I'm just using TDS-3 and I'm very happy with it! But I don't want to push everyone into it... That's why I always put another trojan scanner as well.

    Some people think, TDS-3 is very complex and not easy enough to understand. Let's say they aren't 100% wrong...

    Best regards!

    Patrice
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    "paul" will do ;)

    That's a valid point no doubt ;) - there are far better alternatives though than Tauscan, which easily can be fooled; TrojanHunter for example.

    Well, anyone can point their browser to the very simple instructions over on the TDS3 site: it's actually quite simple - provided one wants to use the main part from TDS3. For more detailed instructions, FanJ has very comprehensive sticky posts over on the TDS forum on this board. (Useful) bells and whistles do need a learning curve: agreed ;)

    Nice having you aboard,

    regards.

    paul
     
  7. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    See also this thread: http://www.wilderssecurity.com/showthread.php?t=8547

    Could be coincidence... You never know.



    Technodrome
     
  8. jennyb

    jennyb Guest

    thanks everyone. to reply to each of you ...

    Pieter_Arntz - yes I do have XP CD - but why repair IE6? isn't the problem more deep-seated than that?

    Patrice - found the link to http://tds.diamondcs.com.au/ elsewhere on this site and have downloaded and run. It says no sign of any trojans now, but since writing, I have discovered that ZoneAlarm seems to have been its target, as once I uninstalled it, the problem disappeared. However, even a reinstall brought the problem back. I have contacted ZoneLabs for full details of registry entries, so I can do a complete uninstall, as possibly some remnant files are corrupt?

    Also, my system restore was disabled (at least as long as ZoneAlarm was installed ... it seems to be working OK now) but all my restore points were lost and I was unable to even create a new restore point while it was installed.

    Technodrome - I haven't installed XP SP 1, after reading all the negative press it got, I decided to give it a miss.

    Now I guess I will have to wait and see what turns up from ZoneLabs and if a complete registry wipe can set things to rights. I feel pretty exposed :eek: without my firewall!

    jennyb
     
  9. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi jennyb!

    There's always the possibility to put a router in front of your computer(s). Then you don't feel pretty exposed again. The software firewall you can still use for outbound connections. It's worth thinking about this solution!

    Best regards!

    Patrice
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi jennyb,

    IE6 is so deeply embedded in Windows XP that repairing it usually replaces all critical Windows files.
    After reading your other post, I would advise you to install SP1 (XP and IE), because doing so would not just repair the files, but replace them with newer, safer ones.

    Regards,

    Pieter
     
  11. jennyb

    jennyb Guest

    well, I played my ace last night and still the problem remains ... I restored my backup of C Drive with Drive Image.
    wouldn't that be the same as repairing XP Pieter?
    I must sound pretty paranoid about installing SP1 I guess, and from where I stand currently, I doubt much worse can happen eh?
    However I feel certain that the problem still resides somewhere in the ZoneAlarm installation, but until I get a response from ZoneLabs about registry entries ....
    Is it possible that even though the trojan has been deleted, it can leave something that can rewrite a file or corrupt a file? Sorry, if this is a dumb question, but I'm clueless when it comes to trojans o_O
    I have downloaded instructions from Microsoft on How to Perform an In-Place Upgrade (Reinstallation) of Windows XP ... will this have the same effect as the IE6 repair? or am I making more work for myself?
    the router sounds great Patrice ... but $$$s I don't have at the moment :oops:
    thanks for all your input ... I would like to get to the bottom of this thing, if only for the sake of understanding more about trojans, etc.
    jennyb
     
  12. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi jennyb!

    If you got problems with your registry, try out this nice little tool once (you can either download Registry Cleaner or PowerTools):

    http://www.vtoy.fi/jv16/shtml/software.shtml

    This tool helped me a lot to fix some registries. Perhaps it's helping you in your case as well!

    If you have deleted the trojan with TDS-3, I'm pretty sure that there's no file left, which rewrites something into the registry. But if you are not sure, open TDS-3 and press the shortcut Ctrl-O. Then let us know all the processes which are running on your computer. Like that we can help you!

    Last but not least, a router costs 40$ - 100$... I don't think that's much money if I think of the additional security it brings. Keep it in mind, it's worth investing this money.

    Best regards!

    Patrice
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    What you did is restore your drive to a previous state when it was working properly.
    Reinstallations often work fine, but sometimes make a bigger mess than what you're trying to solve.
    I still think getting up-to-date with M$ service packs and patches is your best shot.

    Regards,

    Pieter
     
  14. jennyb

    jennyb Guest

    well, thanks for that info ... downloading the jv16 tool, as I type this, Patrice.
    things went from bad to worse after my last posting, ended up doing a complete reinstall of XP and am just back online now to update everything.
    I intended running SP1 right away before I install any further programs, so it can create the least problems - if any!
    re cost of routers, here in Australia, everything costs quite a bit more than the US ... however, I should get a good one for $150 or so ... need to do some more research first.
    thanks to y'all for your help
    jenny :-*
     
  15. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi jennyb!

    Well 150$ is a bit expensive... I got a really good one and I'm very happy with it:

    Linksys BEFSR41

    We tested it thoroughly and we weren't able to get through... That's a good sign. Start from this product, there are other "newer" routers in the product line of Linksys. So go for them if you want.

    Best regards!

    Patrice

    P.S. If you need further info about what is important when buying a router let us know!
     