Trojan Found help

Discussion in 'Trojan Defence Suite' started by Billy Stephens, Apr 30, 2003.

Thread Status:
Not open for further replies.
  1. Hi

    I am the person who said his boss had the IRC/Flood virus

    He got back today and I installed TD3 and ran a full scan. It found the following files.

    ddos.rat.sdbot
    Hidewindow Trojan Tool.d
    Hidewindow Trojan Tool.d

    I deleted the files and then ran a quick scan and it did not find anything. Is there anything else I should do?

    He approved buying the registered version so I will install it later.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Billy, welcome back!
    Your boss should practise a bit more safe security, but ok, you now have TDS. I would make sure to have the whole three-pack, I mean TDS / WG / PE, and the new AutoStartViewer, and when it comes the additional AGuard too, which will protect the registry from modifications and additions (the follow-up for RegProtection).

    TDS for the moment on highest sensitivity in scanning, and the registered version enables you to install the exec protection which will disable malicious functions from executing at all; WG offers an extra layer for all kinds of scripts and worms on the system and from websites, while it enables you to look into files in the safe mode without actually executing them, so if you know from the description for instance which files such a worm or trojan drops, you can disable those from executing at all (I mean the worm can be named Worm, but the executable file maybe yy.exe, then you add that yy.exe to the blocked list).
    PE shows you in one quick view if there are any suspicious outside connections and by which application and which packets you can look into and can block, you can block all sending and receiving of traffic without breaking the internet connection, and it has several other very handy utilities.
    The AutostartViewer enables you to see what is all starting and has possible auto-update functions which you like to disable as much as possible, and what might not belong on your system at all.

    This is all for the trojans, worms, scripts, registry, any malicious code.

    Of course I suppose he uses a firewall? Email scanning? And a very good anti-virus? For instance NOD32 is a specialist for AV which runs marvelously beside TDS and the others, or you might like to look in the anti-virus forums over here where people tell about their favorites and why; a good alternative for instance might be KAV, while others say to get the Swiss version of that (AVP), so something for the viruses is necessary too.
    For the email scanning NOD32 has that included, it is high on the wishlist for TDS4, several others have it included too.

    If your boss is a lot on mIRC, also get the Mirclean from the DCS free tools, which is a very fast small scanner for mIRC worms and has a little innocent test file included.

    The nice thing about WG is it runs all in the background without hogging resources, it only jumps up when needed.


    I am not sure about his modem, if that for instance would have router capacities included, and which is not my field, but others know that part in other areas in the forums.

    Euhmmm I did not mention spyware cleaners like SpybotS&D and Ad-aware (I use them both), and in the JavaCool forums are several very fine tools for spyware protection and browser hijack protection etc. If it is a business computer these are really musts, in fact all I mentioned are, and there are a few more tools to look into.

    So you are really on a very good way starting with the trojans and worms with the TDS / WG / PE and building on from there with a clean system.
    Glad you found the nasties!

    You might like to go for an extra online scan too in between, like http://housecall.antivirus.com and www.bitdefender.com or www.pandasoftware.com
    I use them all once in a while and am aware of possible false positives there, so I never let them autoclean, always look into possible finds myself.

    It looks like much, but once installed or made a habit it is not so much and pure routine, as several things run in the background, and with the new tools in the build for the TDS4 family you will have a very strong defence at hand.

    Please let me know how it goes!
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi Billy,

    This indicates the presence of a GT Bot style trojan dropper. These are VERY varied, and can use any number of files and settings. You may still have the dropper there, which installed the files, so perhaps the startup entries would help us..

    http://www.tomcoyote.org/hjt/

    I would recommend you run Hijack This! and show us the output.. if we can find a dropper then you may be getting infected again when you reboot. It's very important to ensure that, if this is an NT, 2000 or XP machine, the ADMIN accounts have strong passwords!
     
  4. He left again so I cannot run the program until he returns. How do I use Hijack This? He had no password on the admin account, so before I ran TDS3 I added a strong password. What did this trojan do? How can I be sure it is gone forever without formatting his hard drive?
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Hi Billy,

    Let me answer the question on HijackThis...

    At the website noted above, the button to download HijackThis will bring down a zip file (hijackthis.zip) that contains only the one program, HijackThis.exe. This program isn't an installer, it's the actual HijackThis scanner/repair utility itself, so you don't have to worry about installing it, or about registry updates, or even deinstalling it when you are done. (I really like utilities like this over those that require system installation and later Add/Remove Programs to deinstall.)

    When you run the program, you'll get the program window in the image below. Just hit the {Scan} button, and it will fill in the details of your system's startup keys, browser helper objects, etc.

    Once the scan has been done, that same button changes to {Save Log} which will save a text copy of the findings, and once saved, it'll open it in Notepad. You can copy/paste the results into a post here.

    As I said, a really great utility that is very clean to use.
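    Gavin's point about startup entries that could reinstall the dropper on reboot, and LowWaterMark's description of what HijackThis lists, can be checked by hand as well. The PowerShell script below is an added example, not from this thread, from DiamondCS or from HijackThis: it enumerates the standard Run/RunOnce registry keys and the Startup folders (the same places HijackThis reports as startup entries) and flags any entry whose target is missing from disk or runs from a temp or profile directory. It assumes PowerShell 3.0 or later on the suspect machine; the key paths are the standard Windows ones.

```powershell
# Added example: list Windows autostart entries and flag suspicious ones.
# Assumes PowerShell 3.0+; run on the machine being checked.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',  # Win9x only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }      # key absent on this Windows version
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # skip PowerShell provider metadata
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($dir in $startupFolders) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Extract the executable from a command line (quoted path, else first token;
# unquoted paths containing spaces are not handled) and report why it looks odd.
function Test-Suspicious([string]$command) {
    if ([string]::IsNullOrWhiteSpace($command)) { return 'empty command' }
    $exe = if ($command -match '^"([^"]+)"') { $Matches[1] } else { ($command -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $reasons = @()
    if (-not (Test-Path -LiteralPath $exe)) { $reasons += 'target not found' }
    if ($exe -match '\\(Temp|Local Settings|AppData)\\') { $reasons += 'runs from temp/profile dir' }
    return ($reasons -join '; ')
}

# Print every autostart entry with its flags; review anything flagged by hand.
Get-AutostartEntries | ForEach-Object {
    $_ | Add-Member -NotePropertyName Flags -NotePropertyValue (Test-Suspicious $_.Command) -PassThru
} | Format-Table -AutoSize Source, Name, Command, Flags
```

    A flagged entry is only a lead: compare its target against what a known program would install before removing anything.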
     
