
What are best practice forensics after finding IRC bot

Last Modified: 2013-11-29
What are the best practices for follow-up to a bot removal? I was called on site to a client's small business and found a very simple IRC bot installed that launched on startup and made no attempt to conceal itself. I was able to locate it without a great deal of time and effort; it was installed in a folder in System32\, but the ease with which I could find and remove it led me to ask if there is a false sense of security, since the system scans show no virus and the system is working as expected. I cleaned a Storm Worm-infected machine about two months ago and that was the most stubborn cleanup that I had seen in many years. With this one I deleted the folder and the registry entries and it was gone; it just seemed too easy. The owner told me that he always killed the application as soon as he booted up, so I want to believe it never got past the immediate IRC logins.

In the properties of the executable the company name was 'GoHack, Inc.'

Bri
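The follow-up check a practitioner would want after a cleanup like the one described above is a second look at every autostart location, not just the Run key the bot used, plus a look at live network connections. The script below is an added example and is not from the original post or from the experts' answers. It enumerates the common Run/RunOnce keys, Windows services and scheduled tasks, resolves each command line to its executable, and flags binaries that are unsigned, that live in a subfolder of System32, or whose CompanyName matches "hack" (the "GoHack, Inc." string from the question). It then lists established TCP connections to the classic IRC port range. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (Get-ScheduledTask and Get-NetTCPConnection do not exist on older systems; use schtasks /query and netstat -ano there). The function names, the port list and the "hack" pattern are illustrative choices, not anything the thread specifies.

```powershell
# Added example (not from the original thread): post-cleanup autostart and IRC triage.
# Run in an elevated PowerShell session. Assumes PowerShell 5.1+ on Windows 8/2012+.

$RunKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Illustrative port list: the conventional IRC range plus the usual TLS port.
$IrcPorts = @(6660..6669) + 6697

function Resolve-ExePath([string]$Command) {
  # Pull the executable out of "C:\dir\x.exe" /arg or C:\dir\x.exe /arg.
  # Unquoted paths containing spaces are not resolved and are skipped by the caller.
  if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
  if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
  return $null
}

function Test-SuspiciousBinary([string]$Path) {
  # Returns a list of reasons the binary deserves a closer look; empty means nothing flagged.
  $reasons = @()
  if (-not (Test-Path -LiteralPath $Path)) { return @('file missing (dangling autostart entry)') }
  $sig = Get-AuthenticodeSignature -FilePath $Path
  if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
  $info = (Get-Item -LiteralPath $Path).VersionInfo
  if ($info.CompanyName -match 'hack') { $reasons += "CompanyName: $($info.CompanyName)" }   # 'GoHack, Inc.' from the question
  $sys32 = Join-Path $env:SystemRoot 'System32'
  if ($Path -like "$sys32\*\*") { $reasons += 'executable in a System32 subfolder' }
  return $reasons
}

$entries = @()
foreach ($key in $RunKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSParentPath/... properties
    $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
  }
}
# Services and scheduled tasks are the other two persistence locations a simple bot would use.
Get-CimInstance Win32_Service | ForEach-Object {
  $entries += [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = [string]$_.PathName }
}
Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
  foreach ($a in $_.Actions) {
    if ($a.Execute) {
      $entries += [pscustomobject]@{ Source = 'Task'; Name = $_.TaskName; Command = ('{0} {1}' -f $a.Execute, $a.Arguments) }
    }
  }
}

"== Autostart entries with something to explain =="
foreach ($e in $entries) {
  $exe = Resolve-ExePath $e.Command
  if (-not $exe) { continue }
  $exe = [Environment]::ExpandEnvironmentVariables($exe)
  $flags = @(Test-SuspiciousBinary $exe)
  if ($flags.Count -gt 0) {
    "{0} [{1}] {2}`n    -> {3}" -f $e.Source, $e.Name, $exe, ($flags -join '; ')
  }
}

"== Established connections to IRC ports =="
Get-NetTCPConnection -State Established | Where-Object { $_.RemotePort -in $IrcPorts } |
  ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    '{0}:{1} <- PID {2} ({3})' -f $_.RemoteAddress, $_.RemotePort, $_.OwningProcess, $proc.ProcessName
  }
```

Expect some noise from the signature check: a fair number of legitimate third-party installers drop unsigned binaries into Run keys, so treat "NotSigned" as a prompt to look at the file's path, version info and creation time rather than as a verdict. An empty IRC list only tells you nothing is connected right now; a bot the owner kills at login may still be present and would show up in the autostart section rather than here.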

Rich Rumble, Security Samurai (Certified Expert, Top Expert 2006)

Commented:
BrianDSy, Programmer/Analyst (Author)

Commented:
It's hard to rate any of these as the ultimate solution, since I need to maintain a balance between the users' freedom of choice in a small office and budget choices about offline storage. But after removing the registry keys that started the processes and restarting the machine, I was able to remove the rest of the malware and run the System Restore function of Windows using the boot CD. The first and last solutions are the best for the small business; the second one is an enterprise-type solution. Resources in many of the small businesses I go to are stretched to the maximum.

Regards,
Brian
BrianDSy, Programmer/Analyst (Author)

Commented:
Thanks for the feedback. My client's happy. I feel like I got the job done. There have been no further issues.

Brian
