
Trojan Horse Downloader.Istbar.X

Forum thread excerpts (as quoted on the page; several posts are cut off mid-sentence)

GCQGander (Thread Starter, joined Feb 8, 2004, 12 messages):
I keep getting this message irregularly - often at start-up. Anyway, this is the location that it said the virus was found by AVG: c:\system volume information\_restore-{2EDEBFBE-CD64-4AC6-BB82-21229910E44C}/RP56\AOO84659.exe So I go over to the "c:\system volume information\" folder and I can't get ...

Reply (fragments):
... can't remember it by heart) click apply and now rerun your antivirus... then when you are sure everything is clean reactivate the system restoration. If you have problems deleting the files with the antivirus do it yourself!! 2 possibilities: - delete through windows ...
I would also install 1 or 2 antispyware removal programs, e.g. ...
dvk01, Feb 8, 2004 #2

GCQGander (Thread Starter):
Bingo! AVG was still detecting it, so I looked up where it was at, which was in my C:/Windows/Temp folder, so I deleted it. Thanks very much for your assistance, dvk01. Thx again!

Kristi (posted 12/7/2004):
It's a new virus acquired while DD1 was online over the weekend. I've searched the C: drive but can't locate it. It did not detect it by my running a scan, but during the time that Ad-Aware was running its scan. Although it doesn't seem to be causing any problems it would be nice to eradicate it. Hopefully this log is pretty clean besides the virus itself.

Logfile of HijackThis v1.97.7
Scan saved at 2:21:29 PM, on 12/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
...
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Publisher\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

MrDuck (fragment):
... just post

Kristi (posted 12/7/2004 8:38):
With all the help you guys have given me, I hope I can help someone else in the future! :yeah: Kristi

Vendor write-up excerpts (McAfee and Trend Micro descriptions, as quoted on the page)

Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. You may opt to simply delete the quarantined files.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher). e.g. %WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000); %PROGRAMFILES% = \Program Files. The following files were analyzed: 321b7f529887eafd07fefe6b8ce467df.exe. The following files have been added to the system: %TEMP%\11.tmp. The following ...

Analysis write-up (blog post, as quoted on the page)

I've had a brief look, it's a UPX packed executable of 21 KB (48 KB unpacked). According to http://virusscan.jotti.org/ all scanners but ClamAV, Fortinet and VBA32 are able to detect it. There's apparently absolutely nothing interesting about it. Better luck next time I guess. I'm nevertheless going to discuss my findings briefly because there are still one or two remarkable things.

The header of the file is moderately interesting. Merging the MZ header and the PE header has apparently caught on with the writers of EXE packers lately. The last time I saw it was when I had a brief look at .kkrieger, the 96 KB 3D shooter made by .theprodukkt. PeLib was able to handle this behaviour because I had observed it before. The problem was that the code of the packer is not located in any section. I had never seen that before. It ends at offset 0x1FA and uses only calls to two trivial functions. After a few changes (NumberOfSections, EntryPoint and PhysicalOffset of the first section, IIRC) IDA disassembled it correctly.

If the import directory is placed at the end of a section it's easy to get an empty import directory entry "for free": apparently the terminating empty import directory entry only needs to be available once the import directory is initialised after the file was loaded by the Windows PE loader ... That's where the terminating import directory entry comes from.

The names really are code that's executed. You've actually already seen it on this page if you looked closely. (In the hex dump of the headers the NL2BR plugin conflicts with the BBCode plugin.)

CODE:[email protected]^..........
[email protected]

But even using that file I wasn't able to find out what two functions (ordinals 823 and 825) do. "??3@YAXPAX@Z @ 825 NONAME" is a bit too cryptic, although I'm positive ... (That decorated name is the MSVC mangling of void __cdecl operator delete(void *).)

The downloader code has three responsibilities: to get the name of the temp path of the current user, to call the function that downloads a file from the internet and stores it in ... The download happens in chunks of 1024 bytes between the offsets 0x40115E and 0x4011AF. A flag is returned to the calling function that indicates whether the download was successful. Just what does that downloaded file do? I'm not the one to find out though, I know of more amusing things than looking through 48 KB files just for fun.

The annotated IDA disassembly file can be downloaded here. I wouldn't necessarily recommend downloading that file. If you downloaded the file don't worry about accidentally running it, I've applied a small patch to it to make it unrunnable. I'll be checking that out within the week.
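The three header tricks described in the analysis above (PE header merged into the DOS header, packer code that lies outside every section, and an import directory whose terminating entry only exists after the loader maps the section's zero padding) can be checked mechanically. The following Python is an added example written for this page, not code from the post or from PeLib; the image it audits is constructed by build_sample() and is not the Istbar sample, and every name in it is this example's own.

```python
import struct

DOS_HEADER_SIZE = 0x40
OPTIONAL_HEADER_SIZE = 0xE0        # PE32 optional header
SECTION_HEADER_SIZE = 0x28
IMPORT_DESCRIPTOR_SIZE = 0x14      # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def build_sample(tricky=True):
    """Construct a tiny PE32 image with one .text section (not a real sample).
    tricky=True reproduces the three layout tricks from the write-up; tricky=False
    builds a conventional layout for comparison."""
    sect_rva, raw_ptr, raw_size, virt_size = 0x1000, 0x200, 0x200, 0x1000
    if tricky:
        e_lfanew = 0x10                   # PE header starts inside the 64-byte DOS header
        entry_rva = 0x180                 # entry point in the header area, in no section
        import_rva = sect_rva + raw_size - IMPORT_DESCRIPTOR_SIZE  # last 20 bytes on disk
    else:
        e_lfanew = DOS_HEADER_SIZE
        entry_rva = sect_rva + 0x20
        import_rva = sect_rva + 0x100

    opt = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    # BaseOfCode: with e_lfanew=0x10 this field lands on file offset 0x3C and
    # doubles as e_lfanew, which is what makes the merged header work.
    struct.pack_into("<I", opt, 20, e_lfanew)
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, raw_ptr)     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, import_rva, 2 * IMPORT_DESCRIPTOR_SIZE)

    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", virt_size, sect_rva, raw_size,
                       raw_ptr, 0, 0, 0, 0, 0x60000020)

    image = bytearray(raw_ptr + raw_size)
    image[0:2] = b"MZ"
    pe = b"PE\0\0" + coff + bytes(opt) + sect
    image[e_lfanew:e_lfanew + len(pe)] = pe
    struct.pack_into("<I", image, 0x3C, e_lfanew)         # same value as BaseOfCode when tricky

    code_off = entry_rva if entry_rva < sect_rva else raw_ptr + (entry_rva - sect_rva)
    image[code_off] = 0xC3                                # ret
    image[raw_ptr:raw_ptr + 13] = b"KERNEL32.dll\0"       # DLL name at RVA 0x1000
    desc_off = raw_ptr + (import_rva - sect_rva)
    struct.pack_into("<IIIII", image, desc_off, 0, 0, 0, sect_rva, sect_rva + 0x80)
    # The null terminator is never written: when tricky, the descriptor ends at
    # EOF and the terminator exists only in the section's virtual zero padding.
    return bytes(image)


def parse(image):
    """Read the headers that matter for the checks; raises on a non-PE image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, raw = struct.unpack_from(
            "<8sIIII", image, opt + opt_size + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "rsize": rsize, "raw": raw})
    return {"e_lfanew": e_lfanew,
            "entry": struct.unpack_from("<I", image, opt + 16)[0],
            "size_of_headers": struct.unpack_from("<I", image, opt + 60)[0],
            "import_rva": struct.unpack_from("<I", image, opt + 96 + 8)[0],
            "sections": sections}


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def rva_to_raw(hdr, rva, size):
    """File offset of `size` bytes at `rva`, or None if they are not on disk:
    headers map 1:1, the section tail past SizeOfRawData is loader-supplied zeros."""
    if rva + size <= hdr["size_of_headers"]:
        return rva
    s = section_for_rva(hdr["sections"], rva)
    if s is None or rva - s["va"] + size > s["rsize"]:
        return None
    return s["raw"] + (rva - s["va"])


def audit(image):
    """Return the layout anomalies found, in a fixed order."""
    hdr = parse(image)
    findings = []
    if hdr["e_lfanew"] < DOS_HEADER_SIZE:
        findings.append("merged_headers")
    if section_for_rva(hdr["sections"], hdr["entry"]) is None:
        findings.append("entry_outside_sections")
    rva = hdr["import_rva"]
    while rva:
        raw = rva_to_raw(hdr, rva, IMPORT_DESCRIPTOR_SIZE)
        if raw is None:                       # terminator lives only in memory
            findings.append("import_terminator_virtual_only")
            break
        if not any(image[raw:raw + IMPORT_DESCRIPTOR_SIZE]):
            break                             # genuine null descriptor on disk
        rva += IMPORT_DESCRIPTOR_SIZE
    return findings


if __name__ == "__main__":
    print("tricky:", audit(build_sample(True)))
    print("clean: ", audit(build_sample(False)))
```

Run audit(open(path, "rb").read()) on a real file. None of the three findings is malicious on its own (packers and size-optimised demos like .kkrieger use the same tricks), but each one means a plain section-based disassembly will need the kind of manual fix-ups the write-up describes for IDA.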
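The forum thread above turns on where the detected file lived: C:\Windows\Temp and a System Restore snapshot under System Volume Information\_restore-{GUID}\RPnn. The following Python is an added example, not part of any post on the page: it pulls the O4 (startup) entries out of HijackThis log lines and flags any whose executable sits in a temp or restore-point directory. The first three sample lines are the O4 lines from the log quoted in the thread; the last two are constructed for this example and are not from that log.

```python
import re

# Sample HijackThis O4 lines. Lines 1-3 are from the log quoted in the thread;
# lines 4-5 are constructed for this example (names and paths invented).
SAMPLE_O4_LINES = [
    r"O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Publisher\Office10\OSA.EXE",
    r"O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE",
    r"O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe",
    r"O4 - HKLM\..\Run: [istbar] C:\WINDOWS\Temp\AOO84659.exe",
    r"O4 - HKCU\..\Run: [tmp11] C:\Documents and Settings\User\Local Settings\Temp\11.tmp /run",
]

# "O4 - <source>: [<value name>] <command>"  or  "O4 - <source>: <x>.lnk = <command>"
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<value>[^\]]*)\]|(?P<lnk>.+?\.lnk) =) ?(?P<cmd>.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|com|scr|pif|bat|dll|tmp))"?', re.IGNORECASE)

# Directories a legitimate startup entry has no business launching from.
SUSPICIOUS_DIRS = (
    "\\windows\\temp\\",
    "\\temp\\",
    "\\system volume information\\",
    "\\recycler\\",
)


def parse_o4(line):
    """Split one O4 line into source, entry name and executable path; None if not O4."""
    m = O4_RE.match(line)
    if not m:
        return None
    p = PATH_RE.search(m.group("cmd"))
    if not p:
        return None
    return {"where": m.group("where"),
            "name": m.group("value") if m.group("value") is not None else m.group("lnk"),
            "path": p.group(1)}


def is_suspicious(path):
    low = path.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def triage(lines):
    """Return the parsed O4 entries whose executable lives in a suspicious directory."""
    return [e for e in map(parse_o4, lines) if e and is_suspicious(e["path"])]


if __name__ == "__main__":
    for entry in triage(SAMPLE_O4_LINES):
        print(f"{entry['where']}: [{entry['name']}] -> {entry['path']}")
```

A file under System Volume Information is a System Restore copy, which is why a scanner keeps reporting a file that has already been deleted from C:\Windows\Temp; the copy only goes away when the restore points are discarded, which is what switching System Restore off and back on (the "reactivate the system restoration" step in the thread) does on Windows XP.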