I have a problem. I have XP home edition. I use AVG grisoft anti-virus. It pops up and tells me I have a trojan called Downloader.Istbar.B in my C:\System Volume Information\_restore{bunch of numbers}.exe. The system I got did not come with a restore disc. Supposedly all info is partitioned on the hard drive. Tried a restore and no dice, restore will not function. None of the online virus and trojan scanners can locate a trojan on the system. I tried to open the file and it tells me access is denied...??? Anyone have any ideas? Any help would be GREATLY appreciated...
Go to Disk Cleanup and click on the More Options tab, then click clean old system restore points. That will delete all the old restore points, hopefully including the BS one.
Great answer.... I helped him try a lot of different things... including just what you recommended... and we checked at TrendMicro, read the details..... and that left us wondering, but the results are the same.. he did a Reg backup, has system restore off... and we'll run thru all of it, with fresh brains tomorrow. (Wolfe is a good friend of mine) and I want to help him resolve this.... seems a new low threat threshold trojan... but anything of this type is bad.
We scanned his REG but didn't see the listed reports from Trend....
Thanks Paradox..... more info as we try again later
Cheers !....
nothing like my Virtual Spitfire Mk IXc and a few wingmen to cover my 6 !
Is this Win XP? If so and you can find the file in question try this.
Open a Command Prompt window and leave it open. Then close all programs. Click Start->Run and type "taskmgr". Then go to the Processes tab and end process on "explorer.exe". Leave the Task Manager open. Then go back to the Command Prompt window and change to the directory where the "Access Denied" file is located. At the command prompt type DEL <filename> where <filename> is the file you want to delete. Go back to the Task Manager, click File->New Task and type "explorer.exe" to restart the GUI.
Originally posted by parse27 maybe spybot-search&destroy could help too
Absotively. SpyBot is great. Either should do the job.
Google shows more if you just put "Istbar.B" in the search.
The ZoneLabs one is a link to a single comment in their forum.
Croc.
It will be long, it will be hard and there will be no withdrawal. Winston Churchill
Remember: Wherever you go in life, you take yourself with you.
Originally posted by Croc ...Google shows more if you just put "Istbar.B" in the search...
Yep, did just that and had to edit my post. Thing is, I wonder if a solution for one variant would work just as well for another. wolfhawk's variant seems to be new coz it seems like it hasn't shown up that much on forums and the like..
What we did..... was disable the system restore.... and the pop up from AVG stopped..... we removed all the restore points.... and did a Reg back up file. Also we used the TrendMicro analysis report as a guide, and searched the REG for the lines... not there... (hence the back up file). The scans with AVG and all online trojan tools show clean now..... and no new pop-ups.
I recommended a change for his system... Sygate FW... and seems all is ok so far.
Will update as we discover more.. if anything. At TrendMicro, it showed the first report was on 10/12 and the report was as of 10/14.
Hi ya Croc.. Thanks for your input.. all of ya'll. But yes, adaware, and spybot plus the trojan hunters online all missed it. It was in my C:\System Volume Information\_restore.exe file. AVG pegged it, but couldn't remove it. One of the trojan hunters said something about not being able to search in that folder, access was denied. No one can get into it, I think it is that way from the manufacturer. But, Shep walked me through some stuff and we shut restore off. I will use registry for any reformatting or restoring I need to do from now on. But again, thanks for all ya'll's help! Wolfhawk