Tuts 4 You

Potential Trojan - Seeking assistance


Ksbunker


In an effort to keep my system safe from hidden modules (i.e. modules that have been manually unlinked from PEB->LDR_MODULE), I coded up a little tool that scans the memory of my process and attempts to identify any DLLs that do not resolve using the normal toolhelp API. See below (apologies for the large image):

malwarespyer.png

This immediately aroused my suspicions, so I checked out the code section of this phantom module. See attachment.

Here's my plea. I'm confident this is some kind of trojan periodically sending off critical information pertaining to my browsing. Suffice to say, this is of gross concern.

How can I permanently delete this omnipresent module?

Regards,

Ksb

NB: If anyone takes the time to analyse the attached code, I would be very eager to hear how it functions.

potential_virus.txt

2 weeks later...
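The detection idea in the first post (walk committed memory, look for PE headers, and flag any image the loader does not list) written out as an added, stand-alone example; this is not the poster's tool. It assumes the caller has already gathered the region bytes (on Windows from VirtualQuery/ReadProcessMemory) and the loader's module bases (Toolhelp Module32First/Next or the PEB lists); the sample regions below are constructed.

```python
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"

def pe_header_info(blob):
    """Return (e_lfanew, SizeOfImage) if blob starts with a well-formed
    MZ/PE header, else None. Every offset is bounds-checked so a partial
    or hostile region cannot raise."""
    if len(blob) < 0x40 or blob[:2] != DOS_MAGIC:
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    # Need signature (4) + COFF header (20) + optional header up to SizeOfImage
    if e_lfanew + 24 + 56 + 4 > len(blob):
        return None
    if blob[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    # OptionalHeader starts 24 bytes after the signature; SizeOfImage sits
    # at offset 56 in both the PE32 and PE32+ optional headers.
    size_of_image = struct.unpack_from("<I", blob, e_lfanew + 24 + 56)[0]
    return e_lfanew, size_of_image

def find_unlisted_images(regions, listed_bases):
    """regions: {base_address: bytes} for committed regions of a process;
    listed_bases: module bases the loader reports. Returns
    [(base, SizeOfImage)] for PE images in memory but absent from that list."""
    hidden = []
    for base in sorted(regions):
        info = pe_header_info(regions[base])
        if info and base not in listed_bases:
            hidden.append((base, info[1]))
    return hidden

def _fake_pe(size_of_image, e_lfanew=0x80):
    """Build a minimal constructed MZ/PE header for the demo (no real code)."""
    buf = bytearray(e_lfanew + 24 + 96)
    buf[0:2] = DOS_MAGIC
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    struct.pack_into("<H", buf, e_lfanew + 24, 0x10B)          # Magic = PE32
    struct.pack_into("<I", buf, e_lfanew + 24 + 56, size_of_image)
    return bytes(buf)

# Constructed snapshot: one listed module, one image the loader does not
# know about (as with an unlinked LDR entry), plain data, a truncated header.
SAMPLE_REGIONS = {
    0x00400000: _fake_pe(0x2000),
    0x10000000: _fake_pe(0x5000),
    0x00500000: b"\x00" * 0x1000,
    0x7C800000: b"MZ" + b"\x00" * 0x3E,
}
SAMPLE_LISTED = {0x00400000}

if __name__ == "__main__":
    for base, size in find_unlisted_images(SAMPLE_REGIONS, SAMPLE_LISTED):
        print(f"unlisted PE image at 0x{base:08x}, SizeOfImage 0x{size:x}")
```

An unlisted image is only a lead: legitimate packers and some security products also map code this way, so the next step is to dump the region and inspect it, as the second reply suggests.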

Mind PM-ing me the file? Or just a dump of it?

It seems to me it's identifying certain strings inside the link you are navigating (e.g. "google." with strstr), then I see some encrypted strings that do get decrypted in those CALLs... and I lost interest, since I can't run through it :-P PM PLOX!
