Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: MikeBCda on December 14, 2003, 06:11:00 PM

Title: My turn for a testimonial
Post by: MikeBCda on December 14, 2003, 06:11:00 PM
Hi gang,

Finally got my first personal experience with a non-email virus last night, and 4-home was right there to catch it in the act.  I was downloading a web page when avast's warning kicked in, and it's probably safe to assume that's where it came from.

I forget the specific virus, or the particular file, but it was an EXE in the Windows\Temp directory.  My first reaction of course was to "repair", but I was told it was unavailable in the VRDB.  So considering its location, I gambled and then chose delete-permanently.  Ran a fresh disk scan afterwards which looked clean.

It was only this morning I discovered the rest of the "goodies" it had left behind.  My first hint was when I started IE and it immediately loaded a strange page, rather than my usual blank "home" page.  Aha, a hijacker at work!

So I dropped back offline, reset the home page, and let Ad-Aware do its thing -- it found quite a few "malware" items which I let it delete.  Then JV-16's registry cleaner which turned up a couple of references to that EXE, and I trashed those too.

One more avast scan, thorough this time to be certain, and then I generated a fresh VRDB.

So proper cleanup really needs a triple-barrel response -- avast, of course, plus adware scanner, plus registry cleaner.  That's been said many times here in different forums, but I'll definitely add my confirmation to that now.

Best to all,
Mike
Title: Re:My turn for a testimonial
Post by: igor on December 14, 2003, 06:58:47 PM
Do you have the Home or Pro version of avast?
What was the virus name?
Title: Re:My turn for a testimonial
Post by: MikeBCda on December 14, 2003, 07:21:14 PM
Hi igor,

My goodness, need new glasses? :D  In the first couple of paragraphs I'd said I was using 4-home, and that I hadn't made a note of the specific virus or EXE that it hit, only remembered that it was in Windows\Temp.

It was the combination of its location in Temp, plus apparently too new for the most recent VRDB (and no recent installs I could recall), that led me to guess I could safely delete it.

I'll go back and check the Report file, if the specific info's useful to you.

Best,
Mike
Title: Re:My turn for a testimonial
Post by: igor on December 14, 2003, 07:27:07 PM
OK, I guess I'm doing too many things simultaneously. Glasses may be handy, too :)

I'm just wondering how the virus may have gotten active (to create the registry entries etc.) when avast! detected it...
Title: Re:My turn for a testimonial
Post by: MikeBCda on December 14, 2003, 07:42:27 PM
Hi again igor,

Ok, I'm back (you don't get rid of me THAT easy  ;D )

The file was istsvc.exe.  And if I'm reading the report file entry correctly (this is on same line, following the file name), the virus was identified as Win32:Istdnldr [UPX].

Too bad this info didn't go into the Log too, that's a heck of a lot easier to access than the Report.

I haven't yet done a search online (here plus wherever else, probably Trend) for the file or the virus, I'll be interested to see what's said about it.

Best,
Mike
Title: Re:My turn for a testimonial
Post by: .: Mac :. on December 14, 2003, 08:19:37 PM
I can find no entry in the Trend virus database on this virus. Of course it's probably under a different name.  I would like to add that I always add a step and scan with Trend afterward to get a 2nd opinion.
http://housecall.trendmicro.com best ONLINE scanner out there  8)
Title: Re:My turn for a testimonial
Post by: .: Mac :. on December 14, 2003, 08:22:55 PM
I'm back and I found it. It's from Symantec; they call it Adware.Istbar

http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html

Quote
Adware.Istbar is an adware component, which does one or more of the following:


Installs an Internet Explorer toolbar
Acts as a Home page and search hijacker
Pops up advertisements, often pornographic in nature
Title: Re:My turn for a testimonial
Post by: eddyk31 on June 08, 2004, 02:10:06 AM
Hi, I was hoping you found a way to remove istsvc.exe. I deleted the folder and now avast can't find it and there are still no programs in the Add and Remove panel
Title: Re:My turn for a testimonial
Post by: Kobra on June 08, 2004, 03:20:52 AM
You know that 99% of this can be prevented by a good hosts file, right? For peace of mind, you just have to have a good hosts file. =)  Try this one, it's updated weekly with new threats:

http://www.mvps.org/winhelp2002/hosts.htm

Second item I recommend is Javacool's Spyware Blaster.  Inoculates your box against about 3000 various web based malicious items. Updated monthly, and does NOT run resident, just run it, cure, and exit it.  Rinse and repeat once a month for fun.

http://www.javacoolsoftware.com/spywareblaster.html

Of course, a good popup blocking web browser tops all of that off. I use MYIE2 and love it.  Some people like Mozilla, which I couldn't stand. All preference.

That's it!  I haven't seen a single piece of adware/spyware or hijacker on my machine in 4 months of HEAVY surfing.  A small bit of prevention goes a LONG way to reducing your risk of infection from various things surfing around.

PS: I'm curious as to why you'd get infected if Avast picked it up, it shouldn't have executed.  ???
Title: Re:My turn for a testimonial
Post by: Staind on June 08, 2004, 03:36:56 AM
Mozilla is by far the best browser available right now.  I prefer Ad-Aware 6, and for Registry Cleaning I use uh Bug Destroy or something like that.  It kind of sucks, any suggestions for a good one?
Title: Re:My turn for a testimonial
Post by: Kobra on June 08, 2004, 03:56:06 AM
You don't even need an adware/spyware program if you follow my instructions above, what part are you missing here?  =)  Once again, point to anyone else you know that hasn't seen spyware/adware in 4 months?  My system works, in practice, and principle.    Try it, and see.  No need for all these fancy adware scanners and crap, no need at all.

As for Mozilla, it was OK, but felt like a rather stripped down version of MYIE2 for me.  But I guess it's preference.
Title: Re:My turn for a testimonial
Post by: Staind on June 26, 2004, 04:05:51 AM
I love the program (Spyware Blaster) but it says that I don't have Mozilla/Firefox installed, which I do. I was wondering if you've had any experience with this.  If you don't, I'll email the creator.
Title: Re:My turn for a testimonial
Post by: cousindave on June 26, 2004, 04:45:50 AM
Quote
Posted by: Staind  Posted on: Today at 10:05:51pm  
I love the program (Spyware Blaster) but it says that I don't have Mozilla/Firefox installed, which I do. I was wondering if you've had any experience with this.  If you don't, I'll email the creator.  
Here's some info on your question.
http://www.wilderssecurity.com/showthread.php?t=37305
Title: Re:My turn for a testimonial
Post by: Staind on June 26, 2004, 05:44:45 AM
Yeap, answered my question. Thanks a lot.