Author Topic: My turn for a testimonial  (Read 5507 times)


Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2248
My turn for a testimonial
« on: December 14, 2003, 06:11:00 PM »
Hi gang,

Finally got my first personal experience with a non-email virus last night, and 4-home was right there to catch it in the act.  I was downloading a web page when avast's warning kicked in, and it's probably safe to assume that's where it came from.

I forget the specific virus, or the particular file, but it was an EXE in the Windows\Temp directory.  My first reaction of course was to "repair", but I was told it was unavailable in the VRDB.  So considering its location, I gambled and then chose delete-permanently.  Ran a fresh disk scan afterwards which looked clean.

It was only this morning I discovered the rest of the "goodies" it had left behind.  My first hint was when I started IE and it immediately loaded a strange page, rather than my usual blank "home" page.  Aha, a hijacker at work!

So I dropped back offline, reset the home page, and let Ad-Aware do its thing -- it found quite a few "malware" items which I let it delete.  Then JV-16's registry cleaner which turned up a couple of references to that EXE, and I trashed those too.

One more avast scan, thorough this time to be certain, and then I generated a fresh VRDB.

So proper cleanup really needs a triple-barrel response -- avast, of course, plus adware scanner, plus registry cleaner.  That's been said many times here in different forums, but I'll definitely add my confirmation to that now.

Best to all,
Mike
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11811
    • AVAST Software
Re:My turn for a testimonial
« Reply #1 on: December 14, 2003, 06:58:47 PM »
Do you have the Home or Pro version of avast?
What was the virus name?

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2248
Re:My turn for a testimonial
« Reply #2 on: December 14, 2003, 07:21:14 PM »
Hi igor,

My goodness, need new glasses? :D  In the first couple of paragraphs I'd said I was using 4-home, and that I hadn't made a note of the specific virus or EXE that it hit, only remembered that it was in Windows\Temp.

It was the combination of its location in Temp, plus apparently too new for the most recent VRDB (and no recent installs I could recall), that led me to guess I could safely delete it.

I'll go back and check the Report file, if the specific info's useful to you.

Best,
Mike

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11811
    • AVAST Software
Re:My turn for a testimonial
« Reply #3 on: December 14, 2003, 07:27:07 PM »
OK, I guess I'm doing too many things simultaneously. Glasses may be handy, too :)

I'm just wondering how the virus may have gotten active (to create the registry entries etc.) when avast! detected it...

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2248
Re:My turn for a testimonial
« Reply #4 on: December 14, 2003, 07:42:27 PM »
Hi again igor,

Ok, I'm back (you don't get rid of me THAT easy  ;D )

The file was istsvc.exe.  And if I'm reading the report file entry correctly (this is on same line, following the file name), the virus was identified as Win32:Istdnldr [UPX].

Too bad this info didn't go into the Log too, that's a heck of a lot easier to access than the Report.

I haven't yet done a search online (here plus wherever else, probably Trend) for the file or the virus, I'll be interested to see what's said about it.

Best,
Mike

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:My turn for a testimonial
« Reply #5 on: December 14, 2003, 08:19:37 PM »
I can find no entry in the Trend virus database on this virus. Of course it's probably under a different name.  I would like to add that I always add a step and scan with Trend afterward to get a 2nd opinion.
http://housecall.trendmicro.com best ONLINE scanner out there  8)
"People who are really serious about software should make their own hardware." - Alan Kay

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:My turn for a testimonial
« Reply #6 on: December 14, 2003, 08:22:55 PM »
I'm back and I found it. It's from Symantec; they call it Adware.Istbar.

http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html

Quote
Adware.Istbar is an adware component, which does one or more of the following:

  • Installs an Internet Explorer toolbar
  • Acts as a Home page and search hijacker
  • Pops up advertisements, often pornographic in nature
« Last Edit: December 14, 2003, 08:24:36 PM by MacLover2000 »

eddyk31

  • Guest
Re:My turn for a testimonial
« Reply #7 on: June 08, 2004, 02:10:06 AM »
Hi, I was hoping you found a way to remove istsvc.exe. I deleted the folder and now avast can't find it and there is still now programs in the add and remove panel

Kobra

  • Guest
Re:My turn for a testimonial
« Reply #8 on: June 08, 2004, 03:20:52 AM »
You know that 99% of this can be prevented by a good hosts file, right? For peace of mind, you just have to have a good hosts file. =)  Try this one, it's updated weekly with new threats:

http://www.mvps.org/winhelp2002/hosts.htm

Second item I recommend is Javacool's Spyware Blaster.  Inoculates your box against about 3000 various web based malicious items. Updated monthly, and does NOT run resident, just run it, cure, and exit it.  Rinse and repeat once a month for fun.

http://www.javacoolsoftware.com/spywareblaster.html

Of course, a good popup blocking web browser tops all of that off. I use MYIE2 and love it.  Some people like Mozilla, which I couldn't stand. All preference.

That's it!  I haven't seen a single piece of adware/spyware or hijacker on my machine in 4 months of HEAVY surfing.  A small bit of prevention goes a LONG way to reducing your risk of infection from various things surfing around.

PS: I'm curious as to why you'd get infected if Avast picked it up, it shouldn't have executed.  ???
« Last Edit: June 08, 2004, 03:22:34 AM by Kobra »

Staind

  • Guest
Re:My turn for a testimonial
« Reply #9 on: June 08, 2004, 03:36:56 AM »
Mozilla is by far the best browser available right now.  I prefer Ad-Aware 6, and for Registry Cleaning I use uh Bug Destroy or something like that.  It kind of sucks, any suggestions for a good one?

Kobra

  • Guest
Re:My turn for a testimonial
« Reply #10 on: June 08, 2004, 03:56:06 AM »
You don't even need an adware/spyware program if you follow my instructions above, what part are you missing here?  =)  Once again, point to anyone else you know that hasn't seen spyware/adware in 4 months?  My system works, in practice, and principle.    Try it, and see.  No need for all these fancy adware scanners and crap, no need at all.

As for Mozilla, it was OK, but felt like a rather stripped down version of MYIE2 for me.  But I guess it's preference.

Staind

  • Guest
Re:My turn for a testimonial
« Reply #11 on: June 26, 2004, 04:05:51 AM »
I love the program (Spyware Blaster) but it says that I don't have Mozilla/Firefox installed, which I do. I was wondering if you've had any experience with this.  If you don't, I'll email the creator.

cousindave

  • Guest
Re:My turn for a testimonial
« Reply #12 on: June 26, 2004, 04:45:50 AM »
Quote
Posted by: Staind  Posted on: Today at 10:05:51pm  
I love the program (Spyware Blaster) but it says that I don't have Mozilla/Firefox installed, which I do. I was wondering if you've had any experience with this.  If you don't, I'll email the creator.  
Here's some info on your question.
http://www.wilderssecurity.com/showthread.php?t=37305

Staind

  • Guest
Re:My turn for a testimonial
« Reply #13 on: June 26, 2004, 05:44:45 AM »
Yeap, answered my question. Thanks a lot.