On impulse I deleted one of the adware infections… I am not sure if it will inevitably come back though. If anyone would know anything 'bout that.
Also, I am curious as to what those system files are and if they pose a threat. They didn’t come up when I scanned them but nevertheless they are in the chest.
There is little point in deleting a file in the chest shortly after sending it there as a) it can do no harm there and b) you might as well have deleted it in the first place and cut out the middle man, the avast chest.
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
I really do wish Alwil would get rid of this All Chest Files collation of the three sections.
The only area you should be interested in is the Infected Files section, this is where the files detected by avast and selected by you to move to the chest are placed.
The User Files section is where the user can add files they suspect of being malware but not detected by avast.
The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).
Ooh, thank you very much. That did help clear things up quite a bit.
Though I just recalled that Win32: Goldun-BZ trojan was detected in a previous scan and promptly deleted but it appears it came back. Does that fact change how I should handle things?
Did you click REMOVE? MBAM found a load of AdwareCrapola and there may be something else lurking
since something funny is happening
check Add Remove programs and remove anything which you do not recognize
rerun MBAM full scan with all options selected and CLICK REMOVE
run the Rogue Remover scan
do the boot time avast thing- send any hits to the Chest
I’d also run a Super Anti Spyware scan
Thankfully all of my records are back suddenly just by exiting and going back to MB.
All of the Adware is still there but the Trojan is gone. I could have sworn I got rid of all of it. Though at least now I won’t have to scan again. deletes all of adware
Also, in add or remove programs everything is in order except way too many updates from SP2 >P
Did you click REMOVE on a previous MBAM scan- where did all the adware go?
looks like MBAM is clean which is GOOD 10 min scan- not bad
Did you CLEAN or whatever you do with SAS?
looking good
I’d do an online scan with Kaspersky AV
if Kaspersky finds anything it will not fix it on free scan so post back
If kaspersky is clean
run secunia software inspector and update all your apps
run ccleaner
Defrag
set a new restore point
I got rid of the adware that showed up in MBAM and SAS.
Well, I thought I was smooth sailing past all your steps until Kaspersky found Trojan-Downloader.Win32.IstBar.ja. Apparently the file name is C:\data. How in the hell that randomly showed up is beyond me. When I was running Kaspersky I had stopped Avast’s on-access protection because it instructed me… Hopefully that didn’t have anything to do with it… sigh
http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453094274
shows five files
search for them and delete 4 if found
on the one called “data” best to check properties and file location
post back if you cannot id the correct one as the baddie
if it is C:\data just delete it- it is dropped by the trojan into your “root file”
ISTbar ISTbar is a Trojan downloader which will download additional malware components including but not limited to Internet Optimizer and Bargain Buddy. Servers which ISTbar will contact to download malware include: ysbweb.com, sidefind.com, download.bargain-buddy.net, slotch.com and more. In addition to being a Trojan it is also an Internet Explorer BHO installed as a toolbar.
Notice how a Host file would keep this kind of crapola from phoning home
This Trojan arrives as a file that is either dropped or downloaded by other malware.
Upon execution, it displays a Graphical User Interface (GUI) that prompts an affected user to install an Internet Explorer toolbar on the system. Once the user clicks the I AGREE button in the said GUI, this Trojan downloads and installs several adware toolbars on the affected machine.
perhaps one of the “site advisor” type tools would be helpful
disable System Restore
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>IST
In the right panel, locate and delete the entry:
exe_start = “dword:00001”
Close Registry Editor.
search for this and delete if found- be sure to enable show hidden files etc
TROJ_ISTBAR.DU
read the stickie at the top of this forum and post a Hijack this
and any logs
As DavidR hinted - we gotta know exactly what we are dealing with
Notice how getting a second opinion with Kaspersky or other on line scanners is helpful
Kaspersky is usually pretty good at trojans
I am surprised that AVG Anti-Spyware (formerly EWIDO) did not pick up this older, once common, infection,
however these infections are constantly morphing
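The hosts-file remark in the post above, as an added example that is not part of the original thread: a small audit that reports which of the ISTbar download servers named in the post are not yet sinkholed. The function names, the sample hosts text and the choice of sinkhole addresses are assumptions made for illustration.

```python
# Added example: check hosts-file text for sinkhole entries covering the
# ISTbar download servers listed in the thread.

# Addresses treated as "blocked" (assumption: the usual sinkhole targets).
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# Domains taken from the ISTbar description quoted in the post.
ISTBAR_SERVERS = [
    "ysbweb.com",
    "sidefind.com",
    "download.bargain-buddy.net",
    "slotch.com",
]

def parse_hosts(text):
    """Return {hostname: address} for every active mapping in hosts text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        fields = line.split()
        if len(fields) < 2:
            continue                          # empty or malformed line
        address, names = fields[0], fields[1:]
        for name in names:
            # Hostnames are case-insensitive; keep the first mapping seen.
            mapping.setdefault(name.lower().rstrip("."), address)
    return mapping

def unblocked(text, domains=ISTBAR_SERVERS):
    """Domains with no sinkhole entry. Hosts files match exact names only,
    so an entry for a parent domain does not cover a subdomain."""
    mapping = parse_hosts(text)
    return [d for d in domains if mapping.get(d.lower()) not in SINKHOLES]

def sinkhole_lines(domains):
    """Lines to append to the hosts file for the given domains."""
    return [f"0.0.0.0 {d}" for d in domains]

# Constructed sample, not taken from any machine in the thread.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
0.0.0.0         ysbweb.com www.ysbweb.com   # blocked
0.0.0.0         bargain-buddy.net           # parent only
#0.0.0.0        sidefind.com
127.0.0.1       SLOTCH.COM
"""

if __name__ == "__main__":
    missing = unblocked(SAMPLE_HOSTS)
    print("not blocked:", missing)
    print("\n".join(sinkhole_lines(missing)))
```

On Windows the file to audit is `%SystemRoot%\System32\drivers\etc\hosts`; read it and pass its contents to `unblocked()`.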
Okay, from Virus Total I got this result during scanning: c:\data
Antivirus Version Last Update Result
BitDefender 7.2 2008.08.24 Trojan.Downloader.Istbar.JA
Ewido 4.0 2008.08.24 Downloader.IstBar.ja
F-Secure 7.60.13501.0 2008.08.24 Trojan-Downloader.Win32.IstBar.ja
Fortinet 3.14.0.0 2008.08.24 VBS/Istbar.JG!tr
Ikarus T3.1.1.34.0 2008.08.24 Trojan-Downloader.Win32.IstBar.JA
Kaspersky 7.0.0.125 2008.08.24 Trojan-Downloader.Win32.IstBar.ja
VBA32 3.12.8.4 2008.08.23 Trojan-Downloader.Win32.IstBar.ja
http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453094274
shows five files
search for them and delete 4 if found
*on the one called "data" best to check properties and file location
post back if you cannot id the correct one as the baddie
if it is C:\data just delete it- it is dropped by the trojan into your "root file"
I am not quite sure how to find the other files to search for using Virus Total.
*I did find the file called "data" in c:\ I am a bit confused about what you mean but hopefully the above information will help.
I am glad that I checked several thanks to your help. Though it seems like the checking never ends D:
HKEY_CURRENT_USER>Software>IST
iinstall.exe
crack.exe
data
iinstall.exe
crack.exe
notice that two of the files are found in different locations- the question is where
do a “search” or “find” for these using your os START>FIND (or whatever)
you can then upload to virus total. my use of “search” was inappropriate
virus total will eventually report to Avast to help improve detections
notice how EWIDO shows- you might try the EWIDO online scan
or the Bit-Defender one Bit Defender will remove
*but watch for False Positives with their advanced heuristics
I do not know if the IST or possibly 1ST is in the registry- try a search
verify the paths if you find it as these bastards frequently use the same name in a different location as a trap for the overanxious and imprudent
F-Secure also has an on-line scan I think
take your time and track down all the leads no rush now
Yeah, I searched for them before and nothing turned up aside from the file called “data”. Are iinstall.exe and crack.exe MEANT to exist? When I did my search I selected “search on all files and folders” and filled in the names in both criteria boxes “all or part of the file name” and “a word or phrase in the file” and searched in “My Computer”. Hopefully I did things correctly.
When I searched the registry several times for “IST” I am presented with something different every single time.
read the stickie at the top of this forum and post a Hijack this
and any logs
As DavidR hinted - we gotta know exactly what we are dealing with
I have yet to do what is bolded, so y’know. There’s quite a bit right now and I feel like a chicken with its head cut off.
I chose to scan with Ewido. Haven’t scanned with F-Secure or Bit-Defender yet because I assume that this will be sufficient enough in providing information.
stay at it
the anti Trojans/malware scanners target different (overlapping) sets than the AV’s
so you need to do some of each
I like to alternate- sorta like peeling an onion
we hope those files are gone since they were baddies no problem if they are missing - good riddance
besides these baddies change file names so we gotta double check everything
SO EWIDO and Bit Defender are two good choices- one of each type
then post up the HJT we'll save the big gun till later
i do not remember and gotta go for awhile- did you do this?
search for this and delete if found- be sure to enable show hidden files etc
TROJ_ISTBAR.DU
i do not remember and gotta go for awhile- did you do this?
search for this and delete if found- be sure to enable show hidden files etc
TROJ_ISTBAR.DU
Yeah, I searched for it but didn’t find it.
So, I am currently rescanning with Ewido because last night I fell asleep and didn’t get rid of what I found and once I came back my computer restarted. Interesting, after doing it again it’s found a few different tracking cookies than the last scan. Anyway. After it’s finished (which it is close to) I’ll scan with Bit Defender and then the HJT.