AVG and Avira won't update - win32 poly crypt virus?

Status
Not open for further replies.
M

markymark06824

Posts: 12   +0
Hello all.
I am struggling and hope you can help. My antivirus programs have not updated in weeks. I had AVG (which I can't remove) and downloaded Avira. Neither will update.

AVG has found the Win32 poly crypt virus. I don't know how to get rid of this. I have performed the 8 step removal process, but still no luck. Here is my HJT log. Any help would be appreciated.

M
 
I have performed the 8 step removal process, but still no luck. Here is my HJT log. Any help would be appreciated.
Click to expand...

Where are the other logs?

Also, verify Parental Controls are being used.
 
I didn't save the other logs. I will try the steps again tonight and resave the logs. I do use parental controls, but my kids sometime surf under my identity as well. Y8.com is their most favorite site.
 
Okay on the Parental Controls. There are 9 of these entries- just wanted to verify:
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

Symantec says Y8.com is a safe site, but games use Flash so be sure to keep the flash player updated with the security fixes: http://voices.washingtonpost.com/securityfix/2009/02/adobe_issues_security_update_f.html

I'll review the logs after you attach them. Follow the step and run Malwarebyetes, then Superantispyware and follow with new scan with HijackThis.

Please include a current scan from Avira. If you can't remove AVG at this point, take the AVG entries off of Startup:
Start> Run> msconfig> enter> Selective Startup> Startup Menu> UNCHECK all AVG entries> Apply> OK

Then Start> Run> services.msc> right click> Properties on any AVG Service> change Startup type to Disabled> Stop the Service> Reboot the computer.

NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.
 
Sorry for the delay, but this is going to be a process on this end. I can only work on this at night and the scans take a long time. Here is the Avira scan. The Avira program has not updated since May 7th.
 
Thanks, Kimsland. I tried this once already and unbelievably it did not work. I am currently running (at home), the C Cleaner. Will run it twice and move onto the next step of the 8 step program. I will also try to remove AVG again.

M
 
I don't see evidence of AVG, but I do see Symantec entries. If you previously use Symantec/Norton security, all the files were not removed. Please run the Norton Removal Tool HERE.

Unfortunately, I also see evidence of piracy:
\F\Documents and Settings\Mark\Local Settings\Temp\crack.ace

And this warning was given:
Out of memory! The virus or unwanted program was not deleted!
Click to expand...

I also question the source of this:
F:\F\Documents and Settings\Mark\Local Settings\Temp\fifa.ace

It is heavily found on torrent sites.

See this section in Step 3: Uninstall File Sharing/P2P Programs
https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
 
Bobbye,
This machine came with a free trial of Symantec. I never activated it, so any files that remain are just what was installed previously. Do i need to remove it if I never activated it?

The F:/drive is an external hard drive that I used on an old machine. I think that the files you are seeing there are from prior backups from that machine. Any viruses their would likely be in a vault from AVG. I do not run any programs from the F:drive.

The FIFA reference was likely an old soccer game (again part of the backup)

I used to belong to Peer to Peer several years ago. Have not had any peer to peer in 3 or 4 years and never on this machine. As to the crack.ace, I am unsure what this is from.
 
markymark06824, you should always uninstall any programs you didn't or don't use. They are taking up 'space' on your hard drive.
Do i need to remove it if I never activated it?
Click to expand...
Yes. I saw Symantec because it is loading on your machine- this can cause a conflict with current security programs. There are 10 Symantec processes starting and loading when you boot. All of the them should be gone once you run the Norton Removal Tool.

The F:/drive is an external hard drive that I used on an old machine. I think that the files you are seeing there are from prior backups from that machine. Any viruses their would likely be in a vault from AVG. I do not run any programs from the F:drive.
The FIFA reference was likely an old soccer game (again part of the backup)I do not run any programs from the F:drive.
Click to expand...

If I see the entries, they are loading. If they are old, unused files, delete them:
F:\F\Documents and Settings\Mark\Local Settings\Temp\crack.ace
F:\F\Documents and Settings\Mark\Local Settings\Temp\fifa.ace

CrackAce is a serial crack for Ace Screen Capture 2.3. There is a free download for a portion of the program. There is a free trial. But the license to use is $25. Using CrackAce means it wasn't paid for, pirated instead. Please remove it.

You are running the following Real Time Protection. Step 3 instructs you to temporarily disable them before running the scans as it can interfere with the results:

SPYBOT TEATIMER
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • When we are done, you can re-enable TeaTimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.
WINDOWS DEFENDER

  • [* ]Click Start > Programs > Windows Defender or launch from the system tray icon.
  • Click on Tools & Settings > Options.
  • Under Real-time protection options, uncheck the "Real-time protection" check box.
  • Click Save.
  • Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Window Defenders page uncheck under Administrator Options "use Windows Defender" and then Save.
  • When we are done, you can re-enable Defender using the same steps but this time place a check next to "Turn on real-time protection" check box.

Now do the scans for Malwarebytes, Superantispyware and rescan with HijackThis. I will review the logs when I have all three.
 
bobbye,
I tried to follow your direction for S&D, however, there is no Tea Timer option is System Startup.

Similarly, there was no realtime protection option under Windows Defender.

Am i doing something wrong?
 
# Click on the "System Startup" icon in the List
# Uncheck the "TeaTimer" box and "OK" any prompts.
Click to expand...
This is within Spybot S&D itself, not the Startup menu found using msconfig.[/quote]

# Click on Tools & Settings > Options.
# Under Real-time protection options, uncheck the "Real-time protection" check box.
# Click Save.
Click to expand...
This is from within WD itself.

If you have a problem finding either of these, try this path:

Right click on Start> Explore> Programs> find Spybot S&D and Windows Defender> open each. look on the right screen for the option to run. You should be able to disable at startup from there.
 
Does it matter that i am running Vista? Neither SD nor Defender had the options you write of.

When I try the other option, I do not get a run option.

Sorry.

Here is the error log from the unsuccessful Avira Update attempt.
 
Yes, it does. The path to the Run command is different:

Where is the Vista Run Command?
Vista uses Start Search dialog box, in the same way we used the old 'Run' command in XP. All that you need is to type the name of the executable, e.g. cmd, in the Start Search dialog box. See screenshots below:.
search_two.jpg


you can also find information on customizing here:
http://www.computerperformance.co.uk/vista/vista_run_command.htm
 
Mbam and SAS are clean.
HijackThis log from 6:17:38 AM, on 5/22/2009 show previous entries removed as instructed with the following exceptions:

Real Time Protection still running:
[/BC:\Program Files\Windows Defender\MSASCui.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

New Real Time Protection added:
C:\Program Files\TrojanHunter 5.1\THGuard.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.1\THGuard.exe"
Temporarily disable: TROJAN HUNTER
  • Go to TrojanHunter Guard in the the system tray. It is a light blue icon with a magnifying glass and red handle.
  • Right click on it and select settings.
  • Uncheck "Load at startup" and "Enabled". Make sure that the program, TrojanHunter itself, is also closed/not running.
Avira Antivirus Updater failed! attempted May 21 10:24:48 2009> 10:25:35
Failed: 10 Files downloaded 0 Files installed

I can have you run more programs, but it would be useless while the three Real Time Protection programs are running. As long as they are starting and running in the background, I cannot verify that the logs are accurate.

You can run this online scan and see if anything turns up:
Open Kaspersky Online Scanner in Internet Explorer HERE.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make that the following are selected: Scan using the following Anti-Virus database:
    [o] Extended (if available otherwise Standard)
  • Make the following choices in Scan Options:
    [o] Scan Archives
    [o] Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Attach that log with your next post.
If you get the Real Time Protection stopped, do a new HijackThis and attach new log.
 
Geez. It is like I am taking steps backwards. I uninstalled SD and Trojan hunter(couldn't figure out how to stop the monitoring). I figured out Windows Defender, I think. Let's try this again.

Going to run the scan now.
 
Yeah, I know> sometimes it's the pits! But we will ignore that Windows Defender is still running and go on.

Did you run the Kaspersky scan? Did you save the report?

Please open HijackThis, and select Do a system scan only.

Place a checkmark next to the following entries (if present):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab


Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

To disable the Eset Nod32 Online Scanner running in the background:

  • [1] Click Start, and then click Control Panel.
    [2] Click Network and Internet.
    [3] Under Internet Options, click Manage browser add-ons.
    [4] Click Manage Add-Ons.
    [5] At the Manage Add-Ons dialog, click to highlight eset OnlineScanner.
    [6] Then, click Disable to prevent the add-on from automatically loading.

Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update.
Click HERE to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 13) and save to your desktop):
Double click the setup to run.
Reboot your computer.

Remove the older versions of Java: Vista
1. Click Start, Control Panel> Programs> Installed Programs> Highlight the program> File> Change/Remove
http://www.netomatix.com/development/images/AddRemoveProgram2.PNG[/omg]
2. Uninstall all Java updates except J2SE Runtime Environment 6.0 Update 13

What is the status of the AV update?
 
ok. Here is the latest HJ log.

The Kaspersky scan found a virus in a file on the f:drive. I think that it was very old as it was contained in an old unused file. The f:drive is an external disk drive. It has old backed up files from old machines. Been less than diligent cleaning them up. I deleted this file.

I could not locate the the ESET online scanner as per the instructions. As I used this like Kaspersky to do an online scan, I simply deleted the program.

I have updated the JAVA. Do not see any prior versions.

AV still not updating.

Uggghhh.
 
I would have liked to see the virus from Kaspersky.
The Eset entry no longer shows.
You are missing three Java entries that would have started with Java v6u12. They are:
C:\Program Files\Java\jre6\bin\jqs.exe
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

JQS= Java Quick Start. The processes aren't necessary, can be removed and the Service disabled, but you do not give any indication that you have done this.

The only Java entries you have are for the auto-updater:
C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

and a plug-in for an earlier version- Java(TM) Platform SE 6 U10\
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

I have compared the HJ logs for the security programs. The tally is below:
HJ 1 Scan saved at 8:02:59 AM, on 5/17/2009: AVG (toolbar), O20 - AppInit_DLLs: avgrsstx.dll , Avira, Symantec/Norton, Windows Defender, TeaTimer,
HJ 2 Scan saved at 6:17:38 AM, on 5/22/2009: Windows Defender, Trojan Hunter, Avira, AVG (toolbar), O20 - AppInit_DLLs: avgrsstx.dll. TeaTimer, Avira, NO Symantec/Norton
HJ 3 Scan saved at 2:44:10 PM, on 5/22/2009: Avira, Windows Defender, AVG (toolbar, O20 - AppInit_DLLs: avgrsstx.dll, NO TeaTimer
HJ 4 Scan saved at 8:54:53 AM, on 5/24/2009: Avira, Windows Defender, AVG toolbar continues> this is the entry:
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)[/b], O20 - AppInit_DLLs: avgrsstx.dll

HijackThis can remove the toolbar but not the 020 entry. The 020 type items are associated with library files that are loaded automatically on every Windows startup.

Please try this:
1) Click on Start, Control Panel
2) Open Add/Remove Programs
3) Find AVG in the Programs list and highlight it
4) Click Remove and follow the prompts to uninstall AVG Free

It's the basic. If you get any error message trying to do this:
Boot into Safe Mode> Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK all AVG entries> Apply> OK

Then try the uninstall above.
Reboot the computer into Normal mode. NOTE: ignore and close the nag message after the reboot after checking 'don't show this message again.' Stay in Selective Startup.

One more scan with HijackThis to make sure AVG is gone. I used AVG and did a normal uninstall without any special tool and had no files left over.

See if you can now manually update Avira. Run a full system scan. Leave HJ log and Avira log attached to next reply. It's important to know if you can update manually. IF you can, but aren't getting the auto-updates, then it's a configuration problem.
 
Latest try.

Here is what I have done. I did my very best to uninstall AVG. Avira was still not updating, manually or automatically. I uninstalled Avira and install Avast.

I ran Kaspersky again. The log is attached. I also ran HJT again. Here is the log.

Thoughts?
 
Okay, looking good. Kaspersky fine one infection in a temporary internet file- otherwise you're clean.

You might find this discussion interesting regarding the AVG/Avira problem with Win32 poly crypt virus:
http://forum.avira.com/wbb/index.php?page=Thread&postID=787691

Strange that Avast would load but Avira wouldn't update. But that was a good move on your part. Did you do a full system scan with Avast after installation. If not, you should. If there is any infection, you should attach the log.

Steps to finish up:

  • [1] UPDATE and run a full system scan with Avast. If malware found, attach log. If nothing is found, go to next step
    [2] Do a disc cleanup to remove temporary internet files, temp files and Cookies you don't want to save.
    [3] To remove all of the tools we used and the files and folders they created:
    • Please download OTCleanIt by OldTimer and Save to your Desktop:
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

      [4] You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

      [5] Remove old restore points:
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools .
      [*] Click "OK" to select the partition or drive you use
      [*] Click the "More Options" Tab.
      [*] Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

      More details and screenshots for Disk Cleanup in Windows Vista can be found here.


    Empty the Recycle Bin when finished with all of above.

    You worked hard. You did a good job. If there are additional problems, please let me k
 
Bobbye,
Sorry for the delay in replying. It has been a crazy week. I took all of your suggestions for the restore point and the final back up. Thank you for all of them and for all of your help. I can't help wonder why this problem happened. I now have Avast running well on this machine, AVG running on another desktop and Avira running on my notebook. May eventually switch everything to Avast (when time permits, that is!)
Thanks again for your patience and for a job well done.

Mark
 
It was a pleasure helping you Mark. Of the three AV programs you're using on the different machines, Avira is likely the best- so if you decide to make change for all systems to have same AV, I suggest Avira. Avast would be second choice, AVG not recommended at all- too many updating problems as well as missed malware.

Let me know if you need anymore help.
 
Status
Not open for further replies.

Similar threads

S
Inactive Malware created Win7 system processes I cannot end or delete
2
Replies
36
Views
5K
Broni
Broni
B
  • Locked
Inactive-A Unknown virus / malware
Replies
13
Views
3K
Broni
Broni
S
Inactive Possible virus remains after formatting and rescue disk execution
Replies
7
Views
3K
Broni
Broni

Latest posts

Back