
AVG and Avira won't update anymore, also problem with CMD and Regedit


6 replies to this topic

#1 Supertramp73

Supertramp73

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Location:Switzerland
  • Local time:02:25 PM

Posted 10 May 2009 - 03:58 AM

I just found this forum by googling a bit around today because I found this topic:
http://www.bleepingcomputer.com/forums/t/206736/run-cmdexe-causes-explorer-to-crash/

Lately my mom came bugging me that her AVG Free 8.5 won't update anymore.
Therefore every time she turns on her notebook, she gets a red cross from Windows
telling her that Windows is not safe (because the virus scanner is not up to date)
and also a message from the AVG virus scanner that the updates couldn't be downloaded.
(She's running WinXP SP3 on a Sony Vaio Notebook).

I told her just to wait a bit, because most probably the update server is currently
not available. (I have AVG 8.5 too - but couldn't explain why mine is updating
and hers not)

Now, 3 weeks later, she's still bugging me that her AVG is not updating, so I sat down
to have a closer look. I uninstalled AVG 8.5, rebooted, downloaded the latest version, installed it,
rebooted again - but it still can't download the updates...

Next I wanted to ping the update server and went to START - RUN and wanted to
run CMD, but noticed that this makes the desktop go away for a few seconds
(no console appearing, instead ALL icons disappear from the desktop including the
taskbar). I never saw that before and my first thought was that she seriously mucked
up something... Next I wanted to have a look in the Registry and tried START - RUN: regedit,
but that also just makes the desktop icons disappear for a few seconds
(in both cases, the desktop icons and the taskbar appear again after 5 seconds,
but I can NOT start the console and also cannot get into the registry editor).

Great... so I already prepared myself to backup her data and copy back an image
of the disk which I made a few months ago...


Just yesterday, somebody else came to me, telling me that he is having some "error messages"
when he starts his XP... I went to that person's home, and noticed when he turns on his computer,
he also gets a red cross and Windows telling him that the virus scanner is not up to date.
He had AVG 8.0 installed which also couldn't be updated anymore?

Ok, first try was again to uninstall AVG 8.0, reboot, download the latest AVG 8.5,
install, reboot -> and again same problem, AVG 8.5 can't be updated?
(He's running WinXP SP3 on a Compaq PC)

Now I was sort of seriously thinking that it MUST be something with the AVG update server...
Then I also tried "START - RUN: CMD" on his computer - and look, SAME problem:
All icons from the desktop and the taskbar disappear (you only see the light blue default background color),
and after a few seconds the icons appear again (but no console showing up).
Same with regedit (also can't be started).

My next try was to uninstall AVG 8.5 and then I downloaded Avira AntiVir as an alternative.
But look - AntiVir also CAN NOT update itself??

I tried to google around to see if other people have the same problem, but the only topic
I found was on http://www.bleepingcomputer.com/forums/t/206736/run-cmdexe-causes-explorer-to-crash/
I did not experience the problem with redirecting issues, but none of them
wrote something about having virus scanner update problems.

To me, it looks like these two problems have something in common.
For example some new malware/trojan disables the updating functionality
of the virus scanners (so they can remain unrecognized on the system),
also they somehow disable the access to CMD and Regedit.

Anyone else experiencing this kind of problem?

(Moderator edit and note: post moved to more appropriate forum. jgw)

Edited by jgweed, 10 May 2009 - 09:36 AM.




#2 Supertramp73


Posted 11 May 2009 - 03:06 PM

Just found one more guy having nearly the same problem:
http://www.bleepingcomputer.com/forums/ind...p;#entry1259296

#3 Supertramp73


Posted 11 May 2009 - 03:10 PM

And one more:
http://www.bleepingcomputer.com/forums/ind...p;#entry1259302

#4 Supertramp73


Posted 11 May 2009 - 03:17 PM

Another one:
http://www.bleepingcomputer.com/forums/ind...p;#entry1259317

He refers to
http://www.bleepingcomputer.com/forums/t/224869/dds-cmdexe-and-regedit-not-working-browser-redirecting/

Where somebody presented a possible solution.
I'll try it out tomorrow evening and give feedback if it worked for me too...

#5 Supertramp73


Posted 11 May 2009 - 03:21 PM

Just stumbled over this post too:
http://www.bleepingcomputer.com/forums/t/224326/avg-wont-update-cant-run-regedit-dds-wont-run/

(Will also try it out tomorrow...)

#6 Supertramp73


Posted 11 May 2009 - 03:26 PM

Again another guy fighting with the same problem:
http://www.bleepingcomputer.com/forums/ind...p;#entry1259338
(Good to see that I'm not the only one...)

#7 Supertramp73


Posted 16 May 2009 - 12:55 PM

Ok, here's the solution:

- First of all, sorry that I posted a link to my own thread here in some other guys' threads,
but I am sure that some people will follow it and finally land here to find their solution.

- You can skip steps 1-3 if you are not interested in the search for the solution,
Point 4 gives the information you are looking for

1.)
I ran the free Kaspersky Online Scanner over the system which detected:
"Trojan.Win32.Small.aarn" in C:\Windows\xiwl.tvb

/*
Thanks to xblindx for giving me the link to the Kaspersky Online Scanner which is:
http://www.kaspersky.com/kos/eng/partner/d...n=1242495913828
*/

(Uploading that file to www.virscan.org or www.virustotal.com
showed that this file is definitely infected, but more or less each
virus scanner had its own name for it).

At least I was sure now that all the problems on that system really
seem to be caused by an infection...

2.)
Some people in other forums wrote that a-squared was able to remove it
(the USB stick version when booted in safe mode).
In my case a-squared found "Trojan.Win32.Small!IK" in
C:\Windows\xiwl.tvb.

But putting that file into quarantine and rebooting the system
didn't help: The file "xiwl.tvb" was still there.
When deleting it by hand, after a second it just appears automatically
again...

3.)
I went through all this
http://www.geekstogo.com/forum/Malware-Spy...uide-t2852.html

and then followed this thread:
http://www.geekstogo.com/forum/Trojan-Spy-...ot-t237387.html

As usual too much blablabla - but anyway, very friendly!

However, I came to ComboFix, and started to follow these instructions
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Since I was not able to START - RUN: CMD, ComboFix didn't work either
(because it seems to work in a console window)

4.)
My fault that I only now had a closer look again at this link:
http://www.bleepingcomputer.com/forums/t/224869/dds-cmdexe-and-regedit-not-working-browser-redirecting/
(as mentioned above, I promised to give feedback about it)

Big Thanks to "FarBar" who brought me to the right idea!

Same as he explained, I also had a closer look with HJT at the
RUN keys and fixed 3 *.exe which seemed suspicious to me
(means I deleted 3 entries of executables that start automatically).
(If you can't figure out yourself which *.exe make no sense,
post a HJT logfile, some friendly people in here might give you a hint)

Then I renamed C:\Windows\regedit.exe to copy.exe
and was also able to start regedit that way again.

In the Registry I also had a look at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
and in my case found: aux4 -> C:\WINDOWS\xiwl.tvb
Of course I immediately removed that key.

Rebooted the computer, and was now able to delete
C:\Windows\xiwl.tvb
(now it didn't automatically show up again after a second)

"START - RUN: CMD" is now working again
"START - RUN: Regedit" is now working again too
(after the reboot, C:\Windows\regedit.exe was automatically there again,
so I just deleted the "copy.exe" which I previously made myself,
in your case it might be necessary to rename "copy.exe" back to "regedit.exe"
if it's not already there again)

And most important - AVG8.5 is now updating again...

Best regards,
Supertramp73
(Alen Markov)
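
The Drivers32 check from step 4 of the post above, as an added example that is not part of the original post: it parses saved `reg query` output for the Drivers32 key and flags values like the `aux4 -> C:\WINDOWS\xiwl.tvb` entry. The function name, the extension allow-list and the System32 rule are assumptions (a triage heuristic, not a definitive list), and the sample output is constructed apart from the `aux4` line.

```python
import ntpath
import re

# Assumption (heuristic): stock Drivers32 data is a driver/codec module name,
# normally a bare file name that Windows resolves from System32.
EXPECTED_EXT = {".drv", ".dll", ".acm", ".ax"}
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")


def audit_drivers32(reg_query_text):
    """Return (name, data, reasons) for Drivers32 values that look out of place."""
    findings = []
    for line in reg_query_text.splitlines():
        match = VALUE_LINE.match(line)
        if not match:  # key header or blank line
            continue
        name, data = match.groups()
        reasons = []
        ext = ntpath.splitext(data)[1].lower()
        if ext not in EXPECTED_EXT:
            reasons.append("unexpected extension " + repr(ext))
        folder = ntpath.dirname(data).lower()
        if folder and not folder.endswith("\\system32"):
            reasons.append("module path is outside System32")
        if reasons:
            findings.append((name, data, reasons))
    return findings


# Constructed sample of `reg query` output; only the aux4 line comes from the post.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    midimapper    REG_SZ    midimap.dll
    msacm.imaadpcm    REG_SZ    imaadp32.acm
    wave    REG_SZ    wdmaud.drv
    msacm.l3acm    REG_SZ    C:\WINDOWS\system32\l3codeca.acm
    aux4    REG_SZ    C:\WINDOWS\xiwl.tvb
"""

if __name__ == "__main__":
    for name, data, reasons in audit_drivers32(SAMPLE):
        print(name, "->", data, "|", "; ".join(reasons))
```

A flagged value is a lead to verify (file signature, scanner verdict), since third-party codecs can legitimately register modules here.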



