Can't update flash player or CryptoPrevent ...

For background, my computer was recently infected with ransomware - http://www.bleepingcomputer.com/forums/t/586174/started-as-u-cash-now-bsod/page-5#entry3823952 - and cured via this forum.

After that I discovered CryptoPrevent, CryptoMonitor, and Malwarebytes Anti-Exploit: http://www.bleepingcomputer.com/forums/t/591190/question-on-scans-sandboxing-cryptoprotect-etc/page-5

I couldn't get Cryptoprevent to update, so I started a thread here: http://www.bleepingcomputer.com/forums/t/594470/cant-update-flash-player-or-cryptoprevent/page-2#entry3862393 and was ultimately requested to start a thread in this sub-forum.

I suspect the issue might be related to some services I disabled per Black Viper's guide - and I have listed those services in the last thread above.

The system is running WinXP SP3, btw.

To recap - there are two main issues with the computer right now:

If I try to update CryptoPrevent manually, I get a pop-up box with the message "Could not update definitions" - which is the same message I get if the computer is off-line.

Adobe Flash Player plug in will not update automatically.  If I go to https://get.adobe.com/flashplayer/ - I can't download the file, but at the end it says "Installation failed".  If I download and install the file from http://www.adobe.com/es/products/flashplayer/distribution3.html - it seems to work fine, but at the end of the install, I get a message that "Real Player 11 is incompatible and can cause issues with Flash Player and should be uninstalled or disabled".  I ignore this message, but as far as I can tell, Real Player is not installed on the system at all.

Thanks in advance for assistance.

Edited by Tiger-Heli, 17 November 2015 - 09:04 AM.

No.

I use Firefox Portable, although I have a really old version of Firefox standard installed as well, but neither list Real Player.

Look in IE addons. It may be listed there.

Will do - but I am more concerned with the CryptoPrevent not updating issue ...

Are you doing manual updates with Cryptoprevent? Temporarily disable your firewall and see if it will update.

Edit: If you do not see RealPlayer in IE then see this page. Look for the processes in Task Manager. Are they there?

Edited by JohnC_21, 17 November 2015 - 10:42 AM.

Yes, manually updates with CryptoPrevent are not working.

I added cryptoprevent.exe to the exclusions or allowed programs for the Windows Firewall, but I didn't try disabling the firewall - will try that.

I am pretty sure I don't see Real Player in add/remove programs or a Program Files/Real/ folder, but I will check for the services.

You can download the Pro Version of Revo Uninstaller and see if it detects RealPlayer. It is good for 30 days.

http://www.revouninstaller.com/online_manual/

Again - I'll look into it, but it isn't my main concern.  As far as I can tell, the distribution version of Flash Player installs and works fine - it just gives me an error that it doesn't like Real Player 11, but since I don't use that, I don't care too much.

No luck ...

Cryptoprevent won't update with the firewall disabled either.

No real player add-ons listed in I.E.

None of those listed processes shown as running.

For CryptoPrevent, I really think it is services related.  From the other thread, here are the differences between my setup and the default WinXP Pro config:

Also - I went through the BlackViper list of default configurations and came up with these differences, but I'm not sure which ones might be causing an issue and which ones are not good to enable:

Automatic Updates - Disabled - Default Automatic (Started)
Background Intelligent Transfer Service - Manual (Started) - Default Manual
Clipbook - Manual - Default Disabled
Computer Browser - Disabled - Default Automatic (Not Started)
Distributed Link Tracking Client - Disabled - Default Automatic (Started)
Fast user Switching - Manual - Default Manual (Started)
Human Interface Device Access - Automatic (Started) - Default Disabled
Indexing Service - Manual - Default Automatic (Started)
Net Logon - Disabled - Default Manual
NetMeeting Remote Desktop Sharing - Disabled - Default Manual
Network Connections - Manual (started) - Default Manual
Network Location Awareness (NLA) - Disabled - Default Manual (Started)
Perfomance Logs and Alerts - Disabled - Default Manual
Qos RSVP - Disabled - Defualt Manual
Remote Access connection Manager - Manual (Started) - Default Manual
Remote Desktop Help Session Manager - Disabled - Default Manual
Remote Procedure Call Locator - Automatic (Started) - Default Manual
Remote Registry - Disabled - Default Automatic (Started)
Security center - Manual - Default Automatic (Started)
Shell Hardware Detection - Disabled - Default Automatic (Started)
Smart Card - Disabled - Default Manual
SSDP Discovery Service - Disabled - Default Manual (Started)
Task Scheduler - Disabled - Default Automatic (Started)
TCP/IP NetBISO Helper Service - Manual - Default Automatic (Started)
Telephony - Manual (Started) - Default Manual
WebClient - Manual - Default Automatic (Started)
Windows Image Acquisition - Automatic (Started) - Default Manual

CryptoPrevent support said none of these would disable their updates, but I'm not sure, - but I don't want to blindly enable or disable services to test.  However, not being able to update CryptoPrevent is like running a six-month old un-updated AntiVirus - it's better than nothing, but ...

For Real Player - I'm guessing there's probably some registry key that should be deleted and wasn't.

Thanks again!!!

Are you saying that you set all services back to default. If not, I would do that and see if CryptoPrevent updates. I believe this can be done using Windows All in One Repair. Only check set Services to Default in the list. Black Viper also has a program that will set services back to default. 

http://www.blackviper.com/2008/06/16/windows-xp-service-pack-3-services-registry-files/

If you have an XP install disk with the same SP as what you currently have on the computer, I would run sfc /scannow from a command prompt to check for corrupted and missing system files.

No, they are not set back to default - for example where I said:

Automatic Updates - Disabled - Default Automatic (Started)

I have this set to disabled, but the default setting for this is Automatic and Started.

I thought it was good to disable some of the service, but I can try resetting to default and see where that takes me.

Thanks again!!!

I set the services back to default and CryptoPrevent still will not update.

Also - after I did that, Avast Free Antivirus said it found a Trojan .exe file that I didn't recognize using the svchost.exe process.  I let it fix it automatically and haven't had any issues since.

If you have an XP install disk with the same SP as what you currently have on the computer, I would run sfc /scannow from a command prompt to check for corrupted and missing system files.

I didn't try this yet, but I have several questions about this:

• I have a few install disks - one from the previous PC and one that I slipstreamed with N-Lite to add the SATA drivers and that I also used recently to make an Ultimate Boot CD.  Does it matter which one I use?
• I probably have run either Windows Update or Autopatcher after installing Windows XP.  If that has changed files, will that create issues?
• Most importantly - is there any potential for sfc /scannow to replace working good files with old bad ones and prevent the computer from booting up?

If you have a good SP3 install disk then run the sfc /scannow on a fresh install. If you have already updated through Windows update after the scan you would need to go to Windows Update again to update the system files it replaced that were either found missing or corrupt. I know of no time where sfc /scannow replaced a good file with a bad one. See this page. I am not familiar with AutoPatcher and if it changes any System Files other than ones approved by Microsoft. Personally, if the computer is running fine other than CryptoPrevent updating, I would remove it and use HitmanProAlert. This is paid software but you can see from this page what it can do. 

I am running an old XP computer dual booting with Ubuntu. If you browse in a User Account with a browser with Firefox using Noscript and Adblocker that would go a long way to preventing an infection along with not opening attachments in emails unless verified from the person sending it.

Personally, I would recommend you stop using it and go to a linux distro like Mint or Ubuntu. You would need a min of 1GB for either of these distros.

I've been away for a while, but I'm thinking I might just ignore this issue.

I have a good SP3 install disk, but I don't want to do a fresh install.

I can't run windows update - both b/c XP is EOL except for critical updates and b/c my copy can't pass genuine validation.

Autopatcher is essentially all the windows update files in one release that you can install from CD rather than having to download individually from Windows update.

I use Firefox with NoScript and AdBlockPlus but there are still a lot of Catch-22's there, b/c some pages won't work correctly without the scripts enabled, so you either think the page doesn't work properly when it really should, or you enable the scripts to see if the page works and then you find out the script was malicious ...