Help this man scan, if you can
December 15, 2008 5:33 AM   Subscribe

Anti-virus and anti-malware scanners mysteriously unable to update -- how to tell if I have a virus, and what to do about it?

This week I started getting annoying, malware-style popups on my PC (32-bit Vista). A full scan came up with nothing beyond a few of the usual tracking cookies, so I tried updating definitions to give it another go... but both Windows Defender and Symantec AntiVirus were strangely unable to do so, despite the fact that my internet connection is apparently working fine in all other respects. Symantec's manual definitions download also fails inexplicably, and I installed the free version of AVG Anti-Virus only to find that it, too, has proven unable to update itself.

This may be jumping to conclusions, but I suspect that my PC is infected with something smart enough to protect itself by preventing popular anti-virus software from updating.

How can I confirm this? What should I do about it? For example, can you recommend any lesser-known but safe and reliable anti-virus scanners to which this malware is not immune? I can't afford to throw money away on Norton or some other popular anti-virus software if the same thing is going to happen.
posted by onshi to Computers & Internet (22 answers total)
 
Have you tried updating definitions while in Safe Mode?
posted by Memo at 5:42 AM on December 15, 2008


Also, check if your HOSTS file ( %SystemRoot%\system32\drivers\etc\hosts ) is unchanged by opening it in notepad.

It should look like this:
# copyright (c) 1993-1999 microsoft corp.
#
# this is a sample hosts file used by microsoft tcp/ip for windows.
#
# this file contains the mappings of ip addresses to host names. each
# entry should be kept on an individual line. the ip address should
# be placed in the first column followed by the corresponding host name.
# the ip address and the host name should be separated by at least one
# space.
#
# additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# for example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
posted by Memo at 6:01 AM on December 15, 2008
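
The check Memo describes, done by script rather than by eye. This is an added example, not code from the thread: it parses the hosts file, reports every mapping that is not plain localhost to loopback, and flags names that look like AV or update servers, because mapping those to 127.0.0.1 is the usual way a hosts hijack stops updaters while leaving ordinary browsing intact. Assumptions: it is run from an elevated PowerShell on the suspect machine, and the vendor name fragments are illustrative, not a complete list.

```powershell
# Added example (not from the thread): audit the Windows hosts file for the
# kind of hijack that silently breaks AV updates. A stock file maps only
# "localhost" to 127.0.0.1 (and ::1 on Vista); anything else deserves a look.
# Assumptions: elevated PowerShell; the vendor fragments are illustrative.

function Get-HostsEntries {
    param([string]$Path)
    # Yield one object per (IP, name) pair; ignore blank lines and '#' comments.
    foreach ($raw in (Get-Content -Path $Path -ErrorAction Stop)) {
        $line = ($raw -split '#', 2)[0].Trim()
        if ($line -eq '') { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }        # malformed line, maps nothing
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object -TypeName PSObject -Property @{
                IP   = $fields[0]
                Name = $name.ToLowerInvariant()
            }
        }
    }
}

function Test-HostsFile {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'),
        # Illustrative fragments (assumption): vendors named in the thread.
        [string[]]$VendorFragments = @('symantec', 'norton', 'liveupdate',
                                       'microsoft', 'windowsupdate', 'avg',
                                       'grisoft', 'trendmicro', 'kaspersky',
                                       'malwarebytes', 'mcafee', 'safer-networking')
    )
    $loopback = @('127.0.0.1', '::1')
    foreach ($e in Get-HostsEntries -Path $Path) {
        # The only entries a clean file has: localhost -> loopback.
        if ($e.Name -eq 'localhost' -and $loopback -contains $e.IP) { continue }

        $vendorHit = @($VendorFragments | Where-Object { $e.Name -like "*$_*" }).Count -gt 0
        $reason = if ($vendorHit)                    { 'AV/update host overridden' }
                  elseif ($loopback -contains $e.IP) { 'name sinkholed to loopback' }
                  else                               { 'name pinned to a fixed address' }
        New-Object -TypeName PSObject -Property @{
            IP = $e.IP; Name = $e.Name; Reason = $reason
        }
    }
}

$hostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
$findings  = @(Test-HostsFile -Path $hostsPath)
if ($findings.Count -gt 0) {
    "Suspicious entries in $($hostsPath):"
    $findings | Format-Table IP, Name, Reason -AutoSize
} else {
    'hosts file maps only localhost to loopback.'
}

# A hidden/read-only hosts file, or one modified the day the updates stopped,
# is itself a red flag on a machine that cannot update.
Get-Item -Path $hostsPath -Force | Select-Object FullName, Attributes, LastWriteTime
```

Two caveats for anyone following this on Vista. The file lives under %SystemRoot%\system32 and is writable only by Administrators, so Notepad has to be started elevated (right-click, Run as administrator) before it will save an edited copy; a non-elevated editor silently failing to save is UAC, not necessarily the malware. And a clean hosts file does not clear the machine: updaters can also be blocked by a Winsock LSP, a proxy setting, a firewall rule or a driver, so treat "hosts is fine" as ruling out one mechanism, not the infection.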


try in safe mode - press F8 during start-up to access.
posted by the_very_hungry_caterpillar at 6:02 AM on December 15, 2008


Try finding and running a copy of HijackThis.
posted by BrotherCaine at 6:35 AM on December 15, 2008


While not perfect, Bittorrent will let you download a free bootable cd to run an offline scan. Download, burn to cd, reboot, and scan.
posted by brian60640 at 6:45 AM on December 15, 2008


Response by poster: Unfortunately, safe mode didn't help -- still no updates. I'll check out HOSTS and HijackThis ASAP. Thanks for the suggestions!
posted by onshi at 6:47 AM on December 15, 2008


Response by poster: HOSTS file looks like this...
[all of that stuff at the start, then...]
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost
Is that last line significant? I tried commenting it out, but notepad won't let me save the edited HOSTS file.
posted by onshi at 7:01 AM on December 15, 2008


Malwarebytes has succeeded for me where spybot has failed. Under the update tab there are multiple servers, try each one of them.

Trendmicro: I like to use this when I'm unable to update local antivirus or if local antivirus has been compromised.

Last rec. is for a boot CD: Hiren's, because if I recall it's one of the few you don't need to "build". I'm not 100% sure, though; I get all my stuff through other avenues.
posted by syntheticfaith at 7:18 AM on December 15, 2008


Were you in 'safe mode with networking' rather than just safe mode when you tried updating?

It's possible that one of the AV programs you are using is protecting the hosts file. AFAIR, spybot does that, depending on your settings.
posted by mandal at 7:37 AM on December 15, 2008


Response by poster: @ syntheticfaith: thanks for reminding me about HouseCall. Sadly, it's throwing errors at me, too... "An error occurred while trying to transfer data from the Internet! Do you want Trend Micro HouseCall to try resending the required files?"
posted by onshi at 7:40 AM on December 15, 2008


Response by poster: @ mandal: Yes, I was in safe mode with networking. I will try to use HijackThis to fix the HOSTS file in a moment.
posted by onshi at 7:43 AM on December 15, 2008


Oh, BTW, in answer to your original question, you can grab a 30-day free trial of Kaspersky here, 15-day Norton trials here, and McAfee 30-day free trials here.

McAfee online scan | Kaspersky online scan

I doubt either remove anything though.
posted by mandal at 7:54 AM on December 15, 2008


Trinity Rescue Kit is a bootable CD which includes some virus scanners.

::1 localhost
Is that last line significant?

Apparently that's OK, something to do with IPv6.
posted by DarkForest at 7:56 AM on December 15, 2008


I also once managed to install SuperAntiSpyware on a machine when I could install precious little else.
posted by mandal at 7:57 AM on December 15, 2008


Response by poster: Wow, this is fun. Kaspersky's online scanner won't run, either, saying that it "Failed to connect to update source". Whatever I have really does seem to be preventing pretty much everything from updating. I was able to manually download Windows Defender's updates on another computer and get it onto my Vista machine by sneakernet, and am now trying the same thing with Symantec.
posted by onshi at 8:16 AM on December 15, 2008


Another vote for Malwarebytes' Anti-Malware. I'm frequently in situations where the updater won't connect (behind a firewall), but they update the install executable frequently enough (with updated definitions) that the base install will detect/remove most infections.

From your description, I'm going to guess that the virus you have is a variant of the Antivirus 2009 one. The above program does wonders removing it.
posted by waxlight at 8:26 AM on December 15, 2008


This. Go to a clean machine (work, friends, library) and get everything, put it on a jump drive, and bring it back to your machine.
posted by deezil at 8:50 AM on December 15, 2008


WinWeb?

A friend of mine encountered this, he posted the following to a forum we both visit:

---------------------------------------------------
Winweb Security 2008 manual removal:
Kill processes:
WinwebSecurity.exe

Delete registry values:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "WinwebSecurity"
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\Browser Helper Objects\{D5DF7C9D-6069-4552-8B0C-D02A912FC889}

Delete files:
c:\Documents and Settings\All Users\Application Data\WinwebSecurity\config.udb
c:\Documents and Settings\All Users\Application Data\WinwebSecurity\init.udb
c:\Documents and Settings\All Users\Application Data\WinwebSecurity\WinwebSecurity.exe
c:\Documents and Settings\All Users\Application Data\WinwebSecurity\Languages\English.lng

Delete directories:
C:\Documents and Settings\All Users\Application Data\WinwebSecurity
posted by Nice Guy Mike at 9:07 AM on December 15, 2008
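
The manual steps above, written as a PowerShell script so each one is guarded and can be rehearsed before anything is deleted. This is an added example, not the forum post's or any vendor's removal tool: it stops the process, removes the Run value and the BHO key, removes the program directory (which covers the four files listed), and then reports what, if anything, is still present. Assumptions: it is run elevated; the directory is resolved through the common Application Data folder so the same path logic works for the XP-style paths in the post and for C:\ProgramData on Vista; the script file name in the usage note is hypothetical.

```powershell
# Added example (not from the thread): the Winweb Security 2008 manual removal
# steps above as a script. Only the items the post lists are touched.
# Assumptions: elevated PowerShell; run with -WhatIf first to see what it
# would do. -WhatIf is honoured by every cmdlet below via SupportsShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$name     = 'WinwebSecurity'
$bhoClsid = '{D5DF7C9D-6069-4552-8B0C-D02A912FC889}'
# "All Users\Application Data" on XP, "C:\ProgramData" on Vista.
$appData  = [Environment]::GetFolderPath('CommonApplicationData')
$dir      = Join-Path $appData $name
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$bhoKey   = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"

# 1. Kill the process first so its files are not locked when we delete them.
foreach ($p in @(Get-Process -Name $name -ErrorAction SilentlyContinue)) {
    Stop-Process -Id $p.Id -Force
}

# 2. Registry: the Run value that relaunches it at logon, and the BHO that
#    loads it into Internet Explorer.
if (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path $runKey -Name $name
}
if (Test-Path -Path $bhoKey) {
    Remove-Item -Path $bhoKey -Recurse
}

# 3. Files: the directory holds config.udb, init.udb, WinwebSecurity.exe and
#    Languages\English.lng, so one recursive delete covers the whole list.
if (Test-Path -Path $dir) {
    Remove-Item -Path $dir -Recurse -Force
}

# 4. Verify. Anything still true here means a step failed or something
#    restored it, which is the cue to stop and scan from boot media instead.
New-Object -TypeName PSObject -Property @{
    ProcessRunning = [bool](Get-Process -Name $name -ErrorAction SilentlyContinue)
    RunValueExists = [bool](Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue)
    BhoKeyExists   = Test-Path -Path $bhoKey
    DirExists      = Test-Path -Path $dir
}
```

Usage: save as, say, Remove-WinwebSecurity.ps1 (hypothetical name), then `.\Remove-WinwebSecurity.ps1 -WhatIf` to see the planned actions and run it again without the switch to apply them. Each step checks that its target exists, so on a machine where the value names or paths differ from the post nothing is removed and the final report shows what is still present. Note that these steps only remove the named program; they do not on their own explain or repair blocked updates, and a process that comes back after Stop-Process is being restarted by something this list does not cover.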


Response by poster: True to today's theme, Malwarebytes Anti-Malware also couldn't update itself. It's running now.

FWIW, AVG (after a manual definitions download using another computer) just detected "amfamous.dll Win32/Cryptor" messing with firefox.exe.
posted by onshi at 10:24 AM on December 15, 2008


Ugh. just realized I typed bittorrent when I meant BitDefender. I mean, you could get BitDefender via bittorrent...
posted by brian60640 at 10:40 AM on December 15, 2008


Response by poster: Cured! Spybot Search & Destroy FTW!
posted by onshi at 4:52 PM on December 15, 2008


Glad to hear it onshi. Remember to clear all of the potentially clashing AV programs you may have installed.
posted by mandal at 2:45 AM on December 16, 2008

