I had been using AVG for some time, but I have been moving over to Avast! for several reasons. AVG isn’t horrible. It’s just that I think Avast! is currently doing a better job. All of this aside I want to report a problem that came up recently in case this is useful to anyone still using AVG.
I was helping a user with a Vista machine which was running AVG for viral protection. The user was not able to download or save files. That’s not exactly true. If I saved a Web page, the main file would not save though the folder with the associated images, js files, and so forth would be saved. But the usual method of downloading an installer and saving that file to the desktop was a complete no-go.
Both Opera and Internet Explorer were able to save files as expected. And yet Firefox failed silently.
In short, Firefox behaved as though it was downloading the file correctly. But then the file wasn’t getting to the save location.
I disabled all plugins; I removed all toolbars; and I followed some interesting Mozilla hacks (here and here). All to no avail.
Since Firefox acted as though it was performing the download and save correctly I thought it must be either the firewall or the virus protection. Kill each and see which succeeds.
Needless to say, I found myself wanting to remove AVG. So I gutted AVG using Revo Uninstaller and all was well.
I loaded Avast! onto his machine and now he’s as happy as a monk in October.
I was working to root out some nasties on a laptop and I ran into a rather persistent little bugger. Even though I had removed everything suspicious I could locate using Revo Uninstaller (another of my favorites), I was not able to run updates or download any spyware or virus protection because calls to those URLs were being redirected to localhost (127.0.0.1). The redirect in the browser would then, of course, take me to some site where I was told of the dozens of problems with my computer and how I should download their software.
I was able to download both of these applications from another machine, but the redirect simply made it impossible for Spybot and AVG to gather their updates from their respective servers. I was even able to download an installer which was Spybot’s update; however, neither of these applications would actually show their GUIs (they appeared in the Task Manager but neither made an appearance on-screen).
After a bit of searching I found an article which talked about an application called ComboFix. Turns out it’s a great little utility.
Just to recap: I wasn’t able to run any viral/spyware updates or visit any site (like avg.com or safer-networking.org) because of the re-route to localhost (127.0.0.1); the machine was seriously hijacked; and I couldn’t find anything that would be doing it.
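One place a redirect like that can live is the Windows hosts file, so a quick check worth running on a machine that behaves this way is to parse it and flag security-vendor domains pinned to loopback. The script below is an added example, not from the original post; it assumes the redirect was implemented through the hosts file (the post does not say how it was done), and the hosts content, the watched domain list and the path comment are constructed.

```python
# Added example (not from the original post): parse a Windows-style hosts
# file and flag entries that pin security-vendor update domains to loopback.
# Assumption: the redirect was done through the hosts file; the post does not
# say how it was implemented. Sample content and domain list are constructed.
# On a real machine the file is usually C:\Windows\System32\drivers\etc\hosts.
import ipaddress

# Domains the post names plus one common update host (constructed list).
WATCHED_DOMAINS = {"avg.com", "safer-networking.org", "windowsupdate.com"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.avg.com
127.0.0.1  free.avg.com   # added by malware (constructed)
0.0.0.0    download.windowsupdate.com
127.0.0.1  safer-networking.org
192.0.2.10 intranet.example   # harmless, unrelated
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, dropping comments, blank and malformed lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:          # one IP may carry several hostnames
            yield parts[0], name.lower()

def is_sinkhole(ip):
    """True if the address is loopback or unspecified (0.0.0.0 / ::), i.e. a black hole."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def is_watched(hostname):
    """Match the domain itself or any subdomain of it."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)

def find_hijacks(text):
    """Return sorted (ip, hostname) entries that point a watched domain at a sinkhole."""
    return sorted((ip, host) for ip, host in parse_hosts(text)
                  if is_watched(host) and is_sinkhole(ip))

if __name__ == "__main__":
    for ip, host in find_hijacks(SAMPLE_HOSTS):
        print(f"suspicious: {host} -> {ip}")
```

The unrelated 192.0.2.10 entry and the legitimate localhost lines are not reported; only the four watched domains mapped to a black hole are.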
This utility does a pretty brutal scan, reboots the machine automatically, and starts itself up before anything else—and keeps doing that until it’s found nothing at all. It found a rootkit problem and rebooted maybe 3 times before it gave its final report. Only then was I able to run Spybot and AVG, run their updates, and run their respective scans.
You’ll want to pay special attention to the section where the article discusses the recovery console (XP) and recovery environment (Vista), but the whole thing worked great. (I used the XP SP2 recovery console because I could not find one for SP3.)