ALL browser downloads report as viruses

[NYJimbo]

Machine comes in running Vista 32 sp2, MSSE, but its very slow, so disabled MSSE to get started. TDSSkiller found zero access, then went on with other tools and found some smaller old virus files, java junk etc. All the usual stuff, got machine control quickly and then went for normal cleaning.

Did full scans mbam, combofix, GMER, hitman pro, all other cleanups, windows updates, roguekiller, adwcleaner, JRT, autoruns, all CCleaner related stuff including sched tasks, startups, IE stuff, Reset IE, killed all addons, sfc, chkdsk, etc, etc. Looked ok. Then I tried to download something directly through IE9 and it comes back as file is infected and was deleted. Tried in firefox and chrome, same thing. Tried different downloads via web based download functions and all the same either in normal http or ftp protocol. Each time download completes but then browser reports back that the file was infected and deleted.

Removed MSSE and reinstalled, no good. Removed all MSSE stuff via manual instructions, ran Norton, avg, mcaffee, avast uninstallers just in case as some have wrappers for this stuff, reset winsock, fixed and reset all internet related things ip, firewall, defender, tried all possible MS FIXIT functions from the portable fixit tool, etc. Also uninstalled java, flash, shockwave just in case. Still no good. Ran bootable MSSE full, TDSS rescue 10, found nothing but still d/l's come back "infected".

Found a few dozen "fixes" blaming everything from bad windows installs to junkware but nothing fixed it. Tried all kinds of registry checks and registering all known dll's that might be related.

Windows update works fine, ANY program with its own downloader will work, including all D7 apps and standalone FTP program, but if it uses a browser to download it will download and then fail as infected. EVERYTHING else seems to be fine including searches, music playing, java, flash, (java/flash worked fine before uninstall but did it anyway to be safe) etc. This happens in normal or safe mode in any browser.

I see nothing in installed programs that look like they are related to any kind of browser/download/helper/crapware and nothing in programs from clicking "start-> all programs" or on the desktop or a quick scroll through folder names.

I can't figure out what I am missing, has anyone been through this before ?

 

[Xander]

Second thread on this today....
http://www.foolishtech.com/viewtopic.php?f=16&t=284

 

[ComputerRepairTech]

saw it here: http://www.technibble.com/forums/showthread.php?t=46967

same offer to you, i'll help you fix that for free im dying to get my hands on that issue. I will be home after 6pm est today.

 

[NYJimbo]

saw it here: http://www.technibble.com/forums/showthread.php?t=46967

same offer to you, i'll help you fix that for free im dying to get my hands on that issue. I will be home after 6pm est today.

I don't want someone else to fix it, I want to figure this out myself but I've pretty much exhausted everything that I can afford to do today because I am swamped with machines that I can actually make money off of.

 

[ComputerRepairTech]

I don't want someone else to fix it, I want to figure this out myself but I've pretty much exhausted everything that I can afford to do today because I am swamped with machines that I can actually make money off of.

if you fix it let us know how, if you can't let me give it a shot before you do something like reinstall.

 

[NYJimbo]

if you fix it let us know how, if you can't let me give it a shot before you do something like reinstall.

Oh, I will keep everyone informed. It could be obvious and I just don't see it OR it could be something broken by a virus and this is kind of a "fall through" failure so it wont be obvious the broken thing is related. I got a bunch of FBI machines here to clean so I don't want to stare at this one all day so I am just walking over to it when I get an idea.

I don't want to do a reinstall because I rarely do one and this seems like its something in a narrow area that must have a fix (I think).

 

[Xander]

Is this browser-dependent? One thread was Firefox-based... new profile?

Two of the threads I've seen have involved AVG having been on the system. AVGremover? (Whoops, missed that in the OP)

 

[NYJimbo]

I noted above I ran Norton, avg, mcaffee, avast uninstallers.

After all the cleanups I tried to make a new admin-level account and it had the same problem in any browser. Everything else about that account works perfectly. No hijacks or redirects or slowness or anything weird found in task manager.

On IE the download will come in but then show up as a virus warning and gets deleted and on Firefox it looks like you downloaded it but you cannot click on the downloaded files and going to the folder via windows explorer you cannot find the file.

 

[Galdorf]

Give malwarebytes anti-rootkit a try it finds thing others don't.

 

[NYJimbo]

Give malwarebytes anti-rootkit a try it finds thing others don't.

Yes, I did mbam and mbar, I always do them during a virus clean. I really got a feeling that something might be broken but nothing is leaving a paper trail.

EDIT: What I mean is that after I tried pretty much everything I went in and cleared out all the logs, logged off, went back in and then ran IE, firefox and Chrome to try downloads and then went into event viewer looking for any clue. Nothing. This is vista so you got a lot more logs than xp so I even went through all the Microsoft logs but nothing shows for the time I did my tests and nothing else shows for any browser/download/protocol/security issue.

 

[mr m]

I just did some Googling and the general consensus is AVG is the culprit but I see you already ran the AVG uninstaller.

Some claim that deleting the AVG folder left behind in Program Files after the uninstaller did its thing resolved the issue.

A few geniuses edited the registry to turn off the scan function during downloading!

 

[AndyM]

I haven't come across this yet, but by the sounds of it, I think it will only be a matter of time.

Have you tried logging everything using Sysinternals Process Monitor? Its the only thing that I can think of that will log absolutely everything as it is running, which you can then filter and search on.

Andy

 

[NYJimbo]

A few geniuses edited the registry to turn off the scan function during downloading!

LOL, yeah anything to get it back online. Well, the customer doesn't care when I get it back to him so I am going to leave it on the bench until 9:30am Monday morning and just run anything I can think of an I will post it here.

ANYONE who comes up with an idea (well, a reasonable idea) throw it at me and I will try it and let you know what I get. This problem might happen to others and it would be nice to pin it down so we all don't go nuts when it come to you.

 

[NYJimbo]

Have you tried logging everything using Sysinternals Process Monitor? Its the only thing that I can think of that will log absolutely everything as it is running, which you can then filter and search on.

Andy

That's the one thing I haven't had time to sit down and try on this job. I fired it up and played with it for a few minutes and didn't see anything that caught my eye but its a tool you have to fiddle with for a while and I have too many machines here today.

If someone doesn't come up with the fix I will find time this weekend to dig deeper but I cant do that today.

 

[Bubbajoe]

If you have multiple AVG folders (e.g. AVG9, AVG10, AVG11), you need to manually kill the non-applicable ones (in your case, all of them). The AVG cleanup tool won't help.

 

[numnutz]

I was never able to go back and resolve the issue on the pc that had the issue but I have tried everything every one else has. The one thing I noticed on my pc was windows defender seems to be damaged can't run it can't reinstall it. My user was ok with optional browser if ever needed to download from the Internet which for my client hardly never as long as outlook works. Good luck!

 

[NYJimbo]

If you have multiple AVG folders (e.g. AVG9, AVG10, AVG11), you need to manually kill the non-applicable ones (in your case, all of them). The AVG cleanup tool won't help.

None exist. Nothing even remotely AVG.

 

[FremontPC]

Jimbo, uninstall MSE again and then disable Windows Defender startup and in Services.

How long has the PC had this issue? Did the System Restore files get cleared out? If the above doesn't help, see if SR will get it working just as a test.

Any mystery partitions listed if you boot from a linux disk?

It may just be a damaged Windows Defender installation, but maybe look at any recent MS "Malicious Software Removal Tool" installs.

 

[NYJimbo]

Jimbo, uninstall MSE again and then disable Windows Defender startup and in Services.

How long has the PC had this issue? Did the System Restore files get cleared out? If the above doesn't help, see if SR will get it working just as a test.

Any mystery partitions listed if you boot from a linux disk?

It may just be a damaged Windows Defender installation, but maybe look at any recent MS "Malicious Software Removal Tool" installs.

I left MSSE uninstalled after playing with it throughout that morning so it would not add anything to the issue. Playing with Defender did not show any difference. There was only 2 SR's and they were in the past few days and the customer claimed he was infected/slow for a week so I didn't bother with them and cleared them out during the virus clean process.

Nothing odd using boot disks, normal partitions and expected sizes.

I really don't think there is any live virus doing this, like you said it could be a corrupt defender but its not dead, just "broken" in some way. I am going to google the heck out of defender issues and see what I can come up with.

 

[ComputerRepairTech]

ill be here all day...just throwing that out there.

You said it happens in google chrome? Is your google chrome up to date?