Author Topic: Cannot update, package broken  (Read 12787 times)

0 Members and 1 Guest are viewing this topic.

Offline guysmiley

  • Jr. Member
  • **
  • Posts: 24
Cannot update, package broken
« on: April 03, 2009, 11:16:15 AM »
I'm unable to update my avast, it says package broken.

I have a virus right now, I don't know what it's called or what files are infected, I just know I have one since yesterday, because my firefox crashes all the time, and I get random redirects to spam websites, and I can't update any of my anti-malware software. Kaspersky online scanner and Trend Micro Housecall neither found nor fixed it, and all my scanners on my PC (which won't update) didn't find it either, including Avast.

Besides fixing the auto-update problem, are there any other things I could do to find and eliminate this virus?

Here is the log:

Quote
03.04.2009 05:04:27 general: Started: 03.04.2009, 05:04:27
03.04.2009 05:04:27 general: Running setup_av_pro-537 (1335)
03.04.2009 05:04:27 system: Operating system: WindowsXP ver 5.1, build 2600, sp 3.0 [Service Pack 3]
03.04.2009 05:04:27 system: Memory: 49% load. Phys:1053888/2096672K free, Page:2477404/3515976K free, Virt:2069356/2097024K free
03.04.2009 05:04:27 system: Computer WinName: blah
03.04.2009 05:04:27 system: Windows Net User: blah\blah
03.04.2009 05:04:27 general: Cmdline: /downloadpkgs /noreboot /silent /progress 
03.04.2009 05:04:27 general: DldSrc set to inet
03.04.2009 05:04:27 general: Operation set to INST_OP_UPDATE_GET_PACKAGES
03.04.2009 05:04:27 general: Old version: 537 (1335)
03.04.2009 05:04:27 registry: Deleted registry: Software\Alwil Software\Avast\4.0\UpdateReady
03.04.2009 05:04:27 system: Using temp: C:\DOCUME~1\blah\LOCALS~1\Temp\_av_proI.tm~a04868 (8954M free)
03.04.2009 05:04:27 general: SGW32P::CheckIfInstalled set m_bAlreadyInstalled to 1
03.04.2009 05:04:27 internet: SYNCER: Agent=Syncer/4.80 (av_pro-1335;p)
03.04.2009 05:04:27 system: Computer DnsName: blah
03.04.2009 05:04:27 system: Computer Ip Addr: 192.168.2.101
03.04.2009 05:04:27 system: Installed in: C:\Program Files\Alwil Software\Avast4 (8954M free)
03.04.2009 05:04:27 internet: SYNCER: Type: use IE settings
03.04.2009 05:04:27 internet: SYNCER: Auth: another authentication, use WinInet
03.04.2009 05:04:27 package: Part prg_av_pro-537 is installed
03.04.2009 05:04:27 package: Part vps-9033100 is installed
03.04.2009 05:04:27 package: Part news-4f is installed
03.04.2009 05:04:27 package: Part setup_av_pro-537 is installed
03.04.2009 05:04:27 package: Part jrog-ec is installed
03.04.2009 05:04:27 general: Old version: 537 (1335)
03.04.2009 05:04:27 file: SetExistingFilesBitmap: 1055->155->155
03.04.2009 05:04:27 general: GUID: (if you need to see this guid let me know, cuz i'm editing it out)
03.04.2009 05:04:29 general: Server definition(s) loaded for 'main': 235 (maintenance:0)
03.04.2009 05:04:29 general: SelectCurrent: selected server 'Download727 AVAST Server' from 'main'
03.04.2009 05:04:29 internet: SYNCER: Type: use IE settings
03.04.2009 05:04:29 internet: SYNCER: Auth: another authentication, use WinInet
03.04.2009 05:04:29 general: Entered SetupProcessPro::Do( INST_OP_UPDATE_GET_PACKAGES )
03.04.2009 05:04:29 general: Entered SetupProcessWin32Avast::Do( INST_OP_UPDATE_GET_PACKAGES )
03.04.2009 05:04:29 general: Entered SetupProcessWin32::Do( INST_OP_UPDATE_GET_PACKAGES )
03.04.2009 05:04:29 general: Entered SetupProcess::Do( INST_OP_UPDATE_GET_PACKAGES )
03.04.2009 05:04:29 general: progress thread start
03.04.2009 05:04:29 internet: SYNCER: Agent=Syncer/4.80 (av_pro-1335;f)
03.04.2009 05:04:49 internet: Used server: http://75.126.120.203/iavs4x
03.04.2009 05:05:04 internet: Used server: http://75.126.120.203/iavs4x
03.04.2009 05:05:04 file: GetFileWithRetry: servers.def.vpu downloaded .
03.04.2009 05:05:04 file: GetNewerStampedFile:DSA_FileVerify(C:\DOCUME~1\blah\LOCALS~1\Temp\_av_proI.tm~a04868\onefile), error: 0x2000000B
03.04.2009 05:05:04 package: Download servers.def, servers.def.vpu failed with error 0x20000011.
03.04.2009 05:05:19 internet: Used server: http://75.126.120.203/iavs4x
03.04.2009 05:05:35 internet: Used server: http://75.126.120.203/iavs4x
03.04.2009 05:05:35 file: GetFileWithRetry: servers.def downloaded .
03.04.2009 05:05:35 file: GetNewerStampedFile:DSA_FileVerify(C:\DOCUME~1\blah\LOCALS~1\Temp\_av_proI.tm~a04868\onefile), error: 0x2000000B
03.04.2009 05:05:35 package: Tried to download servers.def but failed with error 0x20000011.
03.04.2009 05:05:35 package: LoadAllDefs failed 0x20000011
03.04.2009 05:05:35 package: FilterOutExistingFiles: 155 & 155 = 0
03.04.2009 05:05:35 package: FilterOutExistingFiles: 155 & 155 = 0
03.04.2009 05:05:35 general: m_bOperationDidSomething 155/155/0
03.04.2009 05:05:35 general: Err:The package is broken

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Cannot update, package broken
« Reply #1 on: April 03, 2009, 12:40:17 PM »
Hi, guysmiley and welcome to the forum.
If you don't have MBAM http://www.malwarebytes.org/mbam.php try downloading ,installing, updating, and scanning with that. Other good demand scanners include Dr Web's Cureit, and Superantispyware.
I can't work out the malware basd on your update log, nor know if this is possible.
Some malware can and does disable Avast, including a Bagle variant (rootkit.)
http://andymanchesta.com/ This site has a good selection of up to date scanners/tools. Have a look at the antrirootkit section. Try one. TM Root Kit buster is easy to use, as are GMER and Rootalyser. (gmer is used in Avast, the technology is good, it will scan-when the package isn't broken- 8 minutes after start. I believe Rootalyser is provided by the good folk at Spybot.
Windows 10,Windows Firewall,Firefox w/Adblock.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: Cannot update, package broken
« Reply #2 on: April 03, 2009, 03:06:12 PM »
Please check if the file C:\Program Files\Alwil Software\Avast4\Setup\servers.def is displayed correctly, it should contain [servers] on the first line.

You can try and download the servers.def file, http://files.avast.com/iavs4x/servers.def and replace the one in the avast setup folder, disabling the avast self-defense module first.

How do you connect to internet, is it ADSL? And do you have other computers with working avast updates using the same connection?

Try to open avast settings - Update (Connections), press Proxy button, and select Direct connection, press OK to confirm. Then try to start iAVS update manually again.
The best things in life are free.

Offline guysmiley

  • Jr. Member
  • **
  • Posts: 24
Re: Cannot update, package broken
« Reply #3 on: April 03, 2009, 10:14:19 PM »
@Tarq57,

I have MBAM, it did not find any virus. However I cannot update MBAM, because the virus crashes MBAM when I try to do an update. Would there be any purpose in uninstalling MBAM and downloading and installing a fresh copy? (assuming the virus would let me...)

I have SuperAntiSpyware (SAS), and it did not find any virus. Also, I cannot update SAS because the virus stops it and makes it give the error message: "There was an error trying to retrieve definitions. Make sure your firewall is not blocking SUPERANTISPYWARE.EXE from accessing the Internet". The only software firewall I have is windows firewall, so I went in there and couldn't find SAS listed, so I manually added SUPERANTISPYWARE.EXE and SSUpdate.exe to allow them to access the internet. Then I tried to update again and got the same error. (I suspect SAS never needed to be in that list, since I was updating it find before this virus, and I'm assuming it was never in the firewall list...)

I will try Dr Web's Cureit, and some of those anti-rootkits you mentioned. Update: Actually I might not need to since my Avast updated now (see below)


@Tech,

My servers.def does display [servers] on the first line and then has a bunch of servers listed at avast.com. So I assume this file is fine.

I connect to the internet with cable. None of the other computers on my network run avast.

I tried your idea to change the Update (Connections) setting and switched it to Direct connection (no proxy) And now I am able to update!!!

Why oh why would Avast's default behaviour be to use "Auto detect (use Internet Explorer settings)"  Internet Explorer?! That's like letting a convict babysit your kids. So, am I to understand that a virus corrupted IE's settings (which let's face it, is not hard to do considering how lousy IE is) and then Avast uses those settings? Maybe I'm just not understanding what the setting means, and maybe it doesn't mean that, but if it does I'm fairly horrified :|

As soon as I updated I got a warning that I have Win32-KillAV-KS [trj]

So now time for me to see about removing this thing. Thanks very much for the help guys!


(By the way, another symptom of the virus is that it crashes Winamp)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: Cannot update, package broken
« Reply #4 on: April 04, 2009, 05:24:44 PM »
I tried your idea to change the Update (Connections) setting and switched it to Direct connection (no proxy) And now I am able to update!!!
Are you using Internet Explorer 8?
Did you update recently?
The best things in life are free.

Offline guysmiley

  • Jr. Member
  • **
  • Posts: 24
Re: Cannot update, package broken
« Reply #5 on: April 04, 2009, 09:23:23 PM »
No, 7. I didn't update (yet).

Now that I was able to update avast, it found 2 infected files:
Win32:KillAV-KS [trj]
C:\WINDOWS\rribl.vcb
and
Win32:Daonol-L [Drp]
C:\WINDOWS\system32\setup_u.exe\[UPX]

After rebooting (avast probably did that thing where it deletes them when you reboot) those files are gone now and I'm able to update all my other anti-badware programs. So my computer appears to be clean now (but we'll see after I do a dozen scans with a dozen programs haha)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: Cannot update, package broken
« Reply #6 on: April 04, 2009, 11:00:29 PM »
Thanks for posting back.
Seems that malware is direct trying to disable and block avast... They know that we (avast) exist  ;D
The best things in life are free.