vic45708 asked:
Cannot Install an Anti-Virus

I have a computer that will not allow me to install an Anti-Virus program. The Security Center reports that an AV program is installed and I cannot find a way to remove it. This machine was infected and cleaned. Neither MalwareBytes nor Dr.Web CureIt finds anything.

I have attached part of a DDS scan if it will help.

Thanks in Advance

DDS (Ver_09-11-24.02) - NTFSx86
Run by Preschool at 6:16:30.69 on Sat 11/28/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.217 [GMT -6:00]

AV: Enterprise Suite *On-access scanning enabled* (Updated) {1ED39ED7-08A3-4E29-8DAC-5D10956F61A3}
FW: Enterprise Suite *enabled* {FF6B533C-4F16-43D9-BBC2-927BCFFAC6CA}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Preschool\Desktop\dds.scr
tester1234567891

Try Trinity Rescue Kit; it's a free boot CD that scans for viruses.
vic45708 (ASKER)
The drive scans clean in the machine and out of the machine.
Can you give us an msconfig listing of the startup tab, please?  What AV product does the system say is installed?

Until the system thinks it is clean of AV products, you probably won't get past this.
Is there an easy way to post this without having to retype?
I honestly don't know if there's an easy way to do that.  Try a printscreen and paste to a Word doc.  Post that.
Here is the startup, and I included a report from DDS ... it may help.
startup.doc
DDS zip file
DDS.zip
Forgot ... the system claims to have "Enterprise Suite"  
You have a virus/trojan infection alternately called Internet Security 2010.  If you can Google it ("Internet Security 2010 removal"), you will find solutions for removing it.  I would give you more instruction, but I am working off my phone right now.
I've tried most of the different solutions ... no luck.  Could use some new solutions if available.  Malwarebytes runs clean.  DrWeb CureIt runs clean in safe mode.

I would like to know where the "Windows Security Center" receives the data that an AV program is running.  If you open the DDS file you will note that the software shows both an AV and FW.  When I ran ComboFix, it also saw an AV program in use, thus giving me a warning.

I know there has to be a registry or internal OS switch that will lead back to the program that is running, I just do not know it.
SOLUTION by optoma
[Solution text is only available to Experts Exchange members.]
AutoRuns and process
AutoRuns.txt
process.doc
Nothing unusual in process.

Could you rerun Autoruns and save as type AutoRuns Data (*.arn)?

Once it's saved (it should be a few megs), rename it after. It can be imported back into Autoruns.
Cheers :)
this is the arn ... you need to rename

vic
AutoRuns.txt
The only anti-malware program listed is SUPERAntiSpyware, but some nasties can hide!
What's the error message when you try to install the anti-virus?

Try rerunning Malwarebytes and pull down the latest updates before scanning
Below link is removal guide for rogue enterprise program
http://www.bleepingcomputer.com/virus-removal/remove-windows-enterprise-suite
The error is that I already have an AV program installed.  The DDS report (a type of HJT log) on my first post reflects the same [look at it to refresh your memory, the full report was uploaded a few posts in].  I have used the latest updates for both Malwarebytes and SuperAntiSpyware.

One thing ... I cannot run RootRepeal ... I get a "low on memory error" after a few minutes.  I have had this happen in the past and have ended up erasing the drive and starting over.  I have time on this one to play and learn.

Registry is clean and so are all the files listed.  Not many of these stump me, so I posted here.  Always ready to learn something new.

As always, Thanks!
vic
Could you attach the Combofix logfile.
ComboFix 112809
ComboFix.txt
Download ATF Cleaner to clear temp files: http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25

Boot the machine into safe mode, run ATF Cleaner and delete the AntiVirus Plus folder:
c:\documents and settings\Preschool\Local Settings\Application Data\AntiVirus Plus

Boot Windows normally, rerun the latest ComboFix and post the new logfile here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
I missed that ... the folder was empty :(
ComboFix
ComboFix.txt
You could try searching the registry for those two entries and see what they contain. If there's any reference to the rogue program, delete the internal entries.
Create a backup of them first by File > Export.
{1ED39ED7-08A3-4E29-8DAC-5D10956F61A3}
{FF6B533C-4F16-43D9-BBC2-927BCFFAC6CA}
Already did ... nothing.  I know it's there.

I forgot to send a screen shot.
combofix-message.doc
I'm not one for reading ComboFix's logfile fully, so if you can, wait for someone else to review it.

Since you have time on your hands :)

Run Process Explorer again, select View > Select Columns and add "Verified Signer".
Then hit Options and "Verify Image Signatures".

Also run Autoruns again.
Hit "Esc" to cancel scanning.
Hit Options and select "Verify Code Signatures".
Press F5 to rescan

Upload them again with those changes
Hmm,
Everything still showing up ok.
What legit anti-virus products were installed on that machine before?
Norton Client (from a server) .... not sure how old ... may be at least 5 years old.  I ran the Norton Uninstall Tool as a precaution, long before I started posting.

Thanks for the stab,

vic
SOLUTION
[Solution text is only available to Experts Exchange members.]
I installed Avast! and ran the scan.  The scan was clean, so I ran the DDS and the Enterprise Suite entry is still there.  

I looked at the clone (backup) of the drive prior to cleaning and there is an entry for ES.  I looked at the files and checked the current registry for those file names and NADA.

Any other ideas or do we leave the machine as is?  It runs fine.

The mystery continues...

Thanks!,
vic
It's a good sign that all is showing up clean, apart from that message!
Dunno what else could detect where it's coming from :(
It has shown clean since I started posting.  What is wrong is that DDS and ComboFix report an AV program called "Enterprise Suite" active.

It may be a false positive, but it does not allow me to install the AVG that the balance of our computers will be running on.

I will be returning the computer in about 18 hours.  Maybe something will come up as to what is causing the AV detection while we are trying to install AVG.

I receive 24/7 notification of EE notices, so if something comes up, I will respond.  Sunday afternoon here.

Thanks for your help,
Take Care and GOD Bless,
Victor
ASKER CERTIFIED SOLUTION by rpggamergirl
[Solution text is only available to Experts Exchange members.]
Ok ... RPG Gamer Girl

You be real bad ... is it possible for you to explain what happened?  This did the trick ... DDS is no longer reporting the AV, and I just used your pattern and added FirewallProduct and cleaned that one also.

You have assisted me in the past on these weird infections that I run into.

BTW ... I don't know if you read all of the posts ... this machine will not run RootRepeal.  Anything to worry about?

Thanks!
Victor
Hi Victor,

No I haven't read the whole thread, I'll be out and will be back sometime today.
That entry was just the product's info (reg ID etc.), as all AV/Antispyware programs write to the root\securitycenter WMI namespace.
I'll check back later.
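The point rpggamergirl makes above is the whole mechanism: Windows Security Center does not look at installed binaries, it queries the AntiVirusProduct and FirewallProduct classes in the root\SecurityCenter WMI namespace, and AV installers do the same check before refusing to install beside an "existing" product. A rogue that registered itself there leaves the entry behind after its files are deleted, which is exactly what the DDS "AV:" and "FW:" lines in the first post show. The script below is an added example written for this thread, not code posted by anyone in it or shipped by Experts Exchange. It assumes an elevated PowerShell session on the affected machine; the two GUIDs are the instanceGuid values from the DDS log in this thread and must be changed for any other machine. Windows XP uses root\SecurityCenter; Vista and later use root\SecurityCenter2, and the script picks whichever exists.

```powershell
# Added example (not from the thread): list the products Windows Security Center
# believes are installed, and optionally delete stale WMI entries by GUID.
# Run as: .\Clean-SecurityCenter.ps1            (list only, nothing is changed)
#         .\Clean-SecurityCenter.ps1 -Delete    (remove the GUIDs listed below)
param(
    [string[]]$StaleGuids = @(
        '{1ED39ED7-08A3-4E29-8DAC-5D10956F61A3}',   # "AV: Enterprise Suite" from the DDS log
        '{FF6B533C-4F16-43D9-BBC2-927BCFFAC6CA}'    # "FW: Enterprise Suite" from the DDS log
    ),
    [switch]$Delete
)

# Vista and later register products under root\SecurityCenter2; XP (this
# thread's machine) only has root\SecurityCenter. Probe for the newer one first.
$namespace = 'root\SecurityCenter'
$hasSc2 = Get-WmiObject -Namespace root -Class __NAMESPACE -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -eq 'SecurityCenter2' }
if ($hasSc2) { $namespace = 'root\SecurityCenter2' }
"Querying $namespace"

# Plain-text record of every entry before anything is touched, so a legitimate
# product can be re-registered (by reinstalling it) if the wrong GUID is deleted.
$backup = Join-Path $env:USERPROFILE 'Desktop\SecurityCenter-backup.txt'

# AntiSpywareProduct only exists in SecurityCenter2; -ErrorAction hides that on XP.
foreach ($class in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
    $products = Get-WmiObject -Namespace $namespace -Class $class -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        # The DDS "{GUID}" after each product name is this instanceGuid value.
        $stale = $StaleGuids -contains $p.instanceGuid
        $flag  = if ($stale) { '<- stale, not backed by any installed product' } else { '' }
        '{0,-19} {1,-35} {2} {3}' -f $class, $p.displayName, $p.instanceGuid, $flag

        if ($stale -and $Delete) {
            $p | Format-List * | Out-File -Append -FilePath $backup
            $p.Delete()           # removes the WMI instance; the OS keeps no other copy
            "Deleted $class instance $($p.instanceGuid) (record saved to $backup)"
        }
    }
}

# Security Center caches its view; restarting the service makes it re-read WMI
# so the AV installer's "already installed" check sees the cleaned namespace.
if ($Delete) { Restart-Service wscsvc -ErrorAction SilentlyContinue }
```

Run it without -Delete first and compare the listed displayName/instanceGuid pairs with the DDS "AV:" and "FW:" lines; only a GUID whose product is genuinely gone (no files, no services, no uninstaller, as this thread established for "Enterprise Suite") should be added to $StaleGuids. A live AV removed this way would simply re-register itself on its next start, so the real risk of the script is low, but the backup file exists so you can see what was there. On PowerShell 7 and later Get-WmiObject is gone; the same walk is `Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct` with `Remove-CimInstance` in place of `.Delete()`.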
Thanks!
Are you using an older copy of RootRepeal? It's been having problems like scans crashing. Did you get an error at all, or does it just not open?
Some third-party drivers can also interfere with rootkit scanners; are Gmer and other rootkit scanners able to run?

Try and delete the one you already have and download a fresh copy and run it and see if that runs.
 1. Download RootRepeal.
    http://ad13.geekstogo.com/RootRepeal.exe
 2. Double click RootRepeal.exe to start the program.
 3. Click on the Report tab at the bottom of the program window.
 4. Click the Scan button.
 5. In the Select Scan dialog, check: Drivers, Processes, SSDT, Hidden Services.
 6. Click the OK button.
 7. In the next dialog, select all drives showing.
 8. Click OK to start the scan.
    Note: The scan should not take very long. DO NOT run any other programs while the scan is running.
 9. When the scan is complete, the Save Report button will become available.
10. Click this and save the report to your Desktop as RootRepeal.txt.
11. Go to File, then Exit to close the program.

By the way, in case you're not aware, you can also award points to more than one Expert by clicking the "Accept Multiple Solutions" button and distribute points to your liking, thanks.
Thanks for the continued response.  

Even with the new copy, I get the same response: Virtual Memory too Low, Adjusting Memory.  I have let it go as long as 1 hour.  Gmer and others have no problem running.

I forgot about splitting the points.  Without Optoma you would not have gotten involved.  Kind of late for the points distribution though.
>>>"Without Optoma you would not have gotten involved.  Kind of late for the points distribution though."<<<
That I can help.. I will re-open this thread for you so you can re-distribute points.
Optoma provided the validation that the machine was in fact clean.  Rpggamergirl provided the ultimate fix.

Great 1 2 punch!
Very kind of Ye!
Cheers :)
vic,
May I copy that combofix-message.doc {http:#25926838} and paste it in my article?
RPG,

Please do.  When done let me know that your article has been posted.

Thanks,
vic
vic,
Thanks, I very much appreciate it.... when it's published I'll let you know... I will also put a link pointing to this thread.
I've posted 4 articles if you'd like to check them out (listed in my profile).
I have ... sent you a note on system restore.  I imagine you get a lot of email.

Can resend if you want.
Hi vic,
I am terribly sorry..... I just found it after I searched my inbox.
The emails that I usually get in my gmail account are alerts for new questions in some of the zones I frequent.
Sorry I missed yours....you must've thought I'm bad to not even reply. Again sorry.
Here's the published article, thanks.
Can't Install an Antivirus - Windows Security Center still detects previous AV:
https://www.experts-exchange.com/articles/Virus_and_Spyware/Anti-Virus/Can%27t-Install-an-Antivirus-Windows-Security-Center-still-detects-previous-AV.html

Merry Christmas and happy holidays to you all!