Solved

Removed Antivirus Number 1, but now no other antivirus program will install

Posted on 2009-04-06
1,480 Views
Last Modified: 2013-11-22
Have a customer computer that became infected with one of the new trojans - antivirus number 1, while running AVG free version.  I ran sdfix and then malwarebytes.  The fake antivirus appears to have been taken care of, however, I tried to reinstall AVG and it failed.  I ran the AVG remover and then tried again several times unsuccessfully.  A few times it didn't fail on the install, but then it wouldn't run either (startup or manually).  So, then I decided to try Avast.  Avast started the install and then just quit.  So, even though the customer really wanted something free, I decided to try Kaspersky (one of my favorites).  It installed fine, but then won't run - even after a reboot.  It doesn't run at start up and it doesn't run if you launch it manually.  This leads me to think that the trojan isn't gone, but all of the information I've read for this particular one just says to use Malwarebytes.  So, I ran Malwarebytes again, this time in safe mode and it didn't find anything.   Thank you in advance.
Question by:ComputerMunkey
19 Comments
 
LVL 1

Expert Comment

by:NAK321
It seems as though the AVG installation was corrupted (or exploited). It still may have some ghost services floating around on your machine that are interfering with your other anti-virus installs. Here are some steps to try:

1. Re-check your Add/Remove Programs to make sure AVG is gone.
2. Check your C:\Program Files to make sure AVG is gone.
3. Check your Registry (Run: Regedit) to see if AVG is gone.

If any of these yield signs of AVG still being around, it's time to boot into safe mode (F8 on reboot) and uninstall there. Uninstall the others as well to be thorough. Reboot into safe mode with networking. Reinstall an antivirus and update it to current. Then perform a full scan.

Let us know what you find.
 
LVL 3

Author Comment

by:ComputerMunkey
I'm sorry I didn't go into a little more detail about what I'd tried, since I was trying to avoid writing a novel. I've already done 1 & 2 as suggested above, and as far as 3 goes, I searched for the string "AVG" in the registry and deleted anything that I knew was safe to delete.
I will try the uninstall etc. in safe mode as you suggest.  The customer is pretty far from my location so I will need to get a few things in my arsenal before I go back.
 
 
LVL 1

Expert Comment

by:NAK321
Another possible option is to remove all antivirus software, download the latest AVG installer, run it, and select repair installation if given the option. Then, after the repair, run the installer again and select remove/uninstall.

This rewrites the bad files and allows the AVG uninstaller to correctly remove them.
 
LVL 22

Assisted Solution

by:Adam Leinss
Adam Leinss earned 100 total points
Try Combofix to see if it finds anything: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Also, try Avira free edition: http://www.free-av.com/en/products/1/avira_antivir_personal__free_antivirus.html
Avira (retail version) was rated pretty high for virus detection.
 
LVL 3

Author Comment

by:ComputerMunkey
I don't recall a repair option on the free version of AVG. It was the latest free version available. By the way, I also removed Spybot, which was on the machine but not running, just to make sure there weren't any conflicts. There were no other "anti" programs on the computer to remove. I'd be interested in hearing other comments on Avira; that is one I'm not familiar with.
 
LVL 16

Expert Comment

by:warturtle
There is something else as well that you can try:

Start->Run->%tmp% This would take you to the location of the logs that the AVG installer/uninstaller created, with details of what is still left or whether there were errors during uninstallation, etc. These logs would be quite helpful. If you cannot find the log there, or there are lots of them, try another AVG uninstallation and it will generate a fresh one for you to have a look at.

Alternatively, I would suggest an online scan with Kaspersky Online Scanner based at:

http://www.kaspersky.co.uk/virusscanner

This, in combination with MalwareBytes, has always removed anything I've seen so far. I suggest their scans be done in 'safe mode with networking'. Kaspersky has the highest rates of detection of any antivirus out there. This online scanner wouldn't remove anything but would generate a report on completion of the scan containing what is still left. That report will be very useful for us to help you with.

I have no experience with Avira, so cannot comment on it.
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 400 total points
As has already been suggested, try Combofix.

Here are the instructions; if it doesn't run at first, redownload it but rename it before saving it to your desktop.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
 
LVL 3

Author Comment

by:ComputerMunkey
This is the failure information from the AVG install log.  
 Result:
Local machine: installation failed
    Installation:
        Error: Action failed for file avgwdsvc.exe: starting service....
            Error 0x8007041d
    Rollback:
        Warning: Action failed for directory Log: removing directory....
            Error 0x80070091
        Warning: Action failed for directory avg8: removing directory....
            Error 0x80070091
 <avg_installation_record>
  <timestamp start_time="09-04-05 21:42:07" end_time="09-04-05 21:43:57"/>
  <setup_version build="285" date="09-03-25" xml="$Rev: 95565 $"/>
  <failure phase="install" severity="error" code="0xc0010208"/>
  <failure phase="rollback" severity="warning" code="0x80010208"/>
  <failure phase="rollback" severity="warning" code="0x80010208"/>
</avg_installation_record>
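The hex codes in this log are worth decoding before guessing at causes. They are HRESULTs that wrap ordinary Win32 error numbers: 0x8007041d is facility 7 (Win32) with code 0x41d = 1053, ERROR_SERVICE_REQUEST_TIMEOUT ("The service did not respond to the start or control request in a timely fashion"), meaning the Service Control Manager launched avgwdsvc.exe but the process never reported itself as running, which is consistent with the poster's suspicion that something resident was still interfering with AV services rather than with a bad download. 0x80070091 is code 145, ERROR_DIR_NOT_EMPTY: the rollback could not delete the Log and avg8 directories because something was still inside them. The codes in the XML record (0xc0010208, 0x80010208) do not use the Win32 facility and are AVG setup's own. The following PowerShell function is an added example, not code from the thread or from AVG; it parses the HRESULT bit layout and uses .NET's Win32Exception for the message text.

```powershell
# Added example, not from the thread. Decodes HRESULT values such as the
# 0x8007041d / 0x80070091 printed in AVG's setup log.
# Layout of a 32-bit HRESULT: bit 31 = severity (1 = failure),
# bits 16-26 = facility, bits 0-15 = code. Facility 7 (FACILITY_WIN32)
# means the low 16 bits are a plain Win32 error number.
function ConvertFrom-HResult {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Hex      # the code as printed in the log, e.g. '0x8007041d'
    )
    process {
        # Parse as unsigned so 0x8... values do not come out negative
        $value    = [int64][Convert]::ToUInt32(($Hex -replace '^0x', ''), 16)
        $severity = ($value -shr 31) -band 1
        $facility = ($value -shr 16) -band 0x7FF
        $code     = $value -band 0xFFFF

        $win32   = $null
        $message = $null
        if ($facility -eq 7) {
            $win32 = [int]$code
            # Win32Exception(int) looks the number up with FormatMessage
            $message = (New-Object System.ComponentModel.Win32Exception $win32).Message
        }

        [pscustomobject]@{
            HResult  = '0x{0:x8}' -f $value
            Failed   = ($severity -eq 1)
            Facility = [int]$facility
            Win32    = $win32
            Message  = $message
        }
    }
}

# Usage with the three distinct codes from the log above
'0x8007041d', '0x80070091', '0xc0010208' | ConvertFrom-HResult | Format-Table -AutoSize
```

For codes whose facility is not 7 the Win32 and Message columns stay empty, which is the right answer: those are product-specific and have to be looked up in the vendor's documentation, not in winerror.h.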
 
LVL 3

Author Comment

by:ComputerMunkey
Here is the combofix file.  It mentions AVG and Kaspersky at the beginning, but they have both been uninstalled.  
ComboFix.txt
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 400 total points

>>> It mentions AVG and Kaspersky at the beginning, but they have both been uninstalled. <<<
Okay.. I added their remnant entries in the script to be removed.


Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\tdisp.sys

Folder::
c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
c:\documents and settings\All Users\Application Data\avg8

Driver::
tdisp.sys

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

 
LVL 3

Author Closing Comment

by:ComputerMunkey
Thank you very much.  rpggamergirl you've been spot on so many times on these fake anti-virus threats.  I really appreciate you continuing to follow up.
 
LVL 3

Author Comment

by:ComputerMunkey
Problem solved after running the above combo fix.  
I did find this Kaspersky support entry after the fact that might help someone in the future, but I never tried since I just now found it.  
Here is the link:
http://support.kaspersky.com/kis2009/install?qid=208279831
Here is the text:
"Sometimes installation of Kaspersky Anti-Virus version 2009 can be hindered by the 'remains' of AVG8 in the system, although AVG8 was successfully removed and the system was restarted.
Prior to copying the installation files onto the hard drive, the Configuration Wizard checks the computer for third-party software incompatible with Kaspersky Anti-Virus version 2009. The records of AVG8 in the system registry are identified by the Wizard as a fully installed and functioning anti-virus AVG8 although the product has already been uninstalled. As a result the Configuration Wizard asks to manually uninstall the incompatible software and interrupts the installation.
To resolve the situation you should do the following:
1. Cancel the current installation of Kaspersky Anti-Virus version 2009
2. Download the archive avg8.zip
3. Unpack all files from the archive avg8.zip into one folder
4. Run the file KLeaner.exe
5. Wait until the utility finishes its work
6. Restart your PC
7. Rerun installation of Kaspersky Anti-Virus version 2009"

Thank you aleinss and  rpggamergirl.  
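NAK321's checklist above (Add/Remove Programs, Program Files, registry), the orphaned tdisp.sys driver entry that the accepted ComboFix script removed, and the AVG8 registry records that the Kaspersky note says fool its installer are all the same kind of thing: registrations that outlive the product. The script below is an added PowerShell example, not code from the thread or from any of the vendors, that sweeps those places read-only so you can see what is left before deciding what to delete. The product name patterns and the folder list are assumptions; adjust them for whatever you actually removed. Type 1 and 2 service entries are kernel and file-system drivers, and each of those gets an Authenticode check on its image file.

```powershell
# Added example, not from the thread. Read-only sweep for remnants of a removed
# antivirus product (Add/Remove Programs entries, leftover folders, and service
# or driver registrations), plus a signature check on every driver entry, since
# the fix in this thread was deleting an orphaned driver (tdisp.sys).
# The product name patterns are assumptions; adjust them for what you removed.

function Resolve-ServiceImagePath {
    param([string]$ImagePath)
    # ImagePath comes in several shapes: 'system32\DRIVERS\x.sys',
    # '\SystemRoot\system32\drivers\x.sys', '\??\C:\...\x.sys',
    # '"%ProgramFiles%\Vendor\svc.exe" /run', 'C:\...\svchost.exe -k netsvcs'
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {                    # quoted path: keep only the path
        $end = $p.IndexOf('"', 1)
        if ($end -gt 0) { $p = $p.Substring(1, $end - 1) }
    } else {                                     # unquoted: cut at first ' -' or ' /'
        $p = ($p -split ' [-/]', 2)[0]
    }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-AVRemnants {
    param([string[]]$Patterns = @('avg', 'avast', 'kaspersky', 'klif', 'symantec', 'norton'))
    $rx   = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $hits = @()

    # 1. Add/Remove Programs. Kaspersky's installer reads these keys and refuses
    #    to continue while an AVG entry is still present.
    $uninstallRoots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($k in Get-ChildItem $root) {
            $e = Get-ItemProperty $k.PSPath
            if ("$($e.DisplayName) $($e.UninstallString)" -match $rx) {
                $hits += [pscustomobject]@{ Kind = 'Uninstall'; Name = $k.PSChildName; Detail = $e.DisplayName; Note = $e.UninstallString }
            }
        }
    }

    # 2. Leftover program and per-machine data folders (XP keeps the latter under
    #    All Users\Application Data, Vista and later under ProgramData).
    $dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
              (Join-Path $env:ALLUSERSPROFILE 'Application Data')) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($d in $dirs) {
        $subs = Get-ChildItem -LiteralPath $d -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer -and $_.Name -match $rx }
        foreach ($sub in $subs) {
            $hits += [pscustomobject]@{ Kind = 'Folder'; Name = $sub.Name; Detail = $sub.FullName; Note = $sub.LastWriteTime }
        }
    }

    # 3. Service and driver registrations. Type 1 = kernel driver, 2 = file-system
    #    driver; those get an Authenticode check on the resolved image file.
    foreach ($k in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $s = Get-ItemProperty $k.PSPath
        if (-not $s.ImagePath) { continue }
        $isDriver = ($s.Type -eq 1 -or $s.Type -eq 2)
        $file     = Resolve-ServiceImagePath $s.ImagePath
        $exists   = Test-Path -LiteralPath $file
        $why      = @()
        if ("$($k.PSChildName) $($s.DisplayName) $($s.ImagePath)" -match $rx) { $why += 'matches removed product' }
        if (-not $exists) { $why += 'image file missing' }
        $sig = 'n/a'
        if ($isDriver -and $exists) {
            $a   = Get-AuthenticodeSignature -FilePath $file
            $sig = "$($a.Status)"
            if ($a.SignerCertificate) { $sig += " ($($a.SignerCertificate.GetNameInfo('SimpleName', $false)))" }
            if ($a.Status -ne 'Valid') { $why += 'driver not validly signed' }
        }
        if ($why.Count -gt 0) {
            $kind  = if ($isDriver) { 'Driver' } else { 'Service' }
            $hits += [pscustomobject]@{ Kind = $kind; Name = $k.PSChildName
                                        Detail = "$file [start=$($s.Start) sig=$sig]"; Note = ($why -join '; ') }
        }
    }
    return $hits
}

Get-AVRemnants | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

Read the driver section as a triage list, not a verdict: older Windows PowerShell releases do not consult catalog (.cat) signatures, so many in-box Microsoft drivers show NotSigned on the systems this thread is about. The signal is the entry that nothing you still have installed accounts for: a generic name, no signer, an image file sitting directly in system32 rather than system32\drivers (as tdisp.sys did here), or a boot/system start type with no matching product. Comparing the output against a known-clean machine of the same build is the quickest way to separate the two cases.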
 
LVL 47

Expert Comment

by:rpggamergirl
No problem... glad to know it's now resolved.
Thank you for the valuable info on KAS 2009 and AVG8 which will surely help other users who are experiencing the same problem.


To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u

The above process will remove Combofix and its files, delete the created backup and reset System Restore.

Thanks!
 

Expert Comment

by:PacBlu
My current problem is very similar, and it occurred with Norton 360 Version 2.0 installed. Anti Virus #1 hit me on Sunday. Malware removed it but also shut down Norton. I tried reinstalling and it wouldn't run. I also had no internet connectivity. I uninstalled Norton and got my connectivity back. I've been dealing with a Norton rep all week. I've tried installing all Norton products, AVG and McAfee with no luck. I've also been exchanging emails with a Malware techie. The Norton rep was the one who informed me of the post on this forum regarding the tdisp file, which Norton asked me to send to their virus center. Looks like I need to try ComboFix. I'll post the results.
 
LVL 3

Author Comment

by:ComputerMunkey
It is interesting that you said you were running Norton 360.  Until this customer running AVG got infected with this fave AV malware, every other one I've fixed has been using Norton 360 or some other Norton product.   I couldn't believe that one of the Norton updates wouldn't take care of the vulnerability especially since it has been going on since September.
 
LVL 3

Author Comment

by:ComputerMunkey
Sorry I meant "fake" AV.
 
LVL 22

Expert Comment

by:Adam Leinss
@PacBlu

For your problem: please post a new question so we don't confuse the two issues.

@ComputerMunkey

Not a fan of Symantec myself. We got hit by the Phllis virus on December 21, 2006. Symantec tech support was of no help, even after we sent them a sample of an infected executable. I ended up downloading the McAfee SuperDAT, running it from machine to machine and scanning them by hand to disinfect all the executables. Symantec would only delete, not clean, the infected executables. Rebuilding 100+ PCs was NOT an option.

Now we use NOD32 and are much happier.
 

Expert Comment

by:PacBlu
I re-posted my comments under the "Find Answers" tab. I hope this is how new threads are started. This forum is set up somewhat different than the others I belong to.
 
LVL 38

Expert Comment

by:younghv
PacBlu -
The simplest thing for you to do is to look below this post in the "Post Comment" block and click the hyperlink that says 'ask a related question'.
Look for this:
This question already has been closed and points assigned. Post additional comments only if you want to clarify or comment on the solution. You can also ask a related question.
Doing that will open a question of your own and notify all of the participants that you did so.
 