Solved

Removed Antivirus Number 1, but now no other antivirus program will install

Posted on 2009-04-06
1,526 Views
Last Modified: 2013-11-22
Have a customer computer that became infected with one of the new trojans - antivirus number 1, while running AVG free version.  I ran sdfix and then malwarebytes.  The fake antivirus appears to have been taken care of, however, I tried to reinstall AVG and it failed.  I ran the AVG remover and then tried again several times unsuccessfully.  A few times it didn't fail on the install, but then it wouldn't run either (startup or manually).  So, then I decided to try Avast.  Avast started the install and then just quit.  So, even though the customer really wanted something free, I decided to try Kaspersky (one of my favorites).  It installed fine, but then won't run - even after a reboot.  It doesn't run at start up and it doesn't run if you launch it manually.  This leads me to think that the trojan isn't gone, but all of the information I've read for this particular one just says to use Malwarebytes.  So, I ran Malwarebytes again, this time in safe mode and it didn't find anything.   Thank you in advance.
0
Question by:ComputerMunkey
19 Comments
 
LVL 1

Expert Comment

by:NAK321
ID: 24081056
It seems as though the AVG installation was corrupted (or exploited). It still may have some ghost services floating around on your machine that are interfering with your other anti-virus installs. Here are some steps to try:

1. Re-check your Add/Remove Programs to make sure AVG is gone.
2. Check your C:\Program Files to make sure AVG is gone.
3. Check your Registry (Run: Regedit) to see if AVG is gone.

If any of these yield signs of AVG still being around, its time to boot safe-mode (F8 on reboot) and uninstall there. Uninstall the others as well to be thorough. Reboot to safemode with networking. Reinstall an antivirus and update it to current. Then perform a full scan.

Let us know what you find.
0
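The three checks above (Add/Remove Programs, Program Files, registry) are easy to do by hand for one product, but a leftover service or driver entry is the kind of remnant that hides in the Services key rather than anywhere a user would look. The PowerShell script below is an added example, not something from this thread or from any of the vendors named in it; it walks the uninstall keys, the common program and application-data directories, and HKLM\SYSTEM\CurrentControlSet\Services looking for anything matching a product name substring (the `$Product` parameter, an assumption of this example), and flags service or driver entries whose ImagePath points at a file that no longer exists. Run it from an elevated prompt; it only reads, it does not delete anything.

```powershell
# Added example (not from the thread): list what an uninstalled AV product left behind.
# $Product is an assumed parameter: a substring expected in the product's names and paths.
param([string]$Product = 'AVG')

$hits = @()

# Turn a raw ImagePath value into a file path we can test for existence.
function Resolve-ImagePath([string]$img) {
    $img = $img.Trim('"') -replace '^\\\?\?\\', ''
    if ($img -match '^\\SystemRoot\\(.+)$')  { $img = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($img -match '^system32\\(.+)$')  { $img = Join-Path $env:SystemRoot ('system32\' + $Matches[1]) }
    # Drop any arguments that follow the executable or driver file name.
    if ($img -match '^(.+?\.(exe|sys|dll))') { $img = $Matches[1] }
    return $img
}

# 1. Add/Remove Programs entries (32-bit and, where present, 64-bit uninstall keys).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($k in $uninstallKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($sub in Get-ChildItem $k) {
        $p = Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue
        if ($p.DisplayName -like "*$Product*") {
            $hits += New-Object PSObject -Property @{
                Kind = 'Uninstall entry'; Name = $p.DisplayName; Where = $sub.PSPath; Note = '' }
        }
    }
}

# 2. Leftover directories: Program Files and the all-users application data folder
#    (Documents and Settings\All Users\Application Data on XP, ProgramData on later versions).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
           (Join-Path $env:ALLUSERSPROFILE 'Application Data')) | Where-Object { $_ -and (Test-Path $_) }
foreach ($root in $roots) {
    Get-ChildItem $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -like "*$Product*" } |
        ForEach-Object {
            $hits += New-Object PSObject -Property @{
                Kind = 'Directory'; Name = $_.Name; Where = $_.FullName; Note = '' }
        }
}

# 3. Services and kernel drivers. A matching name is one signal; an ImagePath whose file
#    is missing is the stronger one, because a registered driver with no file on disk is
#    exactly the sort of remnant that makes a later install fail when it tries to start services.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in Get-ChildItem $svcRoot) {
    $p = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
    $img = [string]$p.ImagePath
    $nameMatch = ($svc.PSChildName -like "*$Product*") -or
                 ([string]$p.DisplayName -like "*$Product*") -or ($img -like "*$Product*")
    $missing = $false
    if ($img) { $missing = -not (Test-Path (Resolve-ImagePath $img)) }
    if ($nameMatch -or $missing) {
        $note = if ($missing) { "ImagePath file not found: $img" } else { '' }
        $kind = if ($p.Type -in 1, 2) { 'Driver' } else { 'Service' }
        $hits += New-Object PSObject -Property @{
            Kind = $kind; Name = $svc.PSChildName; Where = $svc.PSPath; Note = $note }
    }
}

if ($hits.Count -eq 0) { "No traces of '$Product' found." }
else { $hits | Sort-Object Kind, Name | Format-Table Kind, Name, Note, Where -AutoSize }
```

The driver check is deliberately not limited to the product name: an orphaned entry such as the tdisp.sys driver that turned up later in this thread would not contain "AVG" in its name, but it would show up as a service whose file is gone or whose path looks out of place. Anything this lists is a candidate for review, not an automatic delete; confirm what each entry belongs to before removing it.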
 
LVL 3

Author Comment

by:ComputerMunkey
ID: 24081161
I'm sorry I didn't go into a little more detail about what I'd tried since I was trying to avoid writing a novel.   I've already done 1 & 2 suggested above and as far as 3 goes I searched for the string "AVG" in the registry and deleted anything that I knew was safe to delete.  
I will try the uninstall etc. in safe mode as you suggest.  The customer is pretty far from my location so I will need to get a few things in my arsenal before I go back.
 
0
 
LVL 1

Expert Comment

by:NAK321
ID: 24081510
Another possible option is to remove all antivirus software, download the latest AVG installer, run it, and select repair installation if given the option. Then, after the repair, run the installer again and select remove/uninstall.

This rewrites the bad files and allows the AVG uninstaller to correctly remove them.
0
 
LVL 22

Assisted Solution

by:Adam Leinss
Adam Leinss earned 100 total points
ID: 24081625
Try Combofix to see if it finds anything: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Also, try Avira free edition: http://www.free-av.com/en/products/1/avira_antivir_personal__free_antivirus.html
Avira (retail version) was rated pretty high for virus detection.
0
 
LVL 3

Author Comment

by:ComputerMunkey
ID: 24081762
I don't recall a repair option on the free version of AVG.  It was the latest free version available.  By the way, I also removed Spybot that was on the machine but not running just to make sure there weren't any conflicts.  There were no other "anti" on the computer to remove.  I'd be interested in hearing other comments on Avira; that is one I'm not familiar with.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24082667
There is something else as well that you can try:

Start->Run->%tmp% This would take you to the location of the logs that the AVG Installer/Uninstaller created, with details of what is still left or whether there were errors during uninstallation, etc. These logs would be quite helpful. If you cannot find the log there or there are lots of them, try another AVG uninstallation and it would generate a fresh one for you to have a look at.

Alternatively, I would suggest an online scan with Kaspersky Online Scanner based at:

http://www.kaspersky.co.uk/virusscanner

This in combination with MalwareBytes has always removed anything I've seen so far. I suggest their scans done in 'safe mode with networking'. Kaspersky has the highest rates of detection of any antivirus out there. This online scanner wouldn't remove anything but would generate a report on completion of scan containing what is still left. That report will be very useful for us to help you with.

I have no experience with Avira, so cannot comment on it.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 400 total points
ID: 24083372
As already been suggested, try Combofix.

Here's the instruction, if it doesn't run at first then redownload but rename before saving to your desktop.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
0
 
LVL 3

Author Comment

by:ComputerMunkey
ID: 24089448
This is the failure information from the AVG install log.  
 Result:
Local machine: installation failed
    Installation:
        Error: Action failed for file avgwdsvc.exe: starting service....
            Error 0x8007041d
    Rollback:
        Warning: Action failed for directory Log: removing directory....
            Error 0x80070091
        Warning: Action failed for directory avg8: removing directory....
            Error 0x80070091
 <avg_installation_record>
  <timestamp start_time="09-04-05 21:42:07" end_time="09-04-05 21:43:57"/>
  <setup_version build="285" date="09-03-25" xml="$Rev: 95565 $"/>
  <failure phase="install" severity="error" code="0xc0010208"/>
  <failure phase="rollback" severity="warning" code="0x80010208"/>
  <failure phase="rollback" severity="warning" code="0x80010208"/>
</avg_installation_record>
0
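The codes in that log are HRESULTs, and the 0x8007xxxx ones carry a plain Win32 error number in their low 16 bits, so they can be translated without a vendor manual. The following PowerShell is an added example, not part of the thread or of AVG's tooling: it parses the lines of the snippet above (copied here as a constructed sample string) and decodes each code, using the Win32Exception class from .NET for the message text rather than a hand-written table. Codes in another facility, such as the 0xc0010208 in the XML record, are reported as vendor-specific.

```powershell
# Added example (not from the thread): extract and decode the error codes in an AVG setup log.
# $sampleLog is a constructed copy of the failure lines posted above.
$sampleLog = @'
Error: Action failed for file avgwdsvc.exe: starting service....
    Error 0x8007041d
Warning: Action failed for directory Log: removing directory....
    Error 0x80070091
Warning: Action failed for directory avg8: removing directory....
    Error 0x80070091
<failure phase="install" severity="error" code="0xc0010208"/>
'@

# Split an HRESULT into facility and low 16-bit code; facility 7 (FACILITY_WIN32) means
# the low word is a standard Windows error number with a well-known message.
function ConvertFrom-HResult([string]$hex) {
    $code     = [Convert]::ToInt64(($hex -replace '^0x', ''), 16)
    $facility = ($code -shr 16) -band 0x1FFF
    $low      = $code -band 0xFFFF
    if ($facility -eq 7) {
        $msg = (New-Object System.ComponentModel.Win32Exception([int]$low)).Message
        return ("Win32 error {0}: {1}" -f $low, $msg)
    }
    return ("facility {0}, code 0x{1:x4} (vendor-specific, not a Windows error)" -f $facility, $low)
}

# Walk the log, remembering the last Error:/Warning: line (or XML phase) as context
# for the code that follows it.
function Get-SetupErrors([string]$log) {
    $context = ''
    foreach ($line in ($log -split "`r?`n")) {
        if ($line -match '^\s*(Error|Warning): (.*)$') { $context = $Matches[2]; continue }
        if ($line -match 'phase="(\w+)"')               { $context = "XML record, phase $($Matches[1])" }
        if ($line -match '(?:Error |code=")(0x[0-9a-fA-F]{8})') {
            New-Object PSObject -Property @{
                Context = $context
                Code    = $Matches[1]
                Meaning = ConvertFrom-HResult $Matches[1]
            }
        }
    }
}

Get-SetupErrors $sampleLog | Format-Table Code, Meaning, Context -AutoSize
```

On the sample, 0x8007041d decodes to Win32 error 1053 (the service did not respond to the start request in time) and 0x80070091 to error 145 (the directory is not empty). That is useful on its own: the install did not fail copying files, it failed starting avgwdsvc.exe, which is consistent with something on the service or driver side still being in the way, and the rollback could not remove the directories because they still had contents.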
 
LVL 3

Author Comment

by:ComputerMunkey
ID: 24089601
Here is the combofix file.  It mentions AVG and Kaspersky at the beginning, but they have both been uninstalled.  
ComboFix.txt
0
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 400 total points
ID: 24097722

>>> It mentions AVG and Kaspersky at the beginning, but they have both been uninstalled. <<<
Okay.. I added their remnant entries in the script to be removed.


Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\tdisp.sys

Folder::
c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
c:\documents and settings\All Users\Application Data\avg8

Driver::
tdisp.sys

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

0
 
LVL 3

Author Closing Comment

by:ComputerMunkey
ID: 31567195
Thank you very much.  rpggamergirl you've been spot on so many times on these fake anti-virus threats.  I really appreciate you continuing to follow up.
0
 
LVL 3

Author Comment

by:ComputerMunkey
ID: 24099616
Problem solved after running the above combo fix.  
I did find this Kaspersky support entry after the fact that might help someone in the future, but I never tried since I just now found it.  
Here is the link:
http://support.kaspersky.com/kis2009/install?qid=208279831
Here is the text:
"Sometimes installation of Kaspersky Anti-Virus version 2009 can be hindered by the 'remains' of AVG8 in the system, although AVG8 was successfully removed and the system was restarted.
Prior to copying the installation files onto the hard drive, the Configuration Wizard checks the computer for third-party software incompatible with Kaspersky Anti-Virus version 2009. The records of AVG8 in the system registry are identified by the Wizard as a fully installed and functioning anti-virus AVG8 although the product has already been uninstalled. As a result the Configuration Wizard asks to manually uninstall the incompatible software and interrupts the installation.
To resolve the situation you should do the following:
1. Cancel the current installation of Kaspersky Anti-Virus version 2009.
2. Download the archive avg8.zip.
3. Unpack all files from the archive avg8.zip into one folder.
4. Run the file KLeaner.exe and wait until the utility finishes its work.
5. Restart your PC.
6. Rerun installation of Kaspersky Anti-Virus version 2009."

Thank you aleinss and  rpggamergirl.  
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24103831
No problem... glad to know it's now resolved.
Thank you for the valuable info on KAS 2009 and AVG8 which will surely help other users who are experiencing the same problem.


To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u

The above process will remove Combofix and its files, delete the created backup and reset system Restore.

Thanks!
0
 

Expert Comment

by:PacBlu
ID: 24119155
My current problem is very similar and it occurred with Norton 360 Version 2.0 installed. Anti Virus #1 hit me on Sunday. Malwarebytes removed it but also shut down Norton. I tried reinstalling and it wouldn't run. I also had no internet connectivity. Uninstalled Norton and I got my connectivity back. I've been dealing with a Norton rep all week. I've tried installing all Norton products, AVG and McAfee with no luck. I've also been exchanging emails with a Malwarebytes techie. The Norton rep was the one who informed me of the post on this forum regarding the tdisp file, which Norton asked me to send to their virus center. Looks like I need to try ComboFix. I'll post the results.
0
 
LVL 3

Author Comment

by:ComputerMunkey
ID: 24120644
It is interesting that you said you were running Norton 360.  Until this customer running AVG got infected with this fave AV malware, every other one I've fixed has been using Norton 360 or some other Norton product.   I couldn't believe that one of the Norton updates wouldn't take care of the vulnerability especially since it has been going on since September.
0
 
LVL 3

Author Comment

by:ComputerMunkey
ID: 24120650
Sorry I meant "fake" AV.
0
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 24120915
@PacBlu

For your problem: please post a new question so we don't confuse the two issues.

@ComputerMunkey

Not a fan of Symantec myself.  We got hit by the Phllis virus on December 21, 2006.  Symantec tech support was of no help even after sending them a sample of an infected executable.  I ended up downloading the McAfee SuperDat, running it from machine to machine and scanning them by hand to disinfect all the executables.  Symantec would only delete, not clean, the infected executables.  Rebuilding 100+ PCs was NOT an option.

Now we use NOD32 and are much happier.
0
 

Expert Comment

by:PacBlu
ID: 24122099
I re-posted my comments under the "Find Answers" tab. I hope this is how new threads are started. This forum is set up somewhat different than the others I belong to.
0
 
LVL 38

Expert Comment

by:younghv
ID: 24124964
PacBlu -
The simplest thing for you to do is to look below this post in the "Post Comment" block and click the hyperlink that says 'ask a related question'.
Look for this:
This question already has been closed and points assigned. Post additional comments only if you want to clarify or comment on the solution. You can also ask a related question.
Doing that will open a question of your own and notify all of the participants that you did so.
 
0
