Removed Antivirus Number 1, but now no other antivirus program will install

Have a customer computer that became infected with one of the new trojans - antivirus number 1, while running AVG free version.  I ran sdfix and then malwarebytes.  The fake antivirus appears to have been taken care of, however, I tried to reinstall AVG and it failed.  I ran the AVG remover and then tried again several times unsuccessfully.  A few times it didn't fail on the install, but then it wouldn't run either (startup or manually).  So, then I decided to try Avast.  Avast started the install and then just quit.  So, even though the customer really wanted something free, I decided to try Kaspersky (one of my favorites).  It installed fine, but then won't run - even after a reboot.  It doesn't run at start up and it doesn't run if you launch it manually.  This leads me to think that the trojan isn't gone, but all of the information I've read for this particular one just says to use Malwarebytes.  So, I ran Malwarebytes again, this time in safe mode and it didn't find anything.   Thank you in advance.
rpggamergirl Commented:

>>> It mentions AVG and Kaspersky at the beginning, but they have both been uninstalled. <<<
Okay.. I added their remnant entries in the script to be removed.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:

c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
c:\documents and settings\All Users\Application Data\avg8


3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

It seems as though the AVG installation was corrupted (or exploited). It still may have some ghost services floating around on your machine that are interfering with your other anti-virus installs. Here are some steps to try:

1. Re-check your Add/Remove Programs to make sure AVG is gone.
2. Check your C:\Program Files to make sure AVG is gone.
3. Check your Registry (Run: Regedit) to see if AVG is gone.

If any of these yield signs of AVG still being around, it's time to boot into safe mode (F8 on reboot) and uninstall there. Uninstall the others as well to be thorough. Reboot to safe mode with networking. Reinstall an antivirus and update it to current. Then perform a full scan.

Let us know what you find.
ComputerMunkey (Author) Commented:
I'm sorry I didn't go into a little more detail about what I'd tried since I was trying to avoid writing a novel.   I've already done 1 & 2 suggested above and as far as 3 goes I searched for the string "AVG" in the registry and deleted anything that I knew was safe to delete.  
I will try the uninstall etc. in safe mode as you suggest.  The customer is pretty far from my location so I will need to get a few things in my arsenal before I go back.
Another possible option is to remove all antivirus software, download the latest AVG installer, run it, and select repair installation if given the option. Then, after the repair, run the installer again and select remove/uninstall.

This rewrites the bad files and allows the AVG uninstaller to correctly remove them.
Adam Leinss (Senior Desktop Engineer) Commented:
Try Combofix to see if it finds anything:
Also, try Avira free edition:
Avira (retail version) was rated pretty high for virus detection.
ComputerMunkey (Author) Commented:
I don't recall a repair option on the free version of AVG.  It was the latest free version available.  By the way, I also removed Spybot, which was on the machine but not running, just to make sure there weren't any conflicts.  There were no other "anti" programs on the computer to remove.  I'd be interested in hearing other comments on Avira; that is one I'm not familiar with.
There is something else as well that you can try:

Start->Run->%tmp% This would take you to the location where the AVG installer/uninstaller created its logs, with details of what is still left or whether there were errors during uninstallation, etc. These logs would be quite helpful. If you cannot find the log there or there are lots of them, try another AVG uninstallation and it would generate a fresh one for you to have a look at.

Alternatively, I would suggest an online scan with Kaspersky Online Scanner based at:

This in combination with MalwareBytes has always removed anything I've seen so far. I suggest their scans done in 'safe mode with networking'. Kaspersky has the highest rates of detection of any antivirus out there. This online scanner wouldn't remove anything but would generate a report on completion of scan containing what is still left. That report will be very useful for us to help you with.

I have no experience with Avira, so cannot comment on it.
rpggamergirl Commented:
As has already been suggested, try Combofix.

Here's the instruction, if it doesn't run at first then redownload but rename before saving to your desktop.

Please download ComboFix by sUBs:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
ComputerMunkey (Author) Commented:
This is the failure information from the AVG install log.  
Local machine: installation failed
        Error: Action failed for file avgwdsvc.exe: starting service....
            Error 0x8007041d
        Warning: Action failed for directory Log: removing directory....
            Error 0x80070091
        Warning: Action failed for directory avg8: removing directory....
            Error 0x80070091
  <timestamp start_time="09-04-05 21:42:07" end_time="09-04-05 21:43:57"/>
  <setup_version build="285" date="09-03-25" xml="$Rev: 95565 $"/>
  <failure phase="install" severity="error" code="0xc0010208"/>
  <failure phase="rollback" severity="warning" code="0x80010208"/>
  <failure phase="rollback" severity="warning" code="0x80010208"/>
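The `0x8007....` values in the install log above are Win32 error codes wrapped in HRESULTs. The following is an added example, not part of the thread or of AVG's tooling, that pairs each failed action with its decoded code; the function names are hypothetical and the log lines are copied from the post.

```python
import re

# Log excerpt copied from the post above (the AVG installer's own output).
AVG_LOG = """\
Local machine: installation failed
        Error: Action failed for file avgwdsvc.exe: starting service....
            Error 0x8007041d
        Warning: Action failed for directory Log: removing directory....
            Error 0x80070091
        Warning: Action failed for directory avg8: removing directory....
            Error 0x80070091
"""

FACILITY_WIN32 = 7
WIN32_ERRORS = {  # winerror.h codes that occur in this log
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT (service did not respond to the start request in time)",
    145: "ERROR_DIR_NOT_EMPTY (the directory is not empty)",
}

def decode_hresult(value):
    """Split a 32-bit HRESULT into failure bit, 11-bit facility and 16-bit code."""
    return {"failed": bool(value >> 31), "facility": (value >> 16) & 0x7FF, "code": value & 0xFFFF}

ACTION = re.compile(r"(Error|Warning): Action failed for (file|directory) (\S+): (.+?)\.+$")
CODE = re.compile(r"Error (0x[0-9a-fA-F]{8})$")

def explain(log):
    """Pair each 'Action failed' line with the HRESULT printed on the line after it."""
    findings, pending = [], None
    for line in log.splitlines():
        line = line.strip()
        m = ACTION.match(line)
        if m:
            pending = m.groups()
            continue
        m = CODE.match(line)
        if m and pending:
            h = decode_hresult(int(m.group(1), 16))
            win32 = h["facility"] == FACILITY_WIN32
            meaning = WIN32_ERRORS.get(h["code"], "unlisted Win32 error") if win32 else "not a Win32-facility HRESULT"
            findings.append((pending[0], pending[2], pending[3], h["code"], meaning))
            pending = None
    return findings

for kind, target, action, code, meaning in explain(AVG_LOG):
    print(f"{kind}: {action} ({target}) -> {code} {meaning}")
```

Read this way, the install failed because the `avgwdsvc.exe` service did not start in time, and the rollback could not remove the `Log` and `avg8` directories because they still held files.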
ComputerMunkey (Author) Commented:
Here is the combofix file.  It mentions AVG and Kaspersky at the beginning, but they have both been uninstalled.  
ComputerMunkey (Author) Commented:
Thank you very much.  rpggamergirl you've been spot on so many times on these fake anti-virus threats.  I really appreciate you continuing to follow up.
ComputerMunkey (Author) Commented:
Problem solved after running the above combo fix.  
I did find this Kaspersky support entry after the fact that might help someone in the future, but I never tried since I just now found it.  
Here is the link:
Here is the text:
"Sometimes installation of Kaspersky Anti-Virus version 2009 can be hindered by the 'remains' of AVG8 in the system, although AVG8 was successfully removed and the system was restarted.
Prior to copying the installation files onto the hard drive, the Configuration Wizard checks the computer for third-party software incompatible with Kaspersky Anti-Virus version 2009. The records of AVG8 in the system registry are identified by the Wizard as a fully installed and functioning anti-virus AVG8 although the product has already been uninstalled. As a result the Configuration Wizard asks to manually uninstall the incompatible software and interrupts the installation.
To resolve the situation you should do the following:
1. Cancel the current installation of Kaspersky Anti-Virus version 2009
2. Download the archive
3. Unpack all files from the archive into one folder
4. Run the file KLeaner.exe
5. Wait until the utility finishes its work
6. Restart your PC
7. Rerun installation of Kaspersky Anti-Virus version 2009"

Thank you aleinss and  rpggamergirl.  
No problem... glad to know it's now resolved.
Thank you for the valuable info on KAS 2009 and AVG8 which will surely help other users who are experiencing the same problem.

To uninstall Combofix:
Go to Start > Run and 'copy and paste' the next command in the field:

ComboFix /u

The above process will remove Combofix and its files, delete the created backup and reset System Restore.

My current problem is very similar and it occurred with Norton 360 Version 2.0 installed. Anti Virus #1 hit me on Sunday. Malware removed it but also shut down Norton. I tried reinstalling and it wouldn't run. I also had no internet connectivity. Uninstalled Norton and I got my connectivity back. I've been dealing with a Norton rep all week. I've tried installing all Norton products, AVG and McAfee with no luck. I've also been exchanging emails with a Malware techie. The Norton rep was the one who informed me of the post on this forum regarding the tdisp file, which Norton asked me to send to their virus center. Looks like I need to try ComboFix. I'll post the results.
ComputerMunkey (Author) Commented:
It is interesting that you said you were running Norton 360.  Until this customer running AVG got infected with this fave AV malware, every other one I've fixed has been using Norton 360 or some other Norton product.   I couldn't believe that one of the Norton updates wouldn't take care of the vulnerability especially since it has been going on since September.
ComputerMunkey (Author) Commented:
Sorry I meant "fake" AV.
Adam Leinss (Senior Desktop Engineer) Commented:

For your problem: please post a new question so we don't confuse the two issues.


Not a fan of Symantec myself.  We got hit by the Phllis virus on December 21, 2006.  Symantec tech support was of no help even after sending them a sample of an infected executable.  I ended up downloading the McAfee SuperDat, running from machine to machine and scanning them by hand to disinfect all the executables.  Symantec would only delete, not clean the infected executables.  Rebuilding 100+ PCs was NOT an option.

Now we use NOD32 and are much happier.
I re-posted my comments under the "Find Answers" tab. I hope this is how new threads are started. This forum is set up somewhat different than the others I belong to.
PacBlu -
The simplest thing for you to do is to look below this post in the "Post Comment" block and click the hyperlink that says 'ask a related question'.
Look for this:
This question already has been closed and points assigned. Post additional comments only if you want to clarify or comment on the solution. You can also ask a related question.
Doing that will open a question of your own and notify all of the participants that you did so.
Question has a verified solution.