Antivirus uninstall & clean up tools

[Copernic Reporter]

Situation:

When you uninstalled antivirus products through Windows Programs list or Add/Remove Programs, the process failed.

1. All Symantec Removal Tools in One Page

2. Symantec Corporate Products Clean Up Tool

3. avast! uninstall utility

4. AV Uninstaller Tool - Download

5. BitDefender 7, 8, 9 uninstall tool

[HoodiBoY]

Thanx Dude 4 this tip.....!!!! :)

[techy07]

This will come in handy thanks

[HappyAndyK]

Nice. Thanx. Norton just doesnt install properly without this uninstaller.

[GrimReeper]

Thanks, I didn't know it was such a pain to uninstall a av but now I know if ever need to uninstall bitdefender. I've only ever needed to uninstall nod32 and kaspersky.

[APK]

How to clean yourself up? This absotively 100% freewares "toolkit" & process has helped me get thru over a 1,000 spyware/virus clean up calls!

(& I only recall "failing" on 3 of them using it, & imo? They were TRUE "rootkits" & not just trojans driven by a Ring 0/RPL 0/kernelmode driver, but a TRUE subverting of the OS from beneath it @ lower levels than THAT even)

Hopefully? It will yourself, as well, so... here goes:

==========

1.) Reboot your system to F8 @ startup "Windows Advanced Options" bootup menu that stops you during the boot sequence.

2.) There, choose "safemode with networking" (via the "Windows Advanced Options" menu you get presented with while tapping the F8 key repeatedly @ system startup).

3.) Once in safemode with networking Windows, download/install & RUN these tools (they are not much to look at, BUT, they do work on MOST threats today & get regularly updated):

a. Run IE, use its TOOLS menu, Manage Addons Submenu, & turn off ANY BHO etc. objects that you do NOT absolutely NEED, or know what they are (many malwares in the form of bogus toolbars or BHO (browser helper objects) often hide here).

b. Run msconfig.exe, & stall out ANY apps you do NOT absolutely NEED to run (many malware start here in fact). If you do NOT know the name of the program & what it does? Look it up on GOOGLE... same with BHO's above in IE.

c. GET SpyBot 1.51x (download & install)

d. GET ComboFix (download & install)

e. GET SmitFraudFix (download & install)

f. AVG AntiVirus (I suggest this one, because it is free, & just in case your antivirus solution is expired... if it is not expired, update the one you use. Keeping another around for a "2nd Dr.'s Opinion" is NOT a bad idea, BUT: ONLY RUN 1 OF THEM, "resident" (meaning runnings its background application & file scanning engine, usually implemented as a service + trayicon app). IMO, NOD32 is the best performer all-around in terms of antivirus programs. av-comparatives & vb100 tend to 2nd me here as well.

4.) Clean out your rig, running SpyBot, first (most of the threats today are SPYWARE related, or TROJANS, more than std. typical traditional viruses by the way).

5.) Then, run ComboFix (this will reset your webbrowser homepage & background desktop wallpaper, you will have to reset these, & possibly your date/time clock in Windows too).

6.) Then, run SmitFraudFix

7.) Reboot to "normal Windows" (no F8 stuff this round) - it MAY hesitate/be slower this bootup though, because SpyBot/ComboFix/SmitFraud do a 2nd look type check on bootup many times... so, be prepared for this part.

8.) Then, once in normal Windows again, scan with your AntiVirus solution (now fully updated hopefully & if not, do update it first & then scan).

* @ that point? You probably will have 'caught the culprits', OR, @ least have the name + location of any threats they could NOT eliminate... & here is where it gets REALLY "fun"...

==========

NOW, when you CAN'T remove a virus using "script kiddie automated tools" like those noted above (not putting them down calling them that because they ARE somebody's hard work & freely given time as well... but, they ARE that, because they're only automating what YOU can do, yourself, with other tools like msconfig/IE manage addons, & more tools like Process Explorer + regedit & explorer.exe (OR even Recovery Console) can allow YOU to do, yourself, albeit slower... the nice part about the automated killers like the tools I mention above, is that they operate FAR FASTER than human beings do).

-----

IF you can get its name, & location on disk say, via a report from AVG or other programs you use for this?

Boot your system from the OS install CD, & go to RECOVERY CONSOLE!

There, switch to the folder that houses it using CD (almost like DOS one, but uses .. ONLY, to switch to ancestor folder roots really (instead of \ etc. et al))!

Then, once you are in its folder, fry it then (nothing will be loading & thus, locking it, there) using the DEL command -> DEL filename.

----

It's THAT, or using Process Explorer in UserMode/Ring 3/RPL3 operation...

You would do a suspending the calling process via right click popup menu options for this it offers! Once the calling process is suspended (& many times, also the called or DLL injected library as well), you can delete ANY potential offending injected DLL/lib virus-trojan-spyware-malware being called by said parent process, on disk.

(This ia assuming this is a lib loaded virus/spyware/trojan/malware etc., not a standalone .exe type)

That's done via watching loaded DLL's that ANY app may have loaded presently (For that, you would have to use ProExp's CTRL+D keystroke shortcut, with the lower pane view present/visible, & set like that) IF there is one and this thing doesn't launch by itself from one of the registry RUN areas or startup groups that is...

Using Process Explorer can help!

(Again, especially if this is being run by "DLL Injection" (like an OLEServer being injected into a process via CLSIDs, shell extensions, or being run by rundll32.exe OR svchost.exe, process hosting executables that can spawn either .exe OR .dll/lib based ones)).

----

The easier/simpler route?

My first suggestion:

Use Recovery Console, once you have its name & location on disk... DEL command will take care of it, lickety-split, no-****.

APK

P.S. => Additionally:

IF you want to stay "safe?" online, especially today, after cleaning yourself up & setting a restore point (clean one)?

Try this:

https://www.neowin.net/forum/index.php?showtopic=602537

:))

* It works...

APK

[APK]

REVISION #1 - A BETTER ORDER, & SHORTER:

TRY THIS SET OF TOOLS & TECHNIQUES:

How to clean yourself up?

This "toolkit" & process has helped me get thru over a 1,000 spyware/virus clean up calls, & hopefully? It will yourself, as well, so... here goes:

==========

1.) Reboot your system to F8 @ startup "Windows Advanced Options" bootup menu that stops you during the boot sequence.

----

2.) There, choose "safemode with networking" (via the "Windows Advanced Options" menu you get presented with while tapping the F8 key repeatedly @ system startup).

----

3.) Once in safemode with networking Windows, download/install & RUN these tools (they are not much to look at, BUT, they do work on MOST threats today & get regularly updated):

a. Run IE, use its TOOLS menu, Manage Addons Submenu, & turn off ANY BHO etc. objects that you do NOT absolutely NEED, or know what they are (many malwares in the form of bogus toolbars or BHO (browser helper objects) often hide here).

b. Run msconfig.exe, & stall out ANY apps you do NOT absolutely NEED to run (many malware start here in fact). If you do NOT know the name of the program & what it does? Look it up on GOOGLE... same with BHO's above in IE.

c. DOWNLOAD & INSTALL SpyBot 1.51x

d. DOWNLOAD ComboFix (don't run it yet - there is no installer, it IS its own install + run package)

e. DOWNLOAD SmitFraudFix (which also has its own LSP (layered service provider fix I have heard tell), BUT, againL Don't run it yet - as AGAIN -> there is no installer, it IS its own install + run package)

----

4.) Clean out your rig, running SpyBot, first (most of the threats today are SPYWARE related, or TROJANS, more than std. typical traditional viruses by the way).

----

5.) Then, run ComboFix (this will reset your webbrowser homepage & background desktop wallpaper, you will have to reset these, & possibly your date/time clock in Windows too).

----

6.) Then, run SmitFraudFix

----

7.) Reboot to "normal Windows" (no F8 stuff this round) - it MAY hesitate/be slower this bootup though, because SpyBot/ComboFix/SmitFraud do a 2nd look type check on bootup many times... so, be prepared for this part.

----

8.) Then, once in normal Windows again, scan with your AntiVirus solution (now fully updated hopefully & if not, do update it first & then scan).

Good suggested FREE one, is AVG AntiVirus (I suggest this one, because it is free + complete w/ mail protection too that's decent enough, & just in case your antivirus solution is expired... if it is not expired, update the one you use. Keeping another around for a "2nd Dr.'s Opinion" is NOT a bad idea, BUT: ONLY RUN 1 OF THEM, "resident" (meaning runnings its background application & file scanning engine, usually implemented as a service + trayicon app). IMO, NOD32 is the best performer all-around in terms of antivirus programs. av-comparatives & vb100 tend to 2nd me here as well.

* @ that point? You probably will have 'caught the culprits', OR, @ least have the name + location of any threats they could NOT eliminate... & here is where it gets REALLY "fun"...

==========

NOW, when you CAN'T remove a virus using "script kiddie automated tools" like those noted above (not putting them down calling them that because they ARE somebody's hard work & freely given time as well... but, they ARE that, because they're only automating what YOU can do, yourself, with other tools like msconfig/IE manage addons, & more tools like Process Explorer + regedit & explorer.exe (OR even Recovery Console) can allow YOU to do, yourself, albeit slower... the nice part about the automated killers like the tools I mention above, is that they operate FAR FASTER than human beings do).

ANYHOW - IF you can get its name, & location on disk say, via a report from AVG or other programs you use for this?

Boot your system from the OS install CD, & go to RECOVERY CONSOLE!

There, switch to the folder that houses it using CD (almost like DOS one, but uses .. ONLY, to switch to ancestor folder roots really (instead of \ etc. et al))!

Then, once you are in its folder, fry it then (nothing will be loading & thus, locking it, there) using the DEL command -> DEL filename.

****

It's THAT, or using Process Explorer in UserMode/Ring 3/RPL3 operation...

You would do a suspending the calling process via right click popup menu options for this it offers! Once the calling process is suspended (& many times, also the called or DLL injected library as well), you can delete ANY potential offending injected DLL/lib virus-trojan-spyware-malware being called by said parent process, on disk.

(This ia assuming this is a lib loaded virus/spyware/trojan/malware etc., not a standalone .exe type)

That's done via watching loaded DLL's that ANY app may have loaded presently (For that, you would have to use ProExp's CTRL+D keystroke shortcut, with the lower pane view present/visible, & set like that) IF there is one and this thing doesn't launch by itself from one of the registry RUN areas or startup groups that is...

Using Process Explorer can help!

(Again, especially if this is being run by "DLL Injection" (like an OLEServer being injected into a process via CLSIDs, shell extensions, or being run by rundll32.exe OR svchost.exe, process hosting executables that can spawn either .exe OR .dll/lib based ones)).

****

The easier/simpler route?

My first suggestion:

Use Recovery Console, once you have its name & location on disk... DEL command will take care of it, lickety-split, no-$heet.

APK

P.S. => Additionally:

IF you want to stay "safe?" online, especially today, after cleaning yourself up & setting a restore point (clean one)?

Try this:

https://www.neowin.net/forum/index.php?showtopic=602537

:))

* It works...

[Delightus14]

thannkyou, ive always had crappy uninstallers. why do most companies always give crappy uninstallers ? isnt there just a way just do like get the installer, and reverse everything it does ?

plus deleting the temp files n shiz ?

[APK]

thannkyou,

Oh, you're welcome... & you make a point I missed in fact: About deleting browser "temp/cache" files! It's a GOOD MEASURE vs. today's online attack vectors in bogus .js files & such (javascripted OR other types of exploits) - kudos, to you!

ive always had crappy uninstallers. why do most companies always give crappy uninstallers ? isnt there just a way just do like get the installer, and reverse everything it does ?

Well, coming from experience as a developer (for 10 of my 15++ years in this field, professionally)? Many companies often "lay off" development teams (maybe keeping the senior/lead coder @ most), & this is the problem: I don't care WHO YOU ARE, it is nearly impossible to remember "all of your code you ever wrote" & especially, line-for-line.

It is bad enough being the actual coder of a program (OR, a dev team member), & going back to "older code" to patch it - let alone some new guy (usually a student, or someone who is desperate for a job & takes a HUGE paycut to make ends meet, & companies DO take advantage of these kinds of guys naturally (they are LOW COST)).

They have to LEARN all the code AND ITS MECHANICS/ENGINE/ALGORITHMS... takes time, & NO GUARANTEE of being fully correctly understood... thus, the problem imo?

Employee turnovers (specifically coding team members).

plus deleting the temp files n shiz ?

Great point, one I missed in fact!

:)

QUESTION:

May I credit you on other forums for this note, & insert you into those posts regarding this point, on other forums where this is located online?

(You make an EXCELLENT & SOLID POINT - Killing off %temp/tmp% environmental variable temporary operations areas' content, AND in your webbrowser caches too)

Thanks!

APK

[hm2k]

Do we have a removal tool for AVG?

Thanks.

[sayyakhan]

Thanks dude,

Kespersky's removal tool is also available.

[Srugie Veteran]

Do we have a removal tool for AVG?

Thanks.

Try this:

http://www.avg.com/download-tools

[.Kompressor]

I just had to use the Norton Removal Tool 2009 to get rid of NIS 2007 from the registry of an XP computer......because it won't let me install the new Symantec Endpoint until everything was gone.

http://service1.symantec.com/Support/tsgen...005033108162039

Or

ftp://ftp.symantec.com/public/english_us_.../removal_tools/

[kimsland]

McAfee Removal Tool

F-Secure Internet Security Uninstall Tool

ftp://ftp.f-secure.com/support/tools/uito...llationTool.exe

And\Or Here: ftp://ftp.f-secure.com/anti-virus/tools/removal/uninst23.zip

Viewpoint Removal Tool

Norton Removal tool or direct download h e r e

SUPERAntiSpyware Uninstaller Assistant

Spyware Sweeper Uninstall Tool, an older removal tool is Here

Uninstall Combofix: Start > Run > Combofix /U

* Start->Run-> C:\Program Files\Trend Micro\Internet Security 12\TISSuprt.exe

The Trend Micro Diagnostic Toolkit window will appear. Click on the Uninstall tab

Click on the Un-install button

Click on the Un-install button again when asked if you want to continue with the un-installation

Restart your computer

* Note: If the Trend Micro Diagnostic Toolkit window does not appear

Run: C:\Program Files\Trend Micro\Internet Security 12\PCCTool.exe

Or read here for more info: http://esupport.trendmicro.com/support/vie...p;id=EN-1036064

Norton Removal tool or direct download h e r e

AVG 32Bit uninstall (most users): http://www.avg.com/filedir/util/avg_arm_su.../avgremover.exe

AVG 64Bit uninstall: http://www.avg.com/filedir/util/avg_arv_su...gremoverx64.exe

By the way, this is what I prefer to use (and highly recommend)

Direct Download link for CCleaner: http://download.piriform.com/ccsetup220.exe

Direct download link for MalwareBytes: http://www.malwarebytes.org/mbam/program/mbam-setup.exe

Direct Download link for SUPERAntiSpyware: http://downloads.superantispyware.com/down...AntiSpyware.exe

Avira free AntiVirus: http://www.free-av.com/en/download/1/downl..._antivirus.html

Actually all of the above is free ;)

Edited June 2, 2009 by kimsland