problems uninstalling fsecure

Status
Not open for further replies.

ejames82

sis's computer is being uncooperative again.
first, fsecure was alerting us that the AV programme was expiring. sis had already purchased panda AV which was on a disk. i figured panda is good, when fsecure is definitely expired, i will uninstall it, make sure it's all deleted from the computer, and install the panda.
it went according to plan. i used add/remove to uninstall fsecure, then checked to see that it was gone, which it was. i also checked "all programs" just to be sure. installing panda went without a hitch.
about 6 weeks later, i checked her computer again and found the fsecure back in full force, except real-time scanning is off. panda is in the "all programs", but i don't think it loads. fsecure antivirus 2006 keeps coming back to the startup list after reboot. when i try to uninstall from add/remove, the screen flashes, then the hourglass disappears with no results. start>all programs>fsecure antivirus 2006 uninstall has no effect. i click on it, and it just disappears, as well.
i have included a hijackthis log, possibly fsecure can be removed manually this way, or insight can be gained using this tool. i will also attach an AVG antispyware log shortly, i will run a scan immediately after posting this. for some reason, AVG AS was not updating, but it was just installed.
thanks to howard, jobeard, rik, or kitty, in advance, or whoever gives me their expert advice, as they have done numerous times in the past.
 
CCT,
when i try to download the tool, it tells me that i have to log in. it gives me a window that requires me to enter a username and password. i entered a username and password, but it won't let me log in, either anonymously or otherwise.
the second section of the link instructs that i remove the programme via add/remove, which does not work. i have not attempted to make the changes to the registry, since i cannot remove the programme via add/remove.
i have included an AVG 7.5 log as i said i would.
i know i probably will have to call fsecure about this, if all else fails, i will do that, monday at the latest.
thanks for the reply.
 
Hi,

Try the following and let me know if it works.

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

F-Secure Anti-Virus 2006.lnk
F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822)
FSGKHS
fsbwsys
F-Secure Anti-Virus Firewall Daemon (FSDFWD)
F-Secure Management Agent (FSMA)


Go to start > Control Panel > Add and Remove Programs.
Remove anything and everything related to the following:

F-Secure

Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

fspex.exe
ieshield.dll
SERVIC~1.EXE
fsgk32st.exe
fsbwsys.exe
fsdfwd.exe
fsma32.exe


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll

O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE

Close HJT.

Navigate in Windows Explorer and delete the following files and folders in bold.

C:\Program Files\F-Secure Internet Security < Delete this entire folder

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post a fresh HJT log from normal mode as an attachment into this thread.


Regards,
Your friendly momok =)

This thread is for the use of ejames82 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
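
An added example, not part of the thread and not code from HijackThis: a small Python check that reads HijackThis-style log lines and lists the entries that still point into a removed product's folder (including 8.3 short names such as `F-SECU~1`) or that are marked "(file missing)" / "(no file)". The sample log reuses entries quoted in this thread plus two lines marked as constructed; the function names and the simplified 8.3 rule are assumptions of the example.

```python
import re

# A HijackThis entry is "<section> - <text>", e.g. "O4 - HKLM\..\Run: [...] ...".
LINE_RE = re.compile(r"^(O\d+|[RFN]\d+) - (.*)$")
# First Windows path in the entry, long or 8.3 form, ending in a file extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|lnk|htm)', re.IGNORECASE)
ORPHAN_MARKS = ("(file missing)", "(no file)")

# Folders the thread removes (assumption: matched by folder name only).
REMOVED_FOLDERS = ["F-Secure Internet Security", "AOL"]

# Entries quoted in this thread, plus two constructed lines that must NOT match.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\services.exe
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
"""
# Line 1 (a bare process path) and the ExampleApp line are constructed.


def short_prefix(name):
    """Simplified 8.3 alias prefix: first six non-space characters plus '~'.
    Names that already fit 8.3 have no alias, so None is returned."""
    if len(name) <= 8 and " " not in name:
        return None
    return name.replace(" ", "")[:6].upper() + "~"


def parse_line(line):
    """Return a dict for a HijackThis entry line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, text = m.groups()
    pm = PATH_RE.search(text)
    return {
        "section": section,
        "text": text,
        "path": pm.group(0) if pm else None,
        "orphaned": text.rstrip().endswith(ORPHAN_MARKS),
    }


def in_removed_folder(path, folders):
    """True if any path component is a removed folder or its 8.3 alias."""
    parts = path.upper().split("\\")
    for folder in folders:
        if folder.upper() in parts:
            return True
        prefix = short_prefix(folder)
        if prefix and any(p.startswith(prefix) for p in parts):
            return True
    return False


def remnants(log_text, folders):
    """Entries that are orphaned or still reference a removed folder."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["orphaned"] or (
            entry["path"] and in_removed_folder(entry["path"], folders)
        ):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in remnants(SAMPLE_LOG, REMOVED_FOLDERS):
        flag = "orphaned" if e["orphaned"] else "removed folder"
        print(f'{e["section"]:>3}  {flag:<14}  {e["text"]}')
```

Running it against a fresh log after each cleanup pass shows at a glance whether a System Restore has brought entries back.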
 
momok,
i wish i had known that you were going to deliver such an informative post. last night i searched for all the f-secure i could find and deleted it. i am sure, however, that i can take advantage of a lot of the help that you have given me.
f-secure still has entries in the system config, but i was finally able to remove it from add/remove. because of this, i was able to update the antivirus and antispyware programmes.
i am sure that there are entries in the task manager also, it totally slipped my mind to check there.
i am going to see what headway i can make with your info as soon as i post this, also nobody is allowed to use this computer except me, and this website is the only online use that is being allowed. please check back as i will let you know how i make out.
thanks.

edit.
i did everything in safe mode until the hijackthis, which was performed in normal mode. if i need to redo it in safe mode let me know, and i will give it a shot.
everything went as smooth as silk. i was pleasantly surprised to find that there were no fsecure entries in the task manager. most of fsecure was also gone from the hijackthis as well. here is a hijackthis after all the work was done.
could i be so bold to ask for help getting rid of aol using hijackthis. i spent over 2 hours deleting files with aol in the name, last night. i saw aol in at least one entry in the hijackthis log, and i would love to give them "the boot"
thanks again, and also thanks to CCT for his replies.
 
Hi,

You did it right. Now let's work on some remnants and aol.

Once again boot into safe mode.

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

AOL TopSpeed Monitor
AOL Connectivity Service


Go to start > Control Panel > Add and Remove Programs.
Remove anything related to the following:

AOL Toolbar/TopSpeedMonitor etc

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm

O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\Program Files\Common Files\AOL\

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT and also a ComboFix log from normal mode as attachments into this thread. The ComboFix log would allow me to double-confirm that those unwanted programs are gone from your system.


Regards,
Your friendly momok =)

 
momok,
it looks like everything went well with the elimination of fsecure, but there are still entries in the system config>startup, though there is no check in the box.
to complicate matters, for some bizarre reason she has no internet service. it was fine when i posted my reply to you last night. i am on my other sisters computer right now, which is just up the road, so the problem is in their cable line.
i think i can still do what you advise without the internet connection, or at least i will go as far as i can. sorry for the late reply, for i just got home from work.
please check back to my post again. i will let you know how it goes.
thanks again.
 
No problem.
Regarding entries in the system config startup, those are simply remaining empty registry keys. No worries about those. You'll find the location in the registry stated beside the entry. Delete if you wish.


Regards,
Your friendly momok =)

 
momok,
removing the entries from the system config sounds easy, now that you have explained it.
internet is up and running again. this happened to me on my own computer once, there's a button that needs to be pushed on the modem.
it appears that all the info you gave me yesterday was usable, even without the internet connection. it worked fine.
included are hijackthis and combofix logs. i know that there is no antivirus and firewall. they will be installed shortly. i wanted to be sure that all remnants of fsecure were gone before i attempt to install the panda again. the panda is a suite with antivirus, antispyware, and firewall. other than this website, no internet activity is taking place with this computer.
please check back. i will keep you informed of my progress.
thanks again.

edit.
what is given in the system config is this:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

the registry starts with this:

HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG

i don't know where to begin. i realize how important it is not to mess up the registry, so i thought it was best to leave it alone until i get some expert advice from you.
thanks again.
 
Hi,

I've provided you the locations for deleting those unwanted entries.

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^F-Secure Anti-Virus 2006.lnk

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\
(within this delete the following)
AOL Fast Start
AOL Spyware Protection
AOLDialer
F-Secure Manager
F-Secure Startup Wizard
F-Secure TNB
HostManager

Note the root directories in bold. The entries are within those directories, but you'll have to weed out the individual entries.

With regards to your choice of firewall and antivirus, I would say that it is normally not good to leave everything in the hands of one program or security suite.

Here are some recommended free software and links to them. You can choose to use some of them to complement your security suite, or replace certain features of your security suite.

For antivirus, please use one and only one. Using more than one is not recommended as it may cause serious conflicts in your system.
AVG free
Avast

For firewalls please use one and only one. Using more than one is not recommended as it will hog your system resources.
Zonealarm
Kerio
Comodo

Here are some other miscellaneous programs which I recommend.
Spybot Search & Destroy. < use this gem if you have no other real time monitoring programs such as spyware doctor.
Ccleaner.


Regards,
Your friendly momok =)

 
momok,
i screwed up. i attempted to do an online scan with kaspersky and the cursor froze. i was lucky that i was able to do a system restore with the keyboard. it set me back to the point where fsecure is back on the add/remove and i can't remove it the usual way.
sorry for the inconvenience. i learned my lesson from this one.

the task manager has these entries:

FSM32.EXE instead of fsma32.exe is this file related to fsecure? FSM32.EXE?
services.exe i don't think is related to fsecure. you say look for SERVIC~1.EXE am i correct that these are totally different? do not touch services.exe?

since this changes what should be in the registry, i have not made the changes there. my bad. i know these changes eventually need to be made, however, just not yet.

i have included hijackthis and combofix logs, which were just made. they should get me back to where i should be.
once again i appreciate what you have done.
 
Hi,

No worries about that. Let's use avenger this time to help speed things up a little.

Please follow these instructions carefully.

1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached "avengerscript.txt" (from my attachment) and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the attachment avengerscript.txt you have just downloaded, click on it and press open.
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Have HijackThis fix the following entries (if you find them):

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b

6. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and ComboFix log.


Regards,
Your friendly momok =)

 

Attachments

  • avangerscript.txt
    1.4 KB · Views: 5
momok,
i forgot to mention that i agree with you about having differing programmes, versus a suite. sometimes suites work. i have a bitdefender disk that i offered sis, but she wants to try the panda that she paid $70 for. she is not adamant. she says give it a try, and if it doesn't work, try something else. personally i prefer kaspersky. i bought a 3 year deal with them that was strictly antivirus. they have excellent customer support on the phone.
error messages popped up during avenger. however, it still completed its tasks, as far as i could tell.
included are avenger, combofix, and hijackthis logs, made today. if i have forgotten anything, please let me know.
thanks again.
 
Hi,

No worries about the error messages. It did what it was supposed to do. I realised I left out a few entries, I apologize for that.

Boot into safe mode as previously and unhide all your files.

Go to start > Run > services.msc

Search for and stop the following services. Disable them from startup too.
HostManager
AOL Spyware Protection
AOL Fast Start


Go to Control Panel and uninstall anything related to the following:
AOL Spyware Protection
AOL Fast Start

etc

Have HijackThis fix the following entries:

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138063953\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b


Navigate in windows explorer and delete the following folders:
C:\Program Files\Common Files\aolshare
C:\Program Files\Common Files\AOL\
C:\Program Files\America Online 9.0b

Lastly, use regedit and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete the entry: HostManager

Reboot into safe mode and rehide your files.

Please attach a new HijackThis log after doing the above.


Regards,
Your friendly momok =)

 
momok,
you are helping me. no need to apologize.
i did another system restore when the mouse froze again. it turns out that the batteries in the mouse were weak. i have never owned a battery powered mouse. this is sis's mouse, sis inherited it from dad, who recently passed away, it's hard to be mad about it. i'm frustrated, but glad that i found the cause of the problem. here's where i stand, and what i've done.
run>services.msc, and stopped, and disabled, apply>ok all fsecure and aol files and processes, from all your posts.
add/remove aol, but fsecure remains. i deleted a bunch of fsecure files before to get rid of the fsecure, but due to the mouse/system restore problem, fsecure remains. simply deleting fsecure from program files or common files doesn't work.
hijackthis removed a lot, though some still remains.
aol doesn't seem hard to delete at all, except aolshare, which remains.
i'm sure i've forgotten a little, but that is the gist of it.
here are combofix and hijackthis logs. if you need an avenger log, please let me know, or if i have forgotten anything. with all that has happened it is easy to forget. once again, thank you so much.
 
Oh no, why ever did you do a system restore? Seems like a lot of stuff is back.

Please follow these instructions carefully.

1. Download the attached "ejamesscript.txt" (from my attachment) and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Boot into safe mode and unhide all files and folders. Go to Add&Remove programs and remove anything related to the following:

Viewpoint
AOL
F Secure


If you booted into safe mode by checking '/safeboot' through msconfig, uncheck that now so your next boot is in normal mode. Do not restart yet.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the attachment ejamesscript.txt you have just downloaded, click on it and press open.
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and ComboFix log.


Regards,
Your friendly momok =)

 
momok,
i didn't want to system restore, but i am somewhat a newbie. i didn't know what else to do. the mouse just froze and wouldn't move. sorry.
there was also a problem with safe mode. it froze again. i wonder if the computer may be overheating. i left the computer on overnight so as not to interrupt the work we are doing.
all your instructions went without a hitch, except deleting fsecure from add/remove. the last time i managed to delete it, i manually deleted all the fsecure files i could find. i remember that there was one i could not delete, but i can't remember the name of it. i am prepared to do that again if you suggest.
included are avenger, combofix, and hijackthis logs, just made.
thanks again.
 
Hi,

No worries about that. From your logs, I do not see any traces of fsecure or aol left.

You may also delete c:\avenger and C:\avenger(2) folders and their contents.

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

 
momok,
if i have a choice, i am not letting you get away just yet.
i deleted fsecure files, not many left, and removed fsecure from add/remove.
i attempted to get in the registry to see what changes i could make in there. this path:

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^F-Secure Anti-Virus 2006.lnk

startupfolder opened, but did not offer me anything related to C:^Documents and Settings^All Users^Start Menu^Programs^Startup^F-Secure Anti-Virus 2006.lnk. it said something like "default" or "no value set" in the right-hand pane. i didn't know how to find any other info at that location, so i didn't think there was anything there.

same thing with this path:

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\

this path didn't contain any fsecure or aol (Host Manager):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete the entry: HostManager

i did find fsecure and aol in the registry here:
HKEY_LOCAL_MACHINE\SOFTWARE
also i found netscape, symantec, and viewpoint here. can i delete these entries at this location? can i delete aol, fsecure, netscape, earthlink, symantec, and viewpoint, entries, anywhere i find them? i have discovered the convenient "find" feature that exists there in the registry.
i haven't done any of this yet, and won't unless you give me the ok.
i am very grateful for your help.
 
Hi,

Ah yes, the find feature is very convenient. You may delete all fsecure, aol and viewpoint entries that you find since the programs have been removed from your system. With regards to the others however, I do not know if the software still resides in your system and whether you use them. Removing the wrong keys would cause these programs to not function properly.

If you wish to remove them, but have troubles with the usual uninstall method, let me know and I'll help you. For Norton/Symantec, do check out our sticky on removing it HERE.

Regards,
Your friendly momok =)
 
momok,
you are indeed an asset to techspot, along with many others that have helped me. thanks again, and if i have any other problems, i will give you a holler.
 
Hi,

Thank you for the kind comments. (lol I initially misread it as you would give me a dollar)

Regards,
Your friendly momok =)
 