11.11.2009 20:53
Post #1
Member | Group: Members | Posts: 46 | Joined: 5.07.2007 | From: SF Bay Area

Trying to upgrade from 2010.463 to 736. I'm having all the same problems PeterR is having.

I've used KISGetSystemInfo along with www.kaspersky.fr (the parser) I don't know how many times. Have removed everything 'suspicious' and have worked a lot with the list labelled as 'unknow'.

This seems to be the relevant part (the failure) in the LOG file:

QUOTE
```
Property(S): OSFORUPDATER = Win-XP-SP3
Property(S): SourcedirProduct = {9D8B0949-7C47-476F-9F06-F900D3B078EA}
Property(S): SOURCEDIR = C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\
MSI (s) (E8:AC) [23:13:57:796]: MainEngineThread is returning 1603
MSI (s) (E8:AC) [23:13:57:906]: Destroying RemoteAPI object.
MSI (s) (E8:80) [23:13:57:906]: Custom Action Manager thread ending.
MSI (c) (F8:6C) [23:13:57:953]: Back from server. Return value: 1603
MSI (c) (F8:6C) [23:13:57:953]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (F8:6C) [23:13:57:953]: PROPERTY CHANGE: Deleting SECONDSEQUENCE property. Its current value is '1'.
Action ended 23:13:57: ExecuteAction. Return value 3.
MSI (c) (F8:6C) [23:13:57:953]: Doing action: FatalError
Action 23:13:57: FatalError.
Action start 23:13:57: FatalError.
Action 23:13:57: FatalError. Dialog created
```

MSI 1603 error - I've also googled for that. Downloaded and used MS' Windows Install Clean Up tool (that's how I finally removed the Windows Defender Defn files). All, as yet, to no avail.

As I've been looking through the boards, it seems the problem (and that I saw) is that the rootkit scanner in 463 would run crazy at times (more-and-more often over time) and consume your whole cpu (I have a single core). It was certainly an unpleasant problem.

I suppose I should be able to find it myself but where is the download for the 463 installer? Aside from anything else, it seems one other thing to try is to completely reinstall and uninstall 463 again. Sigh.

pat
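
An added example, not part of the original thread or any Kaspersky tooling: a small triage script for a verbose Windows Installer log like the excerpt in post #1. It pulls out the installer exit code, every action that ended with "Return value 3" (fatal error), and the lines just before the first such action, which is where the cause is usually logged. The function name `triage` and the action name `ExampleCustomAction` are assumptions made for the illustration.

```python
import re

# Meaning of the per-action "Return value N" that Windows Installer logs.
ACTION_RESULTS = {0: "not run", 1: "success", 2: "user cancelled", 3: "fatal error"}

ACTION_END = re.compile(r"^Action ended (\d+:\d+:\d+): (\w+)\. Return value (\d)\.")
ENGINE_RC = re.compile(r"MainEngineThread is returning (\d+)")
PROPERTY = re.compile(r"^Property\([SC]\): (\w+) = (.*)$")

# Sample input. The first two lines are constructed (hypothetical action name);
# the remaining lines are copied from the excerpt in post #1.
SAMPLE_LOG = r"""
Action start 23:13:40: ExampleCustomAction.
Action ended 23:13:41: ExampleCustomAction. Return value 3.
Property(S): OSFORUPDATER = Win-XP-SP3
MSI (s) (E8:AC) [23:13:57:796]: MainEngineThread is returning 1603
MSI (c) (F8:6C) [23:13:57:953]: Back from server. Return value: 1603
Action ended 23:13:57: ExecuteAction. Return value 3.
MSI (c) (F8:6C) [23:13:57:953]: Doing action: FatalError
"""

def triage(log_text, context=3):
    """Summarise a verbose MSI log: exit code, failed actions, properties."""
    lines = [ln.strip() for ln in log_text.strip().splitlines()]
    report = {"engine_rc": None, "failed_actions": [], "context": [], "properties": {}}
    for i, line in enumerate(lines):
        if m := ENGINE_RC.search(line):
            report["engine_rc"] = int(m.group(1))
        elif m := ACTION_END.match(line):
            if int(m.group(3)) == 3:
                if not report["failed_actions"]:
                    # The first fatal action is usually the one to investigate;
                    # outer actions such as ExecuteAction fail as a consequence.
                    report["context"] = lines[max(0, i - context):i]
                report["failed_actions"].append((m.group(1), m.group(2)))
        elif m := PROPERTY.match(line):
            report["properties"][m.group(1)] = m.group(2)
    return report

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("installer exit code:", r["engine_rc"])
    for when, name in r["failed_actions"]:
        print(f"{when}  {name}: {ACTION_RESULTS[3]}")
    print("lines before first failure:", *r["context"], sep="\n  ")
```

Logs written by `msiexec /l*v` are usually UTF-16, so a real file should be read with `open(path, encoding="utf-16")` before passing its text to `triage`.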

11.11.2009 21:11
Post #2
Newbie | Group: Members | Posts: 4 | Joined: 11.11.2009

I had similar issues when updating my KIS; however, I have 2 different licences, 1 from UK and 1 from North America. My issue was with my UK laptop, so I uninstalled KIS (originally from UK but updated from US website), went to UK website, downloaded updated KIS and it seems fine now.

Coincidence?

12.11.2009 04:26
Post #3
Member | Group: Members | Posts: 46 | Joined: 5.07.2007 | From: SF Bay Area

I've continued trying all kinds of things today. Reinstalled 463; then uninstalled it. And retried 765 - it still rolls back (fails).

fwiw here's a GSI log I made a short while ago. http://www.getsysteminfo.com/read.php?file...5da2dca24293843

12.11.2009 04:43
Post #4
Helper | Group: Global moderators | Posts: 1009773 | Joined: 14.06.2007

1) Free up an additional 5 GB of disk space on C, and then do two defrags.
2) Follow the instructions found in post #4.
3) Please attach the zipped virusinfo_syscure.zip; instructions, see: http://forum.kaspersky.com/index.php?s=&am...st&p=678334

--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.

12.11.2009 06:40
Post #5
Member | Group: Members | Posts: 46 | Joined: 5.07.2007 | From: SF Bay Area

Did #s 1 and 2.
#3 attached.

12.11.2009 06:59
Post #6
Helper | Group: Global moderators | Posts: 1009773 | Joined: 14.06.2007

Run this script, instructions: http://forum.kaspersky.com/index.php?s=&am...st&p=678368 PC will reboot:

CODE
```
begin
 SetAVZGuardStatus(True);
 SearchRootkit(true, true);
 QuarantineFile('C:\DOCUME~1\Pat\LOCALS~1\Temp\RWSRTECRIOTU.exe','');
 DeleteService('RWSRTECRIOTU');
 StopService('RWSRTECRIOTU');
 QuarantineFile('C:\DOCUME~1\Pat\LOCALS~1\Temp\RQRFCPD.exe','');
 DeleteService('RQRFCPD');
 StopService('RQRFCPD');
 DeleteFile('C:\DOCUME~1\Pat\LOCALS~1\Temp\RQRFCPD.exe');
 DeleteFile('C:\DOCUME~1\Pat\LOCALS~1\Temp\RWSRTECRIOTU.exe');
 BC_ImportDeletedList;
 ExecuteSysClean;
 BC_Activate;
 RebootWindows(true);
end.
```

After running the script, attach a Combofix log; please review and follow these instructions carefully.

Before saving Combofix to the Desktop, please rename combofix to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning; do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

Download Combofix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

12.11.2009 07:09
Post #7
Member | Group: Members | Posts: 46 | Joined: 5.07.2007 | From: SF Bay Area

Hi,

I'm curious. So what's with all the RWSRTE* stuff? I.e. what is it? I'll follow your instructions of course, but my curiosity has been piqued.

12.11.2009 07:56
Post #8
Member | Group: Members | Posts: 46 | Joined: 5.07.2007 | From: SF Bay Area

A snag (problem).

Ran the AVZ script; machine rebooted. Started 123.exe (combofix). Its second dialog told me that I have Avira Antivir running and I need to stop this. I'm familiar with the piece of software. It's on a different computer that I own. But I didn't think it was on this computer at all. Searched. Taskmgr, sysinternals' procexp.exe, services.msc, checked for an Avira folder under c:\program files. Nothing. So I'll hold up for the moment and see what advice you might give.

12.11.2009 08:02
Post #9
Member | Group: Members | Posts: 46 | Joined: 5.07.2007 | From: SF Bay Area

Maybe I should run in Windows Safe Mode?

12.11.2009 08:12
Post #10
Member | Group: Members | Posts: 46 | Joined: 5.07.2007 | From: SF Bay Area

Ah. Going back to here virusinfo_syscure.htm

I can see that there's a reference in the registry to its control panel file (avconfig.cpl). I'll delete that from the registry (with regedit) then try combofix again.

12.11.2009 08:18
Post #11
Helper | Group: Global moderators | Posts: 1009773 | Joined: 14.06.2007

Safe mode is a worthy try. If you are absolutely sure that Avira is not running, and that Avira leftovers are not present, then go ahead with Combofix.

12.11.2009 09:03
Post #12
Member | Group: Members | Posts: 46 | Joined: 5.07.2007 | From: SF Bay Area

12.11.2009 09:14
Post #13
Member | Group: Members | Posts: 46 | Joined: 5.07.2007 | From: SF Bay Area

hmm - fixmbr recommended. That doesn't sound good.

12.11.2009 09:18
Post #14
Member | Group: Members | Posts: 46 | Joined: 5.07.2007 | From: SF Bay Area

And I'm not running an instance of KIS at the moment. I was running (2010) 463 - that's now uninstalled. But I haven't been able to install 736 - maybe I can install that now (?).

Although if I have a fixmbr coming up, maybe I should wait. I'm indulging in Safe Browsing for the moment. And of course no downloads.

12.11.2009 09:50
Post #15
Helper | Group: Global moderators | Posts: 1009773 | Joined: 14.06.2007

Run this one:

CODE
```
begin
 CreateQurantineArchive('c:\quarantine.zip');
end.
```

A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/ Then, Private Message me the download link to the uploaded file. Click my user name and select Send message.

Lastly, uninstall Combofix by: Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok.

Also, if you use Windows System Restore, turn it off > reboot. This is to remove malware from system volume information files. Then turn System Restore back on, if you wish. How to turn it off/on: http://support.kaspersky.com/faq/?qid=208279208

Also, scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php Update it first, scan and attach its log, but please don't fix anything yet, until the log is reviewed.

You can try to install Kaspersky, and to use "Recovery Console" command "fixmbr".

12.11.2009 10:04
Post #16
Member | Group: Members | Posts: 46 | Joined: 5.07.2007 | From: SF Bay Area

OK - thanx. That'll have to be tmw. Going to bed now. I'm in 'GMT-8' (I believe).

And turn my machine off before going to sleep that is.

This post has been edited by patfla: 12.11.2009 10:05

13.11.2009 08:46
Post #17
Member | Group: Members | Posts: 46 | Joined: 5.07.2007 | From: SF Bay Area

Malwarebyte LOG attached.

13.11.2009 09:12
Post #18
Helper | Group: Global moderators | Posts: 1009773 | Joined: 14.06.2007

Do not fix this detection: netcat\nc.exe, if the application is from the official source.

Go ahead and try to install Kaspersky.

13.11.2009 09:37
Post #19
Member | Group: Members | Posts: 46 | Joined: 5.07.2007 | From: SF Bay Area

No, the install failed. Rolled back yet again.

13.11.2009 10:00
Post #20
Helper | Group: Global moderators | Posts: 1009773 | Joined: 14.06.2007

Run through these three steps in order, and if still no go, contact Tech Support, link is at upper left of this forum page.

1) Make sure you have your Activation Code handy first, then (if applicable) right click the K icon and select Exit, then run the removal tool: http://support.kaspersky.com/faq/?qid=208279463 Scroll down to and follow the Command parameter instructions. Use the command parameter for each and every product and version that you ever had installed and attempted to install. Reboot after tool use. Then download a fresh distributive of the installer from links contained here: http://forum.kaspersky.com/index.php?showtopic=140856
2) Run this zip file, but do not reboot after running it: http://www.kaspersky.com/support/kolt?eid=207694096
3) Windows Control panel and in Folder options, View tab, Show hidden files > ok, and then refresh the infcache. Delete infcache.1, located at C:\Windows\inf\infcache.1
4) Then try install again, but please with no reboot from step 2 to step 4.