MSAS Beta cannot be removed from XP Home Edition SP2

J

Joe

Someone installed a Feb 8 2000 version along with
installing Norton Internet Security 2005 the same day on
a friend's PC.

Of course, it suffered from the Processor cycle runaway
and Virtual Memory flooding caused by "gcas Process",
which I killed using Task Manager,and removed from
msconfig startup.

XP HOME SP2 on DELL 4000 (?). Running in ADMIN mode.
(a) Tried ADD/REMOVE programs in Control Panel,
(b) UNINSTALL module under PROGRAMS MSAS entry,
(c) tried SAFE MODE (ADD/REMOVE Programs - XP message:
not allowed in SAFE MODE or MS Installer not correctly
installed).
(d) tried download latest Beta (Feb 16), can't be removed
(e) downloaded and ran Microsoft Installer Cleanup - no
change
(f) re-activated gcas module in msconfig startup, after
installing newer Beta, and still can't remove MSAS from
Programs.

Every attempt to remove AntiSpyware, gives: "
ERROR: gcasInstallHelp.exe #2753 Internal Error"
Also, got (101) error after downloading the newer Beta,
which still can't be removed.

Since it corrupted some of the SP2 security and
firewall settings, I decided to reinstall WIN-XP HOME
Edition.
Did this twice - a repair install, and an UPGRADE install
with SR2 updates applied.
Still can't remove MSAS.

Restore points were erased by first XP reinstallation, so
that is not an option.

It does not run, can't be de-installed, and has killed
Norton Inernet Security 2005, at the same time.

MSAS worked just fine on my own XP Pro SP2, and I really
liked it, but after this experience trying to recover my
friend's PC for 3 long days, by extracting XP from the
tentacles of MSAS, I decided to remove it from my own PC -
luckily, that de-install worked fine.

I am desperate for a fix to remove this dangerous
program from WIN XP (short of reformatting my friend's
hard drive).

Begging for any other methods.
Thanks
 
J

John

NIS 2005 has some very unfriendly behavior toward this product as well as
other behavior problems - try uninstalling NIS 2005 completely and then try
your removal processes again. In fact, try reinstalling without NIS
interference and see what happens. You might be surprised. Then, only
reinstall NIS 2005 for anti-virus support.

Don't give up, it can be fixed.
 
J

Joe

Don't if my previus transmission got through - the
keyboard launched the post before I was finished typing.
Probably didn't enter s Sender Name, before it launched,
so maybe it will get trashed, instead.
 
J

JOE

Thanks for the encouragement, John. Sorry for these
(repeated) posted segments - (I did it twice so far) - my
fingers on the keyboard somehow seem to launch a post,
before I have finished typing. This time I am using
Outlook Express to create the post which I will paste
into the forum window.

I really liked the MSAS product, but it's actions
scared the heck out of me. To summarize, the PC I am
helping rescue, was running AVG & Zone Alarm for a couple
of years, until a "helper", decided to install Norton
Internet Security 20005 "along with" Microsoft
AntiSpyware (MSAS), beta. The PC's other user, of course,
has downloaded various "internet toys", so I can't say if
they had any added effect, but the system was stable for
2 years, and was on XP-SP2 at the time of the disaster.

I suspect that NIS was installed first and MSAS
thereafter in the same session, since one of the logs had
a record of MSAS running the day following installations,
likely a scheduled system scan - then there were no
records of MSAS after that. It may be that when it ran,
it severely damaged both NIS and itself - now, neither of
these two applications can be uninstalled, while others
still can. The two seem to be in what we used to call in
EDP days, "a deadly embrace".

When I got called for help, WIN XP was running at
100% CPU and Virtual Memory ramped steadily towards
filling the disk. The only way to get any work done was
to kill the (Feb 8/2005 verson) "gcas?" process using XP
Task Manager.

It appears that MSAS has done some major surgery to
the XP installation's "Security Settings", perhaps
killing some/all Certificates, and disabling ACTIVEX, and
access to certain websites. For example, I couldn't make
the WINDOWS UPDATE (WU) site work successfully, so I had
to download the XP SP2 file from their download page,
and install it on the newly reinstalled XP HOME Edition,
from hard drive. Reading forum posts about WU, many
people have had their ACTIVE-X and other web settings
reset, some of these people also refer to MSAS. I need to
check that out to get WU working again, as it had been
before MSAS. NIS 2005 Folder contains ONLY Norton
Antivirus - none of the other NIS modules. It can't be
uninstalled, by any method I have tried, and can't be re-
installed from CD, nothing happens. Running the NAV scan,
it doesn't even launch - completely dead. MSAS won't
unload, but did download it's beta update. Tried to
rename the program folder to "MSAS BETA", and to
uninstall it again, or download a fresh version - but it
would not recreate a new healthy version folder. Somehow
it knows that it's former self still exists in the
renamed folder, so that is where it likely updated the
files anyway.

I have also been getting "Microsoft Installer" errors
(message saying it needs to be registered, or installed
from SETUP), on login, from NIS 2005, trying to launch
itself. I don't want to install XP a third time in as
many days, to get the MSI working - got to be an easier
way to patch it up.

If I could just somehow "unload" MSAS and NIS 2005,
to be able to start over with a fresh install, I think
the problem might go away. She also purchased a copy of
NORTON SYSTEMWORKS 2005, before telling me about
this "train wreck". Although I am "reluctant" to feed
MSAS with another Norton Product to satisfy it's
rapacious appetite, perhaps the NSW's 2005 One Button
Cleanup Utlity, might cleanse a screwed up registry?
Might this help fix the uninstall problem by relinking
lost threads, or is that wishful thinking? Any opinion on
this approach?

One observation - although NIS 2005 (actually just
NAV), doesn't launch, neither does MSAS - there are no
icons, etc. when I launch it from Programs. It just runs
like heck, in background, without any screens. Could that
be because it ate the MSI Microsoft Installer that would
hav popped up it's usual screens? Also, the FEB 16 newer
version only hogs 85% or so, of CPU cycles, but leaves
the virtual memory alone, which is a Good Thing. Still, I
wonder WHAT it was doing so busily, until I killed it's
process again, after about 10 minutes of no information
on why it was thrashing about. As I said - scarry.

Any further "uninstallation advice" would be most
welcome. I just want MSAS and NIS 2005 off my PC, in
order to start fresh.

Joe
 
J

JOE

-----Original Message-----
NIS 2005 has some very unfriendly behavior toward this product as well as
other behavior problems - try uninstalling NIS 2005 completely and then try
your removal processes again. In fact, try reinstalling without NIS
interference and see what happens. You might be surprised. Then, only
reinstall NIS 2005 for anti-virus support.

Don't give up, it can be fixed.

*************************

Hi John,

After posting my response to you, I did a search on
the SYMANTEC website for "Microsoft AntiSpyware", and
strangely enough there are 2 Trojan Horses already that
can affect this product:

The second one steals banking passwords when you logon to
XP etc.

However, the first one, KillAV.E messes with Windows
Update. Both of these Trojan Horses
use "GCASINSTALLHELPER" which makes me wonder if
the "Internal ERRR # 2753", I keep getting when I try to
uninstall Microsoft AntiSpyware, may have something to do
with this problem of being unable to uninstall it
and "coincidentally", Norton Antivirus in the newly
installed Norton Internet Security.

Coincidentally, these TROJANS that target Microsoft
AntiSpyware, were just discovered Feb 10 and Feb 15,
2005 - which was between the dates the PC installed NIS
2005 & MSAS, and the date I started debugging. It would
have even nice if Microsoft had posted some kind of
warning themselves about this specific possible threat
to Beta Testers.

That may be my own "clutching at straws", but
perhaps not totally impossible, since nothing but these
two apps, and also Internet Explorer's access to Windows
Update - changed when this PC's NIS 2005 and MSAS were
installed the same day, in the exact timeframe.

Meanwhile, there is a huge multi-page set of
instructions on Symantec's website, on how to remove
a "stuck" NIS or other of their Norton products, that
can't be removed using regular ADD/REMOVE Programs method.

Just a head-up to others, about doing a virus scan,
possibly one like Symantec's on-line website version,
before perhaps installing MSAS, or Downloading and
Updating it.

Anyway , that is a lead I will pursue next week.

If anyone can think of a similar set of procedures to
remove MSAS without ADD/REMOVE programs I would be most
grateful.

Joe

**************************************

(a) Trojan KillAV.E

Trojan.KillAV.E is a Trojan horse that installs a Browser
Helper Object (BHO) and disables security software. The
installed BHO causes the browser to download pornographic
dialers. The Trojan may also attempt to download a
password stealer for financial Web sites.

Type: Trojan Horse
Infection Length: 14,848 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98,
Windows NT, Windows Server 2003, Windows XP


Terminates the following processes:

NMAIN.EXE
SYMLCSVC.EXE
NAVAPSVC.EXE
CCSETMGR.EXE
SAVSCAN.EXE
CCEVTMGR.EXE
CCAPP.EXE
MCSHIELD.EXE
GIANTANTISPYWAREUPDATER
AVCONSOL.EXE
GIANTANTISPYWAREMAIN
VSMAIN.EXE
GCIPTOHOSTQUEUE
VSHWIN32.EXE
GCASSWUPDATER
AVSYNMGR.EXE
GCASSERVALERT
QCLEAN.EXE
KAVSVC.EXE
KAVSEND.EXE
KAV.EXE
GCASSERV
GCASNOTICE
RULAUNCH.EXE
VSSTAT.EXE
GCASINSTALLHELPER
ALOGSERV.EXE
GCASDTSERV
GCASCLEANER



Searches the infected computer for the following files
and deletes any that it finds:

C:\Program Files\Norton Antivirus\*.*
C:\Program Files\Common Files\Network Associates\*.*
C:\Program Files\McAfee\*.*
C:\Program Files\Kaspersky Lab\*.*
C:\Program Files\Microsoft AntiSpyware\*.*

Deletes the startup registry entry for any antivirus
programs that are installed on the infected computer, so
the programs will no longer automatically run when
Windows starts.

Note: The startup entry is usually located in one of the
following registry subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi
on\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersio
n\Run

May download a file and save it as %System%
\wupdate\flagdata.txt.

*************************
(b) Trojan PWSteal.Bankash.A

PWSteal.Bankash.A
Discovered on: February 10, 2005
Last Updated on: February 10, 2005 12:59:00 PM

PWSteal.Bankash.A is a password-stealing Trojan horse
that attempts to log usernames and passwords from certain
financial Web sites. The Trojan will also attempt
to "disable Microsoft's AntiSpyware software".

Note: Virus definitions released prior to February 10,
2005 may detect this threat as PWSteal.Trojan.


Also Known As: Trojan-Downloader.Win32.Small.ain
[Kaspersky Lab], PWS-Banker.j [McAfee], Troj/BankAsh-A
[Sophos]

Type: Trojan Horse
Infection Length: 171,008 bytes



Systems Affected: Windows 2000, Windows 95, Windows 98,
Windows Me, Windows NT, Windows Server 2003, Windows XP





Ends the following processes, which are part of the
Microsoft AntiSpyware application:

GCASCLEANER
GCASDTSERV
GCASINSTALLHELPER
GCASNOTICE
GCASSERV
GCASSERVALERT
GCASSWUPDATER
GCIPTOHOSTQUEUE
GIANTANTISPYWAREMAIN
GIANTANTISPYWAREUPDATER

Deletes all the files in the C:\Program Files\Microsoft
AntiSpyware folder.

Prevents users from viewing warning messages from the
Microsoft AntiSpyware application.

Modifies the Hosts file to prevent access to several Web
sites.

**************** end ******
 
J

John

Joe,

You are on the right track. Let's get NIS 2005 cleaned oof completely - you
may need to go the www.macecraft.com and download/use their RegSupreme to do
some registry cleaning. Symantec does make a utility of sorts to help clean
their messes up - I'll send the link if I find it. I would also shutdown or
even uninstall ZoneAlarm for now. Get AVG uninstalled too if it is still on
there. Uninstall any junk programs and fluff stuff so you can make a clean
sweep.

Empty out your temp files under My Documents and Settings/"user accounts"
for your account and anyone elses.
Clean out the internet temp files cache and clean out the temp under the
windows directory.

Once you have Norton/Symantec completely off (don't forget LiveUpdate), try
reinstalling MSAS and then uninstall MSAS from add/remove just to see if it
will install and uninstall cleanly. If that seems to be successful, then
clean up the registry, reinstall MSAS, run twice from safe mode and see what
that reports.

Then, reinstall antivirus only and see if they play nice. Then ZoneAlarm.

Oh BTW: Be sure you are not connecting to the internet while your firewall
and antivirus are offline.

JohnF.
 
B

Bill Sanderson

Thanks for this post Joe.

I've posted instructions that I think will do what you want with Microsoft
Antispyware in response to other messages of yours.

However, I'd strongly recommend doing a complete scan with an antivirus with
current definitions at this point. Since this one attempts to disable
Symantec, and since I don't immediately spot Trend Micro's executables in
the list, you might try Trend Micro's online scan:

http://housecall.antivirus.com.

I was not aware of this bug before your post, and it is a possible
expanation for several posts I've seen in the last few days.

I'm not sure about the best course of action, in terms of a message about
these bugs.

This is a public beta, open to the world. Users of all degrees of technical
ability are included, although those that accesss these groups tend to be
more technically adept--but this is changing, due to the HTML interface
access.

These bugs do not "target" Microsoft Antispyware, in the sense that having
Microsoft Antispyware installed does not make you more likely to acquire
either of these trojans--you must click and install the thing in some
fashion.

These bugs also do not "infect" Microsoft Antispyware. They may succeed in
disabling it, or turning it off, but they don't cause it to work in a way
contrary to its design.

So--I think a heads-up might be reasonable, but it needs to be pretty
carefully worded--there is no need for panic, any more than there is for
users of Norton products which have been targeted by viruses for years now
in similar function. However, if you find that both NAV and Microsoft
Antispyware are disabled, looking at viruses as a cause is certainly in
order.

I'd be glad to hear what others here think about this "notification" issue.
I don't think I'm ready to compose such a message myself--but I'd be
interested to hear what others reading this think is a reasonable and
responsible course of action for Microsoft.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

JOE said:
-----Original Message-----
NIS 2005 has some very unfriendly behavior toward this product as well as
other behavior problems - try uninstalling NIS 2005 completely and then try
your removal processes again. In fact, try reinstalling without NIS
interference and see what happens. You might be surprised. Then, only
reinstall NIS 2005 for anti-virus support.

Don't give up, it can be fixed.

*************************

Hi John,

After posting my response to you, I did a search on
the SYMANTEC website for "Microsoft AntiSpyware", and
strangely enough there are 2 Trojan Horses already that
can affect this product:

The second one steals banking passwords when you logon to
XP etc.

However, the first one, KillAV.E messes with Windows
Update. Both of these Trojan Horses
use "GCASINSTALLHELPER" which makes me wonder if
the "Internal ERRR # 2753", I keep getting when I try to
uninstall Microsoft AntiSpyware, may have something to do
with this problem of being unable to uninstall it
and "coincidentally", Norton Antivirus in the newly
installed Norton Internet Security.

Coincidentally, these TROJANS that target Microsoft
AntiSpyware, were just discovered Feb 10 and Feb 15,
2005 - which was between the dates the PC installed NIS
2005 & MSAS, and the date I started debugging. It would
have even nice if Microsoft had posted some kind of
warning themselves about this specific possible threat
to Beta Testers.

That may be my own "clutching at straws", but
perhaps not totally impossible, since nothing but these
two apps, and also Internet Explorer's access to Windows
Update - changed when this PC's NIS 2005 and MSAS were
installed the same day, in the exact timeframe.

Meanwhile, there is a huge multi-page set of
instructions on Symantec's website, on how to remove
a "stuck" NIS or other of their Norton products, that
can't be removed using regular ADD/REMOVE Programs method.

Just a head-up to others, about doing a virus scan,
possibly one like Symantec's on-line website version,
before perhaps installing MSAS, or Downloading and
Updating it.

Anyway , that is a lead I will pursue next week.

If anyone can think of a similar set of procedures to
remove MSAS without ADD/REMOVE programs I would be most
grateful.

Joe

**************************************

(a) Trojan KillAV.E

Trojan.KillAV.E is a Trojan horse that installs a Browser
Helper Object (BHO) and disables security software. The
installed BHO causes the browser to download pornographic
dialers. The Trojan may also attempt to download a
password stealer for financial Web sites.

Type: Trojan Horse
Infection Length: 14,848 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98,
Windows NT, Windows Server 2003, Windows XP


Terminates the following processes:

NMAIN.EXE
SYMLCSVC.EXE
NAVAPSVC.EXE
CCSETMGR.EXE
SAVSCAN.EXE
CCEVTMGR.EXE
CCAPP.EXE
MCSHIELD.EXE
GIANTANTISPYWAREUPDATER
AVCONSOL.EXE
GIANTANTISPYWAREMAIN
VSMAIN.EXE
GCIPTOHOSTQUEUE
VSHWIN32.EXE
GCASSWUPDATER
AVSYNMGR.EXE
GCASSERVALERT
QCLEAN.EXE
KAVSVC.EXE
KAVSEND.EXE
KAV.EXE
GCASSERV
GCASNOTICE
RULAUNCH.EXE
VSSTAT.EXE
GCASINSTALLHELPER
ALOGSERV.EXE
GCASDTSERV
GCASCLEANER



Searches the infected computer for the following files
and deletes any that it finds:

C:\Program Files\Norton Antivirus\*.*
C:\Program Files\Common Files\Network Associates\*.*
C:\Program Files\McAfee\*.*
C:\Program Files\Kaspersky Lab\*.*
C:\Program Files\Microsoft AntiSpyware\*.*

Deletes the startup registry entry for any antivirus
programs that are installed on the infected computer, so
the programs will no longer automatically run when
Windows starts.

Note: The startup entry is usually located in one of the
following registry subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi
on\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersio
n\Run

May download a file and save it as %System%
\wupdate\flagdata.txt.

*************************
(b) Trojan PWSteal.Bankash.A

PWSteal.Bankash.A
Discovered on: February 10, 2005
Last Updated on: February 10, 2005 12:59:00 PM

PWSteal.Bankash.A is a password-stealing Trojan horse
that attempts to log usernames and passwords from certain
financial Web sites. The Trojan will also attempt
to "disable Microsoft's AntiSpyware software".

Note: Virus definitions released prior to February 10,
2005 may detect this threat as PWSteal.Trojan.


Also Known As: Trojan-Downloader.Win32.Small.ain
[Kaspersky Lab], PWS-Banker.j [McAfee], Troj/BankAsh-A
[Sophos]

Type: Trojan Horse
Infection Length: 171,008 bytes



Systems Affected: Windows 2000, Windows 95, Windows 98,
Windows Me, Windows NT, Windows Server 2003, Windows XP





Ends the following processes, which are part of the
Microsoft AntiSpyware application:

GCASCLEANER
GCASDTSERV
GCASINSTALLHELPER
GCASNOTICE
GCASSERV
GCASSERVALERT
GCASSWUPDATER
GCIPTOHOSTQUEUE
GIANTANTISPYWAREMAIN
GIANTANTISPYWAREUPDATER

Deletes all the files in the C:\Program Files\Microsoft
AntiSpyware folder.

Prevents users from viewing warning messages from the
Microsoft AntiSpyware application.

Modifies the Hosts file to prevent access to several Web
sites.

**************** end ******
 
J

JOE

Thanks John,

I had already found the Norton article tou mention, to
remove NIS 2005. It's a very involved procedure, so I
was hoping there was an executable "script" for it. I
intend on trying it, the next time I am on site. It
definitely has to be expunged.

Wouldn't it be nice if companies like Norton would
allow a "network based copy" to run on an installation
system, if the install CD is present? That way, the
install PC could be remotely "cleaned", just prior to
actual hard drive install. In my case, even installing
NIS from it's CD, into a system, might have already
corrupted it. I think "initial installs" like that should
have the option of being done "on-line" at the
manufacturer site - as well as later, if the target PC
becomes hopelessly corrupted, as in this case.
Unfortunately, Norton, like others, offer only a
complementary scan of a prospect's PC, for the purpose of
advertising, whereas, the additional "fix and removal
of bugs (that extra step), would be nice for registered
users using a CD & activation code, as a key.

I am also hoping that Microsoft's Bill Sanderson can
publish a simmilar "removal tool for MSAS". That might be
the "first" thing to try, since if it works, it can do a
scan for ISTART spyware, which I do have on that system
as an infestation. Perhaps, if KILLAV is also present, it
may not mess up MSAS on a new install - I am suggesting
here, that the virus works ONLY on an "already installed"
MSAS, as opposed to new ones. That may be how it got BOTH
MSAS and NIS 2005, in the same shot, on it's inaugural
run, the day prior to Symantec learning about it - or
rather - confirming it as real, and reporting it on their
website.

Joe
 
S

Steve Wechsler [MVP]

I am also hoping that Microsoft's Bill Sanderson can
publish a simmilar "removal tool for MSAS".

Bill is an MVP, he doesn't work for Microsoft, Joe. Doubt he'll come up
with that tool ;)

Steve Wechsler (akaMowGreen)

MS-MVP 2004-2005
Windows Server
Windows - Security
 
J

JOE

Thanks to all - especially John and Steve,

I finally got my MSAS and Norton Internet Security
2005 "REMOVAL" problem solved - but only partially, since
in the end I was forced into reformatting and re-
installing WIN-XP from scratch.



Removing MSAS from the corrupted system was finally
achieved by running Microsoft's installer "uninstaller" -
see:

Description of the Windows Installer CleanUp Utility -
Article 290301

However, Microsoft's description is pretty bad. I
would very highly recommend downloading Symantec's
(Document ID:2003092915164136), Titled:


Error: "The MSI must be launched through setup" while
installing Norton Internet Security or Norton Personal
Firewall 2004 or earlier

Symantec's description of this process has great
pictures, and an example that clarifies how to use that
tool - Microsoft's doesn't. That was something that
stopped me from getting MSAS, at least, freed from the
clutches of NIS 2005.

*********

Once I ran the Windows Installer Clean Up Utility
(Msicuu.exe), I was ONLY then able to REMOVE Program
Microsoft AntiSpyware. Next, I downloaded the newer
version, installed it, and it ran perfectly, finding 3
attackers (Trojans, virus, and spyware). However, I was
still unable to REMOVE Norton Antivirus, resulting from a
bad Norton Internet Security 2005 installed at the same
time as MSAS. In fact, I went to the Symantec website,
and ran their remote offline, website version of the
Norton Antivirus scan, which reported that I had the 3
attackers on my system, but their website server is
somewhat messed up - only one removal script ran - but
the links to others failed miserably

So I had no choice but to save MY DOCUMENTS folder as
well as my OUTLOOK EXPRESS mail system (see: How to back
up and recover Outlook Express data - Microsoft Article
ID: 270670), to CD's, and to reformat the drive.

The new system is now running fine and the fresh
install of NIS 2005 is working. However, even though I
have confidently reinstalled MSAS on my own PC (I had
uninstalled it because of this bad MSAS experience on
that other system), - even so, I have purposely NOT
reinstalled MSAS on the problem system, since BETA
software should NOT be installed on PC's of people
unfamiliar even with WINDOWS. No matter how well
intentioned that would be, Beta software can be a bear.

Final advice for really sticky MSAS de-installation
problems: Have a look at the SYMANTEC document describing
the use of Microsoft's MSI Uninstaller (above), then use
it.

Once again, thanks to all MVP's.

Joe
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top