How to uninstall CA Internet Security Suite?

[rll]

Hello-

My laptop recently got hit twice with trojan/malware (first VirusHeat then the XP 2008 or what ever it was called) thanks to my daughter.  It thought I had manually gotten rid of them, but apparently I hadn't.  First the computer got slower.  Then I got a notification from TimeWarner Cable that apparently "emails with the characteristics of spam" were being sent from my cable address.  Yesterday I started getting BSOD's indicating SESSION5_INITIALIZATION_FAILED blah blah.  This was on startup.  The only way I could get the computer started was either in safe mode or by selecting "start in the most recent configuration that worked."  Google searches seemed to indicate that this SESSION5_... issue was one of the things fixed with XP Sp3 (the lap top is currently Sp2).  But something was preventing me from getting the Windows Update for XP3.

All during this time, I noticed that the LED on the router corresponding to the port it was plugged into was always constantly blinking at a regular about 1X second rate.  The LEDs for the other 2 computers and the printer do not blink regularly like this.  This probably was an indication that the lap top was constantly pumping something out when it was on.

In the information from TimeWarner regarding their warning, it gave a bunch of things to try.  The first thing I tried was McAfee Stinger.  The malware was preventing me from downloading it so I downloaded it to another computer, copied it to a thumb drive, and copied it to the lap top that way.  I ran it.  It indicated that the "dropper" programs where in phony MP3 files that my daughter said she had gotten from Limewire.  It deleted them.  After running about 10 minutes, Stinger bombed out and just disappeared with no trace.  I tried to run it several times, always after about 10 minutes, it bombed out and disappeared.  The first time I ran it in normal mode.  The subsequent runs were in safe mode, same deal.

Then I tried Trend Micro Housecall.  This didn't find anything and also quit back to the desktop after about 5 minutes.

Then I tried the Microsoft Malicious Software Removal Tool  The latest version of this also could not be downloaded by the lap top so I again downloaded it elsewhere and copied it over with a thumb drive.  I ran this and after about 15 minutes, it too bombed.  This time it gave the "Microsoft Windows Malicious Software Removal Tool has encounterd a problem and needs to close Version 2.1.2407.0 etc... etc...  send error report to Microsoft?..." pop up.  I tried several times and always the same thing.  It never found anything during the time it was running either.

Then I got Malwarebytes Anti-Malware, for some reason I could get this one to download directly with the lap top.  I got the latest updates, and ran the quick scan.  It found 30 infected files and folders.  It could delete all but two of them which it said would be deleted on restart.  I did that and these last two were in fact deleted.  I ran it several more times and it reported all clean each time.  It said that the malware I had was a keylogger and something that messes with the internet connection.  This was probably why I couldn't download the programs.

After running these quick scans, TimeWarner suggested installing an anti-virus program.  CA Internet Security Suite is free for TW customers so I downloaded it and installed it.  It indicated that it needed to run a scan so I let it.  It found 9 more infected files and deleted them.  Then after about an hour of running, I got a BSOD with the computer locked up.  This time the screen indicated STOP: 0x000008E and a problem with KmxFile.sys. and an address.  I restarted the computer and now after logging in, it goes straight to the BSOD.  It will start in safe mode.  Running the earlier configuration that worked does now not work.  In normal mode it always goes to the blue screen error after booting up.  A Google search of kmxfile.sys indicates that it is a CA component.  So now the computer is unusable thanks to this CA program.

Does anyone know how to uninstall CA Internet Security Suite?  I see no uninstall options anywhere.

Thanks!

[evilfantasy]

KmxFile.sys is part of the CA firewall I'm pretty sure. Firewalls can be heavy on resources and the STOP error is memory related I think. Did you uninstall your other antivirus and or firewall before installing CA?

Have you tried in Add or Remove Programs to uninstall it?

Go to Removal Tools and Methods for Uninstalling Major Antivirus Products and scroll to CA Internet Security for instructions.

See if you can get a HijackThis log posted.

Download TrendMicro HijackThis.exe (HJT)

• Double-click on HJTInstall.
• Click on the Install button.
  
• It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  
• Upon install, HijackThis should open for you.
• Click on the Do a system scan and save a log file button
  
• HijackThis will scan and then a log will open in notepad.
• Copy and then paste the entire contents of the log in your post.
  
• Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

[rll]

Yes kmxfile.sys is definitely part of CA ISS.

1) From safe mode, I tried to Add/Remove CA ISS.  The screens look like what is shown in the link you provided.  It said it couldn't remove the anti-virus part or the firewall part but it did remove the anti-spamware part.  Still got BSOD after logging in in normal mode.  I'm wondering if it couldn't uninstall those components because it was in safe mode.

2) Looking at the Add/Remove list, I saw that Malwarebytes Anti-Malware installed itself.  I had thought that it was a standalone run once sort of program that didn't install itself.  So I uninstalled that.  Still got BSOD after logging in in normal mode.

3) What about Windows Firewall?  It is there but not enabled (and hasn't been for a while).  Does that have to be actually uninstalled?

4) I can't download HiJack This because the computer will only run in safe mode.  The BSOD happens as all the drivers and little icons in the lower right are filling in before I can get a chance to do anything.

The most recent time I tried to boot it to normal mode, instead of logging in, I clicked turn computer off.  Somehow Windows snuck in and said there were a bunch of updates that it said it was going to do before turning off.  So those ran their course.  Then I tried going back to normal mode again, still the same BSOD.

So essentially the computer is currently unusable.

Thanks.

[evilfantasy]

Can you do a System Restore?

[rll]

If you mean the selection "Last Known Good Configuration (your most recent settings that worked)" from the F8 boot up screen, no.  That doesn't fix it.

[evilfantasy]

Try going in and deleting the CA folder in Program Files. Honestly I'm sort of baffled at the moment on what's going on.

[rll]

Well very strange.  This lap top has 3 accounts on it.  One has administrator privileges, and the other 2 have the lowest level of privileges.  I had always been using the administrator because that's were you can control everything from.  But I figured what the hey, and tried to log into one of the other accounts to see what would happen.  Lo and behold it booted up fine.   Applications ran fine and I could go to websites with Firefox.  No BSOD.   And the parts of CA ISS that remained (anti-spyware and firewall) after I tried to uninstall it in safe mode were still there and actually running.  The firewall was blocking all sorts of things and giving notifications. 

So, from the CA ISS main screen I selected help and there was a CA support web address given (I didn't write it down).  I went there and one of the choices is uninstall.  I clicked it and it downloaded something to the desk top and ran.  Judging by the things that flashed by, it modified stuff in the registry.  Then it said to shut down and restart for the uninstall changes to take effect.  I did this and logged into the administrator account instead.  The CA firewall logo was still up and it now popped up the firewall notifications.  And it didn't crash to the BSOD here either.  Again I could go to the Internet, and applications worked.  But it appeared that ISS had not been fully removed.  So I went to Control Panel add/remove programs and it showed as still being there so I selected to uninstall and it cleanly uninstalled all of it.  So now it is gone and the computer seems to be working.

Next I'm going to get XP Sp3 loaded.  Windows Update is now causing problems, not finishing and giving "error code: 0xD0000005"  Google for this doesn't turn up much useful.  So I am going to try the Microsoft Support for that.  They say live help is free for Update issues. 

Then I will clean up the hard drive, get rid of all the temp stuff, and maybe re-run Malwarebytes again just to be sure.  It seemed to have been the most effective at getting rid of the the associated junk that VirusHeat and XP Antivirus 2008 dumped on the system.   The Malwarebytes log included the following classifications of nastiness that it found and deleted:

rogue.virusheat
rogue.multiple
rogue.antivirus2008
rogue.link
trojan.fakealert
trojan.zlob
hijack.wallpaper
hijack.displayproperties
spyware.passwords
rootkit.dnschanger.h

The last two are obviously the most troubling.  Luckily I never use this computer for accessing bank information and the like.  And the filename that was the rogue.link was called "online security test.url".  Hah.

It must have been all the different things that I did while trying to remove this stuff that broke CA ISS and also the Windows Update.  The saga is not done yet.  After I can get XP Sp3 installed, I may give the CA another try.  Or maybe AVG.

It's amazing to me that the most popular operating system in the world is the one that is the most vulnerable to exploits like this.  I also have a W98 SE machine that I've used for over 8 years and it has never gotten anything like this.

I hope all this detail that I have written might help someone else in this situation.

Thanks for the suggestions.

[evilfantasy]

There have been some different variations of virus lately that are completely crippling systems laving reinstalling the only option. Hopefully MS will help you get the updates fixed.

Be sure you are 100% free of malware before installing SP3. If not it will cause big problems.

MalwareBytes is a very good application. That along with your antivirus is all most will ever need.