Issue uninstalling Sophos standalone client on Windows 7 64-bit

Hello,

I'm having a strange problem when uninstalling Sophos Anti-Virus version 10.0 standalone on Windows 7 x64. I've followed the knowledgebase article, stopping the Auto Update service then uninstalling Sophos Anti-Virus first and Sophos Auto Update second. (Those are the only two components installed as I've been updating remotely to my University's server.)

The uninstall appears to proceed as expected, so I then reboot. However, I then find that some other completely unrelated services either fail to start (e.g. Cloudberry Online Backup) or stop unexpectedly according to Event Viewer (e.g. LogMeIn and Perfect Disk's PDEngine service). If I run Sysinternals Process Monitor it shows svchost trying to access and/or create various files in C:\ProgramData\Sophos. Looking in Services it appears that all Sophos Services have been correctly uninstalled and removed.

If I re-install Sophos and bring it up to date then everything is OK again - no other services fail to start or stop unexpectedly.

Does this sound familiar to anybody? Although Sophos appears to uninstall correctly it is clearly leaving something behind but I've no idea what.

Incidentally, I've uninstalled Sophos on a couple of 32-bit Windows machines and have not had this problem, so I'm wondering if it's something to do with it being 64-bit Windows.

I'd be grateful for any help anybody can offer.

:35589


  • Hi,

    It does sound like the uninstall is leaving some hook behind.

    The two obvious things I can think of that could potentially cause other process problems would be Detoured or the LSP.

    When you uninstall and reboot, do the following 2 components get removed:

    Removal of Detoured reference:

    Under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    and

    HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows NT\CurrentVersion\Windows

    does the reference to the Sophos file get removed from the string "AppInit_DLLs" in these locations?

    Removal of the LSP registration:
    If you run:

    netsh winsock show catalog > ws.txt

    Does that output in "ws.txt" still reference Sophos files, e.g.

    C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll

    C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll

    Regards,

    Jak

    :35591
  • Hi jak,

    I've attempted another uninstall and I'm seeing the same symptoms. I've checked both the things you mentioned:

    there is nothing in either of the registry keys you specified

    there is nothing Sophos-related in the output of the netsh command

    What I have found is that I can't delete the Sophos directory from C:\ProgramData because files are in use. Running Process Explorer I see that svchost has a temporary file open:

    C:\ProgramData\Sophos\Web Intelligence\del41DF.tmp

    There is also another .tmp file in that directory which can't be deleted.

    Searching for "sophos" in the registry I see this:

    HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

    with the value:

    \??\C:\ProgramData\Sophos\Web Intelligence\del41DF.tmp

    \??\C:\ProgramData\Sophos\Web Intelligence\del41E0.tmp

    \??\C:\ProgramData\Sophos\Web Intelligence

    Any ideas where to look next?

    Thanks,

    Mike

    :35597
  • Hi,

    The next reboot should remove them.

    Regards,

    Jak

    :35601
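
The three checks walked through in this thread (AppInit_DLLs in both registry views, the Winsock LSP catalog, and PendingFileRenameOperations) can be run in one pass after an uninstall and reboot. This is an added example, not part of the original posts or Sophos's own tooling; the match string `Sophos` is an assumption, and everything else uses the keys and command quoted above.

```powershell
# Added example: look for leftover hooks in the places discussed in the thread.
$pattern = 'Sophos'   # assumption: vendor string to search for

# 1. AppInit_DLLs in the native and the 32-bit (Wow6432Node) registry views.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    $value = (Get-ItemProperty -Path $key -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($value -match $pattern) {
        Write-Output "AppInit_DLLs still references ${pattern}: $key -> $value"
    } else {
        Write-Output "AppInit_DLLs clean: $key"
    }
}

# 2. Winsock catalog (LSP registrations), same command as in the thread.
$lspHits = netsh winsock show catalog | Select-String -Pattern $pattern -SimpleMatch
if ($lspHits) {
    Write-Output 'Winsock catalog still references:'
    $lspHits | ForEach-Object { $_.Line.Trim() }
} else {
    Write-Output 'Winsock catalog clean.'
}

# 3. PendingFileRenameOperations is a REG_MULTI_SZ of source/destination pairs.
#    An empty destination means the source is deleted at the next boot.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) {
    $pending = @($pending)
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        $src = $pending[$i]
        $dst = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] } else { '' }
        if ($src -match $pattern) {
            $action = if ($dst) { "rename to $dst" } else { 'delete' }
            Write-Output "Queued for next boot ($action): $src"
        }
    }
} else {
    Write-Output 'No pending file rename operations.'
}
```

Entries reported by the third check are not leftover hooks: they are deletions the uninstaller has already scheduled, which matches the final reply that the next reboot should remove them.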