Category: Antivirus/Antimalware Tools and Issues

Antimalware for Remote
article #168, updated 14 days ago

One good standby lately is the Microsoft Malicious Software Remover:

https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx

For major infections, another is Comodo Cleaning Essentials, courtesy of the amazing Jared Dexter:

https://www.comodo.com/business-security/network-protection/cleaning_essentials.php

After that, Malwarebytes:

http://malwarebytes.org

For garbageware, irritationware, and similar things, I like the following, only rarely needing the whole series:

  1. JRT

http://thisisudax.org/?p=1

  2. RogueKiller

http://tigzy.geekstogo.com/roguekiller.php

  3. AdwCleaner

http://www.bleepingcomputer.com/download/adwcleaner/

Categories:   Antivirus/Antimalware Tools and Issues   Cleanup

==============

Interesting secondary antivirus
article #880, updated 470 days ago

This one appears to work rather well:

http://smadav.en.lo4d.com/

Categories:   Antivirus/Antimalware Tools and Issues   

==============

New malware remover
article #849, updated 550 days ago

Here’s a new one, recommended by shouldiremoveit.com; it appears to work well:

https://www.reasoncoresecurity.com/product.aspx

Categories:   Antivirus/Antimalware Tools and Issues   

==============

Ports used by ESET
article #803, updated 674 days ago

Here is a list:

http://kb.eset.com/esetkb/index?page=content&id=SOLN2221&locale=en_US

Categories:   Antivirus/Antimalware Tools and Issues   

==============

New Antivirus Live CD
article #798, updated 688 days ago

Works well:

http://sourceforge.net/projects/antiviruslivecd/

Categories:   Antivirus/Antimalware Tools and Issues   

==============

Removing Trend Micro Antivirus
article #509, updated 765 days ago

If the Windows uninstaller does not work or fails, things can get difficult. The Trend Micro Diagnostic Toolkit for the product at hand may be necessary. For the Titanium product, it is available here for 32-bit and 64-bit:

http://esupport.trendmicro.com/solution/en-us/1059841.aspx

And a general 32-bit download, at least for some versions, appears here:

http://solutionfile.trendmicro.com/solutionfile/EN-1037161/32bit.exe

And another, a very general agent remover:

http://esupport.trendmicro.com/solution/en-US/1057237.aspx

Categories:   Antivirus/Antimalware Tools and Issues   

==============

List of Antivirus Removal Tools
article #721, updated 926 days ago

Here is a great list of links:

http://kb.eset.com/esetkb/index?page=content&id=SOLN146&product=0&vendor=0

Discovered by the amazing Mike Hunsinger.

Categories:   Antivirus/Antimalware Tools and Issues   Cleanup

==============

Base Filtering Engine missing, in Vista and Windows 7
article #719, updated 926 days ago

This service is essential for lots of things, including security in general and antivirus. If it’s missing on Vista or Windows 7, it was probably removed by an infection. A good first step is probably here:

http://kb.eset-la.com/esetkb/index?page=content&id=SOLN2861

Look for the “ESETSirefefCleaner tool”. If that doesn’t do it, try the steps here:

http://www.hageltech.com/blog/2012/02/07/base-filtering-engine-problems.html

Categories:   Cleanup   Antivirus/Antimalware Tools and Issues

==============

VIPRE Agent Removal Script, also helpful for failed agent installs
article #448, updated 942 days ago

The script below was written following what the VIPRE manual recommends. It can be downloaded here as RemoveVIPRE.cmd. It leaves a problematic remnant for which you will need msicuu2. Very corrupt agents may need further intervention, e.g., manual removal of files and folders, clearing of system and profile temp files, and possibly registry deletions as well.

@echo off
REM Run from an elevated (Administrator) command prompt. Each registry section
REM writes a REGINI script (RemoveVIPRE.regfix) that opens up the ACL on the keys
REM to be removed, runs REGINI, and then deletes the keys with REG DELETE.

echo --------------------------------------------
echo ------- VIPRE Removal Script by J.E.B. -----
echo --------------- version 3.1 ----------------
echo --------------------------------------------
echo ---------------- 2013-08-09 ----------------
echo --------------------------------------------

REM *** Stop the VIPRE / GFI agent services ***

net stop sbamsvc
net stop sbapifs
net stop sbemi
net stop sbhips
net stop SBPIMSvc
net stop sbre
net stop sbtis
net stop sbfwimcl
net stop sbfwimclmp
net stop gfi_lanss10_attservice

REM *** Kill any agent processes still running ***

taskkill /F /IM SBPIMSvc.exe
taskkill /F /IM SBAMSvc.exe
taskkill /F /IM SBAMTray.exe
taskkill /F /IM SBRC.EXE

REM *** Remove the service definitions ***

sc delete sbamsvc
sc delete sbapifs
sc delete sbemi
sc delete sbhips
sc delete SBPIMSvc
sc delete sbre
sc delete sbtis
sc delete sbfwimcl
sc delete sbfwimclmp
sc delete gfi_lanss10_attservice

REM *** First change permissions on general registry keys ***
REM Each "key [10]" line is a REGINI entry that loosens the key's ACL so the
REM REG DELETE further down can remove it. The first line uses > to start a
REM fresh RemoveVIPRE.regfix; the rest append with >>.

echo \registry\machine\SYSTEM\CurrentControlSet\Services\SBAMSvc [10] > RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\Services\SBAPIFS [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\Services\SBEMI [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\Services\SBHIPS [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\Services\SBPIMSVC [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\Services\SBRE [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\Services\Sbtis [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\services\SBFWIMCL [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\services\SBFWIMCLMP [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\services\gfi_lanss10_attservice [10] >> RemoveVIPRE.regfix

echo \registry\machine\software\classes\Installer\Products\2B680A936D70B034EAE58BCAC18C347A [10] >> RemoveVIPRE.regfix
echo \registry\machine\software\classes\Installer\Products\116445D9734F351419E319EC305638CC [10] >> RemoveVIPRE.regfix
echo \registry\machine\software\classes\Installer\Products\1363B974717ACE24EB715AECFB5698B1 [10] >> RemoveVIPRE.regfix
echo \registry\machine\software\classes\Installer\Products\BF8FC7BD8368E4846A1C735FCA12CD2B [10] >> RemoveVIPRE.regfix

echo \registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\03BCC3AEA8C639B48B86726A768A9284 [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\083B3A6D7B7F6FB4DB9A45972E2DF34D [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0A760992A13C24C448E6C6B4627DA5B0 [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0B2AF55E92E0E81478FE9C1B31E21805 [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0D148412C177E7C4598C46875973B574 [10] >> RemoveVIPRE.regfix

REGINI -b RemoveVIPRE.regfix

REM *** Then remove general registry keys ***

REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBAMSvc /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBAPIFS /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBEMI /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBHIPS /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBPIMSVC /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBRE /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sbtis /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBFWIMCL /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBFWIMCLMP /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\gfi_lanss10_attservice /f

REG DELETE HKEY_CLASSES_ROOT\Installer\Products\2B680A936D70B034EAE58BCAC18C347A /f
REG DELETE HKEY_CLASSES_ROOT\Installer\Products\116445D9734F351419E319EC305638CC /f
REG DELETE HKEY_CLASSES_ROOT\Installer\Products\1363B974717ACE24EB715AECFB5698B1 /f
REG DELETE HKEY_CLASSES_ROOT\Installer\Products\BF8FC7BD8368E4846A1C735FCA12CD2B /f

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\03BCC3AEA8C639B48B86726A768A9284" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\083B3A6D7B7F6FB4DB9A45972E2DF34D" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0A760992A13C24C448E6C6B4627DA5B0" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0B2AF55E92E0E81478FE9C1B31E21805" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0D148412C177E7C4598C46875973B574" /f

REM *** Change permissions on x86-specific registry keys ***

REM Start a fresh RemoveVIPRE.regfix for this batch (> on the first line, >> after).
REM REGINI creates any listed key that does not exist, so carrying the entries
REM already deleted above into this file would silently recreate them.
echo \registry\machine\software\classes\Installer\Products\116445D9734F351419E319EC305638CC [10] > RemoveVIPRE.regfix

echo \registry\machine\SOFTWARE\SBAMSvc [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\GFI Software\GFI Business Agent [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\Sunbelt Software\Sunbelt Enterprise Agent - 4.0 Agent [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\GFI Software\GFI Business Agent - 5.0 Agent [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\Sunbelt Software\Sunbelt Enterprise Agent [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\GFI\LNSS10 [10] >> RemoveVIPRE.regfix

echo "\registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9D544611-F437-4153-913E-91CE036583CC}" [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}" [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\116445D9734F35141" [10] >> RemoveVIPRE.regfix

REGINI -b RemoveVIPRE.regfix

REM *** Remove x86-specific registry keys ***

REG DELETE "HKEY_CLASSES_ROOT\Installer\Products\116445D9734F351419E319EC305638CC" /f

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\SBAMSvc" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Sunbelt Software\Sunbelt Enterprise Agent" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\GFI Software\GFI Business Agent" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Sunbelt Software\Sunbelt Enterprise Agent - 4.0 Agent" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\GFI Software\GFI Business Agent - 5.0 Agent" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\GFI\LNSS10" /f

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9D544611-F437-4153-913E-91CE036583CC}" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\116445D9734F35141" /f

REM *** Change permissions on x64-specific registry keys ***

REM Fresh file again, so the x86 keys just deleted are not recreated by REGINI.
echo \registry\machine\SOFTWARE\Wow6432Node\SBAMSvc [10] > RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\Wow6432Node\Sunbelt Software\Sunbelt Enterprise Agent" [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\Wow6432Node\GFI Software\GFI Business Agent" [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\Wow6432Node\GFI\LNSS10 [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\Wow6432Node\Sunbelt Software\Sunbelt Enterprise Agent - 4.0 Agent" [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\Wow6432Node\GFI Software\GFI Business Agent - 5.0 Agent" [10] >> RemoveVIPRE.regfix

echo "\registry\machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9D544611-F437-4153-913E-91CE036583CC}" [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}" [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\116445D9734F35141" [10] >> RemoveVIPRE.regfix

echo \registry\machine\software\classes\Installer\Products\116445D9734F351419E319EC305638CC [10] >> RemoveVIPRE.regfix

REGINI -b RemoveVIPRE.regfix

REM *** Remove x64-specific registry keys ***

REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SBAMSvc /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sunbelt Software\Sunbelt Enterprise Agent" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GFI Software\GFI Business Agent" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GFI\LNSS10" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sunbelt Software\Sunbelt Enterprise Agent - 4.0 Agent" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GFI Software\GFI Business Agent - 5.0 Agent" /f

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9D544611-F437-4153-913E-91CE036583CC}" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\116445D9734F35141" /f

REG DELETE "HKEY_CLASSES_ROOT\Installer\Products\116445D9734F351419E319EC305638CC" /f

REM *** Clean up misc items from VIPRE support sessions etc. ***

DEL "%USERPROFILE%\appdata\local\temp\removevipre\sbrc.exe"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SBRegRebootCleaner" /f

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SBAMTray" /f

REM *** Finish up. ***

del RemoveVIPRE.regfix

REM Unregister the scan shell extension. regsvr32 finds the DLL via the PATH,
REM so give its full path if the file is still present in the agent folder.
RegSvr32 /u /s SBAMScanShellExt.DLL

REM *** Remove leftover program and profile folders ***

RMDIR /S /Q "%SYSTEMDRIVE%\Program Files\GFI Software\GFIAgent"
RMDIR /S /Q "%SYSTEMDRIVE%\Program Files\GFI Software\LanGuard 10 Agent"
RMDIR /S /Q "%SYSTEMDRIVE%\Program Files\Sunbelt Software\SBEAgent"

RMDIR /S /Q "%SYSTEMDRIVE%\Program Files (x86)\Sunbelt Software\SBEAgent"
RMDIR /S /Q "%SYSTEMDRIVE%\Program Files (x86)\GFI Software\GFIAgent"
RMDIR /S /Q "%SYSTEMDRIVE%\Program Files (x86)\GFI Software\LanGuard 10 Agent"

RMDIR /S /Q "%AppData%\Sunbelt\Antimalware"
RMDIR /S /Q "%AppData%\Sunbelt Software\Antimalware"
RMDIR /S /Q "%AppData%\GFI Software\Antimalware"
RMDIR /S /Q "%AppData%\GFI Software\LanGuard 10"

echo ---------------------------
echo ---------------------------
echo RemoveVIPRE completed.
echo ---------------------------
echo ---------------------------
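After the script has run, it helps to know exactly what survived before reaching for msicuu2 or manual deletion. The PowerShell script below is an added example, not part of the original article and not VIPRE or GFI code: it reads back every service, process, registry key, Run value and folder that RemoveVIPRE.cmd targets and reports whatever is still there, changing nothing. All names are taken from the script above; the folder paths assume default installation locations, and the HKEY_CLASSES_ROOT keys are reached through PowerShell's Registry:: provider because there is no HKCR: drive by default.

```powershell
# Added example: post-run audit for RemoveVIPRE.cmd (not part of the original
# article or of the VIPRE product). Read-only: reports remnants, deletes nothing.
# Every name below is taken from the script; install folders assume default paths.

$services  = 'sbamsvc','sbapifs','sbemi','sbhips','SBPIMSvc','sbre','sbtis',
             'sbfwimcl','sbfwimclmp','gfi_lanss10_attservice'
$processes = 'SBPIMSvc','SBAMSvc','SBAMTray','SBRC'

$productGuids   = '2B680A936D70B034EAE58BCAC18C347A','116445D9734F351419E319EC305638CC',
                  '1363B974717ACE24EB715AECFB5698B1','BF8FC7BD8368E4846A1C735FCA12CD2B'
$uninstallGuids = '{9D544611-F437-4153-913E-91CE036583CC}','{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}'
$vendorKeys     = 'SBAMSvc','Sunbelt Software\Sunbelt Enterprise Agent','GFI Software\GFI Business Agent',
                  'Sunbelt Software\Sunbelt Enterprise Agent - 4.0 Agent',
                  'GFI Software\GFI Business Agent - 5.0 Agent','GFI\LNSS10'

# Build the full list of registry keys the script deletes (x86 and x64 views).
$regKeys  = @()
$regKeys += $services     | ForEach-Object { "HKLM:\SYSTEM\CurrentControlSet\Services\$_" }
$regKeys += $productGuids | ForEach-Object { "Registry::HKEY_CLASSES_ROOT\Installer\Products\$_" }
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $regKeys += $vendorKeys     | ForEach-Object { "$root\$_" }
    $regKeys += $uninstallGuids | ForEach-Object { "$root\Microsoft\Windows\CurrentVersion\Uninstall\$_" }
    $regKeys += "$root\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\116445D9734F35141"
}
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = 'SBAMTray','SBRegRebootCleaner'

$folders = @(
    "$env:ProgramFiles\GFI Software\GFIAgent"
    "$env:ProgramFiles\GFI Software\LanGuard 10 Agent"
    "$env:ProgramFiles\Sunbelt Software\SBEAgent"
    "${env:ProgramFiles(x86)}\Sunbelt Software\SBEAgent"
    "${env:ProgramFiles(x86)}\GFI Software\GFIAgent"
    "${env:ProgramFiles(x86)}\GFI Software\LanGuard 10 Agent"
    "$env:APPDATA\Sunbelt\Antimalware"
    "$env:APPDATA\Sunbelt Software\Antimalware"
    "$env:APPDATA\GFI Software\Antimalware"
    "$env:APPDATA\GFI Software\LanGuard 10"
)

$findings = New-Object System.Collections.Generic.List[string]
foreach ($s in $services)  { if (Get-Service -Name $s -ErrorAction SilentlyContinue) { $findings.Add("service still registered: $s") } }
foreach ($p in $processes) { if (Get-Process -Name $p -ErrorAction SilentlyContinue) { $findings.Add("process still running: $p") } }
foreach ($k in $regKeys)   { if (Test-Path -LiteralPath $k) { $findings.Add("registry key remains: $k") } }
foreach ($v in $runValues) {
    # Get-ItemProperty returns $null if the Run key itself is gone; the null is tolerated.
    if ((Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue).PSObject.Properties[$v]) {
        $findings.Add("Run value remains: $runKey\$v")
    }
}
foreach ($f in $folders)   { if (Test-Path -LiteralPath $f) { $findings.Add("folder remains: $f") } }

if ($findings.Count -eq 0) {
    Write-Output 'No VIPRE/GFI agent remnants found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Output "$($findings.Count) remnant(s); these need the manual clean-up the article mentions."
}
```

Run it in the same elevated session after RemoveVIPRE.cmd and a reboot; a service that is still registered after the reboot usually means the `sc delete` was blocked by a running process, which the process check will show.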

Categories:   VIPRE Antivirus   Antivirus/Antimalware Tools and Issues

==============

ESET Antivirus Deployment Issues
article #697, updated 980 days ago

If the installer does not complete, but rolls back:

  1. Check Windows services to see whether the Base Filtering Engine is present. If it is not, run the ESETSirefefCleaner tool to restore it; see this KB article for the steps and download.
  2. Open RegEdit, backup the registry.
  3. Search for: 6BDD1FC6-810F-11D0-BEC7-08002BE2092F
  4. If there is a value named “UpperFilters”, delete it.
  5. If there is a value named “LowerFilters”, delete it.
  6. Shut down and restart.

The above provided by the excellent Jared Dexter.
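The following PowerShell script is an added example, not part of this article and not from ESET; it turns the checklist above (and the missing Base Filtering Engine note in the article on that subject) into a repeatable diagnostic. By default it only reports: whether the BFE service exists and is running, and whether the class key for the GUID in step 3 carries UpperFilters or LowerFilters values. With -RemoveFilters it exports the key to a .reg file first (step 2) and then deletes the values (steps 4 and 5). It assumes that the GUID from step 3 is a device-class key under HKLM\SYSTEM\CurrentControlSet\Control\Class, which is where Windows keeps per-class UpperFilters/LowerFilters values; the article itself only says to search for the GUID.

```powershell
# Added example, not from the article or from ESET: a diagnostic for the ESET
# rollback checklist. Read-only unless -RemoveFilters is given, in which case it
# backs up the key (step 2) before deleting the values (steps 4-5).
# Assumption: the GUID from step 3 is a device-class key under
# HKLM\SYSTEM\CurrentControlSet\Control\Class, where UpperFilters/LowerFilters live.
param([switch]$RemoveFilters)

$classGuid = '{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}'
$classPath = "SYSTEM\CurrentControlSet\Control\Class\$classGuid"
$classKey  = "HKLM:\$classPath"

# Step 1: is the Base Filtering Engine service present?
$bfe = Get-Service -Name BFE -ErrorAction SilentlyContinue
if (-not $bfe) {
    Write-Warning 'Base Filtering Engine (BFE) service is missing. Restore it first (the article points to the ESETSirefefCleaner tool); the ESET installer will not complete without it.'
} elseif ($bfe.Status -ne 'Running') {
    Write-Warning "BFE is present but in state '$($bfe.Status)'."
} else {
    Write-Output 'BFE service present and running.'
}

# Step 3: locate the class key and any filter-driver values on it.
if (-not (Test-Path -LiteralPath $classKey)) {
    Write-Output "Class key $classGuid not found; nothing to clean."
    return
}
$props   = Get-ItemProperty -LiteralPath $classKey
$filters = @('UpperFilters','LowerFilters' | Where-Object { $null -ne $props.$_ })
if ($filters.Count -eq 0) {
    Write-Output "No UpperFilters/LowerFilters values under $classGuid; steps 4-5 do not apply."
    return
}
foreach ($f in $filters) { Write-Output "$f = $($props.$f -join ', ')" }

if (-not $RemoveFilters) {
    Write-Output 'Re-run with -RemoveFilters to back up the key and delete these values.'
    return
}

# Step 2: export the key before changing it (needs an elevated session).
$backup = Join-Path $env:TEMP ('eset-class-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export "HKLM\$classPath" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed (reg.exe exit code $LASTEXITCODE); aborting." }
Write-Output "Backup written to $backup"

# Steps 4-5: delete the filter values. Step 6 (restart) is left to the operator.
foreach ($f in $filters) {
    Remove-ItemProperty -LiteralPath $classKey -Name $f
    Write-Output "Removed $f"
}
Write-Output 'Restart Windows, then retry the ESET installer.'
```

Keeping the destructive path behind a switch and behind a successful `reg.exe export` means the values can be restored by double-clicking the .reg file if removing them turns out not to be the cause of the rollback.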

Categories:   ESET Endpoint Antivirus   Antivirus/Antimalware Tools and Issues