Category: Antivirus/Antimalware Tools and Issues

List of Antivirus Removal Tools
article #721, updated 2063 days ago

Here is a great list of links:

http://kb.eset.com/esetkb/index?page=content&id=SOLN146&product=0&vendor=0

Discovered by the amazing Mike Hunsinger.

==============

Base Filtering Engine missing, in Vista and Windows 7
article #719, updated 2063 days ago

This service is essential for lots of things, including security in general and antivirus. If it’s missing on Vista or Windows 7, it was probably removed by an infection. A good first step is probably here:

http://kb.eset-la.com/esetkb/index?page=content&id=SOLN2861

Look for the “ESETSirefefCleaner tool”. If that doesn’t do it, try the steps here:

http://www.hageltech.com/blog/2012/02/07/base-filtering-engine-problems.html

==============

VIPRE Agent Removal Script, also helpful for failed agent installs
article #448, updated 2079 days ago

The script below was written following what the VIPRE manual recommends. It can be downloaded here as RemoveVIPRE.cmd. It leaves a problematic remnant for which you will need msicuu2 (the Windows Installer CleanUp utility). Very corrupt agents may need further intervention, e.g., manual removal of files and folders, clearing of system and profile temp files, and possibly registry deletions as well.

@echo off

echo --------------------------------------------
echo ------- VIPRE Removal Script by J.E.B. -----
echo --------------- version 3.1 ----------------
echo --------------------------------------------
echo ---------------- 2013-08-09 ----------------
echo --------------------------------------------

net stop sbamsvc
net stop sbapifs
net stop sbemi
net stop sbhips
net stop SBPIMSvc
net stop sbre
net stop sbtis
net stop sbfwimcl
net stop sbfwimclmp
net stop gfi_lanss10_attservice

taskkill /F /IM SBPIMSvc.exe
taskkill /F /IM SBAMSvc.exe
taskkill /F /IM SBAMTray.exe
taskkill /f /im SBRC.EXE

sc delete sbamsvc
sc delete sbapifs
sc delete sbemi
sc delete sbhips
sc delete SBPIMSvc
sc delete sbre
sc delete sbtis
sc delete sbfwimcl
sc delete sbfwimclmp
sc delete gfi_lanss10_attservice

REM *** First change permissions on general registry keys ***
REM REGINI rewrites the ACL on each listed key (the bracketed number is a REGINI permission code)
REM so that the REG DELETE commands below can remove keys the agent locked down.

echo \registry\machine\SYSTEM\CurrentControlSet\Services\SBAMSvc [10] > RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\Services\SBAPIFS [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\Services\SBEMI [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\Services\SBHIPS [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\Services\SBPIMSVC [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\Services\SBRE [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\Services\Sbtis [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\services\SBFWIMCL [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\services\SBFWIMCLMP [10] >> RemoveVIPRE.regfix
echo \registry\machine\SYSTEM\CurrentControlSet\services\gfi_lanss10_attservice [10] >> RemoveVIPRE.regfix

echo \registry\machine\software\classes\Installer\Products\2B680A936D70B034EAE58BCAC18C347A [10] >> RemoveVIPRE.regfix
echo \registry\machine\software\classes\Installer\Products\116445D9734F351419E319EC305638CC [10] >> RemoveVIPRE.regfix
echo \registry\machine\software\classes\Installer\Products\1363B974717ACE24EB715AECFB5698B1 [10] >> RemoveVIPRE.regfix
echo \registry\machine\software\classes\Installer\Products\BF8FC7BD8368E4846A1C735FCA12CD2B [10] >> RemoveVIPRE.regfix

echo \registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\03BCC3AEA8C639B48B86726A768A9284 [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\083B3A6D7B7F6FB4DB9A45972E2DF34D [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0A760992A13C24C448E6C6B4627DA5B0 [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0B2AF55E92E0E81478FE9C1B31E21805 [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0D148412C177E7C4598C46875973B574 [10] >> RemoveVIPRE.regfix

REGINI -b RemoveVIPRE.regfix

REM *** Then remove general registry keys ***

REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBAMSvc /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBAPIFS /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBEMI /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBHIPS /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBPIMSVC /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBRE /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sbtis /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBFWIMCL /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBFWIMCLMP /f
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\gfi_lanss10_attservice /f

REG DELETE HKEY_CLASSES_ROOT\Installer\Products\2B680A936D70B034EAE58BCAC18C347A /F
REG DELETE HKEY_CLASSES_ROOT\Installer\Products\116445D9734F351419E319EC305638CC /f
REG DELETE HKEY_CLASSES_ROOT\Installer\Products\1363B974717ACE24EB715AECFB5698B1 /f
REG DELETE HKEY_CLASSES_ROOT\Installer\Products\BF8FC7BD8368E4846A1C735FCA12CD2B /f

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\03BCC3AEA8C639B48B86726A768A9284" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\083B3A6D7B7F6FB4DB9A45972E2DF34D" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0A760992A13C24C448E6C6B4627DA5B0" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0B2AF55E92E0E81478FE9C1B31E21805" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0D148412C177E7C4598C46875973B574" /f

REM *** Change permissions on x86-specific registry keys ***
REM Start a fresh .regfix file here; the previous one has already been applied by REGINI.
REM (The original script appended this first line and then overwrote the file on the next
REM  line, so the Products key was never processed.)

echo \registry\machine\software\classes\Installer\Products\116445D9734F351419E319EC305638CC [10] > RemoveVIPRE.regfix

echo \registry\machine\SOFTWARE\SBAMSvc [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\GFI Software\GFI Business Agent [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\Sunbelt Software\Sunbelt Enterprise Agent - 4.0 Agent [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\GFI Software\GFI Business Agent - 5.0 Agent [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\Sunbelt Software\Sunbelt Enterprise Agent [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\GFI\LNSS10 [10] >> RemoveVIPRE.regfix

echo "\registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9D544611-F437-4153-913E-91CE036583CC}" [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}" [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\116445D9734F35141" [10] >> RemoveVIPRE.regfix

REGINI -b RemoveVIPRE.regfix

REM *** Remove x86-specific registry keys ***

REG DELETE "HKEY_CLASSES_ROOT\Installer\Products\116445D9734F351419E319EC305638CC" /f

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\SBAMSvc" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Sunbelt Software\Sunbelt Enterprise Agent" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\GFI Software\GFI Business Agent" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Sunbelt Software\Sunbelt Enterprise Agent - 4.0 Agent" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\GFI Software\GFI Business Agent - 5.0 Agent" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\GFI\LNSS10" /f

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9D544611-F437-4153-913E-91CE036583CC}" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\116445D9734F35141" /f

REM *** Change permissions on x64-specific registry keys ***

echo \registry\machine\SOFTWARE\Wow6432Node\SBAMSvc [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\Wow6432Node\Sunbelt Software\Sunbelt Enterprise Agent" [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\Wow6432Node\GFI Software\GFI Business Agent" [10] >> RemoveVIPRE.regfix
echo \registry\machine\SOFTWARE\Wow6432Node\GFI\LNSS10 [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\Wow6432Node\Sunbelt Software\Sunbelt Enterprise Agent - 4.0 Agent" [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\Wow6432Node\GFI Software\GFI Business Agent - 5.0 Agent" [10] >> RemoveVIPRE.regfix

echo "\registry\machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9D544611-F437-4153-913E-91CE036583CC}" [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}" [10] >> RemoveVIPRE.regfix
echo "\registry\machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\116445D9734F35141" [10] >> RemoveVIPRE.regfix

echo \registry\machine\software\classes\Installer\Products\116445D9734F351419E319EC305638CC [10] >> RemoveVIPRE.regfix

REGINI -b RemoveVIPRE.regfix

REM *** Remove x64-specific registry keys ***

REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SBAMSvc /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sunbelt Software\Sunbelt Enterprise Agent" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GFI Software\GFI Business Agent" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GFI\LNSS10" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sunbelt Software\Sunbelt Enterprise Agent - 4.0 Agent" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GFI Software\GFI Business Agent - 5.0 Agent" /f

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9D544611-F437-4153-913E-91CE036583CC}" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\116445D9734F35141" /f

REG DELETE "HKEY_CLASSES_ROOT\Installer\Products\116445D9734F351419E319EC305638CC" /f

REM *** Clean up misc items from VIPRE support sessions etc. ***

DEL "%USERPROFILE%\appdata\local\temp\removevipre\sbrc.exe"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SBRegRebootCleaner" /f

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SBAMTray" /f

REM *** Finish up. ***

del RemoveVIPRE.regfix

RegSvr32 /u /s SBAMScanShellExt.DLL

RMDIR /S /Q "%SYSTEMDRIVE%\Program Files\GFI Software\GFIAgent"
RMDIR /S /Q "%SYSTEMDRIVE%\Program Files\GFI Software\LanGuard 10 Agent"
RMDIR /S /Q "%SYSTEMDRIVE%\Program Files\Sunbelt Software\SBEAgent"

RMDIR /S /Q "%SYSTEMDRIVE%\Program Files (x86)\Sunbelt Software\SBEAgent"
RMDIR /S /Q "%SYSTEMDRIVE%\Program Files (x86)\GFI Software\GFIAgent"
RMDIR /S /Q "%SYSTEMDRIVE%\Program Files (x86)\GFI Software\LanGuard 10 Agent"

RMDIR /S /Q "%AppData%\Sunbelt\Antimalware"
RMDIR /S /Q "%AppData%\Sunbelt Software\Antimalware"
RMDIR /S /Q "%AppData%\GFI Software\Antimalware"
RMDIR /S /Q "%AppData%\GFI Software\LanGuard 10"

echo ---------------------------
echo ---------------------------
echo RemoveVIPRE completed.
echo ---------------------------
echo ---------------------------

==============

ESET Antivirus Deployment Issues
article #697, updated 2117 days ago

If the installer does not complete, but rolls back:

  1. Check Windows services, see if the Base Filtering Engine is present. If not, the ESETSirefefCleaner tool must be run to restore it. See this KB article for steps and download.
  2. Open RegEdit, backup the registry.
  3. Search for: 6BDD1FC6-810F-11D0-BEC7-08002BE2092F
  4. If there is a value named “UpperFilters”, delete it.
  5. If there is a value named “LowerFilters”, delete it.
  6. Shutdown and restart.
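The following PowerShell script is an added example and is not part of the original article or of ESET's tooling. It automates the checks in the "Base Filtering Engine missing" article above and steps 1 to 5 of this list: it confirms the BFE service exists, finds registry keys carrying the class GUID from step 3, exports each such key as a backup (step 2), and reports, and only on request removes, any UpperFilters or LowerFilters values. The search location under HKLM\SYSTEM\CurrentControlSet\Control\Class and the script and parameter names are this example's assumptions; the article only says to search for the GUID.

```powershell
# Added example, not part of the original article or of ESET's tooling.
# Automates steps 1-5 above: confirm the Base Filtering Engine (BFE) service
# exists, locate registry keys carrying the class GUID from step 3, export
# them as a backup, and report (and optionally remove) UpperFilters /
# LowerFilters values. Assumption: the GUID names a device setup class, so the
# keys are searched under HKLM\SYSTEM\CurrentControlSet\Control\Class.
# Nothing is deleted unless -Remove is given; -WhatIf previews the deletion.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ClassGuid = '6BDD1FC6-810F-11D0-BEC7-08002BE2092F',
    [string]$BackupDir = "$env:TEMP\class-filter-backup",
    [switch]$Remove
)

function Test-BaseFilteringEngine {
    # Step 1: a missing BFE service means the cleaner tool has to run first.
    $svc = Get-Service -Name 'BFE' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning 'Base Filtering Engine (BFE) service is missing; run the ESETSirefefCleaner tool before retrying the install.'
        return $false
    }
    Write-Host ("BFE service present, status: {0}" -f $svc.Status)
    return $true
}

function Get-ClassFilterValue {
    param([string]$Guid)
    # Steps 3-5: find keys named by the GUID and list their filter values.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        if ($key.PSChildName -notlike "*$Guid*") { continue }
        foreach ($name in 'UpperFilters', 'LowerFilters') {
            $item = Get-ItemProperty -Path $key.PSPath -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                [pscustomobject]@{
                    KeyName = $key.Name      # HKEY_LOCAL_MACHINE\... form, for reg.exe export
                    KeyPath = $key.PSPath    # provider path, for Remove-ItemProperty
                    Name    = $name
                    Value   = (@($item.$name) -join ', ')
                }
            }
        }
    }
}

function Backup-RegistryKey {
    param([string]$KeyName, [string]$Directory)
    # Step 2: export the key before touching it so the change can be reverted.
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $file = Join-Path $Directory ($KeyName.Split('\')[-1] + '.reg')
    & reg.exe export $KeyName $file /y | Out-Null
    return $file
}

$null = Test-BaseFilteringEngine
$filters = @(Get-ClassFilterValue -Guid $ClassGuid)
if ($filters.Count -eq 0) {
    Write-Host "No UpperFilters/LowerFilters values found on keys matching $ClassGuid."
    return
}
$filters | Format-Table Name, Value, KeyName -AutoSize
if ($Remove) {
    foreach ($f in $filters) {
        $backup = Backup-RegistryKey -KeyName $f.KeyName -Directory $BackupDir
        if ($PSCmdlet.ShouldProcess("$($f.KeyName)\$($f.Name)", 'Remove registry value')) {
            Remove-ItemProperty -Path $f.KeyPath -Name $f.Name
            Write-Host "Removed $($f.Name) (backup: $backup)"
        }
    }
    Write-Host 'Reboot to complete the repair (step 6).'
}
```

Run it from an elevated PowerShell prompt. Without switches it only reports; `-Remove -WhatIf` shows which values would be deleted, and `-Remove` deletes them after writing a .reg backup of each affected key into the backup directory, so the original filter configuration can be re-imported if the install still fails.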

The above provided by the excellent Jared Dexter.

==============

Create a Ticket for ESET
article #698, updated 2117 days ago

A good bit of time can be saved using this procedure:

  1. Collect the SysInspector log using these instructions
  2. Collect the installation error logs using these instructions
  3. Attach them both to the ticket you will create at this location.
    Select Customer Care – Business Support, Installing/activating an endpoint product, I am trying to install ESET endpoint antivirus or ESET endpoint security.

The above provided by the excellent Jared Dexter.

==============

Manual install of server-based ESET
article #701, updated 2117 days ago

  1. Run the MSI (at this writing, eea_nt64_enu.msi) directly.
  2. Once the GUI populates, it will list any conflicts detected; address them accordingly.
  3. After install completes, open ESET. Navigate to Setup, and choose “Import and export settings…”
  4. Import the XML provided by the server.

The above provided by the excellent Jared Dexter.

==============

Repair Windows after infections
article #685, updated 2170 days ago

Interesting tool:

http://www.tweaking.com/content/page/windows_repair_all_in_one.html

==============

Move VIPRE Agent to New Server
article #667, updated 2223 days ago

The batch file below will move a VIPRE agent to a new server. Be sure to change “servername.domain.xyz” to the appropriate DNS name of the new server.

REM Stop the agent service and keep it from restarting while its settings are changed
sc config sbamsvc start= disabled
net stop sbamsvc
taskkill /f /im sbamsvc.exe
sc config sbamsvc start= disabled
REM Change to the agent data folder (Vista/2008 and later path first, then the XP/2003 path)
(if exist "C:\ProgramData\GFI Software\Antimalware" CD C:\ProgramData\GFI Software\Antimalware)
(if exist "C:\Documents and Settings\All Users\Application Data\GFI Software\Antimalware" CD C:\Documents and Settings\All Users\Application Data\GFI Software\Antimalware)
REM Remove the cached policy and settings so the agent fetches fresh copies from the new server
del policy.xml
del agentsettings.xml
REM Point the agent at the new server, then re-enable and start it
(reg add HKLM\SOFTWARE\Wow6432Node\SBAMSvc /v PolicyServiceMachineName /t REG_SZ /d "servername.domain.xyz" /f)
sc config sbamsvc start= delayed-auto
net start sbamsvc

==============

Antivirus Exceptions: File Extensions Etc.
article #190, updated 2330 days ago

It is either essential or highly advisable to add the following file extensions as exceptions in antimalware products, most especially on servers.

Exchange & Windows Search Indexing:

*.edb
*.stm

Microsoft SQL server and others (FTDATA is a filename, not an extension):

*.mdf
*.ldf
*.ndf
FTDATA
*.bak
*.trn
*.trc
*.sqlaudit
*.sql

StorageCraft:

*.spf
*.spi
*.spk

Acronis:

*.TIB

BlackBerry Enterprise Server:

*.pdb

Microsoft virtual machine:

*.vhd
*.vpc
*.vmc
*.vhdx
*.avhd
*.vsv

VMware:

*.nvram
*.vmdk
*.vmsd
*.vmsn
*.vmss
*.vmtm
*.vmx
*.vmxf

QuickBooks:

*.DES
*.IIF
*.ND
*.QBA
*.TLG
*.QBB
*.QBM
*.QBR
*.QBW
*.QBX
*.QBY

Quicken:

*.QDF
*.QEL
*.QPH
*.IDX
*.QSD
*.QDB

AutoCAD Inventor:

*.ipt
*.iam
*.idw
*.dwg
*.ipn
*.ide
*.prt
*.g
*.asm
*.neu
*.dxf

Borland Paradox, Pervasive SQL, SQLite, AutoCAD, and others:

*.db
*.sdf
*.ddf
*.mkd
*.pvsw
*.s3db
*.s3db-journal

For Pervasive databases, in addition to the above, you can load the Monitor to see files and folders in use.

For Postgres databases, the files don’t have extensions; their names are all numbers, and they sit in a single directory hierarchy per database. Find that hierarchy and set up an exception for its topmost level, and you’re done.

For Oracle databases:

*.sql
*.lst
*.pls
*.plb
*.pks
*.pkb
*.pck
*.dbf
*.log
*.rdo
*.arc
*.ctl
*.dat
*.bad
*.dsc
*.ora
*.fmb
*.fmt
*.fmx
*.rdf
*.rep
*.rex

For MySQL databases:

*.frm
*.myd
*.myi

All the extensions above, in one swell foop:

*.edb
*.stm
*.mdf
*.ldf
*.ndf
FTDATA
*.bak
*.trn
*.trc
*.sqlaudit
*.sql
*.spf
*.spi
*.spk
*.TIB
*.pdb
*.vhd
*.vpc
*.vmc
*.vhdx
*.avhd
*.vsv
*.nvram
*.vmdk
*.vmsd
*.vmsn
*.vmss
*.vmtm
*.vmx
*.vmxf
*.DES
*.IIF
*.ND
*.QBA
*.TLG
*.QBB
*.QBM
*.QBR
*.QBW
*.QBX
*.QBY
*.QDF
*.QEL
*.QPH
*.IDX
*.QSD
*.QDB
*.ipt
*.iam
*.idw
*.dwg
*.ipn
*.ide
*.prt
*.g
*.asm
*.neu
*.dxf
*.db
*.sdf
*.ddf
*.mkd
*.pvsw
*.s3db
*.s3db-journal
*.sql
*.lst
*.pls
*.plb
*.pks
*.pkb
*.pck
*.dbf
*.log
*.rdo
*.arc
*.ctl
*.dat
*.bad
*.dsc
*.ora
*.fmb
*.fmt
*.fmx
*.rdf
*.rep
*.rex
*.frm
*.myd
*.myi

A different swell foop, better suited for some antivirus software:

*.edb;*.stm;*.mdf;*.ldf;*.ndf;FTDATA;*.bak;*.trn;*.trc;*.sqlaudit;*.sql;*.spf;*.spi;*.spk;*.TIB;*.pdb;*.vhd;*.vpc;*.vmc;*.vhdx;*.avhd;*.vsv;*.nvram;*.vmdk;*.vmsd;*.vmsn;*.vmss;*.vmtm;*.vmx;*.vmxf;*.DES;*.IIF;*.ND;*.QBA;*.TLG;*.QBB;*.QBM;*.QBR;*.QBW;*.QBX;*.QBY;*.QDF;*.QEL;*.QPH;*.IDX;*.QSD;*.QDB;*.ipt;*.iam;*.idw;*.dwg;*.ipn;*.ide;*.prt;*.g;*.asm;*.neu;*.dxf;*.db;*.sdf;*.ddf;*.mkd;*.pvsw;*.s3db;*.s3db-journal;*.sql;*.lst;*.pls;*.plb;*.pks;*.pkb;*.pck;*.dbf;*.log;*.rdo;*.arc;*.ctl;*.dat;*.bad;*.dsc;*.ora;*.fmb;*.fmt;*.fmx;*.rdf;*.rep;*.rex;*.frm;*.myd;*.myi
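The following PowerShell script is an added example and is not part of the original article. It takes the combined semicolon-separated list above, separates the `*.ext` patterns from plain file names (FTDATA needs a path exclusion, not an extension exclusion), de-duplicates the set (`*.sql` appears twice), and reconciles it with the extension exclusions currently configured in Microsoft Defender Antivirus. The article names no particular antivirus product, so applying the list to Defender (via the `Get-MpPreference` and `Add-MpPreference` cmdlets) and the `-DataDirectory` parameter for Postgres-style directory exclusions are this example's assumptions.

```powershell
# Added example, not part of the original article. Parses the combined list
# above, de-duplicates it, and compares it with the extension exclusions set in
# Microsoft Defender Antivirus. Assumption: Defender is the antimalware product;
# the article itself names none. Nothing is changed unless -Apply is given.
param(
    [switch]$Apply,
    # Optional data directories (e.g. a Postgres cluster root) to exclude by path.
    [string[]]$DataDirectory = @()
)

# The combined list from the article, verbatim; FTDATA is a file name, not an extension.
$Combined = '*.edb;*.stm;*.mdf;*.ldf;*.ndf;FTDATA;*.bak;*.trn;*.trc;*.sqlaudit;*.sql;*.spf;*.spi;*.spk;*.TIB;*.pdb;*.vhd;*.vpc;*.vmc;*.vhdx;*.avhd;*.vsv;*.nvram;*.vmdk;*.vmsd;*.vmsn;*.vmss;*.vmtm;*.vmx;*.vmxf;*.DES;*.IIF;*.ND;*.QBA;*.TLG;*.QBB;*.QBM;*.QBR;*.QBW;*.QBX;*.QBY;*.QDF;*.QEL;*.QPH;*.IDX;*.QSD;*.QDB;*.ipt;*.iam;*.idw;*.dwg;*.ipn;*.ide;*.prt;*.g;*.asm;*.neu;*.dxf;*.db;*.sdf;*.ddf;*.mkd;*.pvsw;*.s3db;*.s3db-journal;*.sql;*.lst;*.pls;*.plb;*.pks;*.pkb;*.pck;*.dbf;*.log;*.rdo;*.arc;*.ctl;*.dat;*.bad;*.dsc;*.ora;*.fmb;*.fmt;*.fmx;*.rdf;*.rep;*.rex;*.frm;*.myd;*.myi'

function ConvertTo-ExclusionSet {
    param([string]$List)
    # Split on ';', trim, and separate "*.ext" patterns from plain file names.
    # Case-insensitive sets collapse duplicates such as *.sql / *.SQL.
    $extensions = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $fileNames  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($entry in $List -split ';') {
        $e = $entry.Trim()
        if (-not $e) { continue }
        if ($e.StartsWith('*.')) {
            [void]$extensions.Add($e.Substring(2))   # Defender expects "ext", not "*.ext"
        } else {
            [void]$fileNames.Add($e)                 # must be excluded by full path per host
        }
    }
    [pscustomobject]@{
        Extensions = @($extensions | Sort-Object)
        FileNames  = @($fileNames  | Sort-Object)
    }
}

$set = ConvertTo-ExclusionSet -List $Combined
Write-Host ("{0} unique extensions, {1} file-name entries." -f $set.Extensions.Count, $set.FileNames.Count)

# Compare with what Defender already excludes (ExclusionExtension may be empty).
$pref    = Get-MpPreference
$current = @($pref.ExclusionExtension | ForEach-Object { $_.TrimStart('.') })
$missing = @($set.Extensions | Where-Object { $current -notcontains $_ })

Write-Host ("Extensions not yet excluded: " + ($missing -join ', '))
foreach ($f in $set.FileNames) {
    Write-Host "File-name entry '$f' must be excluded by its full path (Add-MpPreference -ExclusionPath) on each host."
}

if ($Apply) {
    if ($missing.Count -gt 0) { Add-MpPreference -ExclusionExtension $missing }
    foreach ($d in $DataDirectory) {
        # Directory exclusion covers extension-less data files such as a Postgres cluster.
        if (Test-Path -LiteralPath $d -PathType Container) { Add-MpPreference -ExclusionPath $d }
    }
}
```

Run without `-Apply` first to see the difference between the article's list and the host's current exclusions. Extension exclusions apply to every location on the system, so entries as generic as `log`, `dat`, `bak` and `sql` widen the unscanned surface considerably; where the product allows it, prefer scoping those to the data directories that actually need them (the `-DataDirectory` path exclusion in the script is the shape of that alternative).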

==============

New antijunkware tool
article #588, updated 2394 days ago

This one removes toolbars and other junkware:

http://thisisudax.org/

Recommended by the bleepingcomputer.com people.
