Some Notes on the Machines

The batch file below will move a VIPRE agent to a new server. Be sure to change “servername.domain.xyz” to the appropriate DNS name of the new server.

sc config sbamsvc start= disabled
net stop sbamsvc
taskkill /f /im sbamsvc.exe
sc config sbamsvc start= disabled
(if exist "C:\ProgramData\GFI Software\Antimalware" CD C:\ProgramData\GFI Software\Antimalware)
(if exist "C:\Documents and Settings\All Users\Application Data\GFI Software\Antimalware" CD C:\Documents and Settings\All Users\Application Data\GFI Software\Antimalware)
del policy.xml
del agentsettings.xml
(reg add HKLM\SOFTWARE\Wow6432Node\SBAMSvc /v PolicyServiceMachineName /t REG_SZ /d "servername.domain.xyz" /f)
sc config sbamsvc start= delayed-auto
net start sbamsvc

This one removes toolbars and other junkware:

http://thisisudax.org/

Recommending by the bleepingcomputer.com people.

You can change the server which a VIPRE agent talks to without removal/reinstall!!!

1. Browse to C:\ProgramData\GFI Software\AntiMalware, C:\ProgramData\Sunbelt\AntiMalware, C:\Documents and Settings\All Users\Application Data\GFI Software\Antimalware, or C:\Documents and Settings\All Users\Application Data\Sunbelt\Antimalware, depending on version of VIPRE.

2. Delete Policy.xml and Agentsettings.xml

3. Using this registry entry key:

x32:

HKLM\SOFTWARE\SBAMSvc\PolicyServiceMachineName

x64:

HKLM\SOFTWARE\Wow6432Node\SBAMSvc\PolicyServiceMachineName

change the string in PolicyServiceMachineName to the IP or working DNS name of your VIPRE server, then restart service SBAMSvc, and you are in! It will automatically drop the object into default policy of the replacement server.

Try this:

http://threattrack.force.com/articles/SkyNet_Article/How-to-manually-remove-a-VIPRE-Business-agent/?q=remove&l=en_US&c=All_Products%3AVIPRE_Business&fs=Search&pn=1

A great command line for silent install of VIPRE agents:

AgentInstaller-SITE-NAME-Workstations-General-EN.MSI /q /qn /promptrestart

An excellent article:

http://cleanbytes.net/the-new-boot-record-viruses-tdl4-how-to-fix-the-master-boot-record-mbr

And resources:

UnHackMe

TDL4 Remover

TDSSKiller from Kaspersky

A most recommended method, is to boot from a Windows LiveCD, then download or copy over the current Kaspersky’s TDSSKiller, and do a scan/cleanout with that. Then reboot, and run Hitman Pro for confirmation of deletion.

Here is a tool:

http://esupport.trendmicro.com/solution/en-us/1057237.aspx

It can be done remotely using pexec, as follows.

First, start a shell:

psexec \\PCNAME -u DOMAIN_OR_PCNAME\login -p password -h -high CMD

Then, in the shell, do thusly:

net use Q: \\SERVER\zip_unpack_location /P:No
Q:\UNINSTALL
Exit

If your usual methods haven’t worked, try all of these:

http://www.securityxploded.com/spydllremover.php

http://www.securityxploded.com/bhoremover.php

http://www.securityxploded.com/streamarmor.php

This page will contain an ongoing list of items to check for agent installs, especially in the case of failure to install.

1. Under XP, is Simple File Sharing enabled? If so, disabled it.
2. Can telnet to the server (per name specified in the policy!) at port 18082? If not, there is a networking problem need fixing.
3. Logs showing 1606 errors? Try this: http://support.microsoft.com/kb/886549
4. A few others here: http://kb.gfi.com/articles/Skynet_Article/Agent-installation-failed

Here is AVG’s page which includes the AVG removal tool:

http://www.avg.com/us-en/utilities

A good command line for it is thus:

removeavg.exe /norestart /skipask /silent /deletedirforcehard

You’ll want to replace “removeavg.exe” with the current name of the executable. Also, you will still need to do manual removals of services, possibly toolbars, etcetera; it does not get everything.