Category: Antivirus/Antimalware Tools and Issues

Change VIPRE agent server live!!!
article #571, updated 2458 days ago

You can change the server which a VIPRE agent talks to without removal/reinstall!!!

1. Browse to C:\ProgramData\GFI Software\AntiMalware, C:\ProgramData\Sunbelt\AntiMalware, C:\Documents and Settings\All Users\Application Data\GFI Software\Antimalware, or C:\Documents and Settings\All Users\Application Data\Sunbelt\Antimalware, depending on version of VIPRE.

2. Delete Policy.xml and Agentsettings.xml

3. In the registry, find the PolicyServiceMachineName value under the key for your architecture:

32-bit Windows:

HKLM\SOFTWARE\SBAMSvc\PolicyServiceMachineName

64-bit Windows:

HKLM\SOFTWARE\Wow6432Node\SBAMSvc\PolicyServiceMachineName

Change the string in PolicyServiceMachineName to the IP address or a working DNS name of your VIPRE server, then restart the SBAMSvc service, and you are in! The agent will automatically drop into the default policy of the replacement server.
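The three steps above, scripted as an added example (this is not code from the article or from VIPRE). The file names, registry paths and service name are the ones the article lists; the server name is a placeholder you supply, and the script stops the service before deleting the files, which is my addition rather than the article's order. Run it from an elevated PowerShell prompt on the workstation:

```powershell
# Added example (not part of the original article): re-point an installed VIPRE
# agent at a replacement policy server, following the three steps above.
# Usage:  .\Set-VipreServer.ps1 -NewServer vipre02.example.local   (placeholder name)
param(
    [Parameter(Mandatory = $true)]
    [string]$NewServer   # IP address or resolvable DNS name of the new VIPRE server
)

# Data directories from the article; which one exists depends on the VIPRE version and OS.
$dataDirs = @(
    'C:\ProgramData\GFI Software\AntiMalware',
    'C:\ProgramData\Sunbelt\AntiMalware',
    'C:\Documents and Settings\All Users\Application Data\GFI Software\Antimalware',
    'C:\Documents and Settings\All Users\Application Data\Sunbelt\Antimalware'
)

# On 64-bit Windows the 32-bit service's key lives under Wow6432Node (the article's x64 path);
# try that first and fall back to the native path for 32-bit Windows.
$regPath = 'HKLM:\SOFTWARE\Wow6432Node\SBAMSvc'
if (-not (Test-Path $regPath)) { $regPath = 'HKLM:\SOFTWARE\SBAMSvc' }
if (-not (Test-Path $regPath)) {
    throw 'SBAMSvc registry key not found; is the VIPRE agent installed on this machine?'
}

# Record the current server so the change is auditable and reversible.
$oldServer = (Get-ItemProperty -Path $regPath -Name PolicyServiceMachineName).PolicyServiceMachineName
Write-Host "Current policy server: $oldServer"

# Stop the agent first so it cannot hold Policy.xml open or rewrite it mid-change
# (my addition; the article deletes the files with the service still running).
Stop-Service -Name SBAMSvc -Force

# Steps 1 and 2: remove the cached policy and agent settings.
foreach ($dir in $dataDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($name in 'Policy.xml', 'Agentsettings.xml') {
        $file = Join-Path $dir $name
        if (Test-Path $file) {
            Remove-Item -Path $file -Force
            Write-Host "Deleted $file"
        }
    }
}

# Step 3: point the agent at the replacement server.
Set-ItemProperty -Path $regPath -Name PolicyServiceMachineName -Value $NewServer
Write-Host "PolicyServiceMachineName changed from '$oldServer' to '$NewServer'"

# Start the service again; on start-up the agent contacts the new server and
# lands in that server's default policy.
Start-Service -Name SBAMSvc
Write-Host "SBAMSvc restarted; confirm the agent appears in the new server's console."
```

The old server name is printed before anything changes, so if the agent does not show up on the new server you can put the value back and restart SBAMSvc to undo the move.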

==============

Manual removal of VIPRE Business agent
article #572, updated 2488 days ago

Try this:

http://threattrack.force.com/articles/SkyNet_Article/How-to-manually-remove-a-VIPRE-Business-agent/?q=remove&l=en_US&c=All_Products%3AVIPRE_Business&fs=Search&pn=1

==============

Silent VIPRE agent MSI install
article #468, updated 2499 days ago

A great command line for silent install of VIPRE agents:

AgentInstaller-SITE-NAME-Workstations-General-EN.MSI /q /qn /promptrestart

==============

Handling Boot Record Viruses
article #521, updated 2620 days ago

An excellent article:

http://cleanbytes.net/the-new-boot-record-viruses-tdl4-how-to-fix-the-master-boot-record-mbr

And resources:

UnHackMe

TDL4 Remover

TDSSKiller from Kaspersky

The most recommended method is to boot from a Windows LiveCD, then download or copy over the current Kaspersky TDSSKiller, and do a scan/cleanout with that. Then reboot, and run Hitman Pro to confirm the deletion.

==============

Remove Trend Micro Worry-Free Business Security Agent
article #505, updated 2669 days ago

Here is a tool:

http://esupport.trendmicro.com/solution/en-us/1057237.aspx

It can be done remotely using psexec, as follows.

First, start a shell:

psexec \\PCNAME -u DOMAIN_OR_PCNAME\login -p password -h -high CMD

Then, in the shell, do thusly:

net use Q: \\SERVER\zip_unpack_location /P:No
Q:\UNINSTALL
Exit

==============

Antimalware LiveCDs
article #400, updated 2708 days ago

As a result of a number of recent failures, things have changed here. I’m now listing the Avira AntiVir Rescue System as number one:

http://www.avira.com/en/download/product/avira-antivir-rescue-system

and second, the venerable Trinity Rescue Kit:

http://trinityhome.org/Home/index.php?content=TRINITY_RESCUE_KIT_DOWNLOAD&front_id=12&lang=en&locale=en

TRK has five different antivirus scanners configured; of the five, F-PROT and Clam are working very well, BitDefender’s auto-download site kept stalling for me, Avast needs a license, and Vexira is not working right now.

Softpedia gives us this list for reference:

http://www.softpedia.com/hubs/Rescue-Disks

==============

Three Semi-Manual Antimalware Tools
article #470, updated 2814 days ago

If your usual methods haven’t worked, try all of these:

http://www.securityxploded.com/spydllremover.php

http://www.securityxploded.com/bhoremover.php

http://www.securityxploded.com/streamarmor.php

==============

VIPRE Business agent checklist
article #469, updated 2815 days ago

This page will contain an ongoing list of items to check for agent installs, especially in the case of failure to install.

  1. Under XP, is Simple File Sharing enabled? If so, disable it.
  2. Can you telnet to the server (by the name specified in the policy!) on port 18082? If not, there is a networking problem that needs fixing.
  3. Logs showing 1606 errors? Try this: http://support.microsoft.com/kb/886549
  4. A few others here: http://kb.gfi.com/articles/Skynet_Article/Agent-installation-failed
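Items 1 and 2 of the checklist as a pre-flight script, added here as an example (not from the article or from VIPRE). Port 18082 and the "use the name from the policy" rule come from the checklist; the policy server name is a placeholder, and the XP Simple File Sharing test relies on my understanding that the setting is reflected by the ForceGuest value under the Lsa key (1 = enabled), which the article does not state:

```powershell
# Added example (not part of the original article): pre-flight checks before a
# VIPRE agent install, run on the target workstation.
# Usage:  .\Test-VipreAgentPrereqs.ps1 -PolicyServer vipre01.example.local   (placeholder)
param(
    [Parameter(Mandatory = $true)]
    [string]$PolicyServer,   # the server name exactly as it appears in the VIPRE policy
    [int]$Port = 18082       # agent-to-server port from the checklist
)

$problems = @()

# Item 1: Simple File Sharing on Windows XP (version 5.1).
# Assumption (not from the article): XP exposes it as HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest, 1 = enabled.
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Version -like '5.1*') {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($lsa -and $lsa.ForceGuest -eq 1) {
        $problems += 'Simple File Sharing is enabled (Lsa\ForceGuest = 1); disable it before installing the agent.'
    }
}

# Item 2: can we reach the policy server, by the policy's own name, on the agent port?
# First make sure the name resolves at all, then attempt a TCP connect (the telnet test).
$resolved = $null
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($PolicyServer)
    Write-Host "$PolicyServer resolves to $($resolved -join ', ')"
} catch {
    $problems += "Cannot resolve '$PolicyServer' in DNS; check the name in the policy and the client's DNS settings."
}

if ($resolved) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($PolicyServer, $Port)
        Write-Host "TCP port $Port on $PolicyServer is reachable."
    } catch {
        $problems += "Cannot connect to ${PolicyServer}:$Port; a firewall or routing problem is blocking the agent."
    } finally {
        $client.Close()
    }
}

# Summary: one warning per failed item, or a clean bill of health.
if ($problems.Count -eq 0) {
    Write-Host 'Pre-flight checks passed; proceed with the agent install.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The DNS lookup is separated from the TCP connect on purpose: a name that does not resolve and a port that is filtered are fixed in different places, and the checklist's telnet test does not tell you which of the two you are looking at.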

==============

AVG removal tool
article #119, updated 2817 days ago

Here is AVG’s page which includes the AVG removal tool:

http://www.avg.com/us-en/utilities

A good command line for it is thus:

removeavg.exe /norestart /skipask /silent /deletedirforcehard

You’ll want to replace “removeavg.exe” with the current name of the executable. Also, you will still need to do manual removals of services, possibly toolbars, etcetera; it does not get everything.

==============

Silently Uninstalling Symantec Antivirus 11 and 12
article #451, updated 2850 days ago

For Symantec, rolling one’s own seems usual. I have been doing it using psexec and the LabTech command prompt, running the msiexec lines below remotely. One has to get the long code first via regedit. Examples are below under major subversions. But before you do that, make sure there’s no password protection on the client. There are two registry locations to check.

First in here:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

and make sure SmcGuiHasPassword is 0.

Second, in here:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\Security

make sure UseVPUninstallPassword is 0.

And now for some example msiexec lines. The /q appears to be needed in addition to /qn, and the last two (very sparsely documented) parameters appear to help as well. The GUID (the long code) is the hard part. It comes from:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

searching for “Symantec Endpoint Protection”, and it is possible to have more than one sub-subversion — and therefore more than one GUID — needed within a given LAN, mostly depending on update status.

for 12.1:

MsiExec.exe /X {EFCC6FA1-8F3F-46E6-B7BF-8336CCD3DA67} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {BCE5F3B0-8407-42DB-8073-1812F7D2D1E6} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL

for 12.0:

MsiExec.exe /X {895665D9-6614-4930-9D39-3567283DD424} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {D350A6A1-044F-4E19-8267-F1C44775CFC2} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {A3AEEA68-AC93-4F6F-8D2D-78BBF7E422B8} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {84B70C16-7032-41EE-965C-3C8D9D566CBB} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL

for 11.0:

MsiExec.exe /X {26624215-248C-4F88-A415-35301812FB75} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {AAE221D5-C3DD-4FE2-A063-C1368FE730A5} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {84B70C16-7032-41EE-965C-3C8D9D566CBB} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL

It can take a while — but it happens very silently.
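The whole procedure above (check the two password flags, find the GUIDs under the Uninstall key, build the msiexec lines) as a script, added here as an example; it is not code from the article or from Symantec. The registry paths, value names and msiexec switches are the ones the article gives. Also checking the Wow6432Node views of those keys is my addition for 64-bit clients, not something the article states. Nothing is removed unless you pass -Uninstall:

```powershell
# Added example (not part of the original article): locate SEP product codes,
# verify uninstall-password protection is off, and print or run the msiexec lines.
# Usage:  .\Remove-SepSilently.ps1            (report only)
#         .\Remove-SepSilently.ps1 -Uninstall (actually run msiexec)
param(
    [switch]$Uninstall
)

# The two password-protection values the article says must be 0.
$passwordChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'; Name = 'SmcGuiHasPassword' },
    @{ Path = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\Security'; Name = 'UseVPUninstallPassword' }
)

$blocked = $false
foreach ($check in $passwordChecks) {
    # Native path from the article plus the Wow6432Node view (my addition for 64-bit Windows).
    $paths = @($check.Path, ($check.Path -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\Wow6432Node\'))
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties[$check.Name]) {
            $value = $item.($check.Name)
            Write-Host "$p\$($check.Name) = $value"
            if ($value -ne 0) { $blocked = $true }
        }
    }
}
if ($blocked) {
    throw 'Uninstall password protection is set; clear it (value must be 0) before running msiexec.'
}

# Walk the Uninstall key (both registry views) and collect the GUID-named SEP entries.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$guids = @()
foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem -Path $key | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.DisplayName -like 'Symantec Endpoint Protection*' -and
            $_.PSChildName -match '^\{[0-9A-F-]{36}\}$') {
            $guids += $_.PSChildName
            Write-Host "Found $($props.DisplayName) $($props.DisplayVersion) -> $($_.PSChildName)"
        }
    }
}

if ($guids.Count -eq 0) {
    Write-Host 'No Symantec Endpoint Protection MSI entries found on this machine.'
    return
}

# Build each msiexec line in exactly the article's form; run it only on request.
foreach ($guid in $guids) {
    $msiArgs = "/X $guid /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL"
    Write-Host "MsiExec.exe $msiArgs"
    if ($Uninstall) {
        $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
        Write-Host "msiexec exit code for $guid : $($proc.ExitCode)"
    }
}
```

Reading the GUIDs off each machine rather than pasting the lists above avoids the sub-subversion problem the article mentions: whatever product code that particular client carries is the one that gets used, and the exit code from msiexec (0, or 3010 for a suppressed reboot) tells you whether it actually took.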
