This one removes toolbars and other junkware:
Recommended by the bleepingcomputer.com people.
You can change the server which a VIPRE agent talks to without removal/reinstall!!!
1. Browse to one of the following, depending on the version of VIPRE:
C:\ProgramData\GFI Software\AntiMalware
C:\ProgramData\Sunbelt\AntiMalware
C:\Documents and Settings\All Users\Application Data\GFI Software\Antimalware
C:\Documents and Settings\All Users\Application Data\Sunbelt\Antimalware
2. Delete Policy.xml and Agentsettings.xml
3. Using this registry entry key:
x32:
HKLM\SOFTWARE\SBAMSvc\PolicyServiceMachineName
x64:
HKLM\SOFTWARE\Wow6432Node\SBAMSvc\PolicyServiceMachineName
change the string in PolicyServiceMachineName to the IP or working DNS name of your VIPRE server, then restart the SBAMSvc service, and you are in! It will automatically drop the object into the default policy of the replacement server.
A great command line for silent install of VIPRE agents:
AgentInstaller-SITE-NAME-Workstations-General-EN.MSI /q /qn /promptrestart
An excellent article:
http://cleanbytes.net/the-new-boot-record-viruses-tdl4-how-to-fix-the-master-boot-record-mbr
And resources:
A most recommended method is to boot from a Windows LiveCD, then download or copy over the current version of Kaspersky’s TDSSKiller, and do a scan/cleanout with that. Then reboot, and run Hitman Pro to confirm the deletion.
Here is a tool:
http://esupport.trendmicro.com/solution/en-us/1057237.aspx
It can be done remotely using psexec, as follows.
First, start a shell:
psexec \\PCNAME -u DOMAIN_OR_PCNAME\login -p password -h -high CMD
Then, in the shell, do thusly:
net use Q: \\SERVER\zip_unpack_location /P:No
Q:\UNINSTALL
Exit
If your usual methods haven’t worked, try all of these:
http://www.securityxploded.com/spydllremover.php
This page will contain an ongoing list of items to check for agent installs, especially in the case of failure to install.
Here is AVG’s page which includes the AVG removal tool:
http://www.avg.com/us-en/utilities
A good command line for it is thus:
removeavg.exe /norestart /skipask /silent /deletedirforcehard
You’ll want to replace “removeavg.exe” with the current name of the executable. Also, you will still need to do manual removals of services, possibly toolbars, etcetera; it does not get everything.
For Symantec, rolling one’s own seems usual. I have been doing it using psexec and LabTech command prompt, running the msiexec lines below remotely. One has to get the long code first via regedit. Examples are below under major subversions. But before you do that, make sure there’s no password protection on the client. There are two locations.
First in here:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC
and make sure SmcGuiHasPassword is 0.
Second, in here:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\Security
make sure UseVPUninstallPassword is 0.
And now for some example msiexec lines. The /q is apparently needed just as much as the /qn, and the last two (very sparsely documented) items appear helpful as well. The GUID (the long code) is the tough part. It comes from:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
searching for “Symantec Endpoint Protection”, and it is possible to have more than one sub-subversion — and therefore more than one GUID — needed within a given LAN, mostly depending on update status.
for 12.1:
MsiExec.exe /X {EFCC6FA1-8F3F-46E6-B7BF-8336CCD3DA67} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {BCE5F3B0-8407-42DB-8073-1812F7D2D1E6} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
for 12.0:
MsiExec.exe /X {895665D9-6614-4930-9D39-3567283DD424} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {D350A6A1-044F-4E19-8267-F1C44775CFC2} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {A3AEEA68-AC93-4F6F-8D2D-78BBF7E422B8} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {84B70C16-7032-41EE-965C-3C8D9D566CBB} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
for 11.0:
MsiExec.exe /X {26624215-248C-4F88-A415-35301812FB75} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {AAE221D5-C3DD-4FE2-A063-C1368FE730A5} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
MsiExec.exe /X {84B70C16-7032-41EE-965C-3C8D9D566CBB} /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL
It can take a while — but it happens very silently.
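Since more than one GUID can be in use on a LAN, the regedit lookup above can be scripted per machine. The following PowerShell is an added example, not part of the original notes: it is read-only, reports the two password flags and lists each matching GUID with the msiexec line in the form used above. The function names and the extra Wow6432Node Uninstall location are assumptions of this example.

```powershell
# Added example: read-only inventory. Nothing is uninstalled or modified.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # Assumption: also check the 32-bit view on x64 systems.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$sepRoot = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection'

# Hypothetical helper: returns the registry value, or 'not present'.
function Get-SepPasswordFlag {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not present' }
    return $item.$Name
}

# Hypothetical helper: finds MSI uninstall entries whose DisplayName matches.
function Get-SepUninstallEntry {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $guid = $_.PSChildName
            # MSI products are keyed by a {GUID}; skip any other entries.
            if ($p.DisplayName -like '*Symantec Endpoint Protection*' -and
                $guid -match '^\{[0-9A-Fa-f-]{36}\}$') {
                [pscustomobject]@{
                    DisplayName = $p.DisplayName
                    Version     = $p.DisplayVersion
                    Guid        = $guid
                    Command     = "MsiExec.exe /X $guid /q /qn /norestart REBOOT=ReallySuppress REMOVE=ALL"
                }
            }
        }
    }
}

# Both flags should read 0 before a silent uninstall is attempted.
$flags = [ordered]@{
    SmcGuiHasPassword      = Get-SepPasswordFlag "$sepRoot\SMC" 'SmcGuiHasPassword'
    UseVPUninstallPassword = Get-SepPasswordFlag "$sepRoot\AV\AdministratorOnly\Security" 'UseVPUninstallPassword'
}
$flags.GetEnumerator() | ForEach-Object { '{0} = {1}' -f $_.Key, $_.Value }

Get-SepUninstallEntry | Format-List
```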