So, I have been working with a new client recently. They switched from another IT vendor with a “lack of communication skills”. The other provider would never tell them if they were going to reboot the server, did not provide ANY antivirus on the server or clients, and had several other issues that I don’t really care about (they seem personal). During the transition, I told my client to request all passwords from their previous vendor (PIX fw password, domain admin, local admin pw if different, and pw to the wireless router). The vendor gave the domain administrator password up (although they had some GPOs restricting it from adding new users and other things, because they used custom admin accounts instead), but “didn’t remember” the Cisco PIX pw. Either they really are a horrible IT provider or they are assholes… you choose. Although this really isn’t as uncommon as I wish it was, I hate having to dick with resetting passwords and trying to pry information out of people. Anyway, before the April 1 Conficker was supposed to hit, the vendor had provided them with a free trial of Trend’s newest Worry-Free small business Client/Server Security. I thought this was a huge sign that the vendor was trying, since they didn’t have AV for the previous 2 years, the event viewer was flooded with errors, and the clients just thought IT didn’t work altogether. Shortly after this 30-day trial was installed, the transition was made. I ordered the client Symantec Endpoint Protection 11.0 (MR4) w/ SEPM (my preferred AV). I went to install the new AV and realized, since they never had AV before, I had not had my clients ask for an uninstall password for the AV. I called the company and asked them for the uninstall password. Of course, they “forgot” this password as well…
Off I go on one of my favorite tasks: removing AV from an entire office without a management console to expedite it, or a password to even do it remotely fast on each machine. First, I decided to take it off of the server and put SEPM on the server. I wanted to make sure the server was taken care of first. I used this page (update 5/10/2011: looks like Trend removed this site. Let me know if you find an updated link) to take care of it. It worked OK, except when the server came back online it could not pick up a network connection. Of course it is set with a static IP. I tried WinSockFix, which I would not recommend using on a server, but by the time I used it, I was somewhat desperate. I checked all services. I removed some updates that I had known to cause issues before on SBS 2003 (951746 and 951748: if the IPsec service won’t start and these were recently installed, remove them and reboot; they cause issues on SBS ’03 and kill networking). Finally, I downloaded the newest drivers for the NIC from Dell and moved them over on my flash drive. I installed them with no effect, so I rolled back the driver and… it worked. That was my dumb ass not realizing right off the bat to just reinstall the driver. We all make mistakes I guess. Anyway, I got SEP and SEPM on the server, but now had to uninstall Trend from all of the clients. What a nightmare. It isn’t a big company, but I didn’t want to go through and kick anyone off of their machines unnecessarily and have to manually do each machine. Here’s what I did to remove Trend from the clients:
First, the Remote Registry service must be running on the clients and you must be using a domain administrator account. By default, Remote Registry is enabled on XP. Here is what to do: to allow uninstall of clients without a password, you can modify the key with regedit by connecting to the remote computer, but if working with multiple machines, I use Multi-Remote Registry Change. The trial version does everything you need, but only 10 clients at a time. This is worth it for me to save some cash. I had multiple PCs, but not enough to pay for the product, although I may purchase it now, just to support the company in hopes of a tool for Vista. Select the client computers and modify the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\Allow Uninstall
change the value to 1.
(In Multi-Remote Registry Change, do a “replace”, changing the value from 0 to 1.)
Now, we are able to uninstall the application without the password. We need the path to the uninstaller for Trend. This is found by going to the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
registry key and looking for the subkey dealing with uninstalling the Trend Client/Server agent. I only put this section in because you can find the manual uninstall command for any application this way. I have the path for Trend’s for you already, though:
“C:\Program Files\Trend Micro\Client Server Security Agent\ntrmv.exe”
Now we know how to uninstall it, but to remotely run the uninstaller, we need a tool called PsExec. This is part of the PsTools suite from Sysinternals (now Microsoft). Use the psexec command from the command prompt like so:
psexec \\computer_name "C:\Program Files\Trend Micro\Client Server Security Agent\ntrmv.exe"
Now it will uninstall from that machine. You could make a quick batch file to have it run through every machine on the domain doing this, but I don’t feel like writing that out here. Leave a comment if you want more detail. Anyway, there is no restart required for this uninstall, so you are good to install whatever new AV you have… next time, brute forcing a PIX 501 because jerks won’t give you passwords.
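The per-machine loop the post leaves out, as an added example rather than the author’s own script: it flips the “Allow Uninstall” value over the Remote Registry service with reg.exe, verifies the write before doing anything destructive, and only then launches the documented uninstaller through psexec. It assumes psexec.exe is on the PATH, you are running as a domain admin, the client names are constructed placeholders, and the value is a DWORD.

```powershell
# Added example, not from the original post. Assumes domain admin rights,
# Remote Registry running on each client, and psexec.exe on the PATH.
$clients     = @('WKS01', 'WKS02', 'WKS03')   # constructed sample names; replace with your own
$keyPath     = 'SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.'
$valueName   = 'Allow Uninstall'
$uninstaller = 'C:\Program Files\Trend Micro\Client Server Security Agent\ntrmv.exe'

foreach ($pc in $clients) {
    # Skip machines that are off; psexec would otherwise hang on them for a while
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        Write-Warning "$pc is offline, skipping"
        continue
    }

    # Remote registry write (assumed REG_DWORD); this is the step the post does
    # by hand with regedit or Multi-Remote Registry Change
    $remoteKey = "\\$pc\HKLM\$keyPath"
    & reg.exe add $remoteKey /v $valueName /t REG_DWORD /d 1 /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "could not write $valueName on $pc (is Remote Registry running?)"
        continue
    }

    # Read it back: do not fire the uninstaller unless the flag really is 1
    $check = & reg.exe query $remoteKey /v $valueName 2>$null
    if (-not ($check -match '0x1')) {
        Write-Warning "$valueName on $pc did not read back as 1, skipping"
        continue
    }

    # Same psexec call the post shows, one machine at a time; no reboot needed
    & psexec.exe "\\$pc" $uninstaller
    Write-Host "$pc : psexec exit code $LASTEXITCODE"
}
```

Run it from an elevated PowerShell prompt on a domain-joined admin box; a non-zero psexec exit code on a machine means it needs a manual visit.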
