
Saturday, April 11, 2015

McAfee Security Center Won't Stay the **** Out of My Computer

McAfee's suite of antivirus services has come pre-installed on Windows computers for a long time. I can't speak to how efficient or not efficient their antivirus is, because I have not used it in any real capacity for any length of time. What I have done is struggle to completely remove all of the components of their software package when I want to keep the version of Windows that came with the computers I purchased.

I recently picked up a new laptop with Windows 8.1 - my first time using this version of Windows for a laptop. I was dismayed to find McAfee pre-installed, as I knew it meant having to waste time getting rid of it.

I will say this for them - they have gotten better since the last time I went through this many years ago. Better, as in uninstalling using the utility provided by McAfee did not break vital parts of the Windows operating system. Great would be if the uninstaller actually removed all of McAfee's software from the computer. Good would be if the software that was left didn't connect to the internet.

Specifically, what gets left behind is the McAfee Update Manager, a utility designed to download applications from the McAfee corporate servers and install those applications on your computer with minimal human intervention.

[Screenshot: registry editor showing the registry key & path of the remaining McAfee executables]

Notice the registry keys that are created:


HKLM,Software\McAfee\UPDMGR\InstallSettings,"Install Dir",,"%45001%"
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Install Dir",0x00001000,"%45001%"



I haven't had time to look into how the application is obfuscating its registry entries, but they are in fact obfuscated:

[Screenshot: the PingUrl registry value, an encrypted binary value]
Note the gobbledygook appears to provide a RESTful interface for application requests.

I decompiled a few of the DLLs in the directory; nothing stood out. Unfortunately, the EXEs crashed the one 64-bit decompiler I currently have for Intel instruction sets (C4Decompiler). As a result, I cannot guarantee exactly what these programs are up to. That said, to sum up our findings, given what we have seen there is a fairly strong case that this set of programs can do the following:

    - Download other applications from remote servers hosting and
    - It is likely these applications can install software they download without user approval, at least in some circumstances
    - The Update Manager leaves a substantial number of registry entries behind following a complete uninstallation and reboot of everything McAfee related.
    - Fortunately, following uninstallation there do not appear to be any services left behind.

The bottom line is that at this point in the game ditching the factory-installed operating system is a requirement for those who want to actually know what is on their computer. This can be cost-prohibitive with some Windows licensing arrangements, or for those not as familiar with how to install an OS, especially since most manufacturers no longer include driver disks with their computers. Stop loading up computers with spy & adware, OEMs!

Saturday, September 29, 2012

Error 0x84B30002 When Uninstalling MSSQL 2008 R2

Have you encountered error 0x84B30002 when uninstalling MSSQL 2008 R2, preventing the uninstall from proceeding? I have. So far I have only encountered the issue with Express Edition, although rumor has it that the error can occur with other editions as well. The error message will be displayed in a pop-up as well as in the summary.txt log file in the installation directory.

Here is how to fix it:

Launch the registry editor by typing regedit in the Run bar in the start menu. Navigate to the following registry key:


After expanding uninstall, you will need to locate each key related to the SQL instance you are attempting to remove - if there is only one instance on the server, locate each key with the word SQL in the DisplayName field. 

Within each key, locate the GUID. It will look something like this: 234A1B2C-12AB-1AB2-B1C2-A12B345678C1 and is typically contained in either the ModifyPath or UninstallString fields.

Take each GUID, and use msiexec to manually force the uninstall from the command line like so: 

msiexec /x "{234A1B2C-12AB-1AB2-B1C2-A12B345678C1}"

Replace that string with the relevant GUID, and run the command for each GUID you have. You can automate the process a bit by dumping the list into a .bat file. When running the command, a window prompt may appear asking if you wish to proceed with uninstallation - just go ahead and authorize the uninstall where it appears. 

Once completed, you can double check the registry key where we initially found the GUIDs to ensure everything has been removed. I have been forced to do this a few times now and have yet to encounter any further issues, though. After you have run these commands, you should be all set to install a new instance of MSSQL.
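
The steps above, as an added PowerShell sketch that is not part of the original post: it filters entries on DisplayName, pulls the GUID out of ModifyPath or UninstallString with a strict pattern, and builds one msiexec line per distinct GUID. The function name `Get-SqlUninstallCommand`, the sample entries and the output file name `remove-sql.bat` are assumptions made for illustration; on a real machine the entries come from the Uninstall key named in the procedure.

```powershell
# Added example (hypothetical helper, not from the original post). Needs PowerShell 3.0+.
function Get-SqlUninstallCommand {
    [CmdletBinding()]
    param(
        # Object with DisplayName, ModifyPath and UninstallString properties.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Entry,
        # Substring looked for in DisplayName ("SQL" in the post).
        [string]$NameFilter = 'SQL'
    )
    begin {
        # Strict 8-4-4-4-12 hex GUID: only a matched GUID ever reaches the command line.
        $guidPattern = '\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b'
        $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    }
    process {
        if ("$($Entry.DisplayName)" -notlike "*$NameFilter*") { return }
        foreach ($field in 'ModifyPath', 'UninstallString') {
            if ("$($Entry.$field)" -match $guidPattern) {
                $guid = $Matches[0].ToUpperInvariant()
                # The same GUID usually appears in both fields; emit it once.
                if ($seen.Add($guid)) {
                    [pscustomobject]@{
                        DisplayName = $Entry.DisplayName
                        Command     = 'msiexec /x "{' + $guid + '}"'
                    }
                }
            }
        }
    }
}

# Constructed sample entries (not real registry data) so the example runs offline.
# Real use: Get-ItemProperty '<key from the step above>\*' | Get-SqlUninstallCommand
$sample = @(
    [pscustomobject]@{ DisplayName = 'Microsoft SQL Server 2008 R2 Setup (constructed)'
        ModifyPath      = 'MsiExec.exe /X{234A1B2C-12AB-1AB2-B1C2-A12B345678C1}'
        UninstallString = 'MsiExec.exe /X{234A1B2C-12AB-1AB2-B1C2-A12B345678C1}' },
    [pscustomobject]@{ DisplayName = 'SQL Server instance (constructed, non-MSI)'
        ModifyPath      = $null
        UninstallString = '"C:\example\setup.exe" /uninstall' },
    [pscustomobject]@{ DisplayName = 'Unrelated product (constructed)'
        ModifyPath      = $null
        UninstallString = 'MsiExec.exe /X{00000000-0000-0000-0000-000000000001}' }
)
$commands = @($sample | Get-SqlUninstallCommand)
$commands | Format-Table -AutoSize
# Review the list, then write it to a .bat file as the post suggests.
$commands | ForEach-Object { $_.Command } | Set-Content -Path .\remove-sql.bat -Encoding ASCII
```

With the constructed sample, only the first entry produces a command: the non-MSI entry has no product GUID to extract, and the unrelated product fails the DisplayName filter.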

RAT Bastard

Earlier this week, several servers I maintain were targeted by automated attempts to upload a remote access trojan (RAT). The RAT is a simpl...