Don,

These are working pretty well for us, atm. I have verified these on
some seriously horked up XP boxes that had their svchost.exe chewed up.

1)      Put Extra.dat and svchost.exe from directory onto a CD or memory
stick.

2)      Boot to safe mode and log on as local administrator. If you get
prompted that the system is going to shut down, type shutdown -a at the
run command, which will abort the shutdown.

3)      Go into McAfee and disable the protection; this will allow you
to stop the McAfee services accordingly. (Stop Mcshield, Stop Framework,
Stop Engine Service, Stop Validation Service, Stop McAfee Task Manager)

Note: If you can't stop the services within services.msc, do the
following:

Type regedit from the command line.

Go to HKLM\System\CurrentControlSet\Services\McafeeEngineService (change
the Start value to 4 decimal)

Go to HKLM\SYSTEM\CurrentControlSet\Services\Mcshield (change the Start
value to 4 decimal)

Go to HKLM\System\CurrentControlSet\Services\McTaskManager (change the
Start value to 4 decimal)

Go to HKLM\System\CurrentControlSet\Services\mfevtp (change the Start
value to 4 decimal)

(Note: after you reboot the system you will need to change the Start
value to 2 to set it to automatic.)

4)      Copy the extra.dat to the c:\program files\Common
Files\Mcafee\Engine directory, and copy the svchost.exe to
c:\Windows\system32. (Note: you might need to do this via the cmdline
from the media itself.)

Example: If the media is the e: drive, it will look something like this.

Hit Start --- Run --- type CMD

At the command prompt type the following:

E:

Copy extra.dat "c:\program files\common files\Mcafee\engine"

Copy svchost.exe c:\windows\system32

5)      Reboot

 

These are all the services running under svchost.exe that are affected.

tasklist /svc /FI "IMAGENAME eq svchost.exe"

Image Name                   PID Services
========================= ====== =============================================
svchost.exe                  960 DcomLaunch, TermService
svchost.exe                 1028 RpcSs
svchost.exe                 1124 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem, helpsvc, HidServ,
                                 LanmanServer, lanmanworkstation, Netman,
                                 Nla, RasMan, Schedule, seclogon, SENS,
                                 ShellHWDetection, TapiSrv, Themes, TrkWks,
                                 w32time, winmgmt, WZCSVC
svchost.exe                 1244 Dnscache
svchost.exe                 1312 LmHosts, RemoteRegistry, SSDPSRV
svchost.exe                 1576 WebClient


Edward Ziots

CISSP,MCSA,MCP+I,Security +,Network +,CCA

Network Engineer

Lifespan Organization

401-639-3505

[email protected]
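
A read-only check to run after the reboot in step 5, covering the failure points raised in this thread: a 0-byte svchost.exe, extra.dat missing from the Engine directory, and McAfee services left at Start value 4. This is an added example, not part of the original message; it assumes PowerShell is installed on the machine, and the parameter names and default paths are assumptions based on the paths quoted in the message.

```powershell
# Added example: read-only check after the recovery steps; it changes nothing.
# Parameter names and defaults are assumptions based on the paths in the message.
param(
    [string]$SvchostPath  = 'C:\Windows\system32\svchost.exe',
    [string]$ExtraDatPath = 'C:\Program Files\Common Files\McAfee\Engine\extra.dat'
)

# Service key names exactly as written in the message.
$serviceKeys  = 'McafeeEngineService', 'Mcshield', 'McTaskManager', 'mfevtp'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$problems = @()

# svchost.exe must exist and must not be the 0-byte file reported in the thread.
if (-not (Test-Path -LiteralPath $SvchostPath)) {
    $problems += "svchost.exe is missing: $SvchostPath"
} elseif ((Get-Item -LiteralPath $SvchostPath).Length -eq 0) {
    $problems += "svchost.exe is 0 bytes: $SvchostPath"
}

# extra.dat must be in the Engine directory named in step 4.
if (-not (Test-Path -LiteralPath $ExtraDatPath)) {
    $problems += "extra.dat not found: $ExtraDatPath"
}

# Start = 4 means disabled, Start = 2 means automatic (values from the message).
foreach ($name in $serviceKeys) {
    $key = Join-Path $servicesRoot $name
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Output "[skip] $name : no such service key on this machine"
        continue
    }
    $start = (Get-ItemProperty -LiteralPath $key).Start
    if ($start -eq 4) {
        $problems += "$name is still disabled (Start=4); set it back to 2"
    } else {
        Write-Output "[ok]   $name : Start=$start"
    }
}

# At least one svchost.exe process should be hosting services again.
$running = @(Get-Process -Name svchost -ErrorAction SilentlyContinue).Count
Write-Output "[info] svchost.exe processes running: $running"
if ($running -eq 0) { $problems += 'no svchost.exe process is running' }

if ($problems.Count -eq 0) {
    Write-Output 'Result: all checks passed'
} else {
    $problems | ForEach-Object { Write-Output "[FAIL] $_" }
}
```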

 

From: Don Guyer [mailto:[email protected]] 
Sent: Wednesday, April 21, 2010 4:27 PM
To: NT System Admin Issues
Subject: RE: McAfee DAT problems

 

FYI.....

 

The only way we could fix this was to pull the HDD, copy the Extra.DAT
and a good copy of svchost.exe onto the HDD, place HDD back in infected
machine. The original svchost.exe file was there where it should be, but
0 bytes.

 

None of the instructions to do this while the systems were running have
worked for us so far.

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox & Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

[email protected]

 

From: Ziots, Edward [mailto:[email protected]] 
Sent: Wednesday, April 21, 2010 1:24 PM
To: NT System Admin Issues
Subject: RE: McAfee DAT problems

 

Got the link to the extra.dat? 

 

What version is your McAfee saying, 5958 or 5960?

 

Z

 

Edward Ziots

CISSP,MCSA,MCP+I,Security +,Network +,CCA

Network Engineer

Lifespan Organization

401-639-3505

[email protected]

 

From: Maglinger, Paul [mailto:[email protected]] 
Sent: Wednesday, April 21, 2010 1:09 PM
To: NT System Admin Issues
Subject: RE: McAfee DAT problems

 

McAfee has an EXTRA.DAT file out now that will fix it.

This is the process:

To apply the extra.DAT locally:

1.      Click Start, Run, type services.msc and click OK.
2.      Right-click the McAfee McShield service and select Stop.
3.      Copy the extra.DAT file to the following location:

        <installation drive>\Program Files\Common Files\McAfee\Engine

4.      In the Services window, right-click McAfee McShield and select
Start.

We're writing a batch file and putting this on USB to expedite this
(remember this kills network connectivity).

 

From: Ziots, Edward [mailto:[email protected]] 
Sent: Wednesday, April 21, 2010 12:01 PM
To: NT System Admin Issues
Subject: RE: McAfee DAT problems

 

Confirmed, this is causing widespread issues, XP and Windows 2000.

We are disabling all McAfee services, by setting the registry keys' start
type to 0x4, and uninstalling McAfee, and removing the DAT from the
repository.

 

Z

 

Edward Ziots

CISSP,MCSA,MCP+I,Security +,Network +,CCA

Network Engineer

Lifespan Organization

401-639-3505

[email protected]

 

From: Maglinger, Paul [mailto:[email protected]] 
Sent: Wednesday, April 21, 2010 12:33 PM
To: NT System Admin Issues
Subject: RE: McAfee DAT problems

 

This is nasty.  It's putting the svchost.exe in quarantine and causing
the system to bomb.  When the system comes back up the taskbar is
missing, no network connectivity, half the services aren't running and
can't be started.  You can't even do a system restore point.

 

Right now we've removed the latest DAT, un-quarantined the file,
un-installed McCrappy, and gone back to a restore point and that seems to
be working.  We're trying to find a way to streamline it.

 

From: Erik Goldoff [mailto:[email protected]] 
Sent: Wednesday, April 21, 2010 11:13 AM
To: NT System Admin Issues
Subject: RE: McAfee DAT problems

 

I've only heard through the grapevine, colleagues supporting clients
other than mine had to leave a conference call due to DAT issues with
5958, I don't know if it was shutdowns or reboots, and/or different for
servers and EUCs ... which is why I asked.

 

 

Erik Goldoff

IT  Consultant

Systems, Networks, & Security 

'  Security is an ongoing process, not a one time event ! '

From: Don Guyer [mailto:[email protected]] 
Sent: Wednesday, April 21, 2010 11:51 AM
To: NT System Admin Issues
Subject: RE: McAfee DAT problems

 

My clients are just starting to update, a handful already have it, no
complaints yet.  What are you seeing?

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox & Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

[email protected]

 

From: Erik Goldoff [mailto:[email protected]] 
Sent: Wednesday, April 21, 2010 11:48 AM
To: NT System Admin Issues
Subject: McAfee DAT problems

 

Anyone else heard of problems with the latest McAfee DAT (5958) ???

 

Erik Goldoff

IT  Consultant

Systems, Networks, & Security 

'  Security is an ongoing process, not a one time event ! '