FWIW, rebooting the computers in safe mode and copying the files via command line worked for us. We did not stop the services prior to copying the files over and everything is working just fine.
On Wed, Apr 21, 2010 at 1:39 PM, Ziots, Edward <[email protected]> wrote: > Don, > > > > These are working pretty well for us, atm., I have verified these on some > serious horked up XP boxes, that had their svchost.exe chewed up. > > > > 1) Put Extra.dat and svchost.exe from directory to a CD or memory > Stick. > > 2) Boot to safe mode, log on as local administrator, if you get > prompted that the system is going to shutdown type shutdown –a at the run > command which will abort the shutdown. > > 3) Go into Mcafee and disable the protection, this will allow you to > stop the mcafee services accordingly. (Stop Mcshield, Stop Framework, Stop > Engine Service, Stop Validation Service, Stop Mcafee Task Manager) > > Note: If you can’t stop the services within services.msc do the following: > > Type regedit from the command line. > > Go to HKLM\System\CurrentControlSet\Services\McafeeEngineService (change > the Start Value to 4 Decimal) > > Go to HKLM\SYSTEM\CurrentControlSet\Services\Mcshield (Change the start > Value to 4 Decimal) > > Go to HKLM\System\CurrentControlSet\Services\McTaskManager (change the > start Value to 4 Decimal) > > GO to HKLM\System\CurrentControlSet\Services\mfevtp(change the start Value > to 4 decimal) > > *(Note after you reboot the system you will need to change the Start Value > to 2 to set it to automatic)* > > 4) Copy the extra.dat to c:\program files\Common Files\Mcafee\Engine > directory, copy the svchost.exe to c:\Windows\system32. (Note you might need > to do this via the cmdline from the media itself) > > Example: If the media is the e: drive, it will look something like this. > > Hit Start--- RUN---- TYPE CMD > > At the command prompt type the following: > > E: > > Copy extra.dat “c:\program files\common files\Mcafee\engine” > > Copy svchost.exe c:\windows\system32 > > > > 5) Reboot > > > > These are all the services running under svchost.exe that are affected. > > tasklist /svc /FI "IMAGENAME eq svchost.exe" > > > > Image Name PID Services > > ========================= ====== > ============================================= > > svchost.exe 960 DcomLaunch, TermService > > svchost.exe 1028 RpcSs > > svchost.exe 1124 AudioSrv, Browser, CryptSvc, Dhcp, > dmserver, > > ERSvc, EventSystem, helpsvc, HidServ, > > LanmanServer, lanmanworkstation, Netman, > > Nla, RasMan, Schedule, seclogon, SENS, > > ShellHWDetection, TapiSrv, Themes, TrkWks, > > w32time, winmgmt, WZCSVC > > svchost.exe 1244 Dnscache > > svchost.exe 1312 LmHosts, RemoteRegistry, SSDPSRV > > svchost.exe 1576 WebClient > > > > > > > > Edward Ziots > > CISSP,MCSA,MCP+I,Security +,Network +,CCA > > Network Engineer > > Lifespan Organization > > 401-639-3505 > > [email protected] > > > > * > * > -- -- Michael S. White [email protected] ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
