Trouble with Mcafee

LoLth

Hi,

A client recently had a klez infestation. Ran mcafee's klez remover and all looked fine until virusscan started reporting "invalid action".

Reinstalled virusscan and all looked fine until we updated it.

Updated to 4271 antivirus definitions and it was still looking good.

Updated the engine to 4.2.60, and the definitions to 4281 using the sdat download.

Now it is reporting
"Cannot find Central Draw tile swatch" and then "VSmain.exe caused an invalid page fualt in module central.dll"

OS: 98se
mcafee: V6.0.2
Definitions: 4281
Engine: 4.2.60

Tried applying the central.dll patch from the mcafee website but it refuses as the current central.dll is newer. Tried a FULL removal manually (searching for all relevant registry keys and removing them) and reinstalling, however, whenever the definitions get updated to 4281 the same error occurs (engine is updated at the same time).

Anyone any ideas apart from use another anti-virus?

I would call mcafee tech support but I'm still waiting for a reply to my last enquiry (two months ago) where the response was "go to this URL (he called out the wrong one) and fill in the online form", which gets submitted to america and then as far as I can tell takes a trip to the big recycling bin in the sky

Capt'n Midnight

it is still a complete pig to uninstall / upgrade

moved to another AV 'cos got sick of regedit (especially having to use regedt32 to change the permissions to get rid of the legacy entries..)

If using Xp or 2k check in device manage for View - Hidden Devices
in case some junk is there (services) . Annoying how they used so many names for the reg settings - mcafee / network associates / solomons / virusscan etc. - just in case you missed any

There used to be a utility to remove reg settings that N.A. left behind....


OK maybe there is a virus still there ?
safe mode - or boot up from a floppy and clean from it (if possible) or put the hdd in a other machine and scan it as a slave . - maybe you could delete the dll this way..

Jaden

I have found that some machines (mainly 98 ones but a couple of 2Ks too) go wonky after being updated using SDAT.

To sort this out, remove Mcafee completely, and reinstall. Instead of using SDAT, set up a folder on the network, with everyone access set to full control, and download the latest DAT-XXXX.zip files (4281 is the newest as of today). Also download the update.ini file. Point the machines on your LAN to update on the UNC path to this shared folder. Run "update now", and schedule it for 30 mins after startup, on a daily basis.

Should solve your problem. It allows all machines to update but with only one internet download required.

Or you can use AVG.

dahamsta

Virus scanners and firewalls are just an utter pain in the arse on Windows. Buy a cheap second-hand box and stick OpenBSD on it kids.

adam

Capt'n Midnight

Put one Knoppix cluster CD on it ..
(probably best to wait till they get openoffice 1.1 onto it..)

Now remove all the HDD's FDD's and CD's from every other machine on the network and set them to network boot instead....

Hang on to the best drives so you can have RAID and Spares for your OpenBSD file server / Firewall..

You can now sell the rest of the drives - self financing...

LoLth

Righty, I'll try removing and reinstalling it again and update using only the instant updater instead of an sdat.

in case it's any use to anyone here's a list of all mcafee registry entries. To remove mcafee, search the reg for each one in turn and keep hitting F3 to search again until the search is complete.



McAfee
VirusScan
Vshield
Network Associates
Safe & Sound
Helix
VSHINIT
Alogserv.exe
Avsynmgr.exe
Scan32.exe
McLogEvent
McUpdate
McShield
NaiFiltr
NaiFsRec
0267BC36324B1FB47A4E57BBB84647E0 (This is the VirusScan Key Value and is case sensitive - all caps, the 0s are zeros)
48DFEA78D0CB4D118B580005B820A215
489F71E0D0883D1128AC000CF4563660
EC26CD4E59F56D112B45000CF44F4B53
{0E17F984-880D-11D3-82CA-00C04F656306}
{63CB7620-B423-4BF1-A7E4-75BB8B64740E}
{87AEFD84-BC0D-11D4-B885-00508B022A51}
{E4DC62CE-5F95-11D6-B254-00C04FF4B435}

Capt'n Midnight

Note: - the previous list is what's left after add/remove or uninstall - you do it After rebooting from the uninstall - and reboot again before doing anything else

In program files - remove the Network Associates folder and also remove it from common files.

Use Taskmanager to make sure none of the update agents are running either
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Network Associates Man Agent"="C:\\WINDOWS\\NTME\\METHW95.EXE"


Also Delete the c:\winnt\system32\NTME folder and it's contents.
(might need to reboot - 'cos can't delete them in memory)

even then you can't be sure you have got it all..

If you are unlucky enough to have the old exchhange agent for outlook ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Extensions]
"Exchange Scan"="4.0;C:\\Program Files\\Network Associates\\Dr Solomon's VirusScan\\emalscan.dll;1;11000000000000;1110000;"

BTW: The old program is called myciocleanup.exe !

Capt'n Midnight

Removing McAfee from Home Computers
This is just basic info from McAfee tech support. This is just for stand alone Virus Scan and not the whole e-policy orchestrator.

It is as simple as:

Go to Add/Remove Programs and then remove McAfee
Then go to Windows Explorer and remove the following two
directories:
C: programfiles/networkassociates
C: programfiles/commonfiles/networkassociates

Tech support claims this is working for 99% of all cases, unless there is something wrong with the machine. So I asked what are the steps when a machine is messed up and it won't uninstall?

Solution One: (preferred I think)

use regedit
Make backup copy (Naturally)
In Hkeylocalmachine/Software/NetworkAssociates/TVD/Sharedcomponents/onacces
sscanner/Mcshield/Configuration
remove the OAS key
That is the On Access Scanner key so removing it prevents McAfee from starting up

Solution Two: (More time consuming, but they swear it works)

use regedit
Make a backup copy
highlight Mycomputer in the left hand panel
Goto Edit and find
Search for all occurrences of Network Associates and delete
Search for all occurrences of McAfee and delete
Search for all occurrences of Virusscan and delete
Search for all occurrences of key=48DFEA and delete