Fixing McAfee’s mess

Got a phone call from my Dad today. Apparently overnight, his Dell laptop decided to kill itself.

Symptoms

When he started his computer today, he saw these things:

  1. The Windows task bar at the bottom of the screen wasn’t showing up correctly or at all and no networking was working
  2. When logging in, he got this message:
    HP AiO Device Object Server
    RegisterClassObjects failed: hRes = 0x800706BA
    The RPC server is unavailable.
    Maximum retry attempts exceeded
  3. He also got this message:
    Application Error
    Exception EOleSysError in module Skype.exe at 0008963D
    The RPC server is unavailable.

At first I thought, “Crap! He’s gone to some weird website, or someone’s hacked into this PC!”

But then, I heard the news today about McAfee’s blunder last night – http://blogs.zdnet.com/Bott/?p=2003&tag=col1;post-6001.

Yep, Dad confirmed he had McAfee Total Protection on his laptop. That was probably it.

Trying to fix it properly

So tonight, I sat down to try to fix it. Seems that the problem is not just confined to corporate users only. It also affects some home users of McAfee Antivirus software.

First thing I did was boot up into Safe Mode and take a peek around. No weird exe’s running. Everything looked OK. I did see this in the System Log at around 4AM:

The protected system file svchost.exe could not be restored to its original,
valid version.  The file version of the bad file is unknown. 
The specific error code is 0x00000426 [The service has not been started.]

Ah yes, this really confirms it’s the McAfee bug, as I had read that it deletes svchost.exe, a key process in Windows. I couldn’t find any svchost.exe in the c:\windows\system32\ directory. A search of the whole drive only found it in these locations:

  • C:\windows\$NtServicePackUninstall$
  • C:\windows\Prefetch
  • C:\Windows\ServicePackFiles\i386

Unfortunately, right-clicking on the McAfee tray icon didn’t do anything. The icon was unresponsive. Using my trusty MacBook Pro, I googled around and found these instructions on the McAfee site for home users:

http://service.mcafee.com/FAQDocument.aspx?lc=&id=TS100969

But I couldn’t click on the McAfee tray icon. So I decided to try these instructions here:

http://service.mcafee.com/FAQDocument.aspx?lc=1033&id=TS100970

But the instructions didn’t quite work for me as there was no svchost.exe in the dllcache directory.

I ended up copying in svchost.exe from the ServicePackFiles\i386 folder, deleting the dat directory as instructed, then rebooting.
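The check behind the steps above, as an added example that is not from the original post: it reports whether the live svchost.exe exists and hashes the backup copies in the directories the post names, so a restore source is chosen deliberately and the same check can be repeated after the reboot. The function names and the default C:\windows path are assumptions.

```python
import hashlib
from pathlib import Path

# Backup locations named in the post, relative to the Windows directory.
# Prefetch is left out: it holds .pf trace files, not executables.
CANDIDATE_DIRS = [
    Path("system32") / "dllcache",
    Path("ServicePackFiles") / "i386",
    Path("$NtServicePackUninstall$"),
]


def sha256_of(path):
    """Hash a file in chunks so it is never read into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def survey(windows_dir, name="svchost.exe"):
    """Return (live_file_present, candidates).

    candidates is a list of (path, size, sha256) for each non-empty backup
    copy found, in CANDIDATE_DIRS order.
    """
    root = Path(windows_dir)
    present = (root / "system32" / name).is_file()
    candidates = []
    for rel in CANDIDATE_DIRS:
        copy = root / rel / name
        if copy.is_file() and copy.stat().st_size > 0:
            candidates.append((copy, copy.stat().st_size, sha256_of(copy)))
    return present, candidates


def copies_agree(candidates):
    """True when all backup copies found share one SHA-256 (same build)."""
    return len({digest for _, _, digest in candidates}) <= 1


if __name__ == "__main__":
    import sys
    present, found = survey(sys.argv[1] if len(sys.argv) > 1 else r"C:\windows")
    print("live svchost.exe present:", present)
    for path, size, digest in found:
        print(f"{digest}  {size:>8}  {path}")
    print("backup copies identical:", copies_agree(found))
```

If the live file is reported missing again after a reboot, whatever removed it is still active, which is the situation the next paragraph describes.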

But things weren’t working again! Aaarghhh!! It seems that the svchost.exe was gone again! WTF?!?

I rebooted into Safe Mode and then tried to run the SDAT5958_EM.EXE file from McAfee. But this wouldn’t even execute correctly! What the?!?

Trying to fix it the brute force way

I rebooted into Safe Mode again, and this time I just deleted everything I could under the McAfee VirusScan directory. I just wanted it gone!!! There has to be no way that it will try to kill svchost.exe again. I’d rather a working XP system with corrupted/missing McAfee than a corrupted XP system with working McAfee. I restored svchost.exe and rebooted. And the good news is that all was good! No error messages on boot up, Skype started fine, and the wireless network adapter was detected and connected successfully.

Except now for some messages about McAfee missing files! I reinstalled it and it downloaded the latest definitions, and all is OK now.

This took me just under 2 hours, mostly due to extra paranoid investigation at the start in case it was a virus. I really wonder how many hours everyone around the world has spent fixing this problem!

Actually, I really pity the standard home user with minimal computer knowledge. I don’t see how they could fix this without some help, as they may not even be able to connect to the internet or use their computer to find out what to do!!


2 thoughts on “Fixing McAfee’s mess”

  1. Hey Jase,

    Great post, might come in useful over the coming days when family/friends call me up for some free tech support… 🙂

    I’ve been using Microsoft Security Essentials for all the recent installs I’ve been helping out with family/friends, and it seems to be quite solid, but haven’t done any qualitative analysis against the main virus scanning/protection vendors.

    Anyways, I’m sure next time McAfee will do a proper test before pushing it out into the wild, and I’m sure corporations will now think twice about doing an auto-update, and go through a quick Test to Production promotion exercise… 🙂 It’s a tough call between ease of maintenance of SOE’s vs time consuming regression testing prior to applying updates/patches…
