Blue Screen Of Death On Windows XP NaiFiltr.sys

Posted by Allen on May 12th, 2010

I had a user who was having some issues getting onto the computer; each time, they were getting a blue screen referencing NaiFiltr.sys. The file NaiFiltr.sys is a component of McAfee VirusScan. I was able to load the computer into safe mode and remove McAfee, then was able to boot the computer into normal mode and install and update McAfee again.

How to Remove Security Certificate Flags on Internet Explorer

Posted by Allen on May 3rd, 2010

Step 1 Open an Internet Explorer window. Click “Tools,” then choose “Internet Options.” This will open the Internet Options window.

Step 2 Click the “Content” tab in the Internet Options window. This will open the Content options page.

Step 3 Click the “Certificates” button on the Content options page. This will open the Certificates window.

Step 4 Click the “Untrusted Publishers” tab in the Certificates window. It may be necessary to scroll horizontally to see the tab.

Step 5 Click to highlight the security certificate that you want to trust, then click the “Remove” button. This will open a confirmation window. Click the “Yes” button in the confirmation window to complete the process.

McAfee has developed a SuperDAT remediation Tool to restore the svchost.exe file on affected systems.

Posted by Allen on April 23rd, 2010

Q: What does the SuperDAT Remediation Tool Do?

A: The tool suppresses the driver causing the false positive by applying an Extra.dat file in the c:\program files\commonfiles\mcafee\engine folder. It then restores svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe. If the file is not present there, it attempts a restore from %WINDOWS%\servicepackfiles\i386\svchost.exe, and if it is not present there either, it attempts a restore from quarantine. After the tool is run, the machine needs to be rebooted.

Recommended Recovery SuperDAT Procedure

1. From a machine that has Internet access, locate and download the Recovery SuperDAT at http://download.nai.com/products/mcafee-avert/tools/SDAT5958_EM.exe and save it to portable media.
2. Take the portable media to each affected machine and run the tool. If you are not able to run the tool on the affected machine, boot in safe mode.
3. Execute the Recovery SuperDAT tool.
4. Reboot in normal mode.
5. Use the product update to update to 5959.

W32.Wecorl.a (or Variant) Infection across enterprise

Posted by Allen on April 21st, 2010

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.

What happens
Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT.

Workaround 1

McAfee has developed an EXTRA.DAT to suppress this detection. The file is attached to this article. This EXTRA.DAT does not fix the issue; it only suppresses the detection.

Apply the EXTRA.DAT to all potentially affected systems as soon as possible.

For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.

IMPORTANT: For VirusScan Enterprise 8.5i and later, an Access Protection feature must be temporarily disabled before proceeding:

1. Click Start, Programs, McAfee, VirusScan Console.
2. Right-click Access Protection and select Disable.
3. Apply the EXTRA.DAT as described below.
4. Right-click Access Protection and select Enable.

To apply the EXTRA.DAT locally:

1. Download the EXTRA.ZIP file attached to this article and extract the EXTRA.DAT file.
2. Click Start, Run, type services.msc and click OK.
3. Right-click the McAfee McShield service and select Stop.
4. Copy the EXTRA.DAT file to the following location:

   \Program Files\Common Files\McAfee\Engine

5. In the Services window, right-click McAfee McShield and select Start.

Workaround 2
If the false detection has deleted or quarantined svchost.exe on your system:

IMPORTANT: Ensure that you have applied the EXTRA.DAT to suppress the false positive detection before restoring svchost.exe.

Copy the svchost.exe from a working system

1. On a computer that is not affected by the issue, navigate to the location below:

   C:\WINDOWS\system32

2. Copy svchost.exe to a network location or removable media device.
3. On the affected system, copy svchost.exe to the location below:

   C:\WINDOWS\system32

4. Restart the affected computer.

On some computers I have had to run the Windows repair and then 2 reboots of the computer for it to work.
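The lookup order from the SuperDAT Q&A above and the manual copy in Workaround 2, as an added example (not McAfee's tool and not code from this blog): it finds the first usable svchost.exe in the two on-disk locations, rejects an empty or truncated file, and confirms by hash that the restored copy matches its source. It assumes %SYSTEM_DIR% is system32 under the Windows directory; the quarantine fallback is not covered, and the function names are made up for the example.

```python
import hashlib
import struct
from pathlib import Path

# Lookup order from the Q&A, relative to the Windows directory.
# Assumption: %SYSTEM_DIR% is <Windows dir>\system32. Quarantine is not covered.
CANDIDATES = (
    Path("system32") / "dllcache" / "svchost.exe",
    Path("servicepackfiles") / "i386" / "svchost.exe",
)

def looks_like_pe(path):
    """True if the file starts with MZ and e_lfanew points at 'PE\\0\\0'."""
    data = Path(path).read_bytes()
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def find_restore_source(windows_dir):
    """First candidate that exists and parses as PE, else None.

    Skipping a file that is present but not a PE image is an added check,
    not documented behaviour of the McAfee tool.
    """
    for rel in CANDIDATES:
        full = Path(windows_dir) / rel
        if full.is_file() and looks_like_pe(full):
            return full
    return None

def verify_restored(source, restored):
    """After the copy, confirm the restored file is byte-identical to its source."""
    return sha256_of(source) == sha256_of(restored)

def make_sample_pe(marker=b""):
    # Constructed sample: bare MZ stub with e_lfanew = 0x40, not a real binary.
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + marker

if __name__ == "__main__":
    import sys
    src = find_restore_source(sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS")
    print(src, sha256_of(src) if src else "no usable copy found")
```

The same hash comparison works for Workaround 2: hash svchost.exe on the working system, then hash it again on the affected system after the copy.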

McAfee SFC_os.dll Error

Posted by Allen on April 3rd, 2010

There are two situations where detection can occur and cleaning takes place:

1. If the modified sfc_os.dll is not located in System32 or in the system32\dllcache directory, the cleaning proceeds in one step:

- The modified bytes are patched again to the correct values. The sfc_os.dll file is now clean.
- The corrected file is copied to zfcxx.tmp. This file is also clean, but it will stay in the system.

2. If the modified file is located in System32 or in system32\dllcache, cleaning occurs in two steps:

First step:

- The modified bytes are patched again with correct values. Since the file is in use by Windows, this modification fails or is delayed. The file is still infected.
- The file is then copied to zfcxx.tmp. This temporary file is also infected.
- If the system is scanned again, no detection will occur in sfc_os.dll, since it only occurs when there is no zfcxx.tmp file in the same directory.

Second step:

- Do not REBOOT the machine yet.
- Scan the machine again. Only zfcxx.tmp will be detected.
- The temporary file will be patched to contain the correct bytes. Zfcxx.tmp will now be clean.
- The infected sfc_os.dll file will be moved to sfc_os.dll.exe. This is a delayed move, so it will only occur AFTER reboot, since the file is in use by Windows.
- The clean file zfcxx.tmp will be copied to sfc_os.dll, restoring the original DLL to its place.
- The cleaning procedure tries to remove zfcxx.tmp and sfc_os.dll.exe. This operation will be delayed until the next reboot.
- The user should then reboot the system. The temporary files will be removed and the DLL will be restored.
- If the system is scanned again and detection occurs on the sfc_os.dll file located in system32\dllcache, the files zfcxx.tmp and sfc_os.dll.exe will be created again. Just reboot and they will be removed.

How To Password Protect A USB Stick

Posted by Allen on March 15th, 2010

Download the free software called TrueCrypt.

To encrypt your USB drive, open TrueCrypt and click Create Volume.
Select the ‘Encrypt a non-system partition/drive’ option and click Next.
Select the ‘Standard TrueCrypt volume’ and click Next.
Click Select Device and highlight the USB drive, making sure you select the partition rather than the entire device (the one with the drive letter).
Select ‘Create encrypted volume and format it’ and click Next. Make sure you have a copy of the data on the USB drive saved elsewhere.
Leave the Encryption Options as they are and click Next and then Next again at the Volume Size screen.
Put a password in and click Next.
Click on Format.
Click OK and Next to complete the wizard.
To mount the drive, open TrueCrypt and click Select Device.
Highlight the device and click OK.
Highlight a drive letter above and click Mount.
Put in the password and you should be able to use the drive as normal.

How to Clear Password from Desktop Hard Drive

Posted by Allen on March 11th, 2010

To clear a password, follow the steps below.

1. Turn off the computer and disconnect the power cable from the electrical outlet.
2. Remove the computer cover.
3. Locate the 2-pin password jumper (PSWD) on the system board and remove it to clear the password.
4. Close the computer cover.
5. Connect your computer and monitor to electrical outlets and turn them on.
6. After the Microsoft® Windows® desktop appears on your computer, shut it down.
7. Turn off the monitor and disconnect it from the electrical outlet.
8. Disconnect the computer power cable from the electrical outlet, and then press the power button to ground the system board.
9. Open the computer cover.
10. Locate the 2-pin password jumper on the system board and attach it to re-enable the password feature.
11. Replace the computer cover.
12. Connect your computer and devices to electrical outlets and turn them on.
13. Assign a new system and/or Administrator password.

WEP can now be cracked

Posted by Allen on October 13th, 2009

104-bit WEP, a very common security scheme for 802.11b/g/n home and office WiFi networks, can now be cracked in a few minutes with a standard computer. That the security could be broken easily is not new news, but that it can be done so quickly, with standard hardware, is.

If you want to secure your home network, consider using WPA or WPA2. Use WPA2 if your hardware supports it. Look through the documentation for your wireless router and wireless network card to figure out how to implement WPA.

Add an existing Personal Folder to a profile

Posted by Allen on October 2nd, 2009

1. Start Outlook.
2. Select ‘Tools > Options’.
3. Click on the ‘Mail Setup’ tab.
4. In Mail Setup click on ‘Data Files’.
5. Click ‘Add’.
6. Highlight ‘Personal Folders file (.pst)’ and click on ‘OK’.
7. Click ‘OK’. In the next screen you can give it a new display name if you wish (this just changes how it appears in your Outlook but does not rename the actual file) or just accept the default name. Click ‘OK’ -> ‘Close’ -> ‘OK’.
8. The Personal folder will now appear in your folder list (if this list is not visible go to ‘View’ and select ‘Folder List’).

Virus, Trojan, Worm

Posted by Allen on September 28th, 2009

What is the difference between a Virus, Trojan, and Worm?

Basically, they all fall under the general category of “viruses”. However, there are a few differences.

Virus – A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. Technically, a virus infects another file. They usually infect program files or MS Office documents. From there, it can replicate, do damage, etc. Unlike a worm, these do not function as a stand alone (except possibly to infect a given file).

Worm – Technically, a worm is a virus. In reality, worms can cause a great deal of trouble merely by getting passed from one computer to many others, and can clog up a network very quickly.  Worms copy themselves using e-mail, networks, disks, etc. Again, these are very close to a true virus, and can do the same kind of damage.

Trojan Horse – A program that claims to be one thing, but is, in fact, another. A trojan horse is not a virus, but may carry them. For example, many people consider Kazaa, the music sharing software, a trojan horse because it carries with it a bunch of spyware. There are trojans that claim to be patches for a problem, often arriving in email, that are in fact spyware and virus installers. The idea is to make the program look like it’s something harmless, like a screen saver or joke, so it gets sent around.


Copyright © 2010 IT Troubleshooters.