The User Profile Service failed the logon. User profile cannot be loaded.

Posted by Allen on July 17th, 2010

When you log on to Windows 7 or Vista using a temporary user account, you receive this error message:
The User Profile Service failed the logon. User profile cannot be loaded.

Method 1

Try running the “Fix it” tool from this link: http://support.microsoft.com/kb/947215

Method 2

You may also boot the computer into Safe Mode and then try to log in. Safe Mode starts Windows 7 with a limited set of files and drivers. Startup programs do not run in Safe Mode, and only the basic drivers needed to start Windows are installed. Follow these steps to boot the computer in Safe Mode with networking:

Restart the computer.
Start tapping the F8 key.
The Advanced Boot Options window appears.
Select the option “Safe Mode”.

1. Open the Start menu.
2. In the white line (Start Search) area, type regedit and press Enter.
3. If prompted, either click on Continue or enter the password for the Administrator account.
4. Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
5. There is one key for each profile. If a profile is bad, there are three things worth checking:
a) Ensure the key name doesn’t end in “.bad”
b) Ensure the RefCount value is 0
c) Ensure the State value is 0
6. Reboot
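
The three checks from step 5 can be run over every profile at once. The script below is an added example, not part of the original post: it only reads the ProfileList key and reports, and it flags any key whose name carries a suffix after the SID (which covers the “.bad” ending in step 5a). The variable names and the report layout are choices made for this example.

```powershell
# Added example: read-only audit of ProfileList. It changes nothing in the registry.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$report = foreach ($key in Get-ChildItem -Path $profileList) {
    $name = $key.PSChildName

    # Skip the built-in service accounts; only user profiles are of interest here.
    if ($name -match '^S-1-5-(18|19|20)$') { continue }

    # Anything left over after the SID itself is a suffix (check a).
    if ($name -match '^S-1(-\d+)+(?<suffix>.*)$') {
        $suffix = $Matches['suffix']
    } else {
        $suffix = $name            # not a SID at all: report the whole name
    }

    $props    = Get-ItemProperty -LiteralPath $key.PSPath
    $refCount = $props.RefCount    # $null when the value does not exist
    $state    = $props.State

    $problems = @()
    if ($suffix) { $problems += "key name has suffix '$suffix'" }
    if ($refCount -ne $null -and $refCount -ne 0) { $problems += "RefCount is $refCount" }  # check b
    if ($state -ne $null -and $state -ne 0)       { $problems += "State is $state" }        # check c

    New-Object PSObject -Property @{
        Key              = $name
        ProfileImagePath = $props.ProfileImagePath
        RefCount         = $refCount
        State            = $state
        Problems         = ($problems -join '; ')
    }
}

# An empty Problems field means the profile passed all three checks.
$report | Select-Object Key, ProfileImagePath, RefCount, State, Problems | Format-List
```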

How to Remove Security Certificate Flags on Internet Explorer

Posted by Allen on May 3rd, 2010

Step 1 Open an Internet Explorer window. Click “Tools,” then choose “Internet Options.” This will open the Internet Options window.

Step 2 Click the “Content” tab in the Internet Options window. This will open the Content options page.

Step 3 Click the “Certificates” button on the Content options page. This will open the Certificates window.

Step 4 Click the “Untrusted Publishers” tab in the Certificates window. It may be necessary to scroll horizontally to see the tab.

Step 5 Click to highlight the security certificate that you want to trust, then click the “Remove” button. This will open a confirmation window. Click the “Yes” button in the confirmation window to complete the process.

W32.Wecorl.a (or Variant) Infection across enterprise

Posted by Allen on April 21st, 2010

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.

What happens
Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT.

Workaround 1

McAfee has developed an EXTRA.DAT to suppress this detection. The file is attached to this article. This EXTRA.DAT does not fix the issue; it only suppresses the detection.

Apply the EXTRA.DAT to all potentially affected systems as soon as possible.

For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.

IMPORTANT: For VirusScan Enterprise 8.5i and later, an Access Protection feature must be temporarily disabled before proceeding:

Click Start, Programs, McAfee, VirusScan Console.
Right-click Access Protection and select Disable.
Apply the EXTRA.DAT as described below.
Right-click Access Protection and select Enable.

To apply the EXTRA.DAT locally:

Download the EXTRA.ZIP file attached to this article and extract the EXTRA.DAT file.
Click Start, Run, type services.msc and click OK.
Right-click the McAfee McShield service and select Stop.
Copy the EXTRA.DAT file to the following location:

\Program Files\Common Files\McAfee\Engine

In the Services window, right-click McAfee McShield and select Start.

Workaround 2
If the false detection has deleted or quarantined svchost.exe on your system:

IMPORTANT: Ensure that you have applied the EXTRA.DAT to suppress the false positive detection before restoring svchost.exe.

Copy the svchost.exe from a working system

On a computer that is not affected by the issue, navigate to the location below:

C:\WINDOWS\system32

Copy svchost.exe to a network location or removable media device.
On the affected system, copy svchost.exe to the location below:

C:\WINDOWS\system32

Restart the affected computer.

On some computers I have had to run the Windows repair and then reboot the computer 2 times for this to work.

McAfee SFC_os.dll Error

Posted by Allen on April 3rd, 2010

There are two situations where detection can occur and cleaning takes place:

1. If the modified sfc_os.dll is not located in System32 or in system32\dllcache directory: in this case the cleaning proceeds in one step.

- The modified bytes are patched again to the correct values. The sfc_os.dll file is now clean.
- The corrected file is copied to zfcxx.tmp. This file is also clean, but it will stay in the system.

2. If the modified file is located in System32 or in system32\dllcache: in this case, cleaning occurs in two steps:

First step:

- The modified bytes are patched again with the correct values. Since the file is in use by Windows, this modification fails or is delayed. The file is still infected.
- The file is then copied to zfcxx.tmp. This temporary file is also infected.
- If the system is scanned again, no detection will occur in sfc_os.dll, since detection only occurs when there is no zfcxx.tmp file in the same directory.

Second step:

- Do not REBOOT the machine yet.
- Scan the machine again. Only zfcxx.tmp will be detected.
- The temporary file will be patched to contain the correct bytes. Zfcxx.tmp will now be clean.
- The infected file sfc_os.dll will be moved to sfc_os.dll.exe. This is a delayed move, so it will only occur AFTER reboot, since the file is in use by Windows.
- The clean file zfcxx.tmp will be copied to sfc_os.dll, restoring the original DLL to its place.
- The cleaning procedure tries to remove zfcxx.tmp and sfc_os.dll.exe. This operation will be delayed until the next reboot.
- The user should then reboot the system. The temporary files will be removed and the DLL will be restored.
- If the system is scanned again and detection occurs on the sfc_os.dll file located in system32\dllcache, the files zfcxx.tmp and sfc_os.dll.exe will be created again. Just reboot and they will be removed.

How to Clear Password from Desktop Hard Drive

Posted by Allen on March 11th, 2010

To clear a password, follow the steps below.

1. Turn off the computer and disconnect the power cable from the electrical outlet.
2. Remove the computer cover.
3. Locate the 2-pin password jumper (PSWD) on the system board and remove it to clear the password.
4. Close the computer cover.
5. Connect your computer and monitor to electrical outlets and turn them on.
6. After the Microsoft® Windows® desktop appears on your computer, shut it down.
7. Turn off the monitor and disconnect it from the electrical outlet.
8. Disconnect the computer power cable from the electrical outlet, and then press the power button to ground the system board.
9. Open the computer cover.
10. Locate the 2-pin password jumper on the system board and attach it to re-enable the password feature.
11. Replace the computer cover.
12. Connect your computer and devices to electrical outlets and turn them on.
13. Assign a new system and/or Administrator password.

How to manually uninstall the 2007 Office

Posted by Allen on March 9th, 2010

First, verify that you cannot uninstall the 2007 Microsoft Office system by using Add or Remove Programs.

For Windows XP:
Click Start, click Run, type control appwiz.cpl in the Open box, and then press ENTER.
Click to select the 2007 Office system product from the application list, and then click Remove.

For Windows Vista:
Click Start, type programs and features in the Search box, and then press ENTER.
Click to select the product to be uninstalled from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks.

If you were able to uninstall the 2007 Microsoft Office system by using Add or Remove Programs, you are finished. If you were unable to uninstall the 2007 Microsoft Office system, you may have issues with the Add or Remove Programs dialog box, or some 2007 Microsoft Office components may not be uninstalled. In these cases, you may be unable to reinstall the 2007 Microsoft Office system.

To uninstall the existing 2007 Microsoft Office system if you cannot uninstall it by using the Add or Remove Programs feature, follow these steps:
Step 1: Remove any remaining Windows Installer packages of the 2007 Microsoft Office system:
Click Start, click Run, type installer, and then click OK.

This process opens the %windir%\Installer folder.
On the View menu, click Details.

Important: To use the View menu in Windows Vista, you must press the ALT key first to display the menu bar, and then click the View menu.
On the View menu, click Choose Details.
Click to select the Subject check box, type 340 in the Width of selected column (in pixels) box, and then click OK.
Note: It may take several minutes for the subjects to appear next to each .msi file.
For Windows XP, on the View menu, point to Arrange icons by, and then click Subject.
For Windows Vista, on the View menu, point to Sort By, and then click Subject.
For each .msi file where the subject is “Microsoft Office Product_Name 2007,” right-click the .msi file, and then click Uninstall.

Step 2: Stop the Office Source Engine service:
For Windows XP, click Start, click Run, type services.msc in the Open box, and then click OK.

For Windows Vista, click Start, click Start Search, type services.msc, and then press ENTER.
In the Services window, determine whether the Office Source Engine service is running. If this service is running, right-click Office Source Engine, and then click Stop.
Close the Services window.
Step 3: Remove any remaining 2007 Microsoft Office installation folders
For Windows XP and Windows Server 2003, click Start, click Run, type %CommonProgramFiles%\Microsoft Shared in the Open box, and then click OK.

For Windows Vista, click Start, click Start Search, type %CommonProgramFiles%\Microsoft Shared, and then press ENTER.
Note: On a computer that is running a 64-bit version of Windows Vista, type %CommonProgramFiles(x86)%\Microsoft Shared, and then press ENTER.
If the following folders are present, delete them:
Office12
Source Engine
For Windows XP, click Start, click Run, type %ProgramFiles%\Microsoft Office, and then click OK.
On the root folder of each hard disk drive, locate and then open the MSOCache folder. If you cannot see the MSOCache folder, follow these steps:
Open Windows Explorer, and then on the Tools menu click Folder Options.
Click the View tab.
In the Advanced settings pane under Hidden files and folders, click Show hidden files and folders.
Click to clear the Hide protected operating system files check box, and then click OK.
Open the drive_letter:\MSOCache\All Users folder, and then delete every folder that has the following text in the folder name:
0FF1CE)

Step 4: Remove any remaining 2007 Microsoft Office installation files
For Windows XP and Windows Server 2003, click Start, click Run, type %appdata%\microsoft\templates, and then click OK.

For Windows Vista, click Start, click Start Search, type %appdata%\microsoft\templates, and then press ENTER.
Delete the following files:
Normal.dotm
Normalemail.dotm
For Windows XP, click Start, click Run, type %appdata%\microsoft\document building blocks\Language_ID, and then click OK.

For Windows Vista, click Start, click Start Search, type %appdata%\microsoft\document building blocks\Language_ID, and then press ENTER.

Notes
If you cannot open this folder because the folder does not exist, go to step 6.
Language_ID is a placeholder for the four-digit number that represents the language of the 2007 Microsoft Office system. For example, if you use the English version of the 2007 Microsoft Office system, the Language_ID value is 1033. If the Language_ID is not known, type %appdata%\microsoft\document building blocks, and then open the subfolder in that location.
Delete the Building blocks.dotx file.
For Windows XP, click Start, click Run, type %temp%, and then click OK.

For Windows Vista, click Start, click Start Search, type %temp%, and then press ENTER.
On the Edit menu, click Select All.
On the File menu, click Delete.
For Windows XP, click Start, click Run, type %AllUsersprofile%\Application Data\Microsoft\Office\Data, and then click OK.

For Windows Vista, click Start, click Start Search, type %AllUsersprofile%\Application Data\Microsoft\Office\Data, and then press ENTER.
Delete only the Opa12.dat file.

Step 5: Remove the registry subkeys of the 2007 Microsoft Office system

Locate and then delete the registry subkeys of the 2007 Microsoft Office system if they are present. To do this, follow these steps:
For Windows XP, click Start, click Run, type regedit, and then click OK.

For Windows Vista, click Start, click Start Search, type regedit, and then click OK.
Click the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0
On the File menu, click Export, type DeletedKey01, and then click Save.
On the Edit menu, click Delete, and then click Yes to confirm the deletion.
For each registry subkey in the following list, repeat steps 1a through 1d. Change the name of the exported key by one for each subkey.

For example, type DeletedKey02 for the second key, type DeletedKey03 for the third key, and so on.

32-bit versions of Microsoft Windows:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Delivery\SourceEngine\Downloads\*0FF1CE}-*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*0FF1CE*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\*F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*F01FEC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ose
HKEY_CLASSES_ROOT\Installer\Features\*F01FEC
HKEY_CLASSES_ROOT\Installer\Products\*F01FEC
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\*F01FEC
HKEY_CLASSES_ROOT\Installer\Win32Assemblies\*Office12*
64-bit versions of Microsoft Windows:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Delivery\SourceEngine\Downloads\*0FF1CE}-*
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*0FF1CE*
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\*F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*F01FEC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ose
HKEY_CLASSES_ROOT\Installer\Features\*F01FEC
HKEY_CLASSES_ROOT\Installer\Products\*F01FEC
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\*F01FEC
HKEY_CLASSES_ROOT\Installer\Win32Assemblies\*Office12*
Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

On the File menu, click Export, type UninstallKey01, and then click Save.
Under the Uninstall subkey that you located in step 2, click each subkey, and then determine whether the subkey has the following value assigned to it:
Name: UninstallString
Data: file_name path\Office Setup Controller\Setup.exe path

Note: In this example, file_name is a placeholder for the name of an installation program, and path is a placeholder for the file path.
Close Registry Editor.
Restart the computer.

Reading of memory dump files

Posted by Allen on February 27th, 2010

When Windows crashes, a small memory dump file records the smallest set of useful information that may help identify why your computer has stopped unexpectedly. The file can be found in c:\windows\minidump\.

This dump file type includes the following information:
The Stop message and its parameters and other data
A list of loaded drivers
The processor context (PRCB) for the processor that stopped
The process information and kernel context (EPROCESS) for the process that stopped
The process information and kernel context (ETHREAD) for the thread that stopped
The Kernel-mode call stack for the thread that stopped
The small memory dump file can be useful when hard disk space is limited. However, because of the limited information that is included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by an analysis of this file.

Tools to read the small memory dump file
You can load small memory dump files by using the Dump Check Utility (Dumpchk.exe). You can also use Dumpchk.exe to verify that a memory dump file has been created correctly. The Dump Check Utility does not require access to debugging symbols. The Dump Check Utility is included with the Microsoft Windows 2000 Support Tools and the Microsoft Windows XP Support Tools.

Install the debugging tools
To download and install the Windows debugging tools, visit the following Microsoft Web site:
http://www.microsoft.com/whdc/devtools/debugging/default.mspx
Select the Typical installation. By default, the installer installs the debugging tools in the following folder:
C:\Program Files\Debugging Tools for Windows

Open the dump file
To open the dump file after the installation is complete, follow these steps:
Click Start, click Run, type cmd, and then click OK.
Change to the Debugging Tools for Windows folder. To do this, type the following at the command prompt, and then press ENTER:
cd c:\program files\debugging tools for windows
To load the dump file into a debugger, type one of the following commands, and then press ENTER:
windbg -y SymbolPath -i ImagePath -z DumpFilePath
kd -y SymbolPath -i ImagePath -z DumpFilePath

How to Remove SMS Advanced Client

Posted by Allen on November 18th, 2009

I have been trying to remove the SMS Advanced Client from a Windows XP machine using the Ccmclean tool (which can be found in the SMS toolkit). Unfortunately, Ccmclean failed to remove the client.

Another way to remove the SMS Advanced Client from the machine is the msiexec /x command.

Before executing that command, you must know the GUID of the SMS Advanced Client. The GUID can be found in Registry Editor under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

The correct GUID has SMS Advanced Client as the Display Name value.

After you get the SMS Advanced Client GUID value, execute the msiexec /x command at command prompt.

Msiexec /x {D8EF2D11-47CF-45E5-B423-47B29706DE12}
(the value after Msiexec /x is the GUID of the SMS Advanced Client)

After you run Msiexec /x on the machine, you may need to manually remove the VPCache folder for the SMS Advanced Client. Follow these steps:

1. Locate the following registry key in registry editor:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\VPCache

2. The Path value for VPCache is the location of the VPCache folder on the system drive. For example, %Windir%\System32\VPCache.

3. Locate the VPCache folder and then delete it from the hard drive.

4. Lastly, delete VPCache registry key from the registry editor.

Although this method takes more time to complete, it is an alternative way to remove the SMS Advanced Client from the machine.
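
The GUID lookup and the VPCache path lookup described above can be scripted instead of browsing Registry Editor. This is an added example, not part of the original post: it only reads the registry and prints the msiexec command and the folder for review, without running or deleting anything. Checking the Wow6432Node view of the Uninstall key is an assumption added for 64-bit systems, and the variable names are this example's own.

```powershell
# Added example: find the product GUID by Display Name. Read-only.
$displayName = 'SMS Advanced Client'      # Display Name given in the post

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # Assumption: also look in the 32-bit view that exists on 64-bit Windows.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
# msiexec /x takes a product code, so only GUID-named keys are usable.
$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

$found = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if ($props.DisplayName -ne $displayName) { continue }

        $isGuid = $key.PSChildName -match $guidPattern
        if ($isGuid) { $command = "msiexec /x $($key.PSChildName)" }
        else         { $command = '(key name is not a GUID; not an MSI product code)' }

        New-Object PSObject -Property @{
            KeyName        = $key.PSChildName
            DisplayVersion = $props.DisplayVersion
            Command        = $command
        }
    }
}

if ($found) {
    $found | Select-Object KeyName, DisplayVersion, Command | Format-List
} else {
    Write-Warning "No Uninstall entry has the Display Name '$displayName'."
}

# Steps 1 and 2 of the VPCache cleanup: report the folder named by the Path value.
$vpCacheKey = 'HKLM:\SOFTWARE\Microsoft\SMS\VPCache'
if (Test-Path -Path $vpCacheKey) {
    $vpPath = (Get-ItemProperty -LiteralPath $vpCacheKey).Path
    "VPCache folder recorded in the registry: $vpPath"
} else {
    'No VPCache registry key is present.'
}
```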

What is a Blue Screen of Death?

Posted by Allen on November 10th, 2009

The Blue Screen of Death, or more properly the ‘Windows stop message’ occurs when Windows detects a problem or error from which it cannot recover. The operating system halts and diagnostic information is displayed on a blue screen. In newer versions of the operating system, the contents of the PC’s memory are dumped to a file for later analysis.

All Windows XP stop errors are numbered according to the circumstances that caused the error, which assists enormously in troubleshooting them.

A typical Windows XP stop message is divided into four parts, and actually does display some helpful clues as to what caused its appearance. Reading a BSOD is not an everyday task, but if we take a moment to dissect it, you’ll see it can help us to resolve the conflict which is stopping Windows from operating correctly.

The first section, the bugcheck information, shows the number of the stop error (in hexadecimal format), information on why the system has stopped and the friendly (text-based) name for the stop error. A typical one is DRIVER_IRQL_NOT_LESS_OR_EQUAL.

The second section, ‘recommended user action,’ is pretty generic and contains advice for the user on possible troubleshooting steps. This tends to be the same for just about every stop error, though the main advice ‘try restarting your computer’ is the best possible first step to take.

The third section, ‘driver information,’ may contain vital info. If an actual driver file is associated with the blue screen, it will be listed here. This can give you something to work on in the case of a reoccurring error.

The final part of the stop error screen is the ‘debug port and status information’ section. Windows XP will attempt to dump the contents of system memory either to a file on the hard drive or to one of the COM ports in the case of a stop error.

How to uninstall Internet Explorer 7 & 8

Posted by Allen on October 12th, 2009

When you uninstall Windows Internet Explorer 7, Internet Explorer 6 is automatically restored on your computer. If you uninstall Internet Explorer 8, then Internet Explorer 7 is automatically restored on your computer.

Uninstall Internet Explorer 7 & 8
Click Start, and then click Run.
In the Open box, type appwiz.cpl, and then click OK. It may take several seconds for your computer to compile a list of programs.
Scroll down through the list and click Windows Internet Explorer 7 or 8, and then click Remove.

If method 1 did not uninstall Internet Explorer 7 or 8, try using the Spuninst.exe executable wizard on your computer.

Make hidden files and hidden folders visible
Click Start, and then click My Documents.
On the Tools menu, click Folder Options.
Click the View tab.
In the Advanced settings list, under Hidden files and folders, click Show hidden files and folders, and then click OK.

Uninstall Internet Explorer 7
Click Start, and then click Run.
In the Open box, type %windir%\ie7\spuninst\spuninst.exe, and then click OK.
Follow the wizard instructions to uninstall Internet Explorer 7.
Uninstall Internet Explorer 8
Click Start, and then click Run.
In the Open box, type %windir%\ie8\spuninst\spuninst.exe, and then click OK.
Follow the wizard instructions to uninstall Internet Explorer 8.


Copyright © 2010 IT Troubleshooters.