McAfee frozen PC lowdown

Everything you wanted to know about how to get that PC working again

Yesterday we heard that a McAfee automated virus update had caused PCs to freeze up - something that wasn't appreciated by sysadmins and those wishing to, say, use their computer. Details were sketchy but you readers have come up trumps and emailed us all the relevant info. A McAfee employee also helped explain how to fix the problem.

Basically, an update file to inform the virus scanner of new variants caused an outdated version of the scanning software (its "engine") to continuously scan files on your computer (looks like a file override problem). Since virus scanning is a priority task, this activity managed to consume 99 per cent of processor power, leaving the computer completely frozen for any other tasks you may want to do. Apparently you can still do some work on the machine but it will be very, very slow.

The old engine, version 4.0.02, is a year-and-a-half old and should really have been updated to the new 4.0.70 version, which apparently works fine with the latest update. Now, some have said that people are daft to not have updated the engine and this is true enough but of course nothing is as simple as it seems. One sysadmin informed us that he'd been trying to upgrade his company's virus engines for months but neither he nor McAfee could find a way to do it. We don't know the full reasons why this might be so, but it does demonstrate that there may be many users who legitimately have the old engine and presumably aren't terribly happy at the moment.

So what's the solution? Well, you're gonna have to stop the scanning software. Then you can either delete it and reinstall it, preferably with the new and latest versions, or download McAfee's superdat fix file (sdat4103.exe - the offending dat file that has caused all the problems is 4102.dat) and install it. This is a bit of a pain in the arse and we'd advise only those happy with mucking about with a PC's inner workings to do it. If you're a layman, the IT support boys will probably be around sometime today.

If you're running Win 9x, you could sort it out yourself, but with NT, it'll most likely need administrator access to get at the relevant files. Below therefore are a range of suggestions. We'll put McAfee's first: ®



If this document does not answer your questions, you may contact the following website: www.mcafeehelp.com. This site specializes in support for our retail products. However, many of the issues also apply to our corporate products. You will be able to search for a solution or information regarding your program. If you do not find what you are searching for, you will be given other support options such as Email Express, Forums, and Phone support. You may also obtain online technical support by visiting http://support.nai.com.


4102 Dat resource Issue

Symptoms
Win 95/98 & Win NT

All system resources are being used up showing approximately at 99%. Some have difficulties in getting into alternate modes to fix the issue. This occurs only after installing the 4102 dats.

Solution For WIN 9x & Win Me

Restart the Computer in MS-DOS Mode
1. Shut the computer down so the power is off.
2. Wait 20 seconds or so.
3. Turn the computer on and immediately begin pressing the F8 key on the keyboard once every second repeatedly. Do this until the Windows Startup Menu appears. If you get a keyboard error, press F1 to resume and then continue pressing the F8 key once every second.
4. Select "Safe Mode Command Prompt Only" (usually option #6) from the Windows Startup Menu, then press the Enter key on the keyboard.
5. Windows will then boot into MS-DOS Mode. You will be left with a screen with a black background. The last line will have a DOS prompt that looks like C:\> (followed by a blinking cursor).

Rename the Conflicting File
1. Type the following command into the keyboard, pressing Enter after each line.
At the C: prompt, type DIR names.dat /s (Enter)
It will tell you what directory the file is in. Then navigate to that directory.
REN NAMES.DAT NAMES.OLD

Then apply the super dat
Then rename names.old to names.dat

If you use Windows NT

Here is a way to get into NT to make the following changes below: (Renaming the conflicting files)

Hit Control-Alt-Delete and click on Task Manager
Click on File and New Task (Run)
Type "Net Stop Mcshield" and hit Enter
(NOTE: It might be necessary to type net stop Mcshield.exe)
For NTFS you will have to use a third-party DOS utility; we suggest the link below.
http://downloads.mediadna.zdnet.com/info/com.zdnet_downloads_0016ZF_0016ZF.html?se=ink

Rename the Conflicting File
1. Type the following command into the keyboard, pressing Enter after each line.
At the C: prompt, type DIR names.dat /s (Enter)
It will tell you what directory the file is in. Then navigate to that directory.
REN NAMES.DAT NAMES.OLD

At the C: prompt, type DIR mcshield.exe /s (Enter)
It will tell you what directory the file is in. Then navigate to that directory.
REN MCSHIELD.exe MCSHIELD.OLD
Then apply the super dat
Then rename names.old to names.dat
Then rename mcshield.old to mcshield.exe
At this point the Issue should be resolved.



When the machine is running like treacle it is faster and more reliable to use the Windows key to get the start menu, rather than the mouse. You can also choose Programs | Command Prompt as an alternative to Run "cmd". As a technicality, you do not "get to Dos" - NT does not run on Dos in the manner of Win9x. You get to the NT command prompt. To the novice user, it looks the same and functions the same, however.


If the command net stop "Dr Solomon's McShield" (the /y is not actually needed) does not work, try net stop "Network Associates McShield". On my system, this is the name of the service. You can also type net start to see a list of the currently running services.

You most certainly do *not* want to restart the system at this point - the scanner is stopped, and restarting will only cause it to start up again!

At this point, you can now use your machine normally, albeit without the virus scanner. You can download the latest sdat4103.exe and install it. I can't seem to get the file at the moment - maybe their server is overloaded with downloads for some reason.



I ran the "superdat" update to update the scan engine and it did fix the problem. The only stumbling block in this solution is that we have a WAN with over 5000 computers connected to it, each with an old scan engine. They have made an updated DAT file that should work with our version of the scan engine. Right as I was leaving I downloaded the new DAT file and ran my Perl script to update all the BDCs in our domain. In theory tomorrow when people log in they should automatically get the new definition and our problems will be over. In the meantime we still have an old scan engine that most likely will not get updated until McAfee can figure out their own software.




The easiest way to get your 95 or 98 computer running is boot in DOS, go to the McAfee directory, then rename vshwin.exe to something else. You'll have to reinstall VirusScan (if you dare) but at least you can get your computer running.




There are some registry keys that load McAfee Antivirus in normal mode in Windows 9x. To view these keys, run the program c:\windows\regedit.exe. This can be done in safe mode.


The keys are:
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

And

My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The values under each section are applications that are run when windows starts. The ones related to McAfee are Vshwin32EXE, VsStatEXE, and possibly one that contains "WebScanX" under the Run Key. Under RunServices, the values are Vshwin32EXE and possibly the "WebScanX".

These keys can be saved by selecting the key (Run or RunServices) and choosing the Export Registry File option from the Registry menu. Then, the offending keys or values can be modified. After rebooting and running the updated .dat file, the keys may be restored to normal by opening the registry key files that were previously exported. Rebooting one more time should put the system back to normal.

Additionally, I have found it VERY useful to modify these two registry keys to eliminate unnecessary programs loading at startup. It's amazing what kind of performance increase you can get out of your system by doing this (as well as finding out how many programs INVADE your computer by installing something that loads in startup). There are other ways that things are loaded when starting Windows, but this is the most common and most commonly overlooked.
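
The export described in the comment above can be reviewed offline before anything is changed. This is an added example, not code from the article, its readers or McAfee: it parses an exported REGEDIT4 file and lists the Run and RunServices values whose names match the ones the comment gives. The sample export, its C:\EXAMPLE paths and the non-McAfee value names are constructed.

```python
import re

# Value names the comment above identifies as McAfee autostart entries.
MCAFEE_MARKERS = ("vshwin32exe", "vsstatexe", "webscanx")
# Constructed sample of a Win9x Run/RunServices export (REGEDIT4 text format).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Vshwin32EXE"="C:\\EXAMPLE\\VSHWIN32.EXE"
"VsStatEXE"="C:\\EXAMPLE\\VSSTAT.EXE"
"McAfeeWebScanX"="C:\\EXAMPLE\\WEBSCANX.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Vshwin32EXE"="C:\\EXAMPLE\\VSHWIN32.EXE"
"SchedulingAgent"="mstask.exe"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

def unescape(text):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', text)

def parse_export(text):
    """Return {key_path: {value_name: data}} for string values in an export."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key"), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[unescape(m.group("name"))] = unescape(m.group("data"))
    return keys

def mcafee_autostarts(keys):
    """List (key leaf, value name, command) for entries matching the markers."""
    return [(path.rsplit("\\", 1)[-1], name, data)
            for path, values in keys.items()
            for name, data in values.items()
            if any(marker in name.lower() for marker in MCAFEE_MARKERS)]

for leaf, name, data in mcafee_autostarts(parse_export(SAMPLE_EXPORT)):
    print(f"{leaf}: {name} -> {data}")
```

Running the same listing against the export taken before the change and against a fresh export after the restore shows whether every scanner entry came back.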
