Advertisement
joemccray

Kill McAfee

Feb 24th, 2016
1,908
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.  
  2. #########################
  3. # Kill McAfee AV & HIPS #
  4. #########################
  5.  
  6. 1. Stop the services
  7. ====================
  8.  
  9. Stop the overall AV Framework
  10. net stop "McAfee Framework Service"
  11.  
  12.  
  13. Stop the HIPS
  14. net stop hips
  15. net stop enterceptagent
  16. net stop firepm
  17.  
  18.  
  19.  
  20. 2. Kill the processes
  21. =====================
  22.  
  23. McAfee Processes
  24. pskill -t UdaterUI
  25. pskill -t TBMon
  26. pskill -t Mcshield
  27. pskill -t VsTskMgr
  28. pskill -t shstat
  29.  
  30.  
  31. HIPS Processes
  32. pskill -t firetray
  33.  
  34.  
  35.  
  36. Altiris Processes
  37. pskill -t AeXNSAgent
  38.  
  39.  
  40. Hercules Processes
  41. pskill -t HercUserAgent
  42. pskill -t HercClient
  43.  
  44.  
  45. 3. Unload DLLs
  46. ==============
  47.  
  48. Unload EPO HIPS plugin
  49. regsvr32 -u fireepo.dll
  50.  
  51.  
  52. #####################################
  53. # Everything below this is research #
  54. #####################################
  55.  
  56.  
  57.  
  58. 4. Remove Drivers
  59. =================
  60.  
  61. Note:
  62. Somehow the "mfebopk.sys" driver needs to be unloaded. This is the Buffer Overflow protection Driver. This file should be located in "c:\windows\system32\drivers".
  63.  
  64. naiavf5x.sys is the Anti-Virus file system driver.
  65. mvstdi5x.sys is the Anti-Virus mini-Firewall driver.
  66.  
  67.  
  68. Research devcon.exe: http://support.microsoft.com/kb/311272
  69.  
  70. Research:
  71. https://knowledge.mcafee.com/article/469/614226_f.SAL_Public.html
  72.  
  73.  
  74. 5. Remove the IPS Agent
  75. =======================
  76. To completely remove the Host IPS agent:
  77.  
  78. Disable the Host IPS agent:
  79.  
  80. 1.
  81. Open a command line session Click Start, Run, type CMD and press ENTER.
  82. 2.
  83. At the command line issue the following commands:
  84. net stop hips
  85. net stop enterceptagent
  86. net stop firepm
  87. 3.
  88. Close the ClientUI
  89. 4.
  90. Press CTRL+ALT+DEL, in the Security menu click Task Manager.
  91. Select firetray.exe and click End Process
  92.  
  93. Unload the epo Plugin:
  94.  
  95. 1.
  96. Open regedit: Click Start, Run, type regedit and press ENTER.
  97. 2.
  98. Delete the registry key:
  99. HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\HOSTIPS_7000
  100. 3.
  101. At the command-line, run:
  102. regsvr32 -u fireepo.dll
  103.  
  104. Remove Talkback:
  105.  
  106. 1.
  107. At the command-line run:
  108. C:\Program Files\Common Files\McAfee Inc\TalkBack\tbmon.exe -delref
  109. 2.
  110. Delete the folder:
  111. C:\Program Files\Common Files\McAfee Inc\TalkBack
  112. 3.
  113. Using Regedit delete the following registry entries.
  114. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls
  115. C:\Program Files\Common Files\McAfee Inc.\TalkBack\dbghelp.dll
  116. C:\Program Files\Common Files\McAfee Inc.\TalkBack\TBMon.exe
  117. C:\Program Files\Common Files\McAfee Inc.\TalkBack\TBMon.loc
  118. C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe
  119.  
  120. Remove firehk driver
  121.  
  122. 1.
  123. At the command-line run:
  124. C:\Program Files\McAfee\Host Intrusion Prevention\Inf\installfirehk.bat /u
  125. 2.
  126. Using Regedit delete the following registry entries:
  127. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firehk
  128. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FirehkMP
  129. 3.
  130. Delete the file: C:\windows\system32\drivers\firehk.sys
  131.  
  132. Delete the hipscore service and remove the drivers:
  133.  
  134. 1.
  135. Using Regedit delete the following registry entry:
  136. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hips
  137. 2.
  138. From the command-line run:
  139. C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\mfehidin.exe -u HIPK.sys HIPPSK.sys HIPQK.sys
  140. 3.
  141. Using Regedit delete the following registry entries:
  142. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HIPK
  143. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HIPSK
  144. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HIPQK
  145. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk
  146. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfetdik
  147. 4.
  148. Delete the files:
  149. C:\windows\system32\drivers\HIPK.sys
  150. C:\windows\system32\drivers\HIPPSK.sys
  151. C:\windows\system32\drivers\HIPQK.sys
  152. C:\windows\system32\hipqa.dll
  153. C:\windows\system32\hipis.dll
  154. C:\windows\system32\mfehida.dll
  155. 5.
  156. From the command-line, run:
  157. C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSCoreReg.exe -u
  158. Using Regedit delete the following registry entries:
  159. HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIPSCore
  160.  
  161. Delete services and drivers:
  162.  
  163. 1.
  164. Using Regedit delete the following registry entries:
  165. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\enterceptAgent
  166. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FirePM
  167. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\firelm01
  168. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FireTDI
  169. 2.
  170. Delete the files:
  171. C:\WINDOWS\system32\drivers\firelm01.sys
  172. C:\WINDOWS\system32\drivers\FirePM.sys
  173. C:\WINDOWS\system32\drivers\FireTDI.sys
  174.  
  175. Remove the Host IPS registry
  176.  
  177. 1.
  178. Using Regedit delete the following registry entries:
  179. HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP
  180. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\enterceptAgent
  181. HKEY_LOCAL_MACHINE\SOFTWARE\Entercept\EnterceptAgent
  182. HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\McAfee Fire
  183. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ McAfee Host Intrusion Prevention Tray
  184.  
  185. Remove Host IPS files
  186.  
  187. 1.
  188. Delete the folder
  189. C:\Program Files\McAfee\Host Intrusion Prevention
  190. 2.
  191. Delete the files:
  192. C:\WINDOWS\system32\FireCL.dll
  193. C:\WINDOWS\system32\FireCNL.dll
  194. C:\WINDOWS\system32\FireComm.dll
  195. C:\WINDOWS\system32\FireCore.dll
  196. C:\WINDOWS\system32\FireEpo.dll
  197. C:\WINDOWS\system32\FireNHC.dll
  198. C:\WINDOWS\system32\FireSCV.dll
  199.  
  200. Remove the shortcut:
  201.  
  202. 1. Navigate to: C:\Documents and Settings\All Users\Start Menu\Programs\McAfee\
  203. 2. Delete the Host Intrusion Prevention shortcut.
  204.  
  205. Clean up:
  206.  
  207. 1.
  208. Use msizap.exe to remove the MSI registry values.
  209. From the command line execute:
  210. msizap.exe TW! {B332732A-4958-41DD-B439-DDA2D32753C5}.
  211. 2.
  212. Alterntively install the Windows Installer Cleanup Utility (msicuu.exe) and use this to remove the registry keys. This displays all the MSI based products that are installed allowing selection of the product to have it's MSI data removed. For further information: http://support.microsoft.com/kb/290301/en-us
  213. 3.
  214. Restart the client.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement