Monday, February 3, 2014

McAfee: remove host intrusion prevention

How to manually remove Host Intrusion Prevention Agent 7.0

Environment
For details of all supported operating systems, see KB51109.
Solution
CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, McAfee strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a .REG file that is not confirmed to be a genuine registry import file.

IMPORTANT: This article recommends that you use the Microsoft Windows Installer Cleanup Utility (MSICUU2.exe), which is designed to help resolve uninstall problems in applications that use the Windows Installer technology.

Effective June 25, 2010, Microsoft retired MSICUU2.exe because of conflicts with Microsoft Office 2007. MSICUU2.exe is no longer available from the Microsoft website.

This article retains procedures involving MSICUU2.exe in case you have an existing copy of MSICUU2.exe. However, before you use it, review the advice given on the Microsoft website at: http://support.microsoft.com/kb/290301.

To completely remove the Host Intrusion Prevention agent

Step 1 - Disable the Host Intrusion Prevention agent
NOTE: Disable the Host Intrusion Prevention module from the Host Intrusion Prevention client UI before proceeding with the steps below.
  1. Click Start, Run, type cmd and click OK.
  2. At the command prompt, type each of the commands below and press ENTER after each:

    net stop hips
    net stop enterceptagent
    net stop firepm
  3. Close the Host Intrusion Prevention client interface.
  4. Press CTRL+ALT+DEL, and in the Security menu click Task Manager.
  5. Select firetray.exe and click End Process.
     
Step 2 - Unload the ePolicy Orchestrator (ePO) Plugin
  1. Click Start, Run, type regedit and click OK. 
  2. Delete the following registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\HOSTIPS_7000]
     
  3. Click Start, Run, type cmd and click OK.
  4. Type the following command and press ENTER:

    regsvr32 -u fireepo.dll
Step 3 - Remove Talkback
  1. Click Start, Run, type cmd and click OK.
  2. Type the following command and press ENTER:

    "C:\Program Files\Common Files\McAfee Inc\TalkBack\tbmon.exe" -delref
  3. Click Start, Run, type explorer and click OK.
  4. Delete the folder: C:\Program Files\Common Files\McAfee Inc\TalkBack
  5. Click Start, Run, type regedit and click OK.
  6. Locate and expand the following registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
  7. Under SharedDlls, delete each of the following keys:

    C:\Program Files\Common Files\McAfee Inc.\TalkBack\dbghelp.dll
    C:\Program Files\Common Files\McAfee Inc.\TalkBack\TBMon.exe
    C:\Program Files\Common Files\McAfee Inc.\TalkBack\TBMon.loc
    C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe
Step 4 - Remove the firehk driver
  1. Click Start, Run, type cmd and click OK.
  2. Type the following command and press ENTER:

    "C:\Program Files\McAfee\Host Intrusion Prevention\Inf\installfirehk.bat" /u
  3. Click Start, Run, type regedit and click OK.
  4. Delete the following registry keys:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firehk]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FirehkMP]
  5. Navigate to: C:\windows\system32\drivers\.
  6. Delete the file firehk.sys.
     
Step 5 - Delete the HIPSCore service and remove the drivers
  1. Click Start, Run, type regedit, and click OK.
  2. Delete the following registry key:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hips]
  3. Click Start, Run, type cmd and click OK.
  4. Type the following command and press ENTER:

    "C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\mfehidin.exe" -u HIPK.sys HIPPSK.sys HIPQK.sys
  5. In the registry editor, delete each of the following registry keys:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HIPK]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HIPPSK]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HIPQK]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfetdik] 
      (see below)

    IMPORTANT: If VirusScan Enterprise 8.x is installed on the computer, do not remove the mfetdik key. This disables the VirusScan Enterprise On-Access Scanner if Host Intrusion Prevention is not reinstalled.

     
  6. Delete each of the following files:

    C:\windows\system32\drivers\HIPK.sys
    C:\windows\system32\drivers\HIPPSK.sys
    C:\windows\system32\drivers\HIPQK.sys
    C:\windows\system32\hipqa.dll
    C:\windows\system32\hipis.dll
    C:\windows\system32\mfehida.dll 
  7. From the command prompt, type the following command and press ENTER:

    "C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSCoreReg.exe" -u
  8. In the registry editor, delete the following key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIPSCore]
Step 6 - Delete services and drivers
  1. Click Start, Run, type regedit and click OK.
  2. Delete each of the following keys:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\enterceptAgent]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FirePM]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\firelm01]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FireTDI]
  3. Click Start, Run, type explorer and click OK.
  4. Delete each of the following files:

    C:\WINDOWS\system32\drivers\firelm01.sys
    C:\WINDOWS\system32\drivers\FirePM.sys
    C:\WINDOWS\system32\drivers\FireTDI.sys
Step 7 - Remove the remaining Host Intrusion Prevention registry entries
  1. Click Start, Run, type regedit and click OK.
  2. Delete each of the following keys:

    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\enterceptAgent]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Entercept\EnterceptAgent]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\McAfee Fire]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Host Intrusion Prevention Tray]
Step 8 - Remove Host Intrusion Prevention files
  1. Click Start, Run, type explorer and click OK.
  2. Delete the folder: C:\Program Files\McAfee\Host Intrusion Prevention.
  3. Delete each of the following files:

    C:\WINDOWS\system32\FireCL.dll
    C:\WINDOWS\system32\FireCNL.dll
    C:\WINDOWS\system32\FireComm.dll
    C:\WINDOWS\system32\FireCore.dll
    C:\WINDOWS\system32\FireEpo.dll
    C:\WINDOWS\system32\FireNHC.dll
    C:\WINDOWS\system32\FireSCV.dll 
Step 9 - Remove the Host Intrusion Prevention Start Menu shortcut
  1. Click Start, Run, type explorer and click OK.
  2. Navigate to: C:\Documents and Settings\All Users\Start Menu\Programs\McAfee\.
  3. Delete the Host Intrusion Prevention shortcut.
     
Step 10 - Additional clean up
Use the Microsoft MSIZap (MSIZAP.exe) or the Microsoft Windows Installer Cleanup utility (MSICUU2.exe) to remove the MSI registry values of the Host Intrusion Prevention product.  
For information about the Microsoft MSIZap or the Windows Installer Cleanup utility, see: http://msdn.microsoft.com/en-us/library/aa370523(VS.85).aspx


Steps using Microsoft MSIZAP:
  1. Click Start, Run, type cmd, and click OK.
  2. Type the following command and press ENTER:

    msizap.exe TW! {B332732A-4958-41DD-B439-DDA2D32753C5}
  3. Restart your client.
Steps using the Windows Installer Cleanup Utility:
See KB53373 for important information regarding downloading the Windows Installer Cleanup utility. For additional information, see: http://support.microsoft.com/kb/290301/en-us.

NOTE: The Microsoft Windows Installer Cleanup utility is still available at your own risk from:  http://download.microsoft.com/download/e/9/d/e9d80355-7ab4-45b8-80e8-983a48d5e1bd/msicuu2.exe
  1. Click Start, All Programs, and run Windows Install Clean Up.
  2. Select the McAfee Host Intrusion Prevention product.
  3. Click Remove.
  4. Restart your client.
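
A read-only way to confirm the result of Steps 1-9 after the restart, as an added example that is not part of the original KB article. It only reports leftovers and deletes nothing. The helper name New-Finding is hypothetical, and the use of $env:SystemRoot and $env:ProgramFiles in place of the literal C:\windows and C:\Program Files paths is an assumption.

```powershell
# Added example: read-only check for Host Intrusion Prevention 7.0 leftovers.
# Keys, files and service names are the ones listed in Steps 1-9 above.
# Assumption: $env:SystemRoot / $env:ProgramFiles match C:\windows and C:\Program Files.
function New-Finding($Item, $Note) { New-Object PSObject -Property @{ Item = $Item; Note = $Note } }
$svc  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$keys = @(
    'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\HOSTIPS_7000'
    'HKLM:\SOFTWARE\McAfee\HIPSCore'
    'HKLM:\SOFTWARE\McAfee\HIP'
    'HKLM:\SOFTWARE\Entercept\EnterceptAgent'
    'HKLM:\SOFTWARE\Network Associates\McAfee Fire'
    "$svc\Eventlog\Application\enterceptAgent"
) + ('Firehk','FirehkMP','hips','HIPK','HIPPSK','HIPQK','mfehidk',
     'enterceptAgent','FirePM','firelm01','FireTDI' | ForEach-Object { "$svc\$_" })
$sys32 = Join-Path $env:SystemRoot 'system32'
$files = 'drivers\firehk.sys','drivers\HIPK.sys','drivers\HIPPSK.sys','drivers\HIPQK.sys',
         'drivers\firelm01.sys','drivers\FirePM.sys','drivers\FireTDI.sys',
         'hipqa.dll','hipis.dll','mfehida.dll','FireCL.dll','FireCNL.dll','FireComm.dll',
         'FireCore.dll','FireEpo.dll','FireNHC.dll','FireSCV.dll' |
         ForEach-Object { Join-Path $sys32 $_ }
$files += Join-Path $env:ProgramFiles 'McAfee\Host Intrusion Prevention'
$files += Join-Path $env:ProgramFiles 'Common Files\McAfee Inc\TalkBack'
$found = @()
foreach ($p in $keys + $files) {
    if (Test-Path -LiteralPath $p) { $found += New-Finding $p 'still present' }
}
# mfetdik is reported separately: Step 5 says to keep it when VirusScan Enterprise 8.x is installed.
if (Test-Path -LiteralPath "$svc\mfetdik") {
    $found += New-Finding "$svc\mfetdik" 'keep if VirusScan Enterprise 8.x is installed'
}
# Run and SharedDlls entries are registry values, so they are matched by value name.
$cv   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$tray = 'McAfee Host Intrusion Prevention Tray'
if ((Get-Item "$cv\Run").GetValueNames() -contains $tray) { $found += New-Finding "$cv\Run -> $tray" 'autostart entry' }
if (Test-Path "$cv\SharedDlls") {
    (Get-Item "$cv\SharedDlls").GetValueNames() | Where-Object { $_ -like '*\McAfee Inc*\TalkBack\*' } |
        ForEach-Object { $found += New-Finding "$cv\SharedDlls -> $_" 'SharedDlls entry' }
}
# Services stopped in Step 1 and the tray process ended in Step 1.
Get-Service -Name hips, enterceptagent, firepm -ErrorAction SilentlyContinue |
    ForEach-Object { $found += New-Finding "service $($_.Name)" "registered, status $($_.Status)" }
if (Get-Process -Name firetray -ErrorAction SilentlyContinue) { $found += New-Finding 'firetray.exe' 'process running' }
if ($found) { $found | Select-Object Item, Note | Format-Table -AutoSize -Wrap }
else { 'No Host Intrusion Prevention 7.0 leftovers found.' }
```

Run it from an elevated PowerShell prompt so the Services keys and driver files are readable.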
     
Related Information
KB58832 - How to manually remove Host Intrusion Prevention 6.x


