How to manually remove VirusScan Enterprise

Reading Time: 3 minutes

How to manually remove VirusScan Enterprise 8.0i

You come across an issue, where you are unable to start the McAfee McShield service and receive error access denied.

You are unable to install a newer version of McAfee as you receive a message to say you have insufficient priveleges.

You have tried removing McAfee but unable to remove the McAfee McShield Service.
I found the below instructions from McAfee helpful.

IMPORTANT: 

  • The following instructions are intended to be used as a last resort for removing VirusScan Enterprise. Before attempting a manual removal, try all other methods first. Administrators should use discretion when employing this solution.
  • These steps do not include instruction for removing the McAfee Error Reporting Service and Common Framework Service as these components may be shared with other McAfee products. 
CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, McAfee strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986
  • Do not run a .REG file that is not confirmed to be a genuine registry import file.

Manual removal procedure

Step 1 – Stop and Disable running McAfee and other services

 

  1. Click Start, Run, type services.msc and press ENTER.
  2. Right-click McAfee Framework and select Stop.
  3. For each of the following services, right-click, select Properties, set the Startup type to Disabled, click Stop, and click OK.Network Associates McShield (McShield.exe)
    Network Associates Task Manager (VsTskMgr.exe) 
  4. If Simple Network Management Protocol (SNMP) service is running it will lock the VSE80i Mcvssnmp.dll. To unlock the file and allow it to be deleted please stop the following servicesSNMP Service
    SNMP Trap Service

Step 2 – Remove components

  1. Click Start, Run, type cmd and press ENTER.
  2. Change directory to:  \Program Files\Common Files\Network Associates\Talkback.
    Type TBMON -Delref and hit Enter to decrement the counter for the McAfee Error Reporting Service.
  3. Change directory to: \Program Files\Network Associates\VirusScan.
  4. Type Naiavfin -u and press Enter to flag the McAfee Filter (naiavfnx.sys) and TDI (mvstdinx.sys) drivers for removal after a system restart.
  5. Type cd \Program Files\Network Associates\Common Framework and press ENTER.
  6. Type Frminst /remove=updater and press ENTER to decrement the counter for the Common Framework service.
  7. Type cd \Program Files\Network Associates\VirusScan and press ENTER.
  8. Type Regsvr32 /u Scriptproxy.dll and press ENTER to unregister the .DLL for Script Scanning.
  9. If the McAfee AntiSpyware Enterprise Module 8.0 is installed, type CSSCAN /UninstallMAS and press ENTER to remove it.


Step 3 –
Delete registry values

  1. Click Start, Run, type regedit and press ENTER.
  2. Navigate to [HKEY_CLASSES_ROOT\*\ShellEx\ContextMenuHandlers\VirusScan].
  3. Right-click the VirusScan key and select Delete.
  4. Navigate to [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run].
  5. Right-click the value ShStatEXE and select Delete.
  6. Restart your computer.NOTE:  At this time, VirusScan Enterprise (VSE) components are no longer running and your system is unprotected. For security, you may want to disconnect from your network to continue working.

Step 4 – Remove Registry Keys

  1. Click Start, Run, type regedit and press ENTER.
  2. Select Edit, Find.
  3. Delete language dependent registry key:For VSE 8.0i English, type BB1D3FD5E498DCD4285751A99C28B934
    For VSE 8.0i German, type B1D6580FEE1125641847AE3F5DBAC666

    For VSE 8.0i Japanese, type 2CE70B0B82FF434458D8D84333E8734F

     
  4. Click Find Next.
  5. Delete any matching entries found.
  6. Repeat until no further entries are found.
  7. Navigate to each of the following keys, right-click each, and select Delete:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McTaskManager]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NaiAvFilter1]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NaiAvFilter10n] (where n is any number]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EntDrvnn] (where nn is any number)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NaiAvTdi1]
    [HKEY_LOCAL_MACHINE\Software\Network Associates\Epolicy Orchestrator\Application Plugins\VIRUSCAN8000]
    [HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\Alert Client\VSE]
    [HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\Detect]
    [HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\Entercept]
    [HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\McPAL]
    [HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\McVSSNMP]
    [HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\NVP]
    [HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\On Access Scanner]
    [HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\On Demand Scanner]
    [HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\VirusScan Engine]
    [HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\VirusScan Enterprise]For VSE 8.0i English delete:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
    \{5DF3D1BB-894E-4DCD-8275-159AC9829B43}]For VSE 8.0i German delete,

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
    \{F0856D1B-11EE-4652-8174-EAF3D5AB6C66}]

    If the AntiSpyware Enterprise Module was installed then also delete:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\VSEMAS__8000]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Uninstall\McAfee Anti-Spyware Enterprise Module]

     

  8. Navigate to the following key, right-click the value Exchange Scan and select  Delete:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Extensions] 
  9. Navigate to the following key, right-click the value C:\WINDOWS\System32\EntAPI.dll, and select Delete:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    \CurrentVersion\SharedDLLs]

Remove Directory Structure

Step 5 –

Use Windows Explorer to navigate to each of the following folders. Right click each, and select Delete:

\Program files\Network Associates\VirusScan
\Program files\Common files\Network Associates\Engine
\Documents and Settings\All Users\Start Menu\Programs\Network Associates
\Documents and settings\All Users\Application Data\Network Associates\BOPDATA
\Documents and settings\All Users\Application Data\Network Associates\VirusScan

Step 6 – Remove Files

  1. Use Windows Explorer to navigate to C:\WINDOWS\System32.
  2. Right-click EntAPI.dll and select Delete.
  3. Navigate to C:\WINDOWS\System32\Drivers.
  4. Locate the following files, right-click each one and select Delete.MVSTDInn.SYS
    NAIAVFnn.SYS
    EntDrvnn.SYS
    NOTE: nn will be two alphanumeric characters such as 5x.


If the Lotus Notes Client is installed:

  1. Open each copy of NOTES.INI and remove the following two lines:AddInMenus=NCMenu
    EXTMGR_ADDINS=NCExtMgr 
     
  2. Delete the following files from the Lotus Notes Program Files folder (default location C:\Program Files\Lotus\Notes)NCInstall.dll
    NCDaemon.exe
    NCTrace.dll
    NCScan.dll
    NCExtMgr.dll
    NCMenu.dll

McAfee recommends the following to ensure a complete cleanup of VirusScan Enterprise:

Empty all files from the following TEMP folders:

C:\Documents and Settings\<User>\Local Settings\Temp
C:\WINDOWS\Temp

Remove previous .MSI file:

  1. Navigate to C:\WINDOWS\Installer.
  2. Right-click each .MSI file and select Properties.
  3. Click the the Summary tab.
  4. If the Summery shows VirusScan, click OK, right-click the file and select Delete.

Remove the VirusScan Enterprise icons folder:

  1. Navigate to C:\WINDOWS\Installer\VSE 8.0i English Right click the {5DF3D1BB-894E-4DCD-8275-159AC9829B43} folder and select Delete.VSE 8.0i German,  Right click the {F0856D1B-11EE-4652-8174-EAF3D5AB6C66} folder and select Delete. VSE 8.0i Japanese, Right click the {B0B07EC2-FF28-4434-858D-8D34338E37F4} folder and select Delete
  2. Restart your computer.

See details at: https://kc.mcafee.com/corporate/index?page=content&id=KB58597
Source: McAfee

4 thoughts on “How to manually remove VirusScan Enterprise

  1. Very long process..

    That’s a great info. Thanks for sharing, really like your view. I can see that you are putting a lot of time and effort into your blog.

    Keep posting the good work.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.