Thank you for your patience and quick response. All I know is that I went through this a year ago for months after a McAfee update and it went away after a McAfee update. And I never had problems running a Malwarebytes scan with McAfee real time scanner running in the background except during that time and now. It's the exact same problem, happens in the exact same way and has the exact files involved again. I'm thinking that it's only affecting certain systems. I'm running Windows XP Media Center Edition Service Pack 3, all up to date. Maybe the reason a lot aren't complaining is because they've moved on to more recent Wndows. All my scans are coming up clean so do you think it would be ok to do as I said - disable McAfee real time scanning when I run a Malwarebytes scan and quit worrying?
Peter, This problem manifests itself in a number of ways depending on which files have been affected. Take a look at last year's discussion (32 pages) to see the various symptoms. For instance, I don't use Malwarebytes (so that's ruled out as a cause) but my display driver is always affected. The replaced file is not compatible with my current graphics and so the display become hopeless. I reload the right graphics driver from CD but it gets replaced again at the next boot up. There is no doubt that the file is virus free etc because it came from the manufacturer. I have other files being replaced (as seen in event viewer) but because the replacements work ok there is apparently no issue in their respect. I suspect many people will be in this latter situation and so are oblivious to the issue.
Problems with WFP are a serious cause for concern because the WFP mechanism is about maintaining the integrity of the OS files. If McAfee is disturbing the WFP mechanism, which I believe it is, then we/they should be worried.
Technical Support may have a fix for it although I can't promise that. At least they need examples to work on a fix if one is needed as it's only being seen by certain people. It's free to contact them by phone or online chat and linked under Useful Links at the top of this page.
This is all very familiar to me from last year also. As a few others have in common, I'm running Win XP Media Edition SP3, and my problems recommenced this month. N.B. I don't have Malwarebytes.
The problems have persisted since earlier this month, but I took action today. Instead of trying McAfee Tech, I simply went for the Windows System Restore. I wasn't able to select anything earlier than the 14th November (my WFP error logs started on the 9th November, you may recall), so I went for that, after doing a backup. Once restored, McAfee was still at the new versions, but shutting down the PC resulted in McAfee apps not closing properly, and having to be forcibly terminated, each time that I tried it, until the Microsoft updates had all been reinstalled. Since the Windows System Restore earlier today, I have not had any more WFP messages, whereas up until that point, they were quite common.
Not sure if anyone else can confirm this approach solves things for them, but it is far less stressful than the harrowing experience that I went through with McAfee Tech previously that ended up taking one of my machines back to its Out of the Box clean installation, and thereafter reloading all the apps and data that I could be bothered with. For me the System Restore was a walk in the park in comparison, but it could do with being verified that it works as well for others.
*** Update27-11-2012 : it hasn't solved the problem. The WFP messages are back. ***
Message was edited by: hud_engineer on 26/11/12 16:47:55 CSTMessage was edited by: hud_engineer on 27/11/12 11:13:00 CST
I've been seeing WFP messages in the Event Logs on the XP machine since 14 November. Before that date there were very few of these; after that date lots of them.
The warnings are Event 64008 and are for a number of different Windows files -
"The protected system file c:\windows\system32\wups.dll could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time."
I also have a few 64001 Events -
File replacement was attempted on the protected system file c:\windows\system32\odbcint.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 3.525.1132.0, the version of the system file is 3.525.1132.0.
And a number of Event 64004 messages which I can ignore because the all refer to the same 3 files - oembios.bin/.sig/.dat
The protected system file oembios.sig could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject.].
These all started appearing on November 14th and according to Security Center / About there was a major McAfee update on that day - the date is in the time-stamps for Firewall, Anti-Spam, Parental Controls and QuickClean (today's mega-update has put new dates on Security Center and VirusScan).
That coincidence points to the McAfee update of 14 November as being responsible.
Edit - winlogon.exe is in charge of Windows File Protection, specifically the threads "sfc_os.dll". Increased cpu activity in that program (which I sometimes see, and at least one other poster has reported) is associated in this case with problems with WFP. That's a giveaway symptom of an underlying problem. Why it's occurring I don't know.Message was edited by: Hayton on 15/12/12 00:41:20 GMT
We all see things in the Event Viewer that could, if we were so inclined, allow us to get really worried. personally I ignore it completely unless something starts malfunctioning or annoying popups keep appearing. Is this the case here?
Well, since you ask, there are several annoyances which started at around that time but may have nothing to do with WFP. Mostly I regard the WFP messages as merely informational, but I keep an eye on the 64001 messages because the reason for WFP attempting to replace a protected system file is not at all obvious.
The main reason for the previous post was to point out the apparent connection between those messages appearing and a McAfee program (as opposed to DAT) update in November.
One other thing which does perhaps connect with the WFP messages is unexpected behaviour from mcsvhost. mcsvhost frequently crashes after the PC comes out of standby or hibernation, but that's okay because it just auto-restarts after a short interval. This too has only started in the past month or so, after that update.
There is also odd behaviour from mfevtps (McAfee Process Validation Service) : straight after I downloaded an optional Microsoft Update (KB931125) which updated the list of root certificates, mfevtps went into overdrive and took all the cpu for about ten minutes and at the same time initiated a massive amount of network i/o. This was not a McAfee auto-update because that function is disabled.
Oh, and there have also been a few BSODs. Nothing to worry about, I investigated each one and took remedial action where required.
I'm not too fussed about Event Viewer messages except where they indicate either a continuing problem or a critical one. Much more interesting is the Dr Watson log (drwtsn32.log) which has the state dumps and stack back traces for the mcsvhost failure - although it helps to know a bit of Assembler if you want to look at those.
I hear you. Well we'll we say what is said on our call on Monday. By 'is this case here' I meant is McAfee causing problems other than warnings in Event Viewer.Message was edited by: Ex_Brit on 15/12/12 12:44:54 EST PM