Browse All Articles
> Recover svchost.exe due to False Positive McAfee (april, 21 2010)
Today McAfee released an update of their DAT files where svchost.exe was marked as a virus and therefore deleted.
This message was sent by McAfee:
McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file April 21 at 2:00pm (GMT +1), which is affecting numerous customers.
McAfee advises customers NOT to download this DAT and to disable automatic pull and update tasks.
Watch for updates on this issue, which will be sent on a timely basis.
This message is being sent to customers via Support Notification Service (SNS), McAfee Labs DAT Notification List, MTIS, and a Platinum Proactive.
Because of deletion of the svchost.exe the machine was automatically restarted.. afterwards Windows and a lot of programs give problems.
I could however start task manager by pressing Ctrl + Shift + Esc. Here you can start a new process.
The solution for my laptop was the following:
Start through the task manager a new task explorer.exe
browse to c:\program files\mcafee\Virusscan or any other McAfee directory where you're McAfee Anti virus is located.
I started Mconsole.exe where i disabled automatic updates, disabled autostart of OnAccess scanner and started the quarantine manager. Here i could select the 'virus' detected today and restored it.
afterwards everything was ok...
McAfee is still disabled until the give the world a signal that it is save to updates.
I can imagine that there are machines that delete the file without putting it in quarantine. Than you wil have to recover svchost through you're original installation files / CD. On several brand pc's there's an I386 directory in the root. start cmd through the task manager as we did with explorer in the first half of this article. then goto the i386 directory, and expand svchost.ex_ with expand.exe. i.e.: Expand svchost.ex_ C:\windows\system32
Another way is to use you're Windows XP installation Disc:
Boot from your Windows XP disk and use recovery console, follow the onscreen stuff and put the admin password in that you setup when you installed windows, you should now be at a prompt EXAMPLE: C:\WINDOWS>
At the end of the prompt type: cd F:\I386
F is the letter of the drive where your XP disk is so you will need to change it to your drive letter. The prompt should now be F:\I386>
After the prompt type: Expand svchost.ex_ C:\windows\system32
C is the letter of you HD were windows XP is installed, needs to be changed accordingly. At the prompt type: exit
Your sytem will re-boot and you will now have a copy of svchost.exe in your system32 folder again.
watch out.. try to use a version that matches you're system... It is possible that you're cd is the first Windows XP cd and you're system is upgraded to SP3 already..
Appearantly USB is not working so copying a version from another computer is difficult... Maybe you can use a burned CDor fixed card reader...
I hope this article helps you prevent and otherwise recover from this McAfee glitch.
Carlo van Orsouw
[Page Editor Note]:
McAfee have provided updated instructions via their Knowledge Base.
Please also review the information here:
EE Page Editor