Recover svchost.exe due to False Positive McAfee (April 21, 2010)

Today McAfee released an update of their DAT files where svchost.exe was marked as a virus and therefore deleted.

This message was sent by McAfee:

================================================================
Urgent Alert:

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file April 21 at 2:00pm (GMT +1), which is affecting numerous customers.

McAfee advises customers NOT to download this DAT and to disable automatic pull and update tasks.

Watch for updates on this issue, which will be sent on a timely basis.

Customer Communication

This message is being sent to customers via Support Notification Service (SNS), McAfee Labs DAT Notification List, MTIS, and a Platinum Proactive.
================================================================

Because svchost.exe was deleted, the machine restarted automatically. Afterwards, Windows and a lot of programs had problems.

I could, however, start Task Manager by pressing Ctrl + Shift + Esc. Here you can start a new process.

The solution for my laptop was the following:

Through Task Manager, start a new task: explorer.exe
Browse to c:\program files\mcafee\Virusscan or any other McAfee directory where your McAfee antivirus is located.

I started Mconsole.exe, where I disabled automatic updates, disabled autostart of the OnAccess scanner and started the quarantine manager. Here I could select the 'virus' detected today and restore it.

Afterwards everything was OK.

McAfee is still disabled until they give the world a signal that it is safe to update.

I can imagine that there are machines that delete the file without putting it in quarantine. Then you will have to recover svchost.exe from your original installation files / CD. On several brand-name PCs there is an I386 directory in the root. Start cmd through Task Manager as we did with explorer.exe in the first half of this article, then go to the I386 directory and expand svchost.ex_ with expand.exe, i.e.: Expand svchost.ex_ C:\windows\system32

Another way is to use your Windows XP installation disc:
Boot from your Windows XP disc and use the Recovery Console. Follow the on-screen prompts and enter the admin password that you set up when you installed Windows. You should now be at a prompt, for example: C:\WINDOWS>

At the end of the prompt type: cd F:\I386
F is the letter of the drive where your XP disc is, so you will need to change it to your drive letter. The prompt should now be F:\I386>

After the prompt type: Expand svchost.ex_ C:\windows\system32
C is the letter of the hard drive where Windows XP is installed; change it accordingly. At the prompt type: exit
Your system will reboot and you will now have a copy of svchost.exe in your system32 folder again.

Watch out: try to use a version that matches your system. It is possible that your CD is the first Windows XP CD and your system has already been upgraded to SP3.

Apparently USB is not working, so copying a version from another computer is difficult. Maybe you can use a burned CD or a fixed card reader.

I hope this article helps you prevent and otherwise recover from this McAfee glitch.

kind regards,

Carlo van Orsouw

[Page Editor Note]:

McAfee have provided updated instructions via their Knowledge Base.
Please also review the information here:
http://vil.nai.com/vil/5958_false.htm

younghv
EE Page Editor