
Recover svchost.exe after the McAfee false positive (April 21, 2010)

Today (April 21, 2010) McAfee released an update of their DAT files (DAT 5958) in which svchost.exe was flagged as the virus W32/Wecorl.a and therefore deleted or quarantined.

This message was sent by McAfee:

================================================================
Urgent Alert:

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file April 21 at 2:00pm (GMT +1), which is affecting numerous customers.

McAfee advises customers NOT to download this DAT and to disable automatic pull and update tasks.

Watch for updates on this issue, which will be sent on a timely basis.

Customer Communication

This message is being sent to customers via Support Notification Service (SNS), McAfee Labs DAT Notification List, MTIS, and a Platinum Proactive.
================================================================

Because svchost.exe was deleted, the machine restarted automatically; afterwards Windows and a lot of programs have problems. svchost.exe hosts most Windows services (networking, RPC, Plug and Play among them), so almost anything that depends on a service stops working until the file is back.

I could however start Task Manager by pressing Ctrl+Shift+Esc, and from there you can start a new process.

The solution for my laptop was the following:

Start a new task through Task Manager: explorer.exe
Browse to C:\Program Files\McAfee\VirusScan, or whichever other McAfee directory your McAfee antivirus is installed in.

I started mcconsole.exe (the VirusScan Console), where I disabled automatic updates, disabled autostart of the On-Access Scanner and started the Quarantine Manager. There I could select the 'virus' detected today and restore it.

Afterwards everything was OK.

McAfee is still disabled until they give the world a signal that it is safe to update again.

I can imagine there are machines on which the file was deleted without being put in quarantine. Then you will have to recover svchost.exe from your original installation files or CD. On several brand-name PCs there is an I386 directory in the root of the system drive. Start cmd through Task Manager, as we did with explorer.exe in the first half of this article, then expand svchost.ex_ with expand.exe. Give the destination file name in full: without the -r switch, expand.exe writes the output under the source name, so pointing it at the system32 directory alone would leave you with a file literally called svchost.ex_. For example:

expand C:\I386\svchost.ex_ C:\windows\system32\svchost.exe

Another way is to use your Windows XP installation disc:
Boot from the Windows XP disc and choose the Recovery Console. Follow the on-screen prompts and enter the Administrator password you set when you installed Windows. You should now be at a prompt, for example: C:\WINDOWS>

At the prompt type (F is the drive letter of your XP disc and C the drive where Windows XP is installed; change both to match your machine):

expand F:\I386\svchost.ex_ C:\windows\system32\svchost.exe

Then type: exit
Your system will reboot and you will have a copy of svchost.exe in your system32 folder again.

Watch out: use a version that matches your system. It is possible that your CD is the original Windows XP CD while your system has already been upgraded to SP3; the svchost.exe on that CD is then an older build than the one McAfee deleted. Prefer an SP3 (slipstreamed) CD, or a copy of svchost.exe taken from another machine at the same service pack level.

Apparently USB is not working, so copying a version from another computer is difficult. Maybe you can use a burned CD or a fixed (built-in) card reader.
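The two recovery paths above (local I386 folder, or a burned/installation CD) put into one script that you can start from Task Manager > File > New Task as cmd. This is an added example, not code from Carlo's article or from McAfee. It goes a little beyond the text: it cancels the pending restart first, reports the installed service pack so you can pick a matching source, also tries the Windows File Protection copy in dllcache (which may have been removed as well), scans a list of drive letters, and checks that the restored file is not empty and is not deleted again by the still-running on-access scanner. Assumed and not from the page: the drive letters D: to H: for removable media, the script name restore-svchost.cmd, and the use of ping to 127.0.0.1 as a sleep (XP has no sleep command).

```batch
@echo off
rem restore-svchost.cmd -- added example for this article, not part of
rem Carlo's original post. Assumptions: Windows XP, run as local admin
rem from Task Manager > File > New Task > cmd, removable media on D: to H:
rem (adjust the list below if your drive letters differ).
setlocal enableextensions

set "TARGET=%SystemRoot%\system32\svchost.exe"
set "DLLCACHE=%SystemRoot%\system32\dllcache\svchost.exe"

rem 1. Windows schedules a 60-second restart when svchost.exe dies;
rem    cancel it so the rest of this script gets a chance to run.
shutdown -a >nul 2>&1

rem 2. Report the installed service pack: the replacement must match it
rem    (an SP3 system needs the SP3 svchost.exe, not the one from an
rem    original SP0/SP1 CD). reg.exe reads HKLM locally, no RPC needed.
set "SP=none"
for /f "tokens=2*" %%A in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion 2^>nul ^| find "CSDVersion"') do set "SP=%%B"
echo Installed service pack: %SP%

if exist "%TARGET%" (
    echo %TARGET% is already present, nothing to restore.
    goto :verify
)

rem 3. Candidate sources, cheapest first. The dllcache copy is the
rem    Windows File Protection backup; it may have been removed too.
if exist "%DLLCACHE%" (
    echo Restoring from the Windows File Protection cache
    copy /y "%DLLCACHE%" "%TARGET%" >nul
    goto :verify
)
for %%D in (%SystemDrive% D: E: F: G: H:) do (
    if not exist "%TARGET%" (
        if exist "%%D\I386\svchost.ex_" (
            echo Expanding %%D\I386\svchost.ex_
            rem Full destination file name: expand.exe without -r would
            rem otherwise write a file literally named svchost.ex_
            expand "%%D\I386\svchost.ex_" "%TARGET%" >nul
        ) else if exist "%%D\svchost.exe" (
            rem A plain svchost.exe burned to CD from a machine at the
            rem same service pack level
            echo Copying %%D\svchost.exe
            copy /y "%%D\svchost.exe" "%TARGET%" >nul
        )
    )
)

:verify
if not exist "%TARGET%" (
    echo FAILED: no usable source found. Try the Recovery Console path.
    goto :end
)
rem 4. Sanity checks: a zero-byte file is useless, and if the file
rem    vanishes again within a few seconds the On-Access Scanner is
rem    still running with DAT 5958 and must be disabled first.
for %%F in ("%TARGET%") do if %%~zF EQU 0 (
    echo FAILED: %TARGET% is zero bytes, re-run with a different source.
    goto :end
)
rem ping to loopback as a ~3 second sleep; XP has no sleep command.
ping -n 4 127.0.0.1 >nul
if not exist "%TARGET%" (
    echo FAILED: %TARGET% was deleted again. Disable the McAfee On-Access
    echo Scanner in the VirusScan Console, then re-run this script.
    goto :end
)
echo OK: %TARGET% restored. Keep McAfee updates disabled until DAT 5958
echo has been withdrawn, then restart the computer.

:end
endlocal
pause
```

Run it once, read the service pack line, and if it reports SP3 make sure the CD you use carries an SP3 build of svchost.exe; a restored file that disappears again after a few seconds means the on-access scanner is still active and has to be switched off in the console before retrying.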

I hope this article helps you prevent, and otherwise recover from, this McAfee glitch.

kind regards,

Carlo van Orsouw

[Page Editor Note]:

McAfee have provided updated instructions via their Knowledge Base.
Please also review the information here:
http://vil.nai.com/vil/5958_false.htm

younghv
EE Page Editor
13 Comments
 
LVL 11

Expert Comment

by:slemmesmi
Dear Carlo,

thank you very much for your post.
Another solution that we apply is (now that McAfee have stopped deploying the faulty 5958):
1. Burn a CD with three files:
    REPAIR.CMD
    svchost.exe (from XP SP3 and/or KB958644)
    SDAT5957.exe (from McAfee)
2. On an impacted computer (as local admin) run REPAIR.CMD from the CD.

The REPAIR.CMD is:
@echo off
rem REPAIR.CMD - run from the CD as local admin on an impacted XP machine.
rem Use the script's own folder (the CD) as the source instead of ".\",
rem so it also works when the current directory is not the CD.
setlocal
set "SRC=%~dp0"
set "DST=%SystemRoot%\system32"
echo.
echo Repair of deleted svchost.exe
echo.
echo Attempting to copy svchost.exe into %DST%
echo.
copy /y "%SRC%svchost.exe" "%DST%\" || echo WARNING: copy failed, check the CD and run this script again.
echo.
echo Applying correct McAfee DAT file (SDAT5957 may restart the computer)
echo.
"%SRC%sdat5957.exe" /LOGFILE C:\SDAT5957.log /SILENT /F
rem Second copy in case the first was undone; it is simply skipped if
rem SDAT5957 already restarted the machine, and the script can be re-run.
echo Copying svchost.exe into %DST%
echo.
copy /y "%SRC%svchost.exe" "%DST%\"
echo.
echo Repair completed.
echo.
echo Remove the CD from the CD drive and restart the computer!
echo.
endlocal
pause

Kind regards,
Soren
 
LVL 5

Author Comment

by:carlo_vanorsouw
Thanks Soren,

Great addition.

kind regards from the Netherlands,

Carlo
 
LVL 9

Expert Comment

by:Bob Stone
I am so glad I stopped using McAfee over a decade ago.
 
LVL 38

Expert Comment

by:younghv
stone5150:
We all have our favorites...and our "rather nots".
McAfee ePO was always my favorite after getting severely burned by that other very large AV company.
Of course, when there is a glitch (GLITCH??!!) like this, it is especially painful - since the pull technology of the ePO Agent makes it so damn effective.
Most networks in the 8,000-10,000 host range will be completely updated within about 20 minutes - which means that a whole bunch of SysAdmins are going to be working overtime tonight.

slemmesmi:
It has been a while since I ran with the big dogs, but I think your help shown above can be run using "PSEXEC".
A text file with all of the host names, plus a network folder with those files and this entire process could be completed in minutes - even for a very large network.

Before I forget - big "Yes" vote above for Carlo putting this together so quickly.
 
LVL 11

Expert Comment

by:slemmesmi
Dear younghv,

an "impacted" computer on which McAfee has deleted svchost.exe is no longer able to access any network, and "PSEXEC" will thus not be useful. Hence we must resolve it manually.

P.S. The reason we do (attempt) the copy twice, is that the SDAT5957.exe may restart the computer (in which case the second copy will not occur). The script can be executed on a computer more than once if necessary.

Kind regards,
Soren
 
LVL 76

Expert Comment

by:Alan Hardisty
Oh Joy - the support calls are already coming in to us and it's only 9:47am on the 22nd April and this is the second call I have had!

Great Article - got a vote from me.
 
LVL 11

Expert Comment

by:slemmesmi
Dear all,

please note that the eventual/potential "shutdown" countdown of 60 seconds before the computer restarts can be aborted from a command prompt by running (once the countdown has started): shutdown -a

Hence what we do right after logging on is:
1. Open Task Manager (by pressing CTRL+SHIFT+Esc)
2. Select: File > New Task (Run...)
3. Enter (and then select OK): cmd
4. Enter (but do not yet run/press Enter): shutdown -a

Kind regards,
Soren
 
LVL 38

Expert Comment

by:younghv
"...no longer able to access any network,..."

SneakerNet time.
Boy-oh-boy, events such as this make me really glad I'm on the retired rolls.
 
 

Administrative Comment

by:younghv
All - further information and procedure details are available here:
http://vil.nai.com/vil/5958_false.htm
 
LVL 9

Expert Comment

by:Bob Stone
>>computer on which McAfee has deleted svchost.exe is no longer able to access any network

Then they are keeping their promises, hard to catch any nasties when you're completely offline, right? =o)
 
LVL 3

Expert Comment

by:Willy Van den Houten
Solution :

Uninstall McAfee with MVSUninst.exe from McAfee site downloadable.

Restart

Copy the svchost.exe from another computer on the affected computer

Restart

Reinstall the McAfee Antivirus Scanner and update.

 
LVL 38

Expert Comment

by:younghv
All:
McAfee has been updating their advice for this problem as quickly as they make changes.

I think we all do well to monitor this link for additional authoritative advice:
http://vil.nai.com/vil/5958_false.htm
 
LVL 76

Expert Comment

by:Alan Hardisty
Best advice ?

Uninstall McAfee with MVSUninst.exe from McAfee site.

Restart

Replace svchost.exe from another computer or the Windows CD-ROM

Restart

Reinstall a different Anti-Virus product : )
