Recover svchost.exe after the McAfee False Positive (April 21, 2010)

Today McAfee released an update of their DAT files where svchost.exe was marked as a virus and therefore deleted.

This message was sent by McAfee:

================================================================
Urgent Alert:

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file April 21 at 2:00pm (GMT +1), which is affecting numerous customers.

McAfee advises customers NOT to download this DAT and to disable automatic pull and update tasks.

Watch for updates on this issue, which will be sent on a timely basis.

Customer Communication

This message is being sent to customers via Support Notification Service (SNS), McAfee Labs DAT Notification List, MTIS, and a Platinum Proactive.
================================================================

Because svchost.exe was deleted, the machine restarted automatically. Afterwards Windows and a lot of programs had problems.

I could, however, start Task Manager by pressing Ctrl + Shift + Esc. From there you can start a new process.

The solution for my laptop was the following:

Through Task Manager, start a new task: explorer.exe
Browse to c:\program files\mcafee\Virusscan or whichever other McAfee directory your McAfee antivirus is installed in.

I started Mconsole.exe, where I disabled automatic updates, disabled autostart of the OnAccess scanner and started the quarantine manager. There I could select the 'virus' detected today and restore it.

Afterwards everything was OK.

McAfee is still disabled until they give the world a signal that it is safe to update.

I can imagine that there are machines that delete the file without putting it in quarantine. Then you will have to recover svchost from your original installation files / CD. On several brand-name PCs there is an I386 directory in the root. Start cmd through Task Manager as we did with explorer in the first half of this article, then go to the I386 directory and expand svchost.ex_ with expand.exe, i.e.: Expand svchost.ex_ C:\windows\system32

Another way is to use your Windows XP installation disc:
Boot from your Windows XP disc and use the Recovery Console. Follow the on-screen instructions and enter the admin password that you set up when you installed Windows. You should now be at a prompt, for example: C:\WINDOWS>

At the end of the prompt type: cd F:\I386
F is the letter of the drive where your XP disk is so you will need to change it to your drive letter. The prompt should now be F:\I386>

After the prompt type: Expand svchost.ex_ C:\windows\system32
C is the letter of the hard disk where Windows XP is installed; change it accordingly. At the prompt type: exit
Your system will reboot and you will now have a copy of svchost.exe in your system32 folder again.

Watch out: try to use a version that matches your system. It is possible that your CD is the first Windows XP CD and your system has already been upgraded to SP3.
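
The cmd-based recovery above as one batch file, an added example that is not part of the original article. It goes beyond the article by first trying the dllcache and ServicePackFiles\i386 folders, which on many Windows XP installations hold an uncompressed copy matching the installed service pack; those folders and an I386 directory in the root of the system drive are assumptions about the machine, and each is skipped if absent.

```batch
@echo off
rem Added example (not from the original article): restore a missing svchost.exe.
rem Run it from a cmd.exe started through Task Manager.
setlocal
set "TARGET=%SystemRoot%\system32\svchost.exe"

if exist "%TARGET%" (
    echo svchost.exe is already present, nothing to do.
    goto :eof
)

rem 1) Uncompressed copies that normally match the installed service pack.
rem    Assumption: these folders exist on this machine; missing ones are skipped.
for %%F in (
    "%SystemRoot%\system32\dllcache\svchost.exe"
    "%SystemRoot%\ServicePackFiles\i386\svchost.exe"
) do if exist %%F if not exist "%TARGET%" (
    echo Copying %%F
    copy /y %%F "%TARGET%" >nul
)

rem 2) Compressed copy from the installation files, as in the article.
rem    It may be older than the installed service pack.
rem    Assumption: the I386 directory is in the root of the system drive.
rem    The destination is given as a full file name so the result is svchost.exe.
if not exist "%TARGET%" if exist "%SystemDrive%\I386\svchost.ex_" (
    echo Expanding %SystemDrive%\I386\svchost.ex_
    expand "%SystemDrive%\I386\svchost.ex_" "%TARGET%" >nul
)

if exist "%TARGET%" (
    echo Restored %TARGET% - restart the machine.
) else (
    echo No source copy found. Use the Windows XP disc instead.
    exit /b 1
)
```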

Apparently USB is not working, so copying a version from another computer is difficult. Maybe you can use a burned CD or a fixed card reader.

I hope this article helps you prevent and otherwise recover from this McAfee glitch.

kind regards,

Carlo van Orsouw

[Page Editor Note]:

McAfee have provided updated instructions via their Knowledge Base.
Please also review the information here:
http://vil.nai.com/vil/5958_false.htm

younghv
EE Page Editor

Comments (12)


Commented:
"...no longer able to access any network,..."

SneakerNet time.
Boy-oh-boy, events such as this make me really glad I'm on the retired rolls.
Bob Stone, IT Guru

Commented:
>>computer on which McAfee has deleted svchost.exe is no longer able to access any network

Then they are keeping their promises, hard to catch any nasties when you're completely offline, right? =o)
Willy Van den Houten, Network and Security Assistant

Commented:
Solution:

Uninstall McAfee with MVSUninst.exe, downloadable from the McAfee site.

Restart

Copy the svchost.exe from another computer to the affected computer

Restart

Reinstall the McAfee Antivirus Scanner and update.


Commented:
All:
McAfee has been updating their advice for this problem as quickly as they make changes.

I think we all do well to monitor this link for additional authoritative advice:
http://vil.nai.com/vil/5958_false.htm
Alan Hardisty, Co-Owner

Commented:
Best advice?

Uninstall McAfee with MVSUninst.exe from McAfee site.

Restart

Replace svchost.exe from another computer or the Windows CD-ROM

Restart

Reinstall a different Anti-Virus product : )
