Browse All Articles > Recover svchost.exe due to False Positive McAfee (april, 21 2010)
Today McAfee released an update of their DAT files where svchost.exe was marked as a virus and therefore deleted.
This message was sent by McAfee:
================================================================
Urgent Alert:
McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file April 21 at 2:00pm (GMT +1), which is affecting numerous customers.
McAfee advises customers NOT to download this DAT and to disable automatic pull and update tasks.
Watch for updates on this issue, which will be sent on a timely basis.
Customer Communication
This message is being sent to customers via Support Notification Service (SNS), McAfee Labs DAT Notification List, MTIS, and a Platinum Proactive.
================================================================
Because of deletion of the svchost.exe the machine was automatically restarted.. afterwards Windows and a lot of programs give problems.
I could however start task manager by pressing Ctrl + Shift + Esc. Here you can start a new process.
The solution for my laptop was the following:
Start through the task manager a new task explorer.exe
browse to c:\program files\mcafee\Virusscan or any other McAfee directory where you're McAfee Anti virus is located.
I started Mconsole.exe where i disabled automatic updates, disabled autostart of OnAccess scanner and started the quarantine manager. Here i could select the 'virus' detected today and restored it.
afterwards everything was ok...
McAfee is still disabled until the give the world a signal that it is save to updates.
I can imagine that there are machines that delete the file without putting it in quarantine. Than you wil have to recover svchost through you're original installation files / CD. On several brand pc's there's an I386 directory in the root. start cmd through the task manager as we did with explorer in the first half of this article. then goto the i386 directory, and expand svchost.ex_ with expand.exe. i.e.: Expand svchost.ex_ C:\windows\system32
Another way is to use you're Windows XP installation Disc:
Boot from your Windows XP disk and use recovery console, follow the onscreen stuff and put the admin password in that you setup when you installed windows, you should now be at a prompt EXAMPLE: C:\WINDOWS>
At the end of the prompt type: cd F:\I386
F is the letter of the drive where your XP disk is so you will need to change it to your drive letter. The prompt should now be F:\I386>
After the prompt type: Expand svchost.ex_ C:\windows\system32
C is the letter of you HD were windows XP is installed, needs to be changed accordingly. At the prompt type: exit
Your sytem will re-boot and you will now have a copy of svchost.exe in your system32 folder again.
watch out.. try to use a version that matches you're system... It is possible that you're cd is the first Windows XP cd and you're system is upgraded to SP3 already..
Appearantly USB is not working so copying a version from another computer is difficult... Maybe you can use a burned CDor fixed card reader...
I hope this article helps you prevent and otherwise recover from this McAfee glitch.
kind regards,
Carlo van Orsouw
[Page Editor Note]:
McAfee have provided updated instructions via their Knowledge Base.
Please also review the information here:
http://vil.nai.com/vil/5958_false.htm
younghv
EE Page Editor
This message was sent by McAfee:
==========================
Urgent Alert:
McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file April 21 at 2:00pm (GMT +1), which is affecting numerous customers.
McAfee advises customers NOT to download this DAT and to disable automatic pull and update tasks.
Watch for updates on this issue, which will be sent on a timely basis.
Customer Communication
This message is being sent to customers via Support Notification Service (SNS), McAfee Labs DAT Notification List, MTIS, and a Platinum Proactive.
==========================
Because of deletion of the svchost.exe the machine was automatically restarted.. afterwards Windows and a lot of programs give problems.
I could however start task manager by pressing Ctrl + Shift + Esc. Here you can start a new process.
The solution for my laptop was the following:
Start through the task manager a new task explorer.exe
browse to c:\program files\mcafee\Virusscan or any other McAfee directory where you're McAfee Anti virus is located.
I started Mconsole.exe where i disabled automatic updates, disabled autostart of OnAccess scanner and started the quarantine manager. Here i could select the 'virus' detected today and restored it.
afterwards everything was ok...
McAfee is still disabled until the give the world a signal that it is save to updates.
I can imagine that there are machines that delete the file without putting it in quarantine. Than you wil have to recover svchost through you're original installation files / CD. On several brand pc's there's an I386 directory in the root. start cmd through the task manager as we did with explorer in the first half of this article. then goto the i386 directory, and expand svchost.ex_ with expand.exe. i.e.: Expand svchost.ex_ C:\windows\system32
Another way is to use you're Windows XP installation Disc:
Boot from your Windows XP disk and use recovery console, follow the onscreen stuff and put the admin password in that you setup when you installed windows, you should now be at a prompt EXAMPLE: C:\WINDOWS>
At the end of the prompt type: cd F:\I386
F is the letter of the drive where your XP disk is so you will need to change it to your drive letter. The prompt should now be F:\I386>
After the prompt type: Expand svchost.ex_ C:\windows\system32
C is the letter of you HD were windows XP is installed, needs to be changed accordingly. At the prompt type: exit
Your sytem will re-boot and you will now have a copy of svchost.exe in your system32 folder again.
watch out.. try to use a version that matches you're system... It is possible that you're cd is the first Windows XP cd and you're system is upgraded to SP3 already..
Appearantly USB is not working so copying a version from another computer is difficult... Maybe you can use a burned CDor fixed card reader...
I hope this article helps you prevent and otherwise recover from this McAfee glitch.
kind regards,
Carlo van Orsouw
[Page Editor Note]:
McAfee have provided updated instructions via their Knowledge Base.
Please also review the information here:
http://vil.nai.com/vil/5958_false.htm
younghv
EE Page Editor
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (12)
Commented:
SneakerNet time.
Boy-oh-boy, events such as this make me really glad I'm on the retired rolls.
Commented:
Then they are keeping their promises, hard to catch any nasties when you're completely offline, right? =o)
Commented:
Uninstall McAfee with MVSUninst.exe from McAfee site downloadable.
Restart
Copy the svchost.exe from another computer on the affected computer
Restart
Reinstall the McAfee Antivirus Scanner and update.
Commented:
McAfee has been updating their advice for this problem as quickly as they make changes.
I think we all do well to monitor this link for additional authoritative advice:
http://vil.nai.com/vil/5958_false.htm
Commented:
Uninstall McAfee with MVSUninst.exe from McAfee site.
Restart
Replace svchost.exe from another computer or the Windows CD-ROM
Restart
Reinstall a different Anti-Virus product : )
View More