Yesterday Mcafee released a new DAT update that caused mcafee to identify svchost.exe as an infected file. Mcafee next attempts to quarantine this file which results in windows rebooting with a shutdown message some of us will remember from the Sass worm chaos.
Result of this is that the machine can be used anymore. svchost.exe is a name for general hostprocesses ran from DLLs, and pretty important for windows. If you would like to get an idea of the impact on you system this article might be all you need 🙂
Now how to recover?
1st i would advice to follow any manual mcafee brings out describing how to recover using the mcafee scanner console. In the cases where the quarantine is deleted (some of our machines) follow the instructions below…
If you are unable to restore svchost.exe from the quarantine you might follow these steps to recover your system.
0. Get the corrected Superdat from Mcafee and put it on a USB, CD or other available media, No network locations.
1. Boot from the windows CD and select the recovery console.
2. Select the correct windows partition and logon as the local administrator.
3. Browse to C:\windows\system32 using the command : cd \windows\system32\
4. open de CD-rom player using the allocated drive letter, usually D:\ by typing D:
5. Browse to the i386 directory located on the CD using : cd \i386\
6. copy the original svchost.ex_ to your windows drive using the command:
expand svchost.ex_ C: (C: is the drive you where on in step 3, this might differ,
in which case you need to change the drive letter to your system specific drive)
7. Boot the system in savemode. The selection can be done by pressing F8 repeatedly during boot.
8. While in savemode run and execute the superdat you accuired in step 0.
9. After the update reboot your system normally.
This is a pretty long road, but will fix the problem in all cases.
Thanks to Benjamin van Ditmars for suggesting the Expand option. We used a “good” copy of svchost before this suggestion. The expand option is “saver” 🙂