Recovering from the McAfee DAT 5958 update.

Yesterday McAfee released a new DAT update that caused McAfee to identify svchost.exe as an infected file. McAfee then attempts to quarantine this file, which results in Windows rebooting with a shutdown message some of us will remember from the Sasser worm chaos.

The result of this is that the machine cannot be used anymore. svchost.exe is the generic host process for services that run from DLLs, and it is pretty important for Windows. If you would like to get an idea of the impact on your system, this article might be all you need 🙂
http://support.microsoft.com/kb/314056

Now how to recover?
First I would advise following any manual McAfee brings out describing how to recover using the McAfee scanner console. In the cases where the quarantine has been deleted (some of our machines), follow the instructions below…

If you are unable to restore svchost.exe from the quarantine, you can follow these steps to recover your system.

0. Get the corrected SuperDAT from McAfee and put it on a USB stick, CD or other available media. No network locations.
1. Boot from the Windows CD and select the Recovery Console.
2. Select the correct Windows partition and log on as the local administrator.
3. Browse to C:\windows\system32 using the command: cd \windows\system32\
4. Open the CD-ROM drive using the allocated drive letter, usually D:, by typing D:
5. Browse to the i386 directory located on the CD using: cd \i386\
6. Copy the original svchost.ex_ to your Windows drive using the command:
   expand svchost.ex_ C:
   (C: is the drive you were on in step 3; this might differ, in which case you need to change the drive letter to your system-specific drive.)
7. Boot the system in safe mode. The selection can be done by pressing F8 repeatedly during boot.
8. While in safe mode, run the SuperDAT you acquired in step 0.
9. After the update, reboot your system normally.
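Before putting a recovered machine back on the network, it is worth checking that the restored svchost.exe is byte-identical to the copy on the installation media and that the scanner is no longer running the bad definitions. The script below is an added example and not part of the original post or of any McAfee tooling. It assumes that a second pristine copy of svchost.exe has been expanded from i386\svchost.ex_ into a scratch directory for comparison, and that the DAT version is available as a text line of the form "DAT Version: 5958.0000" (a constructed sample format; in practice you would read it from the VirusScan console). The demo uses placeholder bytes in a temporary directory, not a real svchost.exe.

```python
"""Post-recovery verification for the McAfee DAT 5958 false positive.

Added example, not code from the original post or from McAfee.
Assumptions: a pristine svchost.exe was expanded from the installation
media into a scratch directory, and the DAT version is given as a text
line such as "DAT Version: 5958.0000" (constructed format).
"""
import hashlib
import re
import tempfile
from pathlib import Path

# The DAT release that flagged svchost.exe, from the post.
BAD_DAT = 5958


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def restored_matches_pristine(restored, pristine):
    """True when the restored svchost.exe is byte-identical to the copy
    expanded from the installation media; False if either is missing."""
    restored, pristine = Path(restored), Path(pristine)
    if not (restored.is_file() and pristine.is_file()):
        return False
    return sha256_of(restored) == sha256_of(pristine)


def parse_dat_version(text):
    """Extract the integer DAT number from a 'DAT Version: NNNN.NNNN' line."""
    m = re.search(r"DAT Version:\s*(\d+)", text)
    if not m:
        raise ValueError("no DAT version found in: %r" % text)
    return int(m.group(1))


def dat_is_safe(version):
    """The host must be past the release that caused the false positive."""
    return version > BAD_DAT


def recovery_checks(restored, pristine, dat_text):
    """Run all checks; every value must be True before reconnecting the host."""
    return {
        "svchost_present": Path(restored).is_file(),
        "svchost_matches_media": restored_matches_pristine(restored, pristine),
        "dat_past_5958": dat_is_safe(parse_dat_version(dat_text)),
    }


def demo():
    """Constructed scratch layout standing in for C:\\windows\\system32 and
    the expanded i386 copy. Returns (checks after a good recovery,
    checks for a mismatched copy still on DAT 5958)."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp, "system32")
        media = Path(tmp, "i386_expanded")
        sys32.mkdir()
        media.mkdir()
        good = b"PLACEHOLDER-SVCHOST-BYTES"  # not a real svchost.exe
        (media / "svchost.exe").write_bytes(good)
        (sys32 / "svchost.exe").write_bytes(good)
        restored, pristine = sys32 / "svchost.exe", media / "svchost.exe"

        ok = recovery_checks(restored, pristine, "DAT Version: 5959.0000")

        # Simulate a restored file that does not match the media copy,
        # on a machine that still has the bad definitions installed.
        restored.write_bytes(good + b"\x00")
        bad = recovery_checks(restored, pristine, "DAT Version: 5958.0000")
        return ok, bad


if __name__ == "__main__":
    for label, result in zip(("good recovery", "bad recovery"), demo()):
        print(label, result)
```

The hash comparison deliberately uses the copy you expanded yourself rather than a published hash, so the check does not depend on knowing the exact svchost.exe build for your service pack; the DAT check is a simple "greater than the bad release" gate.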

This is a pretty long road, but it will fix the problem in all cases.

Thanks to Benjamin van Ditmars for suggesting the expand option. We used a “good” copy of svchost before this suggestion. The expand option is “safer” 🙂

About Chris Gralike

Currently I am manager of the business continuity department at the business IT service provider AMIS Services BV. I have been active in the ICT sector since 2003. Between 2003 and now I have fulfilled various roles. In the roles of system and network administrator, system engineer, service manager and now practice manager, I have come into contact with a wide range of technologies, methodologies, ideas, solutions and innovations. A rich experience with which I try to support the customers of Conclusion and AMIS every day. My credo: 'Always looking for a win-win between business and technology.'

Posted on April 22, 2010, in Windows XP SP2.

  1. Benjamin van Ditmars

    old-school DOS, always nice to work with DOS commands, and they never let you down
