McAfee “False Positive” System Damage Repair – aka “5958”

Yesterday McAfee released an update (DAT No 5958) which incorrectly identified a vital Windows XP system file (svchost.exe) as a virus and deleted it (http://news.bbc.co.uk/1/hi/technology/8636985.stm), resulting in some or all of the following symptoms, amongst others:

1. Repeated rebooting of the system.

2. Loss of Windows “Theme” / “Look & Feel”.

3. Missing “Taskbar”.

4. Inability to use some USB devices.

5. Inability to connect to LAN / WAN / Internet. (Yes, this means no clever network wide solution! 🙁 )

6. Inability to Copy & Paste. (To make things even harder!)

http://vil.nai.com/vil/5958_false.htm

Having tried McAfee’s suggestions and various other options, I’ve found the following to be the quickest, simplest, cleanest fix, which also leaves you with the very latest (non-hazardous!) virus definitions installed!
(This assumes you have access to another, working, computer, which you clearly do or you wouldn’t be reading this!)

1. Download http://download.nai.com/products/licensed/superdat/english/intel/5959xdat.exe (65MB)

2. Copy this file to a CD (a USB stick MAY work if your problem system already has drivers for it). If this (working) system also has Windows XP on it, copy the “svchost.exe” from inside “c:\WINDOWS\system32\” (14KB) to the CD as well. Keep both files in the “root” of the CD.

3. Copy the file onto the problem system & then install it. You will likely have to copy the file to the problem system using a command rather than cut and paste… sigh… “copy e:\5959xdat.exe c:\5959xdat.exe” (where “e” is the drive letter of your CD / DVD / USB drive) followed by “c:\5959xdat.exe” would work just fine.

4. After the install, don’t shut down as advised; you need to restore your original svchost.exe file first. To do this, either:

i) Restore it from McAfee’s “Quarantine”:
a) Launch the VirusScan Console (Click Start, Programs, McAfee, VirusScan Console).
(If you are unable to launch the VirusScan Console, click Start -> Run, type the command below (including the quotes) and click OK: "C:\program files\mcafee\virusscan enterprise\mcconsol.exe" /standalone)
b) Double-click Quarantine Manager Policy, then click the Manager tab.
c) Right-click the detection and select Restore.

ii) Copy it from another location:
a) Open a Command Prompt by typing “cmd” and pressing Enter, either via Start -> Run or by pressing Ctrl + Alt + Delete, selecting Task Manager (if necessary) and then File -> New Task (Run).
b) Type: copy c:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32\svchost.exe and then hit Enter.
(If that doesn’t work then try option “c)” directly below)
c) Type: copy c:\windows\system32\dllcache\svchost.exe c:\WINDOWS\system32\svchost.exe and then hit Enter.
(If that doesn’t work either then try option “d)” directly below.)
d) Copy svchost.exe from C:\WINDOWS\system32 on a similar unaffected system (i.e. they are both XP!) to C:\WINDOWS\system32 on the affected system. You may need to use the copy command again, as above, on the problem system, in which case it would look something like: copy e:\svchost.exe c:\WINDOWS\system32\svchost.exe (where “e” is the drive letter of your CD / DVD / USB drive).

5. Restart the system and you should be all clear to continue computing as normal!
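
Step 4 ii) b) to d) as a batch file, as an added example that is not part of the original procedure or McAfee's guidance. It assumes you save it under a hypothetical name such as restore-svchost.cmd in the root of the CD next to the files from step 2, and run it from the Command Prompt after the DAT install and before restarting; it tries the same three sources in the same order and never overwrites a svchost.exe that is already in place.

```batch
@echo off
rem Added example (assumption: run from the CD root, where step 2 put
rem svchost.exe). Restores svchost.exe from the first source that has it.
setlocal
set "TARGET=%SystemRoot%\system32\svchost.exe"

rem Do nothing if the file is present (e.g. already restored from Quarantine).
if exist "%TARGET%" (
    echo svchost.exe is already present at %TARGET% - nothing to restore.
    goto :done
)

rem Sources in the order of steps b, c and d above.
rem %~dp0 is the folder this script was started from (the CD root).
for %%S in (
    "%SystemRoot%\ServicePackFiles\i386\svchost.exe"
    "%SystemRoot%\system32\dllcache\svchost.exe"
    "%~dp0svchost.exe"
) do (
    if exist %%S (
        echo Trying %%S
        copy /y %%S "%TARGET%" >nul
        rem Only report success if the file really landed in system32.
        if exist "%TARGET%" (
            echo Restored svchost.exe from %%S
            goto :done
        )
    )
)

echo No usable copy of svchost.exe found. Restore it from the McAfee Quarantine instead.
endlocal
exit /b 1

:done
endlocal
exit /b 0
```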

Good luck all! 🙂

(NOTE: If 65MB is a bit too much to stomach, you can replace steps 1 to 3 above with:
1. Download: http://download.nai.com/products/mcafee-avert/wecorl/extra.dat (21.5KB)
2. Repeat step 2 as above, but using the “extra.dat” file.
3. Copy it to “c:\program files\common files\mcafee\engine” on the problem system, using something like: copy e:\extra.dat "c:\program files\common files\mcafee\engine\extra.dat" (where “e” is the drive letter of your CD / DVD / USB drive).)
