Karl Herrick


McAfee deleted svchost.exe

Wednesday afternoon I had at least two reports of workstations that were suddenly rebooting on their own. No networking and no taskbar were also symptoms. I thought it may be a virus, so I did a few scans with some of the well-known Windows malware scanning tools, all the while thinking… why didn’t McAfee catch this? After two hours of scanning and no positives on the scans, I decided to rebuild the machine, but declared that I would begin on it the next day.

Well… turns out, McAfee was the issue. I got an email from them that read in part like this: “Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3.” Moderate to significant? One person affected couldn’t get on the network, had no taskbar, and their computer was auto rebooting… That sounds more like extreme systemic failure! 🙂

For verification of the issue, see the following screenshot:

[Screenshot: zero_byte_svchost.jpg]

Here are some steps I took to fix it (taken mostly from the following website: http://brianseekford.com/index.php/2010/04/21/how-to-fix-the-mcafee-svchost-crash-from-the-virus-definition-update/)

  • Boot workstation in safe mode and login as an administrative user
  • Press the following keys: CTRL-ALT-DEL.
  • Click the “File>Run” menu item, type in “cmd”, and press the “Enter” key
  • Run the command: del "C:\Program Files\Common Files\McAfee\Engine\avvscan.dat"
  • Next, we have to copy a replacement svchost.exe from the system if available. Some have found it in “c:\windows\system32\dllcache” and I found it in “C:\Windows\$NtServicePackUninstall$” so I will go with the instructions for what I had on this particular system…
    • within the “cmd” window type the following below:
    • cd C:\Windows\$NtServicePackUninstall$
    • copy svchost.exe c:\Windows\System32
  • Next, restart the workstation, login, and update McAfee to the latest dat file. As of this writing they have replaced the broken 5958 dat with 5959.
  • Once McAfee has been updated, I had to restart the workstation again to get McAfee to report as being updated.
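
The svchost.exe replacement step above can be scripted so that it only acts when the System32 copy really is missing or zero bytes, and so that it never copies a damaged backup. This batch file is an added example, not part of the original post or the linked instructions. It assumes Windows XP's cmd.exe, run from Safe Mode as an administrator, and the two backup locations named above; it does not delete avvscan.dat or update the DAT.

```batch
@echo off
rem Added example: restore svchost.exe only if the System32 copy is
rem missing or 0 bytes, using the backup locations named in the post.
setlocal
set "TARGET=%SystemRoot%\System32\svchost.exe"

rem Size of the current file; SIZE stays undefined if the file is absent.
set "SIZE="
for %%F in ("%TARGET%") do if exist "%%~fF" set "SIZE=%%~zF"

if defined SIZE if not "%SIZE%"=="0" (
    echo %TARGET% is present, %SIZE% bytes. Nothing to restore.
    goto :eof
)
echo %TARGET% is missing or zero bytes. Looking for a replacement...

rem Candidate locations, in the order the post mentions them.
for %%C in (
    "%SystemRoot%\system32\dllcache\svchost.exe"
    "%SystemRoot%\$NtServicePackUninstall$\svchost.exe"
) do (
    rem Skip candidates that are absent or themselves zero bytes.
    if exist %%C if not "%%~zC"=="0" (
        echo Restoring from %%~C
        copy /Y %%C "%TARGET%" >nul
        if errorlevel 1 (
            echo Copy failed.
            exit /b 1
        )
        goto :verify
    )
)
echo No usable replacement found in either location.
exit /b 1

:verify
rem Re-read the size so the result can be confirmed before rebooting.
for %%F in ("%TARGET%") do echo Restored copy is %%~zF bytes.
exit /b 0
```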

And more reading regarding the issue: