karlherrick.com

McAfee deleted svchost.exe

Thursday, 22 April 2010

Wednesday afternoon I had at least two reports of workstations that were suddenly rebooting on their own. No networking and no taskbar were also symptoms. I thought it might be a virus, so I did a few scans with some of the well-known Windows malware scanning tools, all the while thinking… why didn’t McAfee catch this? After two hours of scanning and no positives on the scans, I decided to rebuild the machine, but declared that I would begin on it the next day.

Well… turns out, McAfee was the issue. I got an email from them that read in part like this: “Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3.” Moderate to significant? One person affected couldn’t get on the network, had no taskbar, and their computer was auto rebooting… That sounds more like extreme systemic failure! 🙂

For verification of the issue, see the following screenshot:

[Screenshot: zero_byte_svchost.jpg]

Here are some steps I took to fix it (taken mostly from the following website: http://brianseekford.com/index.php/2010/04/21/how-to-fix-the-mcafee-svchost-crash-from-the-virus-definition-update/)

  • Boot the workstation in safe mode and log in as an administrative user.
  • Press the following keys: CTRL-ALT-DEL.
  • Click the “File > Run” menu item, type in “cmd”, and press the “Enter” key.
  • Run the command: del "C:\Program Files\Common Files\McAfee\Engine\avvscan.dat"
  • Next, we have to copy a replacement svchost.exe from the system if available. Some have found it in “C:\Windows\System32\dllcache” and I found it in “C:\Windows\$NtServicePack\Uninstall$”, so I will go with the instructions for what I had on this particular system…
  • Within the “cmd” window, type the following:
    • cd C:\Windows\$NtServicePack\Uninstall$
    • copy svchost.exe C:\Windows\System32
  • Next, restart the workstation, log in, and update McAfee to the latest dat file.
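
The repair steps above as a single batch file, with an added check that svchost.exe really is missing or zero bytes and that a replacement copy is not itself empty. This is an added example, not part of the original post; using %SystemRoot% and %CommonProgramFiles% in place of the literal C:\ paths, and the third candidate folder, are assumptions.

```batch
@echo off
rem Added example, not from the original post. Run from cmd in safe mode
rem as an administrator, as in the steps above.
setlocal
set "TARGET=%SystemRoot%\System32\svchost.exe"

rem %%~zF expands to the file size in bytes; a missing file counts as 0.
set "SIZE=0"
if exist "%TARGET%" for %%F in ("%TARGET%") do set "SIZE=%%~zF"
if not "%SIZE%"=="0" (
    echo %TARGET% is %SIZE% bytes, nothing to restore.
    exit /b 0
)
echo %TARGET% is missing or zero bytes.

rem Remove the McAfee file named in the steps above before restoring.
rem Assumption: %CommonProgramFiles% is C:\Program Files\Common Files.
set "DAT=%CommonProgramFiles%\McAfee\Engine\avvscan.dat"
if exist "%DAT%" del "%DAT%"

rem Candidate sources: the two locations from the post, then (assumption)
rem the same uninstall folder spelled without the inner backslash.
call :try "%SystemRoot%\System32\dllcache\svchost.exe" && goto done
call :try "%SystemRoot%\$NtServicePack\Uninstall$\svchost.exe" && goto done
call :try "%SystemRoot%\$NtServicePackUninstall$\svchost.exe" && goto done
echo No usable replacement found in the locations checked.
exit /b 1

:done
echo Restored. Restart, log in, and update McAfee to the latest dat file.
exit /b 0

:try
rem Reject a candidate that is absent or is itself zero bytes.
if not exist "%~1" exit /b 1
if "%~z1"=="0" exit /b 1
copy /y "%~1" "%TARGET%" >nul || exit /b 1
echo Copied %~1
exit /b 0
```

The script exits with 0 when svchost.exe is already intact or was restored, and 1 when no non-empty replacement was found.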

As of this writing they have replaced the broken 5958 dat with 5959. Once McAfee was updated, I had to restart the workstation to get it to report as being updated.

More reading regarding the issue:

