For people who can't get this fix to work and are getting messages that the file can't be found, it's because you don't have a copy of svchost.exe in your dllcache folder. I just checked my own XP SP3 system and I don't have one there either. The dllcache folder is where a spare copy of svchost.exe (and some other system files) are usually kept, but for some reason the spare copy is kept in a different folder on some systems. On mine it is kept in C:\WINDOWS\ServicePackFiles\i386\svchost.exe. If you have one there also check the properties of the file--mine is 14.0 KB (as is the one in System32 folder)--so if yours is the same size then it should be the correct version and you can copy it to your System32 folder.
According to McAfee (and as pointed out by Peter Luger), you can manually replace the svchost.exe file in safe mode--their responsible driver is disabled there. I suggest you boot into safe mode and, if you are running SP3, look in your WINDOWS\ServicePackFiles\i386 folder for svchost.exe. I would think a simple copy and paste would work, but if you are following the step by step instructions, when you get to the step of typing in the command, substitute ServicePackFiles\i386\
McAfee's instructions for home users utilizing the safe mode method are here: http://service.mcafee.com/FAQDocument.aspx...amp;id=TS100970
If you can't find svchost.exe, while in safe mode, search your Windows folder and post back and let us know if you found another copy, its location (what folder it's in), the size of the file and when it was last modified.
What worked for my company was the following steps:
-- Boot into Safe Mode. Virus Scan is disabled while in safe mode.
-- Use the Virus Scan Console's Quarantine Manager to do a restore (Manager Tab, right click on threat and select restore). Your SVCHost.exe file has been restored at this point, but not active.
-- Reboot into Safe Mode with networking. Virus Scan still needs to be disabled because it still had the 5958 DAT file.
-- Download the last DAT file from McAfee website or whatever.
-- Reboot normally.
-- Verify everything is working as it did before.
Not sure why McAfee didn't post something similar to this; it's using their own tools!
They do actually attempt to restore from Quarantine as part of the SuperDAT Remediation Tool. It's used in their instructions for home users here (Step 1
What does the SuperDAT Remediation Tool Do?
The tool suppresses the driver causing the false positive by applying an Extra.dat file in c:\program files\commonfiles\mcafee\engine folder. It then restores the svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe. If not present, it attempts a restore from the following:
The above is quoted from the page Grinler referred to in Post #1. It is supposed to be for corporate users only, but I don't know why it wouldn't work for anyone. The instructions for home users are a bit simpler and more user friendly tho. I would suggest everyone try the home user instructions first, using the SuperDAT Remediation Tool. If that doesn't work, try the instructions for manually restoring the svchost.exe