How to restore svchost.exe for those affected by the w32/wecorl.a McAfee update.

A new update released by McAfee for their anti-virus software contains a false positive that can potentially cause Windows XP with Service Pack 3 computers to not be able to boot up again. This problem is caused by a false positive for the w32/wecorl.a worm in their 5958 DAT update, which would cause the C:\Windows\System32\svchost.exe file to be mistakenly deleted. This file is an Windows system file required to start many critical services. Therefore, once this file is deleted, Windows will no longer be able to start.If you are one of the people affected by this false positive, then you most likely will not be able to start your computer. Don't worry, though, we can fix it using the Windows XP Recovery Console or a Windows boot CD, such as UBCD4Win. For some people, the Windows Recovery Console may be installed on their computer by the manufacturer. If not, then you will need to use the Windows XP CD to access it. In order to access the Recovery Console, please follow the steps in this tutorial:

How to install and use the Windows XP Recovery Console

Once in the recovery console, you would type the following commands in the console prompt and then press Enter on your keyboard.

copy \windows\system32\dllcache\svchost.exe \windows\system32

Please note that there is a space between copy and \windows and between svchost.exe and \windows. Otherwise there are no other spaces in the above command.

Once you type that command and press Enter, you should see that 1 file has been copied. You can then type Exit and press Enter to reboot your computer. Now that the C:\Windows\System32\svchost.exe file has been restored, your computer should boot up properly.

If you do not have access to the Windows XP Recovery Console, then you can use any bootable CD to access your files. Once you can access your files, simply copy the svchost.exe from the C:\Windows\System32\Dllcache folder to the C:\Windows\System32\ folder to restore the file.

When your computer restarts, McAfee may attempt to delete it again. Please make sure you do not allow that or you will need to repeat the above steps. You should also have McAfee check for new updates to resolve this false positive. If none exist, then you can go to the knowledgebase article linked below and manually update the DAT file.

Please feel free to ask in the forums if you need assistance with these steps.

I am trying to fix this very problem and can copy the svchost.exe file from another computer but it will not be moved from a memory stick into the system 32 folder on the affected computer.
Neither computer has a system 32 dll cache folder

I have an older XP version that doesn't seem to have this file

Any thoughts??

I am trying to fix this very problem and can copy the svchost.exe file from another computer but it will not be moved from a memory stick into the system 32 folder on the affected computer.

Same here. I can't copy and paste files or drag them with the mouse from my affected computer.

Also installed the XP recovery console and tried copy \windows\system32\dllcache\svchost.exe \windows\system32 but it told me the file can't be found.

man McAfee is just not having a good year so far haha.

I am trying to fix this very problem and can copy the svchost.exe file from another computer but it will not be moved from a memory stick into the system 32 folder on the affected computer.

Same here. I can't copy and paste files or drag them with the mouse from my affected computer.

Also installed the XP recovery console and tried copy \windows\system32\dllcache\svchost.exe \windows\system32 but it told me the file can't be found.

when you boot the computer with a CD support USUALLY not always CD drive is recognized as the D drive and your local disk which has the operating system is the C drive; so try this instead.
copy D:\windows\system32\dllcache\svchost.exe C:\windows\system32

I am trying to fix this very problem and can copy the svchost.exe file from another computer but it will not be moved from a memory stick into the system 32 folder on the affected computer.

Same here. I can't copy and paste files or drag them with the mouse from my affected computer.

Also installed the XP recovery console and tried copy \windows\system32\dllcache\svchost.exe \windows\system32 but it told me the file can't be found.

Get SVCHOST.EXE file and
goto http://vil.nai.com/vil/5958_false.htm and get extra.dat file.

Start in safe mode by continuously pressing F8 as computer reboots.

To copy: press and hold the windows key (between CTRL and ALT) and press R. Type CMD in the run window. Type COPY e:\svchost.exe c:\windows\system32 (if e:\ is your flash drive where the file is located.)

Extract the extra.dat file into C:\Program Files\Common Files\McAfee\Engine

Restart in normal mode.

Just out of curiosity, but what is the guarantee McAfee will not delete the new svchost? Should you boot in safe-mode and turn off McAfee?

What worked for my company was the following steps:

-- boot in to Safe Mode. Virus Scan is disabled while in safe mode.

-- Use the Virus Scan Console's Quarantine Manager to do a restore (Manager Tab, right click on threat and select restore). Your SVCHost.exe file has been restored at this point, but not active.

-- Reboot in to Safe Mode with networking. Virus Scan still needs to be disabled because it still had the 5958 DAT file.

-- Down load the last DAT file from McAfee website or whatever.

-- Reboot normally.

-- Verify everything is working as it did before.


Not sure why McAfee didn't post something similar to this; it's using their own tools!

im in a real bind with this, i think i have made it worse than it was as im not that clued up with computers
i like everyone else am missing the svchost.exe, how ever i cant restore it from the disc as i cant find them:(
i followed some of mcafees instructions last night and run some of the programs they suggested the first solution required internet access which was blocked so i could do that. the second one ended up removing mcafee.
now im stuck as i dont have another xp sp3 svchost.exe to put on it even if i did then i would be abe to copy it on as that seems disabled and now that it has removed mcafee im guessing that the quarentine will be gone too?
any help would be really appreciated

I am trying to fix this very problem and can copy the svchost.exe file from another computer but it will not be moved from a memory stick into the system 32 folder on the affected computer.

Same here. I can't copy and paste files or drag them with the mouse from my affected computer.

Also installed the XP recovery console and tried copy \windows\system32\dllcache\svchost.exe \windows\system32 but it told me the file can't be found.

when you boot the computer with a CD support USUALLY not always CD drive is recognized as the D drive and your local disk which has the operating system is the C drive; so try this instead.
copy D:\windows\system32\dllcache\svchost.exe C:\windows\system32

Apologies in advance for stating the bleeping obvious

When you go into recovery console and you get to the c:\windows prompt type cd .. and hit return. This takes you the root directory witht the c:\ prompt

Then try the "copy \windows\system32\dllcache\svchost.exe \windows\system32"

All the best

For people who can't get this fix to work and are getting messages that the file can't be found, it's because you don't have a copy of svchost.exe in your dllcache folder. I just checked my own XP SP3 system and I don't have one there either. The dllcache folder is where a spare copy of svchost.exe (and some other system files) are usually kept, but for some reason the spare copy is kept in a different folder on some systems. On mine it is kept in C:\WINDOWS\ServicePackFiles\i386\svchost.exe. If you have one there also check the properties of the file--mine is 14.0 KB (as is the one in System32 folder)--so if yours is the same size then it should be the correct version and you can copy it to your System32 folder. According to McAfee (and as pointed out by Peter Luger), you can manually replace the svchost.exe file in safe mode--their responsible driver is disabled there. I suggest you boot into safe mode and, if you are running SP3, look in your WINDOWS\ServicePackFiles\i386 folder for svchost.exe. I would think a simple copy and paste would work, but if you are following the step by step instructions, when you get to the step of typing in the command, substitute ServicePackFiles\i386\ for dllcache\.

McAfee's instructions for home users utilizing the safe mode method is here: http://service.mcafee.com/FAQDocument.aspx...amp;id=TS100970

If you can't find svchost.exe in ServicePackFiles\i386\svchost.exe, while in safe mode, search your Windows folder and post back and let us know if you found another copy, it's location (what folder it's in) and the size of the file and when it was last modified.

What worked for my company was the following steps:

-- boot in to Safe Mode. Virus Scan is disabled while in safe mode.

-- Use the Virus Scan Console's Quarantine Manager to do a restore (Manager Tab, right click on threat and select restore). Your SVCHost.exe file has been restored at this point, but not active.

-- Reboot in to Safe Mode with networking. Virus Scan still needs to be disabled because it still had the 5958 DAT file.

-- Down load the last DAT file from McAfee website or whatever.

-- Reboot normally.

-- Verify everything is working as it did before.


Not sure why McAfee didn't post something similar to this; it's using their own tools!

They do actually attempt to restore from Quarantine as part of the SuperDAT Remediation Tool. It's used in their instructions for home users here (Step 1 under Solution): http://service.mcafee.com/faqdocument.aspx?id=TS100969

What does the SuperDAT Remediation Tool Do?
The tool suppresses the driver causing the false positive by applying an Extra.dat file in c:\program files\commonfiles\mcafee\engine folder. It then restores the svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe. If not present, it attempts a restore from the following:

* %WINDOWS%\servicepackfiles\i386\svchost.exe
* Quarantine.

The above is quoted from the page Grinler referred to in Post #1. It is supposed to be for corporate users only, but I don't know why it wouldn't work for anyone. The instructions for home users is a bit simpler and more user friendly tho. I would suggest everyone try the home user instructions first, using the SuperDAT Remediation Tool. If that doesn't work, try the instructions for manually restoring the svchost.exe file.

Is there a way to fix the Mcafee update issue without another computer..and without downloading the SuperDAT or the extra.dat file or doing a clean reinstallation or doing a parallel installation...????

Our school computers thankfully were fixed, but we have realized that the sound cards or audio devices are not working. Has anyone else had this problem and how does one go about fixing that?

I cant get any of these fixes to work! can anyone help me?? I dont have the file in the dllcache but I do have it in the service pack files. I tried entering it in manually from the command prompt but it says path not found. I also tried downloading the SuperDat Remediation tool and I cant get that to copy onto my desktop or anywhere for that matter. If anyone has any suggestions to fix this, it is really appreciated. Would reinstalling windows help? I dont really want to do that but will if there is no other option.
Thanks
Ok, I found the solution! Thanks anyway!

i have the svchost.exe in my servicepackfiles on my pc buti cant move it to system32?
i cant manually do it copy/paste or move and when i try and do it through run task it says it cant find the file?