1. Boot the machine into safe mode
2. Take the extra.dat file McAfee is providing and load it into c:\program files\common files\mcafee\engine
3. Copy svchost.exe from c:\windows\servicepackfiles\i386\svchost.exe to c:\windows\system32\svchost.exe and c:\windows\system32\dllcache\svchost.exe
4. Reboot
This should remove the faulty signature and replace the damaged svchost from the servicepack files. This fix has been tested and works within our company. We have rolled it into a quick exe package for ease of use.
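Steps 2 and 3 above as a batch script, added here as an example; it is not the packaged exe mentioned in the post. It assumes a Safe Mode command prompt opened in the folder that holds extra.dat, uses only the paths given in the steps, and adds a byte-for-byte check with `fc /b` before the reboot in step 4.

```batch
@echo off
rem Added example: run from a Safe Mode command prompt, in the folder with extra.dat.
setlocal
set "SRC=c:\windows\servicepackfiles\i386\svchost.exe"
set "SYS=c:\windows\system32"
set "ENGINE=c:\program files\common files\mcafee\engine"

rem Preflight: change nothing unless both inputs are present.
if not exist extra.dat goto missing
if not exist "%SRC%" goto missing

rem Step 2: load the corrected signature into the engine folder.
copy /y extra.dat "%ENGINE%\" || goto failed

rem Step 3: restore svchost.exe to system32 and to dllcache.
copy /y "%SRC%" "%SYS%\svchost.exe" || goto failed
copy /y "%SRC%" "%SYS%\dllcache\svchost.exe" || goto failed

rem fc /b returns errorlevel 0 only when the two files are byte-identical.
fc /b "%SRC%" "%SYS%\svchost.exe" >nul || goto failed
fc /b "%SRC%" "%SYS%\dllcache\svchost.exe" >nul || goto failed

echo svchost.exe restored and verified against the service pack copy. Reboot now.
exit /b 0

:missing
echo extra.dat or %SRC% is missing. Nothing was changed.
exit /b 1

:failed
echo A copy or verification step failed. Do not reboot yet.
exit /b 1
```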
Do you have a md5 of the detected file?
So if the machine has lost svchost.exe it cannot boot nor access the network. Your solution assumes you have a non affected system.
I wonder if you can share the .exe file? For some reason on all our affected systems copy and paste is disabled on safe mode...
Is it possible for you to put the exe online? Many thanks for this.
Magic! I spent hours trying to figure out why some PCs in the office went mad, this fix helped immensely.
So are you going to post your EXE that you created?
>>>I wonder if you can share the .exe file? For some reason on all our affected systems copy and paste is disabled on safe mode...
Get to a command prompt to copy the files.
Anonymous, the machine will still boot into safe mode. It will not be able to run any services. Once you are booted in, you can run the fix, and reboot.
You can take svchost from another XP SP3 machine.
The version I have is 5.1.2600.5512 - I copied it from another machine, works in the short term until a reinstall can be scheduled.
The .dat is posted on the McAfee site:
http://vil.nai.com/vil/5958_false.htm
you can easily make a .bat file to copy over the necessary files:
copy extra.dat "c:\program files\common files\mcafee\engine\"
copy svchost.exe c:\windows\system32\
copy svchost.exe c:\windows\system32\dllcache\
Yes, as everyone said you can do it from command prompt, or you can write a batch script to do this. Either solution works great. We just put it into an exe to make it easy for people to run around with disks and just double click, hit okay, and watch their machine reboot back into goodness.
Curious where the extra.dat is; I just see the .dat and super dat, any idea?
Try this as a batch file...
rem RUN IN SAFE MODE
rem run from same folder that has extra.dat
pause
rem keep the McAfee services from starting on the next boot
sc config McAfeeFramework start= disabled
sc config McShield start= disabled
sc config McTaskManager start= disabled
sc config McAfeeEngineService start= disabled
rem load the corrected signature; the path contains spaces, so it must be quoted
xcopy extra.dat "c:\program files\common files\mcafee\engine" /Y
rem restore svchost.exe to system32 and to dllcache (step 3 of the post)
xcopy c:\windows\servicepackfiles\i386\svchost.exe c:\windows\system32\ /Y
xcopy c:\windows\servicepackfiles\i386\svchost.exe c:\windows\system32\dllcache\ /Y
rem NOW REBOOT
c:\program files\common files\mcafee\engine\"
BUT: I haven't the map engine.
And I cannot copy and paste
Anybody can help?
If your machine doesn't boot, use Ultimate Boot CD for Windows...
Thanks mate, you are a legend. Your fix worked really well for us. Had to use safe mode at bootup and command line copy to get some systems working. But the main thing is they all work now. Thanks again.
Aaron, very glad to hear it. Cheers!
Would you kindly post the easy .exe fix? I'm computer illiterate and just don't really understand what to do.
I'm renting a bus and will come pick up anyone that wants to drive to McAfee headquarters with me. They're going to at least buy us lunch. :) What a day...
What if you can't cut and paste? Still haven't seen an answer for that question
Anonymous: I believe that question has already been answered, but here it is again. You can't copy/paste from within the GUI shell. You have to go into command prompt and use the actual copy or xcopy command. Easiest thing is probably to write a batch script.
What if you can't boot into safe mode AND you already uninstalled McAfee (in a fit of frustration before even knowing about this issue)
yark!
if you completely lost the "svchost.exe" file, just copy it from another computer (from: c:\windows\system32\) and paste it into the same folder (c:\windows\system32\) of your computer... it worked for me
Where can I find a backup of the svchost.exe? I have neither the dllcache-folder nor the servicepack-folder. (I am running Windows XP on a Mac via bootcamp/vmware fusion)
Anonymous:
You need to be careful doing that. If it is the wrong version of svchost you could create some serious problems.
jonast,
I would think you should still have both those folders. dllcache is a rather important system folder, and if you have installed SP3 on the image it should have the servicepack files folder as well. As I said in the update post, you should be able to release svchost.exe from the quarantine as it turns out. Just open up the quarantine panel and release it, and reboot.
I copied from the same version (Windows XP SP3), no problems yet... I've never found the dllcache folder, even before the crash, never had problems though...
See, here's your problem: you're using an OS that is 2 generations out of date. If you had been using Vista or Win 7 you would not be in this situation. Please note that Windows XP is EOL (that's end of life); Microsoft do not support it any more.
Anonymous: yeah, good luck getting large global companies to transition that easily. A) A new EA for that many machines is costed in the millions, I know because my company is looking at a new EA. B) All of the legacy systems that a big corporation accrues have to be tested to make sure they work on the new platform, and appropriate actions need to be taken for those systems that don't. In other words it is extremely costly to upgrade in time and money.
Also check your facts. XP SP2 and prior were EOLed, however XP SP3 is still supported, and 64 bit SP2 is supported. These are to remain supported for quite some time still, probably due to the reasons listed above.
http://windows.microsoft.com/en-us/windows/help/end-support-windows-xp-sp2-windows-vista-without-service-packs?os=other
I said the OS was EOL, not the SP. I saw that the SPs are still supported until 2014, and it still does not change the fact that XP is 2 generations out of date and it's full of vulnerabilities. And no, I'm not saying that Vista or Win 7 does not have any, because they do; that's why we have companies like McAfee and Symantec, etc. etc.
Anonymous,
If you're relying on McAfee or Symantec to provide security to you, you're already in bad shape my friend. The fact is, as I said before, Enterprises do not update that fast, especially not large global corporations like the one I work for. There are a number of reasons for this, which I have already out some of. Also I'm not sure what your point about the OS is anymore as you said it was EOLed then say you know the SPs aren't EOL. XP is not out of support if you have an updated SP, which you should have anyways. Should companies have updated to Windows ME because it was newer than 2000? You say that we should switch to Windows 7 or Vista because XP has vulns, then immediately say that 7 and Vista have vulns but that's okay because we have security software? I'm sorry but I just really don't see where you are going with this at all.
Great post. One of my colleagues was facing a lot of problems with his system; this fixed it.