Wednesday 21 April 2010

Mcafee DAT 5958 Fix

As many people are already aware, McAfee released DAT 5958 today. This DAT contained a fault, which caused issues in hosts running Windows XP SP3. The fault led to a false detection of the W32/Wecorl.A worm, which was an MS08-067 based worm. This resulted in McAfee nuking svchost.exe killing all win32 services on the machine. This results in a laundry list of problems. The way to fix machines impacted by this is simple:

1. Boot the machine into safe mode
2. Take the extra.dat file mcafee is providing and load it into c:\program files\common files\mcafee\engine
3. Copy svchost.exe from c:\windows\servicepackfiles\i386\svchost.exe to c:\windows\system32\svchost.exe and c:\windows\system32\dllcache\svchost.exe
4. Reboot

This should remove the faulty signature and replace the damaged svchost from the the servicepack files. This test has been tested and works within our company. We have rolled it into a quick exe package for ease of use.

33 comments:

  1. Do you have a md5 of the detected file?

    ReplyDelete
  2. So if the machine has lost svchost.exe it cannot boot nor access the network. Your solution assumes you have a non affected system.

    ReplyDelete
  3. I wonder if you can share the .exe file? For some reason on all our affected systems copy and paste is disabled on safe mode...

    ReplyDelete
  4. Is it possible for you to put the exe online? Many thanks for this.

    ReplyDelete
  5. Magic! I spent hours trying to figure out why some PC's in the office went mad, this fix helped immensely.

    ReplyDelete
  6. So are you going to post your EXE that you created?

    ReplyDelete
  7. >>>I wonder if you can share the .exe file? For some reason on all our affected systems copy and paste is disabled on safe mode...

    Get to a command prompt to copy the files.

    ReplyDelete
  8. Anonymous, the machine will still boot into safe mode. It will not be able to run any services. Once you are booted in, you can run the fix, and reboot.

    ReplyDelete
  9. You can take svchost from another XP SP3 machine.

    The version I have is 5.1.2600.5512 - i copied it from another machine, works in the short term until a reinstall can be scheduled.

    ReplyDelete
  10. This comment has been removed by the author.

    ReplyDelete
  11. the .dat is posted on the mcafee site:
    http://vil.nai.com/vil/5958_false.htm

    you can easily make a .bat file to copy over the necessary files:
    copy extra.dat "c:\program files\common files\mcafee\engine\"
    copy svchost.exe c:\windows\system32\
    copy svchost.exe c:\windows\system32\dllcache\

    ReplyDelete
  12. Yes, as everyone said you can do it from command prompt, or you can write a batch script to do this. Either solution works great. we just put it into an exe to make it easy for people to run around with disks and just double clcik, hit okay, and watch their machine reboot back into goodness.

    ReplyDelete
  13. curious where the extra.dat is i just see the .dat and super dat, any idea?

    ReplyDelete
  14. Try this as a batch file...

    rem RUN IN SAFE MODE
    rem run from same folder that has extra.dat
    pause

    sc config McAfeeFramework start= disabled
    sc config McShield start= disabled
    sc config McTaskManager start= disabled
    sc config McAfeeEngineService start= disabled

    xcopy extra.dat c:\program files\common files\mcafee\engine /Y
    c:\windows\servicepackfiles\i386\svchost.exe c:\windows\system32\ /Y
    c:\windows\servicepackfiles\i386\svchost.exe c:\windows\system32\ /Y

    rem NOW REBOOT

    ReplyDelete
  15. c:\program files\common files\mcafee\engine\"
    BUT : I haven't the map engine.
    And I cannot copy and past
    Anybody can help?

    ReplyDelete
  16. If your machine don't boot, use Ultimate Boot Cd for Windows...

    ReplyDelete
  17. Thanks mate, you are a legend. Your fix worked really well for us. Had to use safe mode at bootup and command line copy to get some systems working. But the main thing is they all work now. Thanks again.

    ReplyDelete
  18. Aaron, very glad to hear it. Cheers!

    ReplyDelete
  19. would you kindly post the easy .exe fix? I'm computer illiterate and just don't really understand what to do.

    ReplyDelete
  20. I'm renting a bus and will come pick up anyone that wants to drive to McAfee headquarters with me. They're going to at least buy us lunch. :) What a day...

    ReplyDelete
  21. what if you cant cut and paste? still havent seen an answer for that question

    ReplyDelete
  22. Anonymous: I believe that question has already been answered, but here it is again. You can't copy/paste from within the gui shell. You have to go into command prompt and use the actual copy or xcopy command. Easiest thing is probably to write a batch script.

    ReplyDelete
  23. what if you can't boot into safe mode AND you already uninstalled mcafee (in a fit of frustration before even knowing about this issue)

    yark!

    ReplyDelete
  24. if you completely lost the "svchost.exe" file, just copy it from another computer (from: c:\windows\system32\) and paste it into the same folder (c:\windows\system32\) of your computer... it worked for me

    ReplyDelete
  25. Where can I find a backup of the svchost.exe? I don't have the neither the dllcahe-folder nor the servicepack-folder. (I am running windows XP on a mac via bootcamp/vmware fusion)

    ReplyDelete
  26. Anonymous:
    You need to be careful doing that. If it is the wrong version of svchost you could create some serious problems.

    ReplyDelete
  27. jonast,
    I would think you should still have both those folders. dllcache is a rather important system folder, and if you have installed sp3 on the image it should have the servicepack files folder as well. As i said in the update psot, you should be able to release svchost.exe from the quarantine as it turns out. Just open up the quarantine panel and release it, and reboot.

    ReplyDelete
  28. I copied from the same version (windows xp sp3) no problems yet... I've never found the dllcache folder, even before the crash, never had problems thou...

    ReplyDelete
  29. see here's your problem your using a OS that is 2 genertions out of date if you had been using vista or win 7 you would not be in this situation. please note that windows XP is EOL (thats end of life) microsoft do not serport it any more

    ReplyDelete
  30. anonymous: yeah good luck getting large global companies to transition that easily. A) A new EA for that many machines is costed in the millions, I know because my company is looking at a new EA. B)All of the legacy system that a big corporation acrues have to be tested to make sure they work on the new paltform, and appropriate actions need to be taken for those systems that don't. In other words it is extremely costly to upgrade in time and money.

    Also check your facts. XP SP2 and prior were EOLed however XP SP3 is still supported, and 64 bit SP2 is supported. These are to remain supported for quite some time still, probably due to the reasons listed above.

    http://windows.microsoft.com/en-us/windows/help/end-support-windows-xp-sp2-windows-vista-without-service-packs?os=other

    ReplyDelete
  31. i said the OS was EOL not the SP i saw that the SP's are still supported until 2014 and it still does not change the fact the xp is 2 generations out of date and it’s full of vulnerabilities and no im not say that vista or win 7 does not have any because they do that why we have companies like mcafee and Symantec ECT. ECT

    ReplyDelete
  32. Anonymous,
    If you're relying on Mcafee of Symantec to provide security to you, you're already in bad shape my friend. The fact is, as I said before, Enterprises do not update that fast, especially not large global corporations like the one I work for. There are a number of reasons for this, which I have already out some of. Also I'm not sure what your point about the os is anymore as you said it was EOLed then say you know the SPs aren't EOL. XP is not out of support if you have an updated SP, which you should have anyways. Should companies have updated to Windows ME because it was newer than 2000? You say that we should switch to windows 7 or vista because xp has vulns, then immediately say that 7 and vista have vulns but that's okay because we have security software? I'm sorry but I just really don't see where you are going with this at all.

    ReplyDelete
  33. Great post. One of my colleagues was facing a lot of problem with his system this fixed it.

    ReplyDelete