Scribd Logo
Upload

Welcome to Scribd!

  • Steps To Recover SVCHOST

    Uploaded by

    califbob51
    344 views3 pages
    This document provides steps to recover the SVCHOST.EXE file if it has been deleted or quarantined by antivirus software. There are four steps with increasing levels of difficulty: 1) update antivirus definitions if SVCHOST.EXE is still present but flagged, 2) restore from quarantine if flagged but still running, 3) replace file if deleted but still running, or 4) boot to safe mode and replace file if not booting. The steps involve updating antivirus, copying backup files and renaming SVCHOST.EXE to restore normal operation.

    Original Description:

    How to recover from McAfee's VirusScan DAT 5958 false positive of the SVCHOST.EXE Windows File

    Original Title

    Steps to Recover SVCHOST

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    DOC, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides steps to recover the SVCHOST.EXE file if it has been deleted or quarantined by antivirus software. There are four steps with increasing levels of difficulty: 1) update antivirus definitions if SVCHOST.EXE is still present but flagged, 2) restore from quarantine if flagged but still running, 3) replace file if deleted but still running, or 4) boot to safe mode and replace file if not booting. The steps involve updating antivirus, copying backup files and renaming SVCHOST.EXE to restore normal operation.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    344 views3 pages

    Steps To Recover SVCHOST

    Uploaded by

    califbob51
    This document provides steps to recover the SVCHOST.EXE file if it has been deleted or quarantined by antivirus software. There are four steps with increasing levels of difficulty: 1) update antivirus definitions if SVCHOST.EXE is still present but flagged, 2) restore from quarantine if flagged but still running, 3) replace file if deleted but still running, or 4) boot to safe mode and replace file if not booting. The steps involve updating antivirus, copying backup files and renaming SVCHOST.EXE to restore normal operation.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    Steps to recover/replace Windows SVCHOST.

    EXE VirusScan warning or deletion

    SVCHOST.EXE is a necessary Windows file and if deleted prevents Windows from


    booting. The following steps will cover some options to recover from this problem.
    Follow the instructions starting in Step-1 as each step requires more effort to resolve.

    1. If SVCHOST.EXEC has NOT been deleted and Windows is running:


    a. If asked by VirusScan – Select the option to “Do Nothing” so it does not
    delete this file. Exit VirusScan window
    b. Copy the attached EXTRA.DAT file to:
    C:\Program Files\Common Files\McAfee\Engine
    c. Restart Windows (reboot)
    d. Right-click on the VirusScan icon on the bottom Windows status bar
    1) Select “Update Now” to update VirusScan to current updates.
    e. VirusScan should no longer report SVCHOST.EXE as infected
    f. DONE.

    2. If SVCHOST.EXE has been quarantined and Windows is still running:


    a. If running, close the VirusScan scanning window
    b. Copy the attached EXTRA.DAT file to:
    C:\Program Files\Common Files\McAfee\Engine
    c. Check the C:\quarantine folder for the SVCHOST.EXE file
    d. Copy or Move the SVCHOST.EXE file to:
    C:\WINDOWS\system32
    e. Restart Windows (reboot)
    f. Right-click on the VirusScan icon on the bottom Windows status bar
    1) Select “Update Now” to update VirusScan to current updates.
    g. VirusScan should no longer report SVCHOST.EXE as infected
    h. DONE.

    3. If SVCHOST.EXE was deleted and Windows is still running:


    a. If running, close the VirusScan scanning window
    b. Copy the attached EXTRA.DAT file to:
    C:\Program Files\Common Files\McAfee\Engine
    c. Copy the attached SVCHOST-EXE file to:
    C:\WINDOWS\system32
    d. !! Rename the file as SVCHOST.EXE  IMPORTANT!
    e. Restart Windows (reboot)
    f. Right-click on the VirusScan icon on the Windows status bar
    1) Select “Update Now” to update VirusScan to current updates.
    g. VirusScan should no longer report SVCHOST.EXE as infected
    h. DONE.

    4. If Windows will not start, reporting that SVCHOST.EXE is missing


    a. Copy the attached EXTRA.DAT and SVCHOST-EXE files to a USB
    memory stick.
    1) !! Rename SVCHOST-EXE to SVCHOST.EXE !!
    b. Starting PC in Safe Mode
    1) Restart PC and hold-down the [F8] function key (top of
    keyboard)
    2) Windows will start in “Advanced Options Mode”
    3) Select “Safe Mode with Command Prompt”
    4) Select Microsoft Windows XP Prof. operating system
    5) Wait for Windows Welcome screen – Press Ctrl-Alt-Del keys
    6) Enter User Name: administrator
    7) Enter Password: (contact you local site administrator for this
    password or Corporate IT Help Desk)
    8) You should now see a C:\ prompt followed by a directory name
    c. Option-1: Copy files from USB memory stick
    1) Insert USB memory stick (next steps assumes it became drive
    “D”
    2) Enter: D:
    3) Enter: copy extra.dat C:\Program Files\Common
    Files\McAfee\Engine
    4) Enter: copy svchost.exe C:\windows\system32
    5) Enter: Ctrl-Alt-Del keys and select Shutdown
    6) Select Restart
    7) Windows should start normally
    8) Login to Windows
    9) If VirusScan again reports SVCHOST.EXE is infected, select the
    option to “Do Nothing” – DO NOT SELECT DELETE!
    10) Right-click on the VirusScan icon on the bottom Windows
    status bar
    • Select “Update Now” to update VirusScan to current
    updates. Wait for update to complete
    11) !! VirusScan should no longer report SVCHOST.EXE as infected
    12) DONE.

    d. Option-2: Extract SVCHOST.EXE from C:\I386 directory


    (Only if you cannot copy files from a USB memory stick)
    1) At the C:\ prompt enter: CD C:\i386
    2) Enter: expand svchost.ex_ c:\windows\system32\svchost.exe
    (note the underscore in first svchost.ex_ file name)
    3) Should get the following reply:
    “c:\i386\svchost.ex_: 7276 bytes expanded to 14336 bytes, 97%
    increase.”
    4) Enter: Ctrl-Alt-Del keys and select Shutdown
    5) Select Restart
    6) Windows should start normally
    7) Login to Windows
    8) !! If VirusScan again reports SVCHOST.EXE is infected, select
    the option to “Do Nothing” – DO NOT SELECT DELETE!
    9) Right-click on the VirusScan icon on the bottom Windows
    status bar
    • Select “Update Now” to update VirusScan to current
    updates. Wait for update to complete
    10) VirusScan should no longer report SVCHOST.EXE as infected
    11) DONE.

    You might also like