How to Restore a Computer Affected by McAfee DAT 5958

McAfee released a virus definition file DAT 5958 today. After the virus definition file has been installed, it will identify a legit system file (svchost.exe) and move it to quarantine. As the file is an important system file, the system will not function properly without it. Major symptoms includes no network access and missing task bar.

I helped a user restore an affected computer. It was an XP computer with SP3 installed. Here are the steps to uninstall McAfee temporarily.

1. Press F8 while the computer is booting and select safe mode.
2. Press Ctrl+Alt+Del to bring up Windows Task Manager.
3. Under Windows Task Manager, click on File -> New Task(Run…)
4. Enter cmd and click on OK to bring up a command prompt.
5. Type the following to restore svchost.exe
   copy c:\windows\system32\dllcache\svchost.exe c:\windows\system32
6. Type the following to reboot the system. Remember to boot to safe mode.
   shutdown -r
7. Once the machine is booted to safe mode again. Bring up a command prompt.
8. Type the following to enable the installer under safe mode.

   REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /F /D "Service"
   net start msiserver

9. Use Add/Remove Programs in control panel to uninstall McAfee VirusScan.
10. Reboot the machine.

When I worked on the user’s machine, I was not aware of the new DAT file. Therefore, I just uninstalled McAfee. If you still want to keep McAfee, do not follow step 8 and 9 to uninstall McAfee VirusScan. McAfee has published an official workaround. Here is the link.

False positive detection of w32/wecorl.a in 5958 DAT

You can follow the link to download the new virus definition file 5959 and update the file instead of uninstalling McAfee VirusScan.