Configuration Manager 2007 Task Sequence to assist in resolving McAfee Antivirus deleting svchost.exe


By now I'm sure you've all heard about the false positive detection of w32/wecorl.a in the McAfee 5958 DAT and how it can cause a no-boot situation in Windows XP SP3.  McAfee themselves, as well as some of our colleagues on the Windows team, have posted a resolution that describes how to fix this on a one-by-one basis, but what if you have a lot of clients experiencing the issue?  Well, if you're running System Center Configuration Manager 2007 then your life just got a whole lot easier.  Using ConfigMgr 2007, this issue can be remediated by an SCCM 2007 Task Sequence that boots into WinPE via PXE or Boot Media and copies svchost.exe from the DLLCache back to its proper location. The EXTRA.DAT file from the above McAfee article can also be copied over to its proper location to prevent the issue from occurring again.  Here are the details:

Symptoms

When McAfee virus definition 5958 DAT file dated April 21, 2010 is applied in Windows XP SP3, svchost.exe is removed from C:\Windows\System32 causing the machine to go into a reboot loop and possibly blue-screen.

Cause

When McAfee virus definition 5958 DAT file is applied in Windows XP SP3, it incorrectly identifies svchost.exe as the w32/wecorl.a virus causing the file to be quarantined and removed from C:\Windows\System32. For more information please see the following McAfee article:

False positive detection of w32/wecorl.a in 5958 DAT : https://kc.mcafee.com/corporate/index?page=content&id=KB68780

Resolution

This issue can be remediated via an SCCM 2007 Task Sequence by booting into WinPE via PXE or Boot Media and copying svchost.exe from the DLLCache back to its proper location. The EXTRA.DAT file from the above McAfee article can also be copied over to its proper location to prevent the issue from occurring again.

To create the Task Sequence:

1) Download and unzip the EXTRA.zip file from the above McAfee link. The ZIP file should contain one file called EXTRA.DAT.

2) In the SCCM 2007 Admin console, navigate to "Computer Management" --> "Software Distribution" --> "Packages" node.

3) In the "Packages" node create a package that contains the EXTRA.DAT file downloaded from Step 1. A program does not need to be created with the package.  Make sure to copy the package to the DPs.

4) In the SCCM 2007 Admin console, navigate to the "Computer Management" --> "Operating System Deployment" --> "Task Sequences" node.

5) Right click on the "Task Sequences" node and choose "New" --> "Task Sequence"

6) In the "New Task Sequence Wizard", select "Create a new custom task sequence" and then click on the "Next >" button.

7) In the "Task Sequence name:" field, give the Task Sequence an appropriate name such as "McAfee Fix".

8) Next to "Boot image:", click on the "Browse..." button and choose an appropriate x86 Boot Image. Click on the "OK" button and then the "Next >" button.

9) Click on the "Next >" button and then the "Close" button.

10) Right click on the newly created Task Sequence and select "Edit".

11) Click on the "Add" menu and choose "General" --> "Run Command Line".

12) In the "Run Command Line" task fill out the following fields appropriately:

Name:
Copy svchost.exe

Command line:
xcopy "C:\Windows\System32\dllcache\svchost.exe" "C:\Windows\System32\*.*" /Y

13) Click on the "Options" tab.

14) Select "Add Condition", and then "Task Sequence Variable".

15) In the "Task Sequence Variable" window, enter the following information:

Variable:
_SMSTSInWinPE

Condition:
equals

Value:
true

16) Click on the "OK" button.

17) Click on the "Add" menu and choose "General" --> "Run Command Line".

18) In the "Run Command Line" task fill out the following fields appropriately:

Name:
Copy McAfee Extra.dat file

Command line:
xcopy ".\EXTRA.DAT" "C:\Program Files\Common Files\McAfee\Engine\*.*" /Y

Package
Click on the "Package" option, then click on the "Browse..." button and select the package created in Step 3. Click on the "OK" button.

19) Click on the "OK" button to save the Task Sequence.

20) Advertise the Task Sequence to a Collection of the affected computers. When creating the advertisement, make sure to choose the option "Make this task sequence available to boot media and PXE". To prevent the Task Sequence from accidentally running on unintended PCs, it is advisable NOT to set a Mandatory assignment on the Advertisement.

The above Task Sequence assumes that the drive where Windows and McAfee are installed will appear as C: while in WinPE. In some circumstances, that drive may be assigned another drive letter, such as E:. In these circumstances, the above Task Sequence will need to be modified to accommodate such scenarios. Additional tasks could be added to the Task Sequence and all tasks could be marked with "Continue On Error" to account for multiple scenarios.
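One way to handle the drive-letter caveat above in a single step is a small batch file shipped in the same package as EXTRA.DAT and run from one "Run Command Line" task. This is an added example, not part of the original post: the file name restore-svchost.cmd and the list of drive letters are assumptions, and unlike the xcopy /Y command above it restores svchost.exe only where the file is actually missing.

```bat
@echo off
rem restore-svchost.cmd (hypothetical name) - added example, not from the original post.
rem Place it in the package next to EXTRA.DAT and run it from WinPE with:
rem   cmd /c restore-svchost.cmd
rem Keep the _SMSTSInWinPE = true condition on the task so it never runs in the full OS.

set "FOUND="

rem Probe candidate volumes. The WinPE RAM disk (X:) has no dllcache folder,
rem so testing for the dllcache copy identifies the offline Windows XP volume.
for %%D in (C D E F G H I J K) do (
    if exist "%%D:\Windows\System32\dllcache\svchost.exe" (
        set "FOUND=%%D:"

        rem Restore only when the file was removed; never overwrite an existing copy.
        if not exist "%%D:\Windows\System32\svchost.exe" (
            copy /Y "%%D:\Windows\System32\dllcache\svchost.exe" "%%D:\Windows\System32\svchost.exe"
            if errorlevel 1 exit /b 1
        )

        rem Stage EXTRA.DAT only if the McAfee engine folder exists on this volume.
        if exist "%%D:\Program Files\Common Files\McAfee\Engine\" (
            copy /Y "%~dp0EXTRA.DAT" "%%D:\Program Files\Common Files\McAfee\Engine\EXTRA.DAT"
            if errorlevel 1 exit /b 1
        )
    )
)

rem Exit code 2 tells the Task Sequence that no Windows volume with a dllcache copy was found.
if not defined FOUND exit /b 2
exit /b 0
```

A non-zero exit code fails the step, so leave "Continue On Error" unchecked on this task if you want failures to show up in the advertisement status.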

Frank Rojas | Support Escalation Engineer

  • How does Microsoft and you people expect ordinary computer users to understand and follow what has been written above, you people are crazy.

  • I quite agree with Vincent because I don't understand one word of it and I find the computer world full of con-artists and people who just want the money, not how to fix any problem.

  • How can you find out if this will occur on your PC? I have XP with service pack 3 but haven't experienced this problem yet. If it is going to happen I would like to fix the problem before it occurs.

  • This post is targeted at the experienced Configuration Manager enterprise administrator so I understand how it could be confusing to a regular end user.  Sorry about that, I probably should have included a link to our KB that is much easier to follow if you're only fixing one or two computers.  The link for that is here:

    support.microsoft.com/.../2025695

    Oh, and if you haven't run into this issue yet you probably won't.  McAfee has fixed it so any updates will no longer have this problem.

  • If you're so clever why can't you make a fix that does it itself for thickies

  • I have a weekly crash that I related to McAfee.  I removed McAfee and replaced it with Norton 360. One week later, same problem.  I use remote access and I'm virtually always away and needing my pc when this occurs.  Any ideas?

  • Please help me find the right downloads to bring my pc update.georgeeddie41@yahoo.com windowsxp.

  • DAHHHH? Which way did he go george?

  • you fools, how an ordinary man understand these technical words??????