McAfee has developed a SuperDAT remediation Tool to restore the svchost.exe file on affected systems.

Posted by Allen on April 23rd, 2010

Q: What does the SuperDAT Remediation Tool Do?

A: The tool suppresses the driver that causes the false positive by applying an Extra.dat file to the C:\Program Files\Common Files\McAfee\Engine folder. It then restores svchost.exe, looking first for %SYSTEM_DIR%\dllcache\svchost.exe; if that is not present it attempts a restore from %WINDOWS%\servicepackfiles\i386\svchost.exe, and if that is not present either it attempts a restore from Quarantine. After the tool is run, the machine needs to be rebooted.

Recommended Recovery SuperDAT Procedure

1. From a machine that has Internet access, locate and download the Recovery SuperDAT at http://download.nai.com/products/mcafee-avert/tools/SDAT5958_EM.exe and save it to portable media.
2. Take the portable media to each affected machine and run the tool. If you are not able to run the tool on the affected machine, boot in Safe Mode.
3. Execute the Recovery SuperDAT tool.
4. Reboot in Normal Mode.
5. Use the product update to update to the 5959 DAT.

W32.Wecorl.a (or Variant) Infection across enterprise

Posted by Allen on April 21st, 2010

McAfee is aware of a W32/Wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.

What happens
Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT.

Workaround 1

McAfee has developed an EXTRA.DAT to suppress this detection. The file is attached to this article. This EXTRA.DAT does not fix the issue; it only suppresses the detection.

Apply the EXTRA.DAT to all potentially affected systems as soon as possible.

For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.

IMPORTANT: For VirusScan Enterprise 8.5i and later, an Access Protection feature must be temporarily disabled before proceeding:

1. Click Start, Programs, McAfee, VirusScan Console.
2. Right-click Access Protection and select Disable.
3. Apply the EXTRA.DAT as described below.
4. Right-click Access Protection and select Enable.

To apply the EXTRA.DAT locally:

1. Download the EXTRA.ZIP file attached to this article and extract the EXTRA.DAT file.
2. Click Start, Run, type services.msc and click OK.
3. Right-click the McAfee McShield service and select Stop.
4. Copy the EXTRA.DAT file to the following location:

\Program Files\Common Files\McAfee\Engine

5. In the Services window, right-click McAfee McShield and select Start.

Workaround 2
If the false detection has deleted or quarantined svchost.exe on your system:

IMPORTANT: Ensure that you have applied the EXTRA.DAT to suppress the false positive detection before restoring svchost.exe.

Copy the svchost.exe from a working system

On a computer that is not affected by the issue, navigate to the location below:

C:\WINDOWS\system32

Copy svchost.exe to a network location or removable media device.
On the affected system, copy svchost.exe to the location below:

C:\WINDOWS\system32

Restart the affected computer.

On some computers I have had to run the Windows repair and then reboot the computer twice for it to work.
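The manual steps in Workarounds 1 and 2, together with the restore order given in the SuperDAT description above (dllcache, then servicepackfiles\i386, then Quarantine), can be combined into one script. The following is an added example and is not McAfee's tool or code from this article. It assumes the EXTRA.DAT has already been extracted to the path passed as `-ExtraDat`, that the machine has the 32-bit Windows XP/2003 layout in which those two cache directories exist, and that the optional `-KnownGoodHash` is the SHA-256 of svchost.exe taken from an unaffected machine running the same Windows version and service pack (the "copy from a working system" idea, used as a check rather than as the source). Disabling Access Protection on VSE 8.5i and later is still done in the VirusScan Console first, as the article says, and the Quarantine restore is left to the console as well.

```powershell
# Added example, not McAfee's SuperDAT tool or code from this article.
# Applies EXTRA.DAT (Workaround 1) and restores svchost.exe (Workaround 2)
# in the order the SuperDAT description gives: dllcache first, then
# servicepackfiles\i386. Run from an elevated PowerShell prompt on the
# affected machine (Safe Mode is fine), after disabling Access Protection.
param(
    # Where the EXTRA.DAT extracted from EXTRA.ZIP was saved (assumption).
    [string]$ExtraDat = "$env:USERPROFILE\Desktop\EXTRA.DAT",
    # Engine folder named in the article.
    [string]$EngineDir = "$env:ProgramFiles\Common Files\McAfee\Engine",
    # Optional SHA-256 of svchost.exe from a clean machine with the same Windows
    # version and service pack; when given, only a matching copy is restored.
    [string]$KnownGoodHash = ''
)

$sys32  = Join-Path $env:SystemRoot 'system32'
$target = Join-Path $sys32 'svchost.exe'
# Candidate sources, in the order the SuperDAT tool is described as trying them.
$candidates = @(
    (Join-Path $sys32 'dllcache\svchost.exe'),
    (Join-Path $env:SystemRoot 'servicepackfiles\i386\svchost.exe')
)

function Get-Sha256Hex {
    param([string]$Path)
    $bytes = [System.Security.Cryptography.SHA256]::Create().ComputeHash([System.IO.File]::ReadAllBytes($Path))
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# --- Workaround 1: suppress the detection before touching svchost.exe ---
if (-not (Test-Path $ExtraDat)) { throw "EXTRA.DAT not found at $ExtraDat" }
Write-Host "Stopping McShield so the engine loads EXTRA.DAT when it restarts"
Stop-Service -Name 'McShield' -ErrorAction Stop
Copy-Item -Path $ExtraDat -Destination (Join-Path $EngineDir 'EXTRA.DAT') -Force
Start-Service -Name 'McShield'

# --- Workaround 2: restore svchost.exe only if the detection removed it ---
if (Test-Path $target) {
    Write-Host "svchost.exe is still present in $sys32; nothing to restore."
    return
}
$source = $null
foreach ($candidate in $candidates) {
    if (-not (Test-Path $candidate)) { continue }
    $hash = Get-Sha256Hex $candidate
    Write-Host "Found $candidate (SHA-256 $hash)"
    if ($KnownGoodHash -and ($hash -ne $KnownGoodHash.ToUpper())) {
        Write-Warning "Hash of $candidate does not match the known-good copy; skipping it"
        continue
    }
    $source = $candidate
    break
}
if ($null -eq $source) {
    Write-Warning "No usable svchost.exe in dllcache or servicepackfiles; restore it from Quarantine in the VirusScan Console or copy it from a working system."
    return
}
Copy-Item -Path $source -Destination $target
Write-Host "Restored svchost.exe from $source. Reboot the machine now."
```

The script stops at the first candidate it accepts, so the dllcache copy wins when both exist, matching the tool's described order. Without `-KnownGoodHash` it still prints the hash of whatever it restores, which gives you something to compare against a clean machine afterwards; with Access Protection still enabled, the `Stop-Service` call is the step most likely to be blocked, which is why the article has you disable it first.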

Missing global address book in outlook

Posted by Allen on April 15th, 2010

When rolling back from Office 2007 to 2003 I have noticed that the Global Address Book (GAL) is missing in Outlook. The only fix I have managed to get to work was to recreate the profile in Outlook. The other option is to reinstall Outlook 2007.

McAfee SFC_os.dll Error

Posted by Allen on April 3rd, 2010

There are two situations where detection can occur and cleaning takes place:

1. If the modified sfc_os.dll is not located in the System32 or System32\dllcache directory, cleaning proceeds in one step:

- The modified bytes are patched again to the correct values. The sfc_os.dll file is now clean
- The corrected file is copied to zfcxx.tmp. This file is also clean, but it will stay in the system.

2. If the modified file is located in System32 or System32\dllcache, cleaning occurs in two steps:

First step:

- The modified bytes are patched again with the correct values. Since the file is in use by Windows, this modification fails or is delayed. The file is still infected.
- The file is then copied to zfcxx.tmp. This temporary file is also infected.
- If the system is scanned again, no detection will occur on sfc_os.dll, since detection only occurs when there is no zfcxx.tmp file in the same directory.

Second step:

- Do not REBOOT the machine yet
- Scan the machine again. Only zfcxx.tmp will be detected.
- The temporary file will be patched to contain the correct bytes. zfcxx.tmp will now be clean.
- The infected sfc_os.dll file will be moved to sfc_os.dll.exe. This is a delayed move, so it will only occur AFTER reboot, since the file is in use by Windows.
- The clean file zfcxx.tmp will be copied to sfc_os.dll, restoring the original DLL to its place.
- The cleaning procedure tries to remove zfcxx.tmp and sfc_os.dll.exe. This operation will be delayed until the next reboot.
- The user should then reboot the system. The temporary files will be removed and the DLL will be restored.
- If the system is scanned again and detection occurs on the sfc_os.dll file located in System32\dllcache, the files zfcxx.tmp and sfc_os.dll.exe will be created again. Just reboot and they will be removed.
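Because the two steps above leave different artefacts behind (zfcxx.tmp after the first scan, sfc_os.dll.exe and deferred moves after the second), it helps to check which step a machine is in before deciding whether to scan again or reboot. The following is an added diagnostic example, not McAfee's cleaning routine or code from this article. It reads the article's `zfcxx.tmp` as a `zfc*.tmp` file pattern (an assumption), and it assumes the delayed move and delete described above are recorded in the standard Windows PendingFileRenameOperations registry value, which is how Windows implements file operations deferred until reboot (the article does not say that the engine uses exactly that mechanism).

```powershell
# Added diagnostic example, not McAfee's cleaning routine or code from this article.
# Reports the state of the sfc_os.dll cleanup in system32 and system32\dllcache
# and says whether a rescan or a reboot is the next step. Run as administrator.
$sys32 = Join-Path $env:SystemRoot 'system32'
$dirs  = @($sys32, (Join-Path $sys32 'dllcache'))

function Get-Sha256Hex {
    param([string]$Path)
    $bytes = [System.Security.Cryptography.SHA256]::Create().ComputeHash([System.IO.File]::ReadAllBytes($Path))
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Get-SfcState {
    param([string]$Dir)
    $dll   = Join-Path $Dir 'sfc_os.dll'
    $moved = Join-Path $Dir 'sfc_os.dll.exe'   # where the infected DLL ends up after reboot
    # "zfcxx.tmp" in the article, read here as a zfc*.tmp pattern (assumption)
    $tmp   = @(Get-ChildItem -Path $Dir -Filter 'zfc*.tmp' -ErrorAction SilentlyContinue)
    $hash  = $null
    if (Test-Path $dll) { $hash = Get-Sha256Hex $dll }
    New-Object PSObject -Property @{
        Directory  = $Dir
        DllPresent = (Test-Path $dll)
        DllHash    = $hash
        TempFiles  = @($tmp | ForEach-Object { $_.Name })
        MovedCopy  = (Test-Path $moved)
    }
}

$states = $dirs | ForEach-Object { Get-SfcState $_ }
$states | Format-List Directory, DllPresent, DllHash, TempFiles, MovedCopy

# Windows keeps reboot-deferred moves/deletes in this REG_MULTI_SZ value
# (assumption: the engine's delayed operations are recorded here).
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = @((Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations |
             Where-Object { $_ -match 'sfc_os\.dll|zfc.*\.tmp' })

$anyTemp  = @($states | Where-Object { $_.TempFiles.Count -gt 0 }).Count -gt 0
$anyMoved = @($states | Where-Object { $_.MovedCopy }).Count -gt 0

# Under Windows File Protection the system32 and dllcache copies are normally
# identical; a mismatch means one of them is still the patched (modified) file.
if ($states[0].DllHash -and $states[1].DllHash -and ($states[0].DllHash -ne $states[1].DllHash)) {
    Write-Warning "sfc_os.dll differs between system32 and dllcache; one copy is still modified."
}

if ($pending.Count -gt 0 -or $anyMoved) {
    Write-Host "Second step has run: $($pending.Count) deferred operation(s) on sfc_os.dll/zfc*.tmp. Reboot now to complete the cleanup."
} elseif ($anyTemp) {
    Write-Host "First step has run (zfc*.tmp present, DLL still in use). Do NOT reboot; run another scan so zfc*.tmp is detected and patched."
} else {
    Write-Host "No cleanup artefacts found; sfc_os.dll is either clean or has not been detected yet."
}
```

Run it after each scan: the "first step" message means the scanner still has to patch the temporary copy, so a reboot at that point would just leave the infected DLL in place, while the "second step" message means everything left to do is waiting on the reboot the article asks for.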


Copyright © 2010 IT Troubleshooters.