W32.Wecorl.a (or Variant) Infection across enterprise
Microsoft Vista, Microsoft XP, Security, Software, Tips & Tricks, Troubleshooting, Windows 7 April 21st, 2010McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.
What happens
Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT.
Workaround 1
McAfee has developed an EXTRA.DAT to suppress this detection. The file is attached to this article. This EXTRA.DAT does not fix the issue, it only suppresses the detection.
Apply the EXTRA.DAT to all potentially affected systems as soon as possible.
For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.
IMPORTANT: For VirusScan Enterprise 8.5i and later, an Access Protection feature must be temporarily disabled before proceeding:
Click Start, Programs, McAfee, VirusScan Console.
Right-click Access Protection and select Disable.
Apply the EXTRA.DAT as described below.
Right-click Access Protection and select Enable.
To apply the EXTRA.DAT locally:
Download the EXTRA.ZIP file attached to this article and extract the EXTRA.DAT file.
Click Start, Run, type services.msc and click OK.
Right-click the McAfee McShield service and select Stop.
Copy the EXTRA.DAT file to the following location:
In the Services window, right-click McAfee McShield and select Start.
Workaround 2
If the false detection has deleted or quarantined svchost.exe on your system:
IMPORTANT: Ensure that you have applied the EXTRA.DAT to suppress the false positive detection before restoring svchost.exe.
Copy the svchost.exe from a working system
On a computer that is not affected by the issue, navigate to the location below:
C:\WINDOWS\system32
Copy svchost.exe to a network location or removable media device.
On the affected system, copy svchost.exe to the location below:
C:\WINDOWS\system32
Restart the affected computer.
On some computer I have had to run the windows repair then 2 reboots of the computer to work.
© 2010, IT Troubleshooters. All rights reserved.
April 22nd, 2010 at 1:03 am
For Anyone that doesn’t know there is a NASTY virus going around with the latest round of McAfee updates. I heard that If you use the McAfee antivirus software and get prompted to update to the latest version PLEASE do not update, reports around the internet say that an Update to Dat 5958 is killing SVCHOST.exe. Many numerous reports are coming up, mainly across Twitter and Facebook with people saying that they are not able to access their computers after the update because of this problem, and others get Blue Screen Of Death’s as soon as the McAfee antivirus software has started running. Currently it seems to be only Windows XP SP3 systems that are affected by this problem with no reports of problems with Windows Vista and 7 users.
May 2nd, 2010 at 11:29 am
great post as usual!
June 9th, 2010 at 12:28 am
Hi, I’m very interested in Linux but Im a Super Newbie and I’m having trouble deciding on the right distribution for me (Havent you heard this a million times?) anyway here is my problem, I need a distribution that can switch between reading and writing in English and Japanese (Japanese Language Support) with out restarting the operating system.