McAfee issues manual fix

April 22, 2010 4:47:28 AM PDT
McAfee has developed a SuperDAT remediation Tool to restore the svchost.exe file on affected systems.

False positive detection of w32/wecorl.a in 5958 DAT

Corporate KnowledgeBase ID: KB68780
Published: April 22, 2010

Environment

For details of all supported operating systems, see KB51109.

Summary

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.

WARNING: If you receive a detection for w32/wecorl.a, DO NOT restart your computer until you have performed the remediation steps in this article.

Please watch for updates on this issue, which will be sent on a timely basis through Support Notification Service (SNS) and Platinum Proactive notifications.

To subscribe to SNS, visit http://my.mcafee.com/content/SNS_Subscription_Center.

This article will be updated as additional information becomes available.

Problem

DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010.

Solution 1

McAfee has developed a SuperDAT remediation Tool to restore the svchost.exe file on affected systems.

Q: What does the SuperDAT Remediation Tool do?

A: The tool suppresses the driver causing the false positive by applying an Extra.dat file in the C:\Program Files\Common Files\McAfee\engine folder. It then restores svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe. If that copy is not present, it attempts to restore the file from %WINDOWS%\servicepackfiles\i386\svchost.exe. If svchost.exe is not present there either, it attempts to restore it from quarantine. After the tool runs, the system must be rebooted.

Recommended Recovery SuperDAT Procedure

1. From a system that has Internet access, download the Recovery SuperDAT from the location below and save it to a portable media device:
   http://download.nai.com/products/mcafee-avert/tools/SDAT5958_EM.exe
2. Take the portable media to each affected computer and run the tool. If you are not able to run the tool on the affected computer, boot to safe mode and run it.
3. After the tool finishes, restart the computer in normal mode.
4. Update VirusScan Enterprise to ensure that you have the 5959 DAT.

Solution 2

The issue is resolved in the 5959 DAT file release (April 21, 2010), which is available from the McAfee Security Updates page at:

http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

IMPORTANT: If you are already affected by this issue, you must still either replace or restore svchost.exe. McAfee is continuing to work on an automated solution to fully resolve the issue for affected customers.

Recovery procedure using DAT 5959

1. Download the 5959 DAT file (5959xdat.exe) on a working computer and copy it to a removable media device such as a CD or USB stick.
2. Start the affected computer in Safe Mode with networking enabled.
3. Copy 5959xdat.exe to the computer, then double-click it to update the VSE DAT files.
4. Launch Windows Explorer and navigate to C:\WINDOWS\system32.
5. If svchost.exe exists in this folder and is not a 0 byte file, continue to Step 9.
6. If svchost.exe has been deleted (or is a 0 byte file), launch the VirusScan Console (click Start, Programs, McAfee, VirusScan Console).
   If you are unable to launch the VirusScan Console, click Start, Run, type the command below (including quotes) and click OK:

     "C:\program files\mcafee\virusscan enterprise\mcconsol.exe" /standalone

7. Double-click Quarantine Manager Policy, then click the Manager tab.
8. Right-click the detection and select Restore.
9. Restart the computer normally.
If you are unable to restore svchost.exe from Quarantine, or if svchost.exe is 0 bytes, use one of the following:

  • On the affected system, copy svchost.exe from C:\windows\ServicePackFiles\i386\svchost.exe (or, if that is not present, from C:\WINDOWS\system32\dllcache\svchost.exe) to C:\WINDOWS\system32.
    If you are unable to use the copy and paste functions in Windows, click Start, Run, type CMD, then click OK. At the command prompt, type the command below and press ENTER:

      copy C:\windows\ServicePackFiles\i386\svchost.exe C:\WINDOWS\system32

    NOTE: Change the source path to match the location where svchost.exe exists on your system.

  • Copy svchost.exe from C:\WINDOWS\system32 on an unaffected system to C:\WINDOWS\system32 on the affected computer. You can copy the file to a removable media device such as a CD or USB stick.
    IMPORTANT: The two computers must have the same version of Windows.

Workaround

McAfee has developed an EXTRA.DAT to suppress this detection. The file is attached to this article. This EXTRA.DAT does not fix the issue; it only suppresses the detection.

Apply the EXTRA.DAT to all potentially affected systems as soon as possible.

For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.

To apply the EXTRA.DAT locally to an affected computer:

IMPORTANT: For VirusScan Enterprise 8.5i and later, an Access Protection feature must be temporarily disabled before proceeding. For instructions on how to temporarily disable Access Protection in the VirusScan Console, see KB52204.

To apply the EXTRA.DAT locally:

1. Download the EXTRA.ZIP file attached to this article and extract the EXTRA.DAT file.
2. Start the affected computer in Safe Mode with networking enabled.
3. Copy EXTRA.DAT to C:\Program Files\Common Files\McAfee\Engine.
4. Launch Windows Explorer and navigate to C:\WINDOWS\system32.
5. If svchost.exe exists in this folder and is not a 0 byte file, continue to Step 9.
6. If svchost.exe has been deleted (or is a 0 byte file), launch the VirusScan Console (click Start, Programs, McAfee, VirusScan Console).
   If you are unable to launch the VirusScan Console, click Start, Run, type the command below (including quotes) and click OK:

     "C:\program files\mcafee\virusscan enterprise\mcconsol.exe" /standalone

7. Double-click Quarantine Manager Policy, then click the Manager tab.
8. Right-click the detection and select Restore.
9. Restart the computer normally.
If you are unable to restore svchost.exe from Quarantine, or if svchost.exe is 0 bytes, use one of the following:

  • On the affected system, copy svchost.exe from C:\windows\ServicePackFiles\i386\svchost.exe (or, if that is not present, from C:\WINDOWS\system32\dllcache\svchost.exe) to C:\WINDOWS\system32.
    If you are unable to use the copy and paste functions in Windows, click Start, Run, type CMD, then click OK. At the command prompt, type the command below and press ENTER:

      copy C:\windows\ServicePackFiles\i386\svchost.exe C:\WINDOWS\system32

    NOTE: Change the source path to match the location where svchost.exe exists on your system.

  • Copy svchost.exe from C:\WINDOWS\system32 on an unaffected system to C:\WINDOWS\system32 on the affected computer. You can copy the file to a removable media device such as a CD or USB stick.
    IMPORTANT: The two computers must have the same version of Windows.
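The manual restore steps above, and the identical steps under Solution 2, reduce to one check (is svchost.exe present and non-empty?) followed by a copy from the first local source that still has a good copy, in the same order the SuperDAT tool description gives: dllcache first, then ServicePackFiles, then Quarantine. The PowerShell script below is an added example of that check and copy; it is not McAfee's SuperDAT tool and not a script from this KB article. The path layout ($env:SystemRoot in place of the literal C:\WINDOWS), the SHA-256 comparison used to verify the copy, and the function names are assumptions made for this example.

```powershell
# Added example, not McAfee's SuperDAT tool or a script from KB68780.
# Checks whether %SystemRoot%\system32\svchost.exe is missing or 0 bytes and,
# if so, restores it from the local sources named in the KB, in the order the
# SuperDAT tool description lists them. Run from an elevated prompt, in Safe
# Mode if the system will not boot normally. Paths below are assumptions.

function Test-UsableFile {
    param([string]$Path)
    # A file that exists but is 0 bytes counts as missing (KB steps 5 and 6).
    return (Test-Path -LiteralPath $Path) -and ((Get-Item -LiteralPath $Path).Length -gt 0)
}

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash is not available on older PowerShell, so use .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', ''
    } finally {
        $stream.Close()
    }
}

# Target file and the candidate sources, dllcache before ServicePackFiles.
$target = Join-Path $env:SystemRoot 'system32\svchost.exe'
$candidates = @(
    (Join-Path $env:SystemRoot 'system32\dllcache\svchost.exe'),
    (Join-Path $env:SystemRoot 'ServicePackFiles\i386\svchost.exe')
)

if (Test-UsableFile $target) {
    Write-Host "svchost.exe is present and non-empty; no restore needed. Continue with the KB steps (restart, then update to the 5959 DAT)."
    exit 0
}

# Pick the first candidate that exists and is non-empty.
$source = $candidates | Where-Object { Test-UsableFile $_ } | Select-Object -First 1
if (-not $source) {
    Write-Host "No usable local copy of svchost.exe found. Restore it from Quarantine in the VirusScan Console, or copy it from an unaffected system with the same Windows version."
    exit 1
}

Write-Host "Restoring $target from $source"
Copy-Item -LiteralPath $source -Destination $target -Force

# Verify the restored file byte-for-byte against its source before trusting it.
if ((Test-UsableFile $target) -and ((Get-Sha256Hex $target) -eq (Get-Sha256Hex $source))) {
    Write-Host "Restore verified (SHA-256 matches the source). Restart in normal mode and update to the 5959 DAT."
    exit 0
} else {
    Write-Host "Restore did not verify; do not reboot yet. Fall back to restoring from Quarantine."
    exit 1
}
```

Run it only after the EXTRA.DAT or the 5959 DAT is in place, since with the 5958 DAT still active the restored file can be detected and quarantined again, and with Access Protection temporarily disabled where KB52204 applies, because that feature can block the write to system32. The script never reboots on its own; restarting stays a manual step, consistent with the WARNING at the top of the article.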

For instructions on how to deploy the EXTRA.DAT through ePolicy Orchestrator (ePO), see:

  • ePO 4.0 - KB52977
  • ePO 4.5 - KB67602

Related Information

Threat Center (McAfee Avert Labs): http://www.mcafee.com/us/threat_center/

Search the Threat Library: http://vil.nai.com/

Submit a virus sample: https://www.webimmune.net/default.asp

Security updates and DAT files: http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

For additional information about EXTRA.DAT files, see KB68759.
