WARNING: McAfee causes false positive with the 5958 DAT file update
April 21st, 2010

 

On April 21st, McAfee sent out a definitions (DAT) update that falsely detected the file SVCHOST.EXE as the w32/wecorl.a worm.

 

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file and has resolved the issue with the 5959 DAT file as of April 21 at 2:00pm.

 

The current workaround and fix are shown below, but should only be performed by someone technical and familiar with Windows system files:

 

Solution 1

McAfee has developed a SuperDAT remediation Tool to restore the svchost.exe file on affected systems.

The tool suppresses the driver causing the false positive by applying an Extra.dat file in the C:\Program Files\Common Files\McAfee\engine folder. It then restores svchost.exe. After the tool runs, the system must be rebooted.

 

 Recommended Recovery SuperDAT Procedure

  1. From a system that has Internet access, download the Recovery SuperDAT from the location below and save it to a portable media device:

    http://download.nai.com/products/mcafee-avert/tools/SDAT5958_EM.exe
     
  2. Take the portable media to each affected computer and run the tool. If you are not able to run the tool on the affected computer, boot to safe mode and run it.
  3. After the tool finishes, restart the computer in normal mode.
  4. Update VirusScan Enterprise to ensure that you have the 5959 DAT. 

 

Solution 2

1. Boot the machine into safe mode (press F8 at boot). Do not use safe mode with networking.

 

2. Open the following folder: C:\Program Files\Common Files\McAfee\Engine

 

3. Delete the following file: avvscan.dat

 

4. Open the VirusScan Console (click Start -> Programs -> McAfee -> VirusScan Console).

 

5. Double-click Quarantine Manager Policy.

 

6. Click the Manager tab.

 

7. Right-click the SVCHOST.EXE quarantined item and select Restore.

 

8. Reboot

 

9. Right-click the McAfee shield and click “Update Now”.
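
After either solution, a quick check that svchost.exe is back in place and that the DAT has moved off 5958 can be scripted. The following is an added example, not part of the original alert or a McAfee tool; the function names are hypothetical, and the registry location of the DAT version (AVDatVersion under the McAfee\AVEngine key) is an assumption about the VirusScan Enterprise install.

```powershell
# Added example: post-remediation check for the 5958 DAT false positive.
# Assumption: VirusScan Enterprise stores its DAT version in the AVDatVersion
# value under one of these keys (the second is the 32-bit view on 64-bit Windows).
$RegPaths = @(
    'HKLM:\SOFTWARE\McAfee\AVEngine',
    'HKLM:\SOFTWARE\Wow6432Node\McAfee\AVEngine'
)

# Hypothetical helper: returns the installed DAT version as an int, or $null.
function Get-InstalledDatVersion {
    foreach ($path in $RegPaths) {
        $key = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($key -and $null -ne $key.AVDatVersion) {
            return [int]$key.AVDatVersion
        }
    }
    return $null   # VirusScan not found, or the value could not be read
}

# Hypothetical helper: maps the two observations to a status line.
function Get-Dat5958Status {
    param(
        $DatVersion,            # int or $null
        [bool]$SvchostPresent   # is svchost.exe in System32?
    )
    if (-not $SvchostPresent) {
        return 'AFFECTED: svchost.exe is missing; run the recovery SuperDAT or restore it from quarantine'
    }
    if ($null -eq $DatVersion) {
        return 'UNKNOWN: svchost.exe is present but the DAT version could not be read'
    }
    if ($DatVersion -eq 5958) {
        return 'AT RISK: svchost.exe is present but the 5958 DAT is still installed; update now'
    }
    if ($DatVersion -lt 5958) {
        return 'OK (older DAT): svchost.exe is present; confirm the next update installs 5959 or later'
    }
    return "OK: svchost.exe is present and DAT $DatVersion is installed"
}

$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
$status  = Get-Dat5958Status -DatVersion (Get-InstalledDatVersion) `
                             -SvchostPresent (Test-Path $svchost)
'{0}: {1}' -f $env:COMPUTERNAME, $status
```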

 

Please follow this link for additional updates which will be posted throughout the day:

 

 http://www.ccex.com/newsandalerts/alertItem.php?ItemNo=132

