
McAfee Nukes Windows XP Computers World-Wide

2010-04-21 by Jason

McAfee’s definitions for today, 5958 dated April 21st, have a false positive that is detrimentally affecting computers around the world. The definitions are detecting C:\Windows\System32\svchost.exe as the W32/Wecorl.a virus. Svchost.exe, as you may be aware, is a critical Windows file that is required for network/Internet communication to work.

More info as the story breaks and I have a second to sit down.

Update:

To get around the ‘in use’ message and repair things, I’ve been following this process:

  1. Boot up into safe mode.
  2. Copy the extra.dat to C:\program files\common files\Mcafee\engine
  3. Go to C:\Windows\System32 and move svchost.exe to the desktop (or somewhere temporarily).
  4. Inside McAfee VirusScan Console go into the Quarantine Manager and restore all of the instances from today.
  5. Reboot.

The machine is then OK for normal use.

McAfee’s “DAT” file version 5958 is causing widespread problems with Windows XP SP3. The affected systems will enter a reboot loop and lose all network access. We have individual reports of other versions of Windows being affected as well. However, only particular configurations of these versions appear affected. The bad DAT file may infect individual workstations as well as workstations connected to a domain. The use of “ePolicyOrchestrator”, which is used to update virus definitions across a network, appears to have led to a faster spread of the bad DAT file. The ePolicyOrchestrator is used to update “DAT” files throughout enterprises. It cannot be used to undo this bad signature because affected systems will lose network connectivity.

The problem is a false positive which identifies a regular Windows binary, “svchost.exe”, as “W32/Wecorl.a”, a virus. If you are affected, you will see a message like:

The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus.
Undetermined clean error, OAS denied access and continued.
Detected using Scan engine version 5400.1158 DAT version 5958.0000.

McAfee released an updated DAT file, and an “EXTRA.DAT” file to fix the problem. An EXTRA.DAT file is a patch to just fix the bad signature. McAfee’s support web sites currently respond slowly and are down at times, likely due to the increased load caused by this issue.

Several readers reported that this procedure worked to recover:

1 – Boot the system in “Safe Mode”
2 – copy extra.dat in c:/program files/common files/mcafee/engine
3 – reboot.

If you lost “svchost.exe”, then you need to copy it back to c:/Windows/system32/svchost.exe while in safe mode. This fix has to be applied locally at the workstation. However, it may be possible to do this remotely if your workstations support Intel’s “vPro” technology. We should have a link to instructions shortly.

Additional information from McAfee: http://community.mcafee.com/thread/24056?tstart=0
McAfee Knowledgebase Article: https://kc.mcafee.com/corporate/index?page=content&id=KB68780
EXTRA.DAT file: http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=265240

From SANS Internet Storm Center.
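For triage across many machines, the three-line alert quoted above can be matched mechanically to separate hosts hit by this false positive from hosts reporting something else. The following is an added example, not code from the original post, SANS or McAfee; the hostnames, the second alert and the idea of collecting alert text per host into a dictionary are constructed assumptions.

```python
import re

# Three-line on-access alert, in the format quoted in the article.
ALERT_RE = re.compile(
    r"The file (?P<path>[^\r\n]+?) contains the (?P<name>[^\r\n]+?) Virus\.[ \t]*\r?\n"
    r"(?P<action>[^\r\n]*)\r?\n"
    r"Detected using Scan engine version (?P<engine>[\d.]+) "
    r"DAT version (?P<dat>\d+)\.\d+",
    re.IGNORECASE,
)

BAD_DAT = 5958                            # DAT version named in the article
BAD_NAME = "w32/wecorl.a"                 # detection name named in the article
TARGET_SUFFIX = r"\system32\svchost.exe"  # file hit by the false positive

def parse_alerts(text):
    """Return one dict per complete three-line alert found in text."""
    return [
        {"path": m["path"], "name": m["name"], "action": m["action"].strip(),
         "engine": m["engine"], "dat": int(m["dat"])}
        for m in ALERT_RE.finditer(text)
    ]

def is_dat_false_positive(alert):
    """True only when DAT version, detection name and target file all match."""
    return (alert["dat"] == BAD_DAT
            and alert["name"].lower() == BAD_NAME
            and alert["path"].lower().endswith(TARGET_SUFFIX))

def triage(reports):
    """reports maps hostname -> collected alert text; returns affected hosts, sorted."""
    return sorted(host for host, text in reports.items()
                  if any(is_dat_false_positive(a) for a in parse_alerts(text)))

# Constructed sample input: the first alert is the message from the article,
# the second is an invented detection that must not be flagged.
SAMPLE_REPORTS = {
    "WS-ACCT-01": r"""The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus.
Undetermined clean error, OAS denied access and continued.
Detected using Scan engine version 5400.1158 DAT version 5958.0000.""",
    "WS-LAB-07": r"""The file C:\Temp\sample.exe contains the Constructed/Sample.a Virus.
Undetermined clean error, OAS denied access and continued.
Detected using Scan engine version 5400.1158 DAT version 5958.0000.""",
    "WS-HR-03": "No alerts recorded.",
}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORTS))
```

Hosts returned by `triage` are the ones that need the local safe-mode fix described above; alerts on other files under the same DAT still deserve a normal review.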

Update 2:

McAfee has deployed a SuperDAT that is having even better luck at reviving machines. Download the SuperDAT to a USB memory stick, boot the broken computer into safe mode, and run the SuperDAT. After it completes (takes about 2-3 minutes), reboot and the computer will likely be repaired.

If you get an odd message about the shutil.dll file missing, like I did a few times (out of dozens of machines), copy the shutil.dll file from a working computer at c:\program files\mcafee\virusscan enterprise\shutil.dll to the same location on the broken machine in Safe Mode.
