
Apr 22, 2010

Steps to Recover from Mcafee Update Bug

McAfee Buggy Update

Someone's going to be looking for another job at McAfee after deploying DAT 5958, the buggy definition file that generated false positives for W32/Wecorl.a and quarantined or deleted svchost.exe, leaving affected Windows XP machines unbootable or without networking. It reportedly affected millions of computers worldwide. Fortunately, McAfee provided instructions to correct the problem...

Recommended Manual Recovery Procedure using the Extra DAT where DAT 5958 is currently installed
1.      Locate the extra.dat from here and unzip it
2.      Boot in Safe Mode with "Network Option" enabled
3.      Copy the Extra DAT into c:\program files\common files\mcafee\engine
4.      If svchost.exe exists in c:\windows\system32 and is not a 0-byte file, skip to step 6
5.      If svchost.exe was deleted, pull up the VSE console and open "Quarantine Manager"
Click on the detection and select "Restore"
1)      If the VSE console does not come up:
C:\program files\mcafee\virusscan enterprise\mcconsol.exe /standalone
This will pull up the VSE console. Click on the detection and select "Restore"
2)      If steps 5 and 5.1 do not work OR if svchost.exe is 0 bytes:
a.       When possible, copy svchost.exe from the local C:\windows\ServicePackFiles\i386\svchost.exe or, if that is not present, from c:\windows\system32\dllcache\svchost.exe
b.      Otherwise copy svchost.exe from an unaffected system (same OS and service pack level) to the c:\windows\system32 directory using external media (USB, CD etc.)
If "Paste" is grayed out, use the command line instead:
Start -> Run -> cmd
Run the following command: copy [source\filename] [destination\folder]
Example:  copy x:\svchost.exe c:\windows\system32
6.      Reboot in normal mode
7.      Use the product update to update to DAT 5959
8.      Delete the Extra DAT file from c:\program files\common files\mcafee\engine

Alternate Manual Recovery Procedure using DAT 5959 where DAT 5958 is currently installed
1.      Boot in Safe Mode with "Network Option" enabled
2.      If svchost.exe was not deleted (look for c:\windows\system32\svchost.exe) and is not 0 bytes, a network connection should be possible - skip to step 5
3.      If svchost.exe was deleted or is 0 bytes, a network connection may not be possible
4.      If svchost.exe was deleted, pull up the VSE console and open "Quarantine Manager"
Click on the detection and select "Restore"
1)      If the VSE console does not come up:
C:\program files\mcafee\virusscan enterprise\mcconsol.exe /standalone
This will pull up the VSE console. Click on the detection and select "Restore"
2)      If steps 4 and 4.1 do not work OR svchost.exe is 0 bytes:
a.       When possible, copy svchost.exe from the local C:\windows\ServicePackFiles\i386\svchost.exe or, if that is not present, from c:\windows\system32\dllcache\svchost.exe
b.      Otherwise copy svchost.exe from an unaffected system (same OS and service pack level) to the c:\windows\system32 directory using external media (USB, CD etc.)
If "Paste" is grayed out, use the command line instead:
Start -> Run -> cmd
Run the following command: copy [source\filename] [destination\folder]
Example:  copy x:\svchost.exe c:\windows\system32
5.      Download the 5959 SuperDAT from here
6.      Run the SuperDAT program
7.      Reboot in normal mode
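Both procedures above share the same tedious core: check whether svchost.exe is present and non-empty, and if not, put a good copy back before doing anything else. The script below is an added example, not McAfee's code and not part of the original instructions; it automates that check and the local restore (ServicePackFiles\i386, then dllcache, then optional external media) and stages the Extra DAT for the first procedure. It assumes it is run by an administrator in Safe Mode on the affected machine, that PowerShell is installed there (it was not part of XP by default), and that the paths are the ones McAfee's procedure lists. The -KnownGoodSha256 parameter is my addition: if you hash svchost.exe on an unaffected machine with the same OS and service pack, the script refuses any candidate that does not match, which covers the "copy from an unaffected system (same OS)" caveat without trusting a blind copy.

```powershell
# Added example, not McAfee's script. Automates the svchost.exe check/restore
# from the manual recovery procedures and stages the Extra DAT.
# Assumptions: run as administrator in Safe Mode on the affected machine;
# PowerShell installed (not part of Windows XP by default); paths as in the
# McAfee procedure. -KnownGoodSha256, -ExternalCopy, -ExtraDat are optional.
param(
    # SHA-256 of svchost.exe from an unaffected machine, same OS and service pack.
    # Assumption: the operator computes and supplies it; if omitted, only
    # existence and non-zero size are checked (which is all McAfee's steps do).
    [string]$KnownGoodSha256,
    # svchost.exe on external media, e.g. X:\svchost.exe (sub-step 2.b above)
    [string]$ExternalCopy,
    # Extracted Extra DAT to stage for the first procedure (step 3); skipped if not given
    [string]$ExtraDat
)

$sys32  = Join-Path $env:windir 'system32'
$target = Join-Path $sys32 'svchost.exe'
$engine = Join-Path $env:ProgramFiles 'Common Files\McAfee\Engine'

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash does not exist on older PowerShell versions, so use .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Test-SvchostIntact([string]$Path) {
    # The procedure's check: file present AND not a 0-byte file.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    if ((Get-Item -LiteralPath $Path).Length -eq 0) { return $false }
    # Optional stronger check against a known-good hash (added here, not in McAfee's steps).
    if ($KnownGoodSha256) {
        return ((Get-Sha256Hex $Path) -eq $KnownGoodSha256.ToLower())
    }
    return $true
}

if (Test-SvchostIntact $target) {
    Write-Host "svchost.exe is intact; no restore needed."
} else {
    Write-Host "svchost.exe is missing, empty or does not match; attempting restore."
    # Candidates in the order the procedure lists them; external media last.
    $candidates = @(
        (Join-Path $env:windir 'ServicePackFiles\i386\svchost.exe'),
        (Join-Path $sys32 'dllcache\svchost.exe')
    )
    if ($ExternalCopy) { $candidates += $ExternalCopy }

    $restored = $false
    foreach ($src in $candidates) {
        # Only copy a candidate that itself passes the same size/hash check.
        if (Test-SvchostIntact $src) {
            Copy-Item -LiteralPath $src -Destination $target -Force
            if (Test-SvchostIntact $target) {
                Write-Host "Restored svchost.exe from $src"
                $restored = $true
                break
            }
        }
    }
    if (-not $restored) {
        Write-Error "No usable svchost.exe found locally; restore it from Quarantine Manager or external media, then rerun."
        exit 1
    }
}

if ($ExtraDat) {
    # Step 3 of the first procedure. Remember to delete it from the engine
    # folder after updating to DAT 5959 (step 8).
    Copy-Item -LiteralPath $ExtraDat -Destination $engine -Force
    Write-Host "Extra DAT staged in $engine"
}
```

Run it from an administrative command prompt in Safe Mode, e.g. `powershell -File .\fix-svchost.ps1 -KnownGoodSha256 <hash> -ExternalCopy X:\svchost.exe -ExtraDat C:\temp\extra.dat` (the script name and paths are placeholders). Safe Mode matters because VSE's on-access scanner is not running there; with DAT 5958 still installed, a restored svchost.exe copied in normal mode could simply be detected and quarantined again before you get to update.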

This requires IT personnel to spend time with affected machines individually. What a nightmare.
