173030 Views 193 Replies Latest reply: Apr 27, 2010 10:40 AM by markp
  • pg13 Newcomer 71 posts since
    Jul 5, 2007
    130. Apr 22, 2010 9:36 AM (in response to jmcleish)
    Re: W32/Wecorl.a 0-day?

    @jmcleish : VS 8.5 or 8.7 ?  I tried it on 8.5 with safe mode, and not working.


    Patrick
  • Newcomer 4 posts since
    Apr 21, 2010
    131. Apr 22, 2010 9:37 AM (in response to jmcleish)
    Re: W32/Wecorl.a 0-day?

    doesn't look like they can even get environment variables correct.

     

    from the sdat article:

    https://kc.mcafee.com/corporate/index?page=content&id=KB68780

     

    What does the SuperDAT Remediation Tool Do?
    The tool suppresses the driver causing the false positive by applying an Extra.dat file in c:\program files\commonfiles\mcafee\engine folder. It then restores the svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe. If not present, it attempts a restore from the following:

    • %WINDOWS%\servicepackfiles\i386\svchost.exe
    • Quarantine.

     

    I don't know about anyone else here, but I have never seen a %windows% or a %system_dir% environment variable defined anywhere on any XP system I have; actually any Windows system at all.  I could have sworn all you get is %windir% and no variable for system32.  And in the previous sentence they hardcoded the C:\ drive letter into the dat copy path.  They can't even be consistent.  Maybe that's why people are having trouble using the fix?  It is looking in places that don't exist?
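
Added example, not part of the post above and not McAfee's tool: a small triage helper that takes the two restore paths quoted from the KB text, reports which `%...%` names are undefined in a given environment, and finds the first source that actually holds a copy of svchost.exe. The placeholder mapping, the sample environment and the sample file set are assumptions constructed for illustration.

```python
import re

# Restore sources in the order the quoted KB text lists them
# (Quarantine is omitted: it is not a file path).
KB_SOURCES = [
    r"%SYSTEM_DIR%\dllcache\svchost.exe",
    r"%WINDOWS%\servicepackfiles\i386\svchost.exe",
]
# Assumption: what the KB placeholders most plausibly stand for on Windows XP.
PLACEHOLDER_MAP = {"SYSTEM_DIR": r"%SystemRoot%\system32", "WINDOWS": r"%SystemRoot%"}
_VAR = re.compile(r"%([^%\\]+)%")

def expand(path, env):
    """Expand %VAR% the way cmd.exe does: case-insensitive, unknown names stay literal."""
    lookup = {k.upper(): v for k, v in env.items()}
    missing = []
    def sub(m):
        name = m.group(1).upper()
        if name in lookup:
            return lookup[name]
        missing.append(m.group(1))
        return m.group(0)
    return _VAR.sub(sub, path), missing

def map_placeholders(path):
    """Rewrite KB placeholders to real variables using the assumed mapping."""
    return _VAR.sub(lambda m: PLACEHOLDER_MAP.get(m.group(1).upper(), m.group(0)), path)

def find_restore_source(env, exists):
    """Return (first source present or None, per-source report)."""
    found, report = None, []
    for raw in KB_SOURCES:
        _, undefined = expand(raw, env)            # names that do not resolve as written
        resolved, _ = expand(map_placeholders(raw), env)
        present = exists(resolved)
        report.append({"kb": raw, "undefined": undefined,
                       "resolved": resolved, "present": present})
        if present and found is None:
            found = resolved
    return found, report

# Constructed sample: default XP variables; the dllcache copy is missing.
SAMPLE_ENV = {"SystemRoot": r"C:\WINDOWS", "windir": r"C:\WINDOWS"}
SAMPLE_FILES = {r"c:\windows\servicepackfiles\i386\svchost.exe"}

def sample_exists(path):
    return path.lower() in SAMPLE_FILES  # Windows paths compare case-insensitively

if __name__ == "__main__":
    source, rows = find_restore_source(SAMPLE_ENV, sample_exists)
    for row in rows:
        print(row)
    print("restore from:", source)
```

On a live machine, pass `os.environ` and `os.path.isfile` in place of the constructed sample environment and file set.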

  • jmcleish Volunteer Moderator 965 posts since
    Jun 20, 2003
    132. Apr 22, 2010 9:44 AM (in response to pg13)
    Re: W32/Wecorl.a 0-day?

    I've just checked- all v8.5

     

    Maybe it's like koawmfot says- maybe it can't find the file to restore.

     

    Grab another copy to use.

     

    Check this first tho....

    https://kc.mcafee.com/corporate/index?page=content&id=KB68787

     

     

    Message was edited by: jmcleish on 22/04/10 09:44:33 CDT

    ---------------------------------------------------------
    ePO 4.6.7 (x86)
    ePO 4.6.7 (x64)
    VScan 8.7.0 p4,p5 
    VScan 8.8 p3
    VirusScan for Mac 9.2/9.6
    Groupshield 7.0.1
    EEPC v6.1.1/ v6.2.1
    MA  4.6.0.2292 / 4.6.0.3122/ 4.8.0.1500
    MA Mac  4.6.0.1694/ 4.8.0.887
  • jmcleish Volunteer Moderator 965 posts since
    Jun 20, 2003
    133. Apr 22, 2010 9:49 AM (in response to twenden)
    Re: W32/Wecorl.a 0-day?
    Our McAfee contract will be up in July, this is making me think about changing virus companies. It appears that the University of TN is dropping McAfee for Microsoft Forefront.

     

    There have been other companies with false positive detections before.

    We had one from our AntiSpyware company that quarantined a whole stats package on all our machines!

     

    Here's one example I remember reading about:

     

    http://www.theregister.co.uk/2009/08/12/ca_auto_immune_update/

     

    Besides isn't Forefront included in a campus agreement somewhere- could be cost based?

     

     

    Message was edited by: jmcleish on 22/04/10 09:49:59 CDT

  • Newcomer 3 posts since
    Apr 22, 2010
    134. Apr 22, 2010 9:49 AM (in response to CrazyFingers)
    Re: W32/Wecorl.a 0-day?

    This looks like a really good forum. I am a remote worker on XP and have this issue. I'm medium tech savvy. I can't stop mcafee easily since I have no taskbar and can't seem to get it back. Windows explorer works, task manager works plus some other programs. I have no net connectivity (got "retrying IP" messages) but also have a Vista OS computer if I need to get a new file to my XP computer via USB.

     

    Could one of you brilliant people please suggest the steps I should take?

     

    Thank you so much

     

    Phil

  • alomas Newcomer 4 posts since
    Apr 21, 2010
    135. Apr 22, 2010 9:50 AM (in response to jmcleish)
    Re: W32/Wecorl.a 0-day?

    safe mode then running SDAT5958_EM.exe seems to do the trick, only just got the warning email from mcafee's..a bit late.

    Today has been a nightmare. Maybe time to look at a new virus solution once the license expires. Could not handle another day like this and confidence in McAfee's at an all time low.

  • jmcleish Volunteer Moderator 965 posts since
    Jun 20, 2003
    136. Apr 22, 2010 9:51 AM (in response to ihatecomputers)
    Re: W32/Wecorl.a 0-day?

    Follow the instructions here:

    http://vil.nai.com/vil/5958_false.htm


  • Newcomer 3 posts since
    Apr 22, 2010
    137. Apr 22, 2010 9:54 AM (in response to jmcleish)
    Re: W32/Wecorl.a 0-day?

    Try Option 2 on

     

    www.mycentrality.com

     

    You can recover your PC without any additional files being required.

     

    Thanks

    Mike

  • Newcomer 2 posts since
    Apr 22, 2010
    138. Apr 22, 2010 10:04 AM (in response to jmcleish)
    Re: W32/Wecorl.a 0-day?

    Hi,

     

    Can anyone confirm that the ONLY thing this bug does is delete/quarantine the svchost.exe? That is, if I disable / update McAfee and restore the svchost.exe, then the PC is "back to normal"? Or are there less visible impacts of the bug that will still be haunting me later?

     

    Thanks in advance ( new to this game ! ).

  • pg13 Newcomer 71 posts since
    Jul 5, 2007
    139. Apr 22, 2010 10:07 AM (in response to MLL)
    Re: W32/Wecorl.a 0-day?

    Yes, that's the only thing it does. But make sure to upgrade to 5959 minimum or apply the EXTRA.DAT because if you stay at 5858, the problem will reoccur again after you restore svchost.exe.


    Patrick