1 12 13 14 15 16 Previous Next 193 Replies Latest reply: Apr 27, 2010 10:42 AM by markp Go to original post RSS
      • 130. Re: W32/Wecorl.a 0-day?

        @jmcleish : VS 8.5 or 8.7 ?  I tried it on 8.5 with safe mode, and not working.

        • 131. Re: W32/Wecorl.a 0-day?

          doesn't look like they can even get environment variables correct.


          from the sdat article:



          What does the SuperDAT Remediation Tool Do?
          The tool suppresses the driver causing the false positive by applying an Extra.dat file in c:\program files\commonfiles\mcafee\engine folder. It then restores the svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe. If not present, it attempts a restore from the following:

          • %WINDOWS%\servicepackfiles\i386\svchost.exe
          • Quarantine.


          I don't know about anyone else here, but i have never seen a %windows% or a %system_dir% environment variable defined anywhere on any XP system i have; actually any windows system at all.  i could have swore all you get is %windir% and no variable for system32.  and in the prebvious sentance they hardcoded the C:\ drive letter into the dat copy path.  they can't even be consistent.  maybe that's why people are having trouble using the fix?  it is looking in places that don't exist?

          • 132. Re: W32/Wecorl.a 0-day?

            I've just checked- all v8.5


            Maybe its like koawmfot says- maybe it can't find the file to restore.


            Grab another copy to use.


            Check this first tho....




            Message was edited by: jmcleish on 22/04/10 09:44:33 CDT
            • 133. Re: W32/Wecorl.a 0-day?
              Our McAfee contract will be up in July, this is making me think about changes virus companies. It appears that the University of TN is dropping McAfee for Microsoft Forefront.


              There have been other companies with false positive detections before.

              We had one from our AntiSpyware company that quarantined a whole stats package on all our machines!


              Here's one example I remember reading about:




              Besides isn't Forefront included in a campus agreement somewhere- could be cost based?



              Message was edited by: jmcleish on 22/04/10 09:49:59 CDT
              • 134. Re: W32/Wecorl.a 0-day?

                This looks like a really good forum. I am a remote worker on XP and have this issue. I'm medium tech savvy. I can't stop mcafee easily since I have no taskbar and can't seem to get it back. Windows explorer works, task manager works plus some other programs. I have no net connectivity (got "retrying IP" messages) but also have a Vista OS computer if I need to get a new file to my XP computer via USB.


                Could one of you brilliant people please suggest the steps I should take?


                Thank you so much



                • 135. Re: W32/Wecorl.a 0-day?

                  safe mode then running SDAT5958_EM.exe seems to do the trick, only just got the warning email from mcafee's..a bit late.

                  Today has been a nightmare. Maybe time to look at a new virus solutions once the license expires. Could not handle another day like this and confidence in mcafee's at an all time low.

                  • 136. Re: W32/Wecorl.a 0-day?

                    Follow the instructions here:


                    • 137. Re: W32/Wecorl.a 0-day?

                      Try Option 2 on




                      You can recover your PC without any additional files being required.




                      • 138. Re: W32/Wecorl.a 0-day?



                        Can anyone confirm that the ONLY thing this bug does is delete/quarantine the scvchost.exe ? That is, if I disable / update McAffee and restore the svchost.exe, then the PC is "back to normal" ? Or are there less visible impacts of the bug that will still be haunting me later ?


                        Thanks in advance ( new to this game ! ).

                        • 139. Re: W32/Wecorl.a 0-day?

                          Yes, that's the only thing it does. But make sure to upgrade to 5959 minimum or apply the EXTRA.DAT because if you stay at 5858, the problem will reoccur again after you restore svchost.exe.

                          1 12 13 14 15 16 Previous Next