193 Replies Latest reply: Apr 27, 2010 10:42 AM by markp
      • 130. Re: W32/Wecorl.a 0-day?
        pg13

        @jmcleish: VS 8.5 or 8.7? I tried it on 8.5 with safe mode, and it's not working.

        • 131. Re: W32/Wecorl.a 0-day?

          doesn't look like they can even get environment variables correct.

           

          from the sdat article:

          https://kc.mcafee.com/corporate/index?page=content&id=KB68780

           

          What does the SuperDAT Remediation Tool Do?
          The tool suppresses the driver causing the false positive by applying an Extra.dat file in c:\program files\commonfiles\mcafee\engine folder. It then restores the svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe. If not present, it attempts a restore from the following:

          • %WINDOWS%\servicepackfiles\i386\svchost.exe
          • Quarantine.

           

          I don't know about anyone else here, but I have never seen a %windows% or a %system_dir% environment variable defined anywhere on any XP system I have; actually any Windows system at all. I could have sworn all you get is %windir% and no variable for system32. And in the previous sentence they hardcoded the C:\ drive letter into the dat copy path. They can't even be consistent. Maybe that's why people are having trouble using the fix? It is looking in places that don't exist?
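
Added example (not part of any post in this thread, and not McAfee's code): a check of the restore paths quoted from the KB against the variables a stock XP session defines, then the same lookup order resolved through `%SystemRoot%`. The environment sample, the placeholder mapping and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: a subset of the variables a default Windows XP session defines.
XP_ENV = {"SYSTEMROOT": r"C:\WINDOWS", "WINDIR": r"C:\WINDOWS",
          "SYSTEMDRIVE": "C:", "PROGRAMFILES": r"C:\Program Files"}

# Restore sources as written in the KB text quoted above, in lookup order.
KB_SOURCES = [r"%SYSTEM_DIR%\dllcache\svchost.exe",
              r"%WINDOWS%\servicepackfiles\i386\svchost.exe"]

# Assumption: the KB's names are documentation placeholders for these locations.
PLACEHOLDER_MAP = {"SYSTEM_DIR": r"%SystemRoot%\system32",
                   "WINDOWS": "%SystemRoot%"}

VAR = re.compile(r"%([^%\\]+)%")


def undefined_vars(template, env=XP_ENV):
    """Names referenced as %NAME% that env does not define (case-insensitive)."""
    return [n for n in VAR.findall(template) if n.upper() not in env]


def expand(template, env=XP_ENV):
    """Expand %NAME% the way Win32 ExpandEnvironmentStrings does:
    an undefined name is left in the string unchanged."""
    return VAR.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), template)


def resolve_kb_path(template, env=XP_ENV):
    """Swap the KB placeholders for real variables, then expand them."""
    real = VAR.sub(
        lambda m: PLACEHOLDER_MAP.get(m.group(1).upper(), m.group(0)), template)
    return expand(real, env)


def first_restore_source(existing_files, env=XP_ENV):
    """Return the first KB source, in KB order, found in existing_files.
    Comparison is case-insensitive, as on NTFS/FAT."""
    present = {p.lower() for p in existing_files}
    for template in KB_SOURCES:
        path = resolve_kb_path(template, env)
        if path.lower() in present:
            return path
    return None  # neither cache has a copy; the KB's last resort is Quarantine
```

Taken literally, both KB paths stay unexpanded and can never match a file on disk; once mapped, they resolve to `C:\WINDOWS\system32\dllcache\svchost.exe` and `C:\WINDOWS\servicepackfiles\i386\svchost.exe`.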

          • 132. Re: W32/Wecorl.a 0-day?
            jmcleish

            I've just checked- all v8.5

             

            Maybe it's like koawmfot says- maybe it can't find the file to restore.

             

            Grab another copy to use.

             

            Check this first tho....

            https://kc.mcafee.com/corporate/index?page=content&id=KB68787

             

             

            Message was edited by: jmcleish on 22/04/10 09:44:33 CDT
            • 133. Re: W32/Wecorl.a 0-day?
              jmcleish
              Our McAfee contract will be up in July, this is making me think about changing virus companies. It appears that the University of TN is dropping McAfee for Microsoft Forefront.

               

              There have been other companies with false positive detections before.

              We had one from our AntiSpyware company that quarantined a whole stats package on all our machines!

               

              Here's one example I remember reading about:

               

              http://www.theregister.co.uk/2009/08/12/ca_auto_immune_update/

               

              Besides isn't Forefront included in a campus agreement somewhere- could be cost based?

               

               

              Message was edited by: jmcleish on 22/04/10 09:49:59 CDT
              • 134. Re: W32/Wecorl.a 0-day?

                This looks like a really good forum. I am a remote worker on XP and have this issue. I'm medium tech savvy. I can't stop mcafee easily since I have no taskbar and can't seem to get it back. Windows explorer works, task manager works plus some other programs. I have no net connectivity (got "retrying IP" messages) but also have a Vista OS computer if I need to get a new file to my XP computer via USB.

                 

                Could one of you brilliant people please suggest the steps I should take?

                 

                Thank you so much

                 

                Phil

                • 135. Re: W32/Wecorl.a 0-day?

                  safe mode then running SDAT5958_EM.exe seems to do the trick, only just got the warning email from mcafee's..a bit late.

                  Today has been a nightmare. Maybe time to look at a new virus solution once the license expires. Could not handle another day like this and confidence in mcafee's at an all time low.

                  • 136. Re: W32/Wecorl.a 0-day?
                    jmcleish

                    Follow the instructions here:

                    http://vil.nai.com/vil/5958_false.htm

                    • 137. Re: W32/Wecorl.a 0-day?

                      Try Option 2 on

                       

                      www.mycentrality.com

                       

                      You can recover your PC without any additional files being required.

                       

                      Thanks

                      Mike

                      • 138. Re: W32/Wecorl.a 0-day?

                        Hi,

                         

                        Can anyone confirm that the ONLY thing this bug does is delete/quarantine the svchost.exe? That is, if I disable / update McAfee and restore the svchost.exe, then the PC is "back to normal"? Or are there less visible impacts of the bug that will still be haunting me later?

                         

                        Thanks in advance ( new to this game ! ).

                        • 139. Re: W32/Wecorl.a 0-day?
                          pg13

                          Yes, that's the only thing it does. But make sure to upgrade to 5959 minimum or apply the EXTRA.DAT because if you stay at 5858, the problem will reoccur again after you restore svchost.exe.
