We are being told to reboot affected computers in safe mode. Apply extra.dat (see attached from McAfee)
An EXTRA.DAT file should be placed in the same directory in which VirusScan is installed and the machine rebooted.
This location is generally C:\Program Files\Common Files\Network Associates\Engine\
You may need to also copy svchost.exe back to affected computer as well.Message was edited by: April Jacobs to remove attachment. on 4/21/10 4:44:27 PM CDT
I posted this on another thread, but thought I would add it here as well in case any of you needed it. Good luck everyone.
For those of you who don't use ePO or have found the svchost file severely damaged and the extra.dat fix not working for you, here is the way we were able to repair our affected machines. On some of our machines the OS was so messed up most of the services, including some of McAfee's were not running (which prevented us from rolling back the DAT), nor could we revert to the previous DAT because we were unable to install at all.
Basically you break McAfee, repair the OS, remove McAfee and then re-install it.
For this we used CD's so we wouldn't have to deal with getting USB keys to load, especially since drivers were not loading correctly for some of our machines.
1) Get an undamaged copy of svchost.exe.
2) Create a CD with the following on it: McAfee AntiVirus 8.7i (this is the install files) and the undamaged copy of svchost.exe.
3) Boot Windows into Safe Mode.
4) Rename the McAfee folder (C:\Program Files\McAfee) to McAfeeXZ
5) Reboot to Normal Mode.
6) Load the CD you created and open a command prompt (you may need to Ctrl-Alt-Del to load Task Manager, do a File>New Task (Run..) and type cmd).
7) (Assuming your CD drive is D:\) type the following command: copy d:\svchost.exe c:\windows\system32\.
😎 Hit enter and when it asks if you want to overwrite type Y and hit enter again.
10) Test the Internet, if it is working, you are in good shape.
11) Go to Add\Remove Programs and remove the McAfee VirusScan Enterprise & McAfee Agent (in that order).
12) Delete the old McAfee folder (C:\Program Files\McAfeeXZ)
13) Reinstall McAfee from your CD and perform the update during the post-installation to get the latest DAT file.
14) Make sure you create any schedules scans you had or configuration changes you made before, as it will be a fresh install of McAfee.
15) Reboot and test it out, everything should be working as it was before, including the OS.
w32/wecorl.a False Positive Recovery
McAfee has published recovery procedures for the following two scenarios:
* Recommended Manual Recovery Procedure using the Extra DAT where DAT 5958 is currently installed
* Alternate Manual Recovery Procedure using DAT 5959 where DAT 5958 is currently installed
This information has been posted on http://vil.nai.com/vil/5958_false.htm and will be continuously updated as more information and procedures become available.