jmcleish
Level 13
Message 131 of 194

Re: W32/Wecorl.a 0-day?

All the machines that I have run it on worked successfully.

Booted into safe mode, ran the sdat, booted into normal mode, ran an autoupdate and everything is OK.

Q: What does the SuperDAT Remediation Tool Do?

A:  The tool suppresses the driver causing the false positive by applying an Extra.dat file in c:\program files\commonfiles\mcafee\engine folder. It then restores the svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe, if not present it will attempt a restore from %WINDOWS%\servicepackfiles\i386\svchost.exe, if not present it will attempt a restore from quarantine. After the tool is run, the machine needs to be rebooted.

Maybe the tool couldn't find a copy to restore??

Message was edited by: jmcleish on 22/04/10 09:37:34 CDT
pg13
Level 9
Message 132 of 194

Re: W32/Wecorl.a 0-day?

@jmcleish : VS 8.5 or 8.7 ?  I tried it on 8.5 with safe mode, and not working.

jmcleish
Level 13
Message 133 of 194

Re: W32/Wecorl.a 0-day?

I've just checked- all v8.5

Maybe it's like koawmfot says- maybe it can't find the file to restore.

Grab another copy to use.

Check this first tho....

https://kc.mcafee.com/corporate/index?page=content&id=KB68787

Message was edited by: jmcleish on 22/04/10 09:44:33 CDT
alomas
Level 7
Message 134 of 194

Re: W32/Wecorl.a 0-day?

Safe mode then running SDAT5958_EM.exe seems to do the trick, only just got the warning email from McAfee... a bit late.

Today has been a nightmare. Maybe time to look at a new virus solution once the license expires. Could not handle another day like this and confidence in McAfee at an all time low.

Re: W32/Wecorl.a 0-day?

doesn't look like they can even get environment variables correct.

from the sdat article:

https://kc.mcafee.com/corporate/index?page=content&id=KB68780

What does the SuperDAT Remediation Tool Do?
The tool suppresses the driver causing the false positive by applying an Extra.dat file in c:\program files\commonfiles\mcafee\engine folder. It then restores the svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe. If not present, it attempts a restore from the following:

  • %WINDOWS%\servicepackfiles\i386\svchost.exe
  • Quarantine.

I don't know about anyone else here, but I have never seen a %windows% or a %system_dir% environment variable defined anywhere on any XP system I have; actually any Windows system at all.  I could have sworn all you get is %windir% and no variable for system32.  And in the previous sentence they hardcoded the C:\ drive letter into the dat copy path.  They can't even be consistent.  Maybe that's why people are having trouble using the fix?  It is looking in places that don't exist?
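
Added example (not part of the original posts and not McAfee's tool): a batch check that reports whether the variable names quoted from the KB are defined and whether a copy of svchost.exe exists in the two file-system locations the KB text lists. It assumes %SYSTEM_DIR% stands for %windir%\system32 and %WINDOWS% for %windir%; the quarantine fallback is not checked because the thread gives no path for it.

```batch
@echo off
rem Added example, not McAfee's tool: report whether a copy of svchost.exe
rem exists in the two file-system locations listed in the quoted KB text.
rem Assumption: %SYSTEM_DIR% means %windir%\system32, %WINDOWS% means %windir%.
setlocal

rem The KB's variable names, checked exactly as written.
if defined SYSTEM_DIR (echo SYSTEM_DIR=%SYSTEM_DIR%) else (echo SYSTEM_DIR is not defined)
if defined WINDOWS (echo WINDOWS=%WINDOWS%) else (echo WINDOWS is not defined)

rem Walk the candidates in the order the KB text gives them and
rem remember the first one that exists.
set "SOURCE="
for %%P in (
  "%windir%\system32\dllcache\svchost.exe"
  "%windir%\ServicePackFiles\i386\svchost.exe"
) do (
  if exist %%P (
    echo FOUND    %%~P
    if not defined SOURCE set "SOURCE=%%~P"
  ) else (
    echo MISSING  %%~P
  )
)

rem Is the file the false positive removed currently in place?
if exist "%windir%\system32\svchost.exe" (
  echo In place: %windir%\system32\svchost.exe
) else (
  echo svchost.exe is absent from %windir%\system32
)

if defined SOURCE (
  echo First available restore source: %SOURCE%
) else (
  echo No file-system copy found. Per the KB text only quarantine is left.
  exit /b 1
)
```

The script only reads the file system and exits with code 1 when neither location holds a copy, which is the case jmcleish suggests above ("Maybe the tool couldn't find a copy to restore").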

jmcleish
Level 13
Message 136 of 194

Re: W32/Wecorl.a 0-day?

Our McAfee contract will be up in July, this is making me think about changing virus companies. It appears that the University of TN is dropping McAfee for Microsoft Forefront.

There have been other companies with false positive detections before.

We had one from our AntiSpyware company that quarantined a whole stats package on all our machines!

Here's one example I remember reading about:

http://www.theregister.co.uk/2009/08/12/ca_auto_immune_update/

Besides isn't Forefront included in a campus agreement somewhere- could be cost based?

Message was edited by: jmcleish on 22/04/10 09:49:59 CDT
noodles
Level 7
Message 137 of 194

Re: W32/Wecorl.a 0-day?

We were soooo lucky with this last night. Only 20 PC's picked up this DAT out of several thousand. I managed to cancel all replications to our repositories before this DAT was fired out.

I really hate to think what would have happened if we wouldn't have nipped this in the bud. Poor show McAfee for this.

Thanks to some who posted up suggestions on this thread though, always a good font of knowledge on here

Re: W32/Wecorl.a 0-day?

This looks like a really good forum. I am a remote worker on XP and have this issue. I'm medium tech savvy. I can't stop mcafee easily since I have no taskbar and can't seem to get it back. Windows explorer works, task manager works plus some other programs. I have no net connectivity (got "retrying IP" messages) but also have a Vista OS computer if I need to get a new file to my XP computer via USB.

Could one of you brilliant people please suggest the steps I should take?

Thank you so much

Phil

jmcleish
Level 13
Message 139 of 194

Re: W32/Wecorl.a 0-day?

Follow the instructions here:

http://vil.nai.com/vil/5958_false.htm

Re: W32/Wecorl.a 0-day?

Try Option 2 on

www.mycentrality.com

You can recover your PC without any additional files being required.

Thanks

Mike
