Thursday, April 22, 2010

Bug en McAfee 5958 DAT - falso virus w32/wecorl.a

En millones de ordenadores de todo el mundo, incluído uno de los míos, apareció la siguiente ventana de error:
Y es que el DAT del antivirus McAfee número 5958, hacen uno por día, marcaba el proceso de Windows XP llamado Svchost.exe como si fuera el virus w32/wecorl.a

McAfee reconoció el error como si se tratara de un bug en su antivirus y publicó el siguiente documento McAfee Knowledge titulado: False positive detection of w32/wecorl.a in 5958 DAT (for Corporate/Business users) - VirusScan Enterprise con las siguientes recomendaciones para solucionar el problema: KB68780

Environment Microsoft Windows XP with SP3
McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.
WARNING: If you receive a detection for w32/wecorl.a, Do not restart your computer until you have performed the remediation steps in this article.
Problem: Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010.

Solution 1
McAfee has developed a SuperDAT remediation Tool to restore the svchost.exe file on affected systems.
What does the SuperDAT Remediation Tool Do?
The tool suppresses the driver causing the false positive by applying an Extra.dat file in c:\program files\commonfiles\mcafee\engine folder. It then restores the svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe. If not present, it attempts a restore from the following:
* %WINDOWS%\servicepackfiles\i386\svchost.exe
* Quarantine.
After the tool has been run, restart your computer.
Recommended recovery SuperDAT procedure
1. From a computer that has Internet access, locate and download the Recovery SuperDAT at http://download.nai.com/products/mcafee-avert/tools/SDAT5958_EM.exe and save it to portable media.
2. Take the portable media to each affected computer and run the tool.
NOTE: If you are not able to run the tool on the affected computer, (re)start your computer in Safe Mode.
For instructions on starting in Safe Mode, see http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true
3. Run the Recovery SuperDAT tool.
4. Restart in normal mode.
5. Use the product update to update to DAT 5959.

Solution 2
The issue is resolved in the 5959 DAT file release (April 21, 2010), which is available from the McAfee Security Updates page at: http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise
IMPORTANT: If you are already affected by this issue, you must still either replace or restore svchost.exe. McAfee is continuing to work on an automated solution to fully resolve the issue for affected customers.
Recovery procedure using DAT 5959
1. Download the 5959 DAT file (5959xdat.exe) on a working computer and copy it to a removable media device such as a CD or USB stick.
2. Start the affected computer in Safe Mode with networking enabled.
3. Copy 5959xdat.exe to the computer, then double-click it to update the VSE DAT files.
4. Launch Windows Explorer and navigate to C:\WINDOWS\system32.
4.1. If svchost.exe exists in this folder and is not a 0 byte file, continue to Step 8
4.2. If svchost.exe has been deleted (or is a 0 byte file), launch the VirusScan Console (Click Start, Programs, McAfee, VirusScan Console).
If you are unable to launch the VirusScan Console, click Start, Run, type the following command (including the quotes) and click OK:
"C:\program files\mcafee\virusscan enterprise\mcconsol.exe" /standalone
5. Double-click Quarantine Manager Policy, then click the Manager tab.
6. Right-click the detection and select Restore.
7. Restart your computer normally.
If you are unable to restore svchost.exe from Quarantine or if svchost.exe is 0 bytes, do the following:
* If you have more than one computer.
From the unaffected computer, copy the svchost.exe file in c:\Windows\System32 to c:\Windows\System32 on the affected computer. You can copy the file to a removable media device such as a CD or USB stick to do this.
IMPORTANT: The two computers must have the same version of Windows.
* If you have a single computer, or if all your computers have been affected.
On the affected computer, copy the svchost.exe file to c:\WINDOWS\system32 using one of the following methods:
o From Windows Explorer, go to the folder c:\windows\ServicePackFiles\i386\ (or if not present, C:\WINDOWS\system32\dllcache\), and make a copy of svchost.exe, then go to c:\WINDOWS\system32 and paste the file in the folder.
o From the command prompt (If svchost.exe is located in c:\windows\ServicePackFiles\i386\), type the following command and press ENTER:
"copy c:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32"
o From the command prompt (If svchost.exe is located in c:\WINDOWS\system32\dllcache), type the following command and press ENTER:
"copy c:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32\dllcache"
* If (the correct version of) svchost.exe cannot be located on any of your computers

1. Start your computer from your Windows XP installation disk and select the Recovery console.
2. Follow the onscreen instructions and log on as Windows XP admin.
This will take you to the command prompt. Example: C:\WINDOWS>
3. From the prompt, type : and press ENTER. Where is the drive where your XP installation disk is located. Default drive is C:.
4. Type cd \I386 and press ENTER. The prompt should is now :\I386>
5. Type expand svchost.ex_ :\windows\system32 and press ENTER.
is the letter of the drive where Windows XP is installed. Default drive is C.You now have a new copy of svchost.exe in your system32 folder.
6. Type exit and press ENTER. Your computer restarts.
Workaround 1
McAfee has developed an EXTRA.DAT to suppress this detection. The file is attached to this article. This EXTRA.DAT does not fix the issue, it only suppresses the detection.
Apply the EXTRA.DAT to all potentially affected systems as soon as possible.
For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.
To apply the EXTRA.DAT locally to an affected computer
IMPORTANT: For VirusScan Enterprise 8.5i and later, temporarily disable Access Protection before proceeding. For details, see: KB52204.
To apply the EXTRA.DAT locally:
1. Download the EXTRA.ZIP file attached to this article and extract the EXTRA.DAT file.
2. Start the affected computer in Safe Mode with networking enabled.
3. Copy EXTRA.DAT to C:\Program Files\Common Files\McAfee\Engine.
4. Launch Windows Explorer and navigate to C:\WINDOWS\system32:
4.1. If svchost.exe exists in this folder and is not a 0 byte file, continue to Step 9
4.2. If svchost.exe has been deleted (or is a 0 byte file), launch the VirusScan Console (Click Start, Programs, McAfee, VirusScan Console).
If you are unable to launch the VirusScan Console, click Start, Run, type the command below (including quotes) and click OK:
"C:\program files\mcafee\virusscan enterprise\mcconsol.exe" /standalone
5. Double-click Quarantine Manager Policy, then click the Manager tab.
6. Right-click the detection and select Restore.
7. Restart the computer normally.
If you are unable to restore svchost.exe from Quarantine or if svchost.exe is 0 bytes, do the following:
* If you have more than one computer.
From the unaffected computer, copy the svchost.exe file in c:\Windows\System32 to c:\Windows\System32 on the affected computer. You can copy the file to a removable media device such as a CD or USB stick to do this.
IMPORTANT: The two computers must have the same version of Windows.
* If you have a single computer, or if all your computers have been affected.
On the affected computer, copy the svchost.exe file to c:\WINDOWS\system32 using one of the following methods:
o From Windows Explorer, go to the folder c:\windows\ServicePackFiles\i386\ (or if not present, C:\WINDOWS\system32\dllcache\), and make a copy of svchost.exe, then go to c:\WINDOWS\system32 and paste the file in the folder.
o From the command prompt (If svchost.exe is located in c:\windows\ServicePackFiles\i386\), type the following command and press ENTER:
"copy c:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32"
o From the command prompt (If svchost.exe is located in c:\WINDOWS\system32\dllcache), type the following command and press ENTER:
"copy c:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32\dllcache"
* If (the correct version of) svchost.exe cannot be located on any of your computers
1. Start your computer from your Windows XP installation disk and select the Recovery console.
2. Follow the onscreen instructions and log on as Windows XP admin.
This will take you to the command prompt.

Example: C:\WINDOWS>
3. From the prompt, type : and press ENTER.
Where is the drive where your XP installation disk is located. Default drive is C:
4. Type cd \I386 and press ENTER. The prompt should is now :\I386>
5. Type expand svchost.ex_ :\windows\system32 and press ENTER.
is the letter of the drive where Windows XP is installed. Default drive is C.
You now have a new copy of svchost.exe in your system32 folder.
6. Type exit and press ENTER.Your computer restarts.

2 comments:

asane said...

Mejor solución (después de haber seguido esos pasos): desinstalar el McAfee.

emeshing said...

jajajaja
Mejor que entren virus antes que el antivirus te haga la vida imposible...
Saludos
Emeshing.com