
How to Fix the McAfee W32/Wecorl.a Deletion of SVCHost.exe


Thursday, 22 April 2010 12:30:46 (US Mountain Standard Time, UTC-07:00)

    Many already know about the McAfee disaster and how 100,000s of users were affected. The heart of the story is that McAfee detected a legitimate file called SVCHost.exe as the virus W32/Wecorl.a. SVCHost.exe is a critical component of Windows that allows a computer to run multiple system functions within one file. Under normal circumstances, if SVCHost.exe is stopped, it will automatically attempt to restart. However, since McAfee actually deletes the file, there is no way for it to restart, which causes the whole system to crash. Users may be prompted with an NT Authority Shutdown message, followed by an automatic system restart. The W32Blaster worm caused a strikingly similar situation years ago, when users were prompted with an NT Authority Shutdown message and concurrent system restarts.

    There are a few positive aspects to the McAfee false positive. The first is that only Windows XP users were affected. The next is that only McAfee business users were affected, not users of the consumer products.

    Now I am going to offer a few methods for fixing the false virus problem. Please note that McAfee released updated antivirus definitions shortly after the incident, and some users may not have been affected at all. It is probably best to update McAfee antivirus first. If a user can get into Windows, even for a little while, one can navigate to the McAfee antivirus program and attempt to restore SVCHost.exe from the quarantine. If one is unable to reach the quarantine, a user can start the computer in Safe Mode with Networking and download the 5959xdat.exe file to repair the false definition. Once the updated virus definition is installed, navigate to the C:\Windows\System32 folder. If SVCHost.exe is present there and is not 0 bytes, stop here. If it is missing or has 0 bytes, proceed to the C:\Windows\ServicePackFiles\i386 and/or C:\Windows\system32\dllcache folder and locate SVCHost.exe in either one of these folders. These locations hold a backup copy of SVCHost.exe that is produced during a service pack upgrade and similar operations. Copy the SVCHost.exe file from one of these locations back into the C:\Windows\System32 folder and restart the computer.
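The Safe Mode check-and-restore steps above, as an added batch script that is not part of the original article. It assumes it is run from a command prompt in Safe Mode under an administrator account and that %SystemRoot% is the folder the article calls C:\Windows; the variable names are illustrative.

```batch
@echo off
rem Added example (not from the original article): restore svchost.exe
rem from the service pack backup or dllcache if the live copy is
rem missing or 0 bytes. Assumes %SystemRoot% is C:\Windows.
setlocal
set "TARGET=%SystemRoot%\System32\svchost.exe"
set "SRC1=%SystemRoot%\ServicePackFiles\i386\svchost.exe"
set "SRC2=%SystemRoot%\system32\dllcache\svchost.exe"

rem Read the size of the live copy; stays 0 when the file is absent.
set "SIZE=0"
if exist "%TARGET%" for %%F in ("%TARGET%") do set "SIZE=%%~zF"
if not "%SIZE%"=="0" (
    echo svchost.exe is present ^(%SIZE% bytes^), nothing to restore.
    goto :eof
)

rem Try each backup location in turn, skipping missing or empty backups.
for %%S in ("%SRC1%" "%SRC2%") do (
    if exist %%S if not "%%~zS"=="0" (
        echo Restoring from %%~S
        copy /y %%S "%TARGET%" >nul
        if not errorlevel 1 goto :verify
    )
)
echo No usable backup of svchost.exe was found in either location.
exit /b 1

:verify
rem Confirm the restored file exists and report its size before rebooting.
for %%F in ("%TARGET%") do echo Restored svchost.exe, %%~zF bytes. Restart the computer.
exit /b 0
```

An exit code of 1 means neither backup location held a usable copy.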

    If the above fails, or one cannot get into Safe Mode, get a Windows XP CD-ROM, put it into the computer, and restart the system. Boot into Windows Setup and enter the Recovery Console. Once there, run the command:

copy c:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32
or
copy c:\windows\system32\dllcache\svchost.exe c:\WINDOWS\system32

    After this is done, one should be able to enter Safe Mode with Networking and run the 5959xdat.exe file to update the McAfee virus definitions. Then restart the computer to enter Windows normally, and update McAfee again through the normal update procedure.

    Hopefully, a similar situation won’t happen again. Unfortunately, this isn’t the first time this kind of mess-up has happened. CA released faulty definitions years back too. Maybe the antivirus companies aren’t learning their lesson.