Many companies both private and public (including police departments and hospitals), were hit by a false positive from McAfee on Wednesday that labeled a core Windows file as potentially malign.
A detection update from McAfee (DAT 5958) falsely labeled the svchost.exe as the Wecorl-A virus, sending a core Windows system file into quarantine in the process.
Infected computers became inoperable and went into a continuous reboot cycle. Clean up operations were further complicated by the fact that the dodgy update disabled network access.
McAfee responded to the problem by withdrawing the definition update and later releasing a clean one. However if you are unable to get access to a working computer to download the fixes then the manual instructions are below for replacing the svchost.exe file
Manual fix instructions
Below is manual fix instructions should your PC be inoperable following McAfee DAT file 5958 update.
- Start your computer in Safe Mode (When starting press F8 and pick Safe Mode).
- Open My Computer.
- Navigate to C:Program FilesMcAfeeVirusScan.
- Delete the DAT folder.
- Press the CTRL, SHIFT, and ESC keys at the same time to open Task Manager.
- Click File and select New Task (Run)...
- Type CMD and press Enter.
- In the command prompt window type:
copy %systemroot%system32dllcachesvchost.exe %systemroot%system32
- Press Enter.
- After the copy is completed, restart the computer.
- After the computer restarts, right-click the M icon and manually check for an update to get the new DAT files.
A real danger
Cybercrooks wasted little time in exploiting the situation for their own purposes, poisoning search results so that links to scareware portals appeared prominently in indexes. As a result users are advised to be especially careful if they choose to search for information on solving the problem. To minimize risk to users, we at Prolateral have published the manual fix above which has come direct from McAfee Support (TS100970).
The scale of the problem
The timing of the update was mid-afternoon on Wednesday (European time) which meant USA enterprise systems configured to automatically apply new updates were among those worst affected. However the problem has affected thousands of PCs in the UK and Europe leaving machines inoperable.
Prolateral can help you
If you think you have been affected by this problem and need help then give us a call. Prolateral Consulting is an IT Security company specialising in the protection of your computer systems. Prolateral is solution partners with Symantec and eSet to help provide you the best of breed solution that is tailored to fit your business requirement. Together with proFilter, Prolateral's first rate anti-spam and anti-phishing email filter we have the complete solution.
About Prolateral
Prolateral Consulting is in business to put your organisation back in control of your own Information Technology, specialising in information and messaging security, computer forensic services, and disaster recovery planing.
Contact Info
Prolateral Consulting Ltd
Luton, Bedfordshire, UK
Tel : +44 (0) 8450 763760
Email :
Instant Information request
Please complete the request for information if you wish to discuss matters further or if your needs are more urgent then you can request a call back from us.