Posted by mikeb on April 22, 2010
McAfee has developed a SuperDAT remediation Tool to restore the svchost.exe file on affected systems.
Q: What does the SuperDAT Remediation Tool Do?
A: The tool suppresses the driver causing the false positive by applying an Extra.dat file in c:\program files\commonfiles\mcafee\engine folder. It then restores the svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe, if not present it will attempt a restore from %WINDOWS%\servicepackfiles\i386\svchost.exe, if not present it will attempt a restore from quarantine. After the tool is run, the machine needs to be rebooted.
Recommended Recovery SuperDAT Procedure
1. From a machine that has Internet access, locate and download the Recovery SuperDAT at http://download.nai.com/products/mcafee-avert/tools/SDAT5958_EM.exe and save it to portable media.
2. Take the portable media to each affected machine and run the tool. If you are not able to run the tool on the affected machine, boot in safe mode
3. Execute the Recovery SuperDAT tool
4. Reboot in normal mode
5. Use the product update to update to 5959
For additional FAQs and information, go to https://kc.mcafee.com/corporate/index?elq_mid=2373&elq_cid=1475603&page=content&id=KB68780 which will remain up to date.
UPDATE #4 (7:38pm US/CDT)
McAfee has published recovery procedures for the following two scenarios:
- Recommended Manual Recovery Procedure using the Extra DAT where DAT 5958 is currently installed
- Alternate Manual Recovery Procedure using DAT 5959 where DAT 5958 is currently installed
This information has been posted on http://vil.nai.com/vil/5958_false.htm and will be continuously updated as more information and procedures become available.
UPDATE #3 (2:55pm US/CDT)
Emergency DAT 5959 has been posted and is available at http://www.mcafee.com/apps/downloads/security_updates/dat.asp. This file is available in English and is replicating in other languages. For MORE information, go to the 5958 DAT Report on http://vil.nai.com/vil/5958_false.htm.
UPDATE #2 (12:47pm US/CDT)
McAfee is aware that a number of corporate customers have incurred a false positive error due to incorrect malware alerts. Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3.
The 5958 DAT has been removed from McAfee download servers, preventing any further impact to corporate customers. McAfee teams are working with the highest priority to support impacted customers and plan to provide an update virus definition file shortly. You can view information at https://kc.mcafee.com/corporate/index?elq_mid=2373&elq_cid=1475603&page=content&id=KB68780 (NOTE: system is currently slow) or the McAfee Community at http://community.mcafee.com/docs/DOC-1374/
We will notify you of an emergency update when available, or in 90 minutes.
ORIGINAL EMAIL (11:06am US/CDT)
McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file April 21 at 2:00pm (GMT +1). McAfee advises NOT to download this DAT. Please disable pull tasks and update tasks.