McAfee delivers a false-positive detection of the W32/wecorl.a virus when version 5958 of the DAT file is used
Article ID: 2025695
McAfee has identified an issue in its virus definition (DAT) file. This issue causes a false-positive detection of the W32/wecorl.a virus in the Svchost.exe process. When this false positive occurs, the Svchost.exe process may be quarantined or removed, depending on the software configuration. This behavior may cause one of the following issues:
Windows XP Service Pack 3 (SP3) is the only operating system that is affected by this problem. This is a known problem.
For the latest information about this issue, including recovery steps, visit the following McAfee Web site:
To manually repair a computer that encounters this problem, follow these steps:
1. Restart the computer in safe mode by pressing F8 before the Windows splash screen appears.
2. Log on to the computer. Press CTRL+ALT+DEL, and then click Start Windows Task Manager.
3. On the File menu, click New Task (Run).
4. Type cmd.exe, and then press ENTER.
5. Rename the Avvscan.dat file to prevent the Svchost.exe file from being removed by McAfee until an updated DAT file is installed. To do this, run the following command:
6. Restore the Svchost.exe file to the system32 directory by running the following command. A backup copy is typically stored in the DLLCACHE folder.
7. Restart the computer.
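Steps 5 and 6 can be combined into one guarded script, shown here as an added example rather than the article's own commands. The folder that holds Avvscan.dat is passed as an argument because its path is not given above. The backup name `Avvscan.dat.bak` and the `%SystemRoot%\system32\dllcache` location are assumptions.

```batch
@echo off
rem Added example, not the article's own commands.
rem Usage: repair-svchost.cmd "folder that holds Avvscan.dat"
rem The folder is supplied by the operator (assumption: it is known locally).
setlocal
set "DATDIR=%~1"
set "SYS32=%SystemRoot%\system32"
rem Assumption: the backup copy is in the standard XP dllcache location.
set "BACKUP=%SYS32%\dllcache\svchost.exe"

if "%DATDIR%"=="" (
    echo Usage: %~nx0 "folder containing Avvscan.dat"
    exit /b 2
)

rem Step 5: rename the DAT file so the scanner cannot remove Svchost.exe again.
rem Avvscan.dat.bak is a name chosen for this example.
if exist "%DATDIR%\Avvscan.dat" (
    ren "%DATDIR%\Avvscan.dat" Avvscan.dat.bak
    if errorlevel 1 (
        echo Could not rename Avvscan.dat
        exit /b 1
    )
) else (
    echo Avvscan.dat not found in "%DATDIR%"; it may already be renamed.
)

rem Step 6: restore Svchost.exe only if it is missing and a backup exists.
if exist "%SYS32%\svchost.exe" (
    echo Svchost.exe is present in system32; nothing to restore.
    exit /b 0
)
if not exist "%BACKUP%" (
    echo No backup copy of Svchost.exe found in dllcache.
    exit /b 1
)
copy /y "%BACKUP%" "%SYS32%\svchost.exe" >nul
if errorlevel 1 (
    echo Copy failed.
    exit /b 1
)
echo Svchost.exe restored. Restart the computer.
exit /b 0
```

A non-zero exit code means the step did not complete, so the computer should not be restarted as if it were repaired.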
Advanced Steps to recover a missing Svchost.exe file
For steps to create a task sequence that automates this repair in System Center Configuration Manager 2007, visit the following Microsoft Web site:
This issue occurs for version 5958 of the McAfee DAT file. This DAT file was released on April 21, 2010. This DAT file has been superseded by version 5959, which corrects the false-positive detection that is described in the "Summary" section. Additionally, McAfee has released an EXTRA.DAT file that can be used to suppress the false-positive detection of the Svchost.exe process for customers who are running version 5958 of the DAT file.