McAfee delivers a false positive detection of the W32/wecorl.a virus when McAfee uses a 5958 DAT file

McAfee has identified an issue in the Virus Definition (DAT) file. This issue causes a false positive detection of the W32/wecorl.a virus in the Svchost.exe process. When this false positive occurs, the Svchost.exe process may be quarantined or removed, depending on the software configuration. This behavior may cause one of the following issues:

  • The computer shuts down when a DCOM error or a RPC error occurs
  • The computer continues to run without network connectivity.
  • The computer triggers a Bugcheck (Blue screen).

Windows XP Service Pack 3 (SP3) is the only operating system that is affected by this problem. This is a known problem.


Option 1:

Reference McAfee for the latest information including recovery steps:


Option 2:

To manually repair a computer that encounters this problem, follow these steps:

1. Restart the computer in safe mode by pressing F8 before the Windows splash screen appears.

2. Log on to the computer. Then, press CTRL+ALT+DEL, and then click Start Windows Task Manager.

3. Select New Task (Run…) from the File menu.

4. Type cmd.exe and then press ENTER.

5. Rename avvscan.dat to prevent the svchost.exe from being removed by McAfee until an updated DAT is installed. This can be done by running the following command:

ren “%CommonProgramFiles%\McAfee\Engine\avvscan.dat” avvscan.old

Note This behavior removes McAfee virus definitions. Make sure that you update to the latest definitions (5959 DAT or newer) after you complete these steps to restore virus definitions.

6. Restore svchost.exe back to the system32 directory by running the following command. A backup copy is typically stored in the DLLCACHE folder.:

copy %systemroot%\system32\dllcache\svchost.exe %systemroot%\system32\

and press ENTER

Note If the above command fails with error "The system cannot find the file specified", verify the syntax or proceed to the section: Advanced Steps to recover a missing svchost.exe

7. Restart the computer.

Advanced Steps to recover a missing svchost.exe

  1. Download Windows XP Service Pack 3 from the location below:
  2. Click Start , click Run , type cmd.exe in the Open box, and then press ENTER.
  3. Change to the directory that you downloaded the above file to using the cd command. For example:
    cd c:\dir name
  4. Extract the files from the WindowsXP-KB936929-SP3-x86-ENU.exe file by typing the following at the command prompt: WindowsXP-KB936929-SP3-x86-ENU.exe /x: dir name

    Note dir name is a placeholder for the destination directory where you save the extracted files.
  5. Expand svchost.exe from the extracted folder and place it in the proper location using the command below:
    expand –r .\i386\svchost.ex_ %systemroot%\system32\

Option 3:

For steps to create a task sequence that automates this repair in SystemCenter Configuration Manager 2007, visit the following Microsoft Web site:


More Information
This issue occurs for version 5958 of the McAfee DAT file, which was released on April 21, 2010. This DAT file has been superseded by version 5959, which corrects the false positive detection. Additionally, McAfee has released an EXTRA.DAT file that can be used to suppress the false detection of the Svchost.exe process for customers who are running the 5958 DAT file.

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.

  • Microsoft Windows XP Service Pack 3
Source :





Guest Room