McAfee false positive detection of w32/wecorl.a when using 5958 DAT file causing Windows XP SP3 BSOD Crashes


Customers running Windows XP SP3 together with McAfee security solutions have been left scrambling to restore their computers after version 5958 of the McAfee DAT file caused a false positive detection of the w32/wecorl.a virus. When this occurs, Svchost.exe is quarantined, causing the machine to go into a reboot loop and possibly blue-screen.

At the time of this article, the w32/wecorl.a McAfee false positives had been confirmed to affect only XP SP3 platforms. Neither Microsoft nor McAfee indicated that any other Windows OS could be impacted by the issue. Meanwhile, the buggy DAT file has been replaced by version 5959, designed to resolve the false positive detection. McAfee also made available an EXTRA.DAT file to help customers deal with the false detection if they had already deployed the 5958 DAT file.

Microsoft detailed a workaround:

“1. Restart computer in safe mode by pressing F8 before Windows splash screen.
2. Log on to computer.
3. Press CTRL+ALT+DEL, and click Start Windows Task Manager.
4. Select New Task (Run…) from File menu.
5. Type cmd.exe, and press ENTER.
6. Run following command:

    ren "%programfiles%\Common Files\McAfee\Engine\avvscan.dat" avvscan.old

This behavior removes McAfee virus definitions. Make sure you update to latest definitions after you complete these steps to restore virus definitions.
7. Run following command:

    copy %systemroot%\system32\dllcache\svchost.exe %systemroot%\system32\

and press ENTER.”
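The two commands from the quoted workaround, wrapped in guard checks so the script can be run on each affected machine without overwriting an intact file. This is an added example, not Microsoft's or McAfee's script; the variable names, messages and exit codes are this example's own, and the paths are the ones given in the workaround.

```bat
@echo off
rem Added example: run from cmd.exe in safe mode on the affected XP SP3 machine.
rem Paths come from the quoted workaround; exit codes are this example's own.
setlocal
set "ENGINE=%ProgramFiles%\Common Files\McAfee\Engine"
set "SYS32=%SystemRoot%\system32"

rem Step 1: rename the definitions file first, in the same order as the quoted steps.
if exist "%ENGINE%\avvscan.dat" (
    if exist "%ENGINE%\avvscan.old" (
        echo avvscan.old already exists. Move it aside and run again.
        exit /b 1
    )
    ren "%ENGINE%\avvscan.dat" avvscan.old
    if errorlevel 1 exit /b 1
) else (
    echo avvscan.dat not found, nothing to rename.
)

rem Step 2: restore svchost.exe only if it is actually missing.
if exist "%SYS32%\svchost.exe" (
    echo svchost.exe is present, leaving it untouched.
    exit /b 0
)
if not exist "%SYS32%\dllcache\svchost.exe" (
    echo No cached copy of svchost.exe in dllcache.
    exit /b 2
)
copy /y "%SYS32%\dllcache\svchost.exe" "%SYS32%\svchost.exe" >nul

rem Step 3: confirm the restored file is byte-identical to the cached copy.
fc /b "%SYS32%\dllcache\svchost.exe" "%SYS32%\svchost.exe" >nul
if errorlevel 1 (
    echo Restored svchost.exe does not match the dllcache copy.
    exit /b 3
)
echo svchost.exe restored. Update to the latest DAT before normal use.
```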

More info: KB68780, KB51109, KB52204, KB52977, KB67602, KB68759