W32.Wecorl.a (or Variant) Infection across enterprise

Joined
Apr 21, 2010
Solution found

My company was crippled by this .dat update today.

We have found that a combination of things must occur to return an affected workstation back to functioning:

The "infection" created a DCOM issue that caused the system to continuously reboot. Resetting the DCOM service to restart service kept the system from rebooting. Second, the svchost.exe file needed to be copied in on some affected systems. In all cases, the McAfee folder files had to be modified to remove the 5958.dat from ePO.

To do this, we found that booting into safe mode with network allowed the admin staff to both copy a new svchost.exe file into c:\windows\system32 and permanently delete the av* files from the c:\program files\common files\mcafee\engine folder. This removes McAfee's current .dat profile and forces McAfee to revert to the last known good .dat, removing the corrupted 5958 dat.

After adding the svchost.exe and cleaning up the McAfee dats, rebooting the system and booting into normal Windows produced healthy working systems.

We are going to explore legal remedies against McAfee as the loss of revenue from this disaster is immense.
 

Duh_OZ

Reminds me of something that happened back in the floppy days. McAfee was
giving a false positive on an install disk (and yes, it was a false
positive) and when I went on vacation a field engineer came in to do
maintenance work, put the floppy in, got the virus warning and
promptly wiped out the hard drive (as the corporate office told him to
do). I had all the files backed up, so I just had to install a
few programs and copy the files back. Still a brain dead anti-
virus + brain dead F.E. = not a good thing.

On a side note, no idea if the work place started rolling out McAfee
yet. Still have Trend on the computers by me.
 
