Wednesday, April 21, 2010

W32/Wecorl.a McAfee False Positive Workaround

If you are running McAfee Antivirus on Windows XP SP3 and have an issue with your computer rebooting with a message of "Windows must now restart because the DCOM Service Process Launcher service terminated unexpectedly" and W32/Wecorl.a is reported on your machine in the Application Event Log then it is caused by a known issue with DAT 5958. To abort the automated shutdown open a command prompt and type in "shutdown -a" and then get yesterday's (5957) superDAT from McAfee at http://www.mcafee.com/apps/downloads/security_updates/superdat.asp?region=us&segment=enterprise and run the file from the command prompt with a /F switch to force the downgrade and reboot when prompted. That will work until McAfee fixes the issue.

*QUICK UPDATE*
After doing the above steps you may not be able to connect to the network and also will notice that many of your services that are set to automatic will not start. This is because your svchost.exe file was eaten by McAfee. Copying SVCHOST.exe from another good XP SP3 machine to your broken one's c:\windows\system32\ directory fixes that issue.