[4/21/2010] Early this morning, McAfee released virus definition version 5958 which totally hosed lots of computers running the English version of Windows XP Pro SP3.  It might only affect enterprise versions.  It wreaked lots of havok everywhere. This virus definition update falsely detected svchost.exe as a virus called W32/Wecorl.a. Svchost is critical for normal operation of Windows XP including its ability to connect to the internet or any other network. Other symptoms are the task bar / start menu doesn’t appear on its own, constant pop-ups about “Night Watchman service”, and more immediately, it counting down to a forced reboot, even as soon as you boot up.

Since it forces a reboot, you can’t use your computer at all. The immediate workaround for this is to go to a command prompt window and type “shutdown -a“. The -a means abort. Now that it is no longer shutting down, you can go to the next step.

McAfee released another virus definition .DAT update, 5959 today which no longer has this problem. But for most it isn’t so easy to do this update if it has already affected your computer since you don’t have network or internet access to obtain the new definition updates. What you need to do now is this: Open the McAfee VirusScan console, open Quarantine Manager Policy, Click the Manager tab, and the newest item should be svchost.exe. Right-click and restore that item. That will allow Windows to operate properly after rebooting, but only if McAfee is not allowed to run at this point because otherwise McAfee will re-quarantine svchost.exe.   Reboot, then use the [F8] key to start it as “Safe mode with Networking”.  Since svchost.exe is fixed, you will be networked, but since it is safe mode, McAfee won’t run so it won’t re-quarantine svchost.exe.

When it is booted up, obtain the latest SuperDAT from the McAfee website and when you run it, it will update the McAfee definitions even though McAfee isn’t running.  By it updating to a version newer than 5958, it prevents McAfee from re-quarantining svchost.exe after you reboot in normal mode that will allow McAfee to run.

Reboot, this time boot up in normal mode.

Now, open the McAfee VirusScan console again, and confirm that it has updated it to at least 5959 which is safe and already released. [as of 4/22/10, 5960 is the current DAT version.]  And confirm that “On-Access Scanner” is set to enabled; enable it if it is disabled.  When you enable it, it should also automatically enable “Access Protection” and “Buffer Overflow Protection”; enable those two things if they are still not enabled after enabling “On-Access Scanner”.

This is not a hoax.  See more information about it on the McAfee knowledgebase website, KB68780 and McAfee’s community forum.  And read about what havoc is being caused in the news.

[edit 4/22/2010, DH] – removed links to extra.dat and 5959 DAT files since 5960 is now released and at least one is released per day.  I can’t update this daily; instead I’ll link to where the latest SuperDAT can be always download directly from McAfee, plus I updated the instructions above.