FIX – Repairing a machine after McAfee incorrectly identifies svchost.exe as W32/Wecorl.a

Seems that everyone is talking about McAfee today, after their software inadvertently identifies svchost.exe on Windows XP SP3 machines (only) as W32/Wecorl.a (McAfee knowledge base article KB68780 regarding the 5958 DAT update on April 21, 2010).

Workarounds have been posted both by McAfee and by the information technology community, however the following might help speed things up if you have a large line of machines to fix by hand: –

  1. Download the EXTRA.DAT file from Mcafee here –
  2. Copy the EXTRA.DAT file to a USB key
  3. Create a batch file with the following content, and save it to the USB key: –

echo off
echo Copying extra.dat…
copy extra.dat “%programfiles%\Common Files\McAfee\Engine”
echo Copying svchost.exe…
copy “%systemroot%\System32\dllcache\svchost.exe” “%systemroot%\System32”
echo Restarting machine…
shutdown -r -t 0

Running this batch file will copy the EXTRA.DAT file in to place, and restore the svchost.exe from the dllcache directory (if it was quarantined) and then automatically restart.

This may not work in all cases, but I have seen a fairly high success rate with machines that I have done this on.


Hyper-V guest only gives the “Backup Using Saved State” option in DPM

Microsoft Data Protection Manager (DPM) 2007 and 2010 allow online backups of Hyper-V guests, providing the guests and the Hyper-V server meet the necessary requirements as follows: –

There is another condition that I’ve encountered that causes a Hyper-V guest to report as “Backup Using Saved State” rather than “Backup Using Child Partition Snapshot”, where disks are marked as read-only.

In order to correct this, use diskpart to select the applicable disk and run “attrib disk clear readonly”, and then check that the Hyper-V guest reports as “Backup Using Child Partition Snapshot”.