McAfee has reported that update 5958 for its Antivirus product produces a false positive, detecting the svchost.exe file as infected with the W32/wecorl.a virus. The detection may cause your Windows computer to restart over and over again, or fail to boot altogether.

If you’re experiencing this issue, you have two options for fixing it.

Recommended Manual Recovery Procedure using the Extra DAT where DAT 5958 is currently installed

1.      Locate the extra.dat from here and unzip

2.      Boot in safe mode with “Network Option” enabled

3.      Copy Extra DAT into c:\program files\commonfiles\mcafee\engine

4.      If svchost.exe exists in (c:\windows\system32) and is not a “0” byte file, skip to step 5

5.      If svchost.exe was deleted, pull up the VSE console and open “Quarantine manager”

Click on the detection and select “Restore”

1)      If the VSE console does not come up:
C:\program files\mcafee\virusscan enterprise\mcconsol.exe /standalone
This will pull up the VSE console. Click on the detection and select “Restore”

2)      If steps 4 and 4.1 do not work OR if svchost.exe is “0” bytes:

a.       When possible, copy svchost.exe from the local C:\windows\ServicePackFiles\i386\svchost.exe or, if not present, c:\windows\system32\dllcache\svchost.exe

b.      Copy svchost.exe from an unaffected system (same OS) to the c:\windows\system32 directory from external media (USB, CD etc.)

If “paste” is grayed out, use the following commands:

Start -> run -> cmd

Run the following command “copy from [sourcefilename] to [destinationfolder]”

Example:  copy x:\svchost.exe c:\windows\system32

6.      Reboot in normal mode

7.      Use the product update to update to 5959

8.      Delete the Extra DAT file in c:\program files\commonfiles\mcafee\engine

Alternate Manual Recovery Procedure using DAT 5959 where DAT 5958 is currently installed

1.      Boot in safe mode with “Network Option” enabled

2.      If svchost.exe was not deleted (look for c:\windows\system32\svchost.exe) and is not 0 bytes, then a network connection should be possible – skip to step 5

3.      If svchost.exe was deleted or if it is “0” bytes, then a network connection may not be possible

4.      If svchost.exe was deleted, pull up the VSE console and open “Quarantine manager”

Click on the detection and select restore

1)      If the VSE console does not come up:

C:\program files\mcafee\virusscan enterprise\mcconsol.exe /standalone

This will pull up the VSE console

2)      If steps 4 and 4.1 do not work OR svchost.exe is “0” bytes:

a.       When possible, copy svchost.exe from the local C:\windows\ServicePackFiles\i386\svchost.exe or, if not present, c:\windows\system32\dllcache\svchost.exe

b.      Copy svchost.exe from an unaffected system (same OS) to the c:\windows\system32 directory from external media (USB, CD etc.)

If “paste” is grayed out, use the following commands:

Start -> run -> cmd

Run the following command “copy from [sourcefilename] to [destinationfolder]”

Example:  copy x:\svchost.exe c:\windows\system32

5.      Download the 5959 SuperDAT from here

6.      Run the SuperDAT program

7.      Reboot in normal mode
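The svchost.exe check and local restore used in both procedures (the “not a 0 byte file” test and option a.), written as a batch script to run from cmd in safe mode. This is an added example, not part of the McAfee procedure; it assumes Windows is installed under %SystemRoot% and uses only the source paths named in the steps above.

```batch
@echo off
rem Added example, not McAfee's own script.
rem Assumption: %SystemRoot% is the Windows directory (c:\windows in the steps above).
setlocal
set "TARGET=%SystemRoot%\system32\svchost.exe"
set "SRC1=%SystemRoot%\ServicePackFiles\i386\svchost.exe"
set "SRC2=%SystemRoot%\system32\dllcache\svchost.exe"

rem Step 4 of the first procedure: present and not a 0 byte file means nothing to restore.
call :size "%TARGET%"
if %SIZE% GTR 0 goto present

rem Option a.: try the local copies in the order the procedure gives them.
call :try "%SRC1%" && goto restored
call :try "%SRC2%" && goto restored

echo No usable local copy found. Use Quarantine manager or option b.
exit /b 1

:present
echo svchost.exe is present, %SIZE% bytes. No restore needed.
exit /b 0

:restored
echo Restore complete. Continue with the remaining steps.
exit /b 0

rem --- :size sets SIZE to the file's byte count, or 0 if it is missing ---
:size
set SIZE=0
if exist "%~1" set SIZE=%~z1
exit /b 0

rem --- :try copies one candidate over TARGET and confirms the result is not empty ---
:try
call :size "%~1"
if %SIZE% EQU 0 exit /b 1
copy /y "%~1" "%TARGET%" >nul
if errorlevel 1 exit /b 1
call :size "%TARGET%"
if %SIZE% EQU 0 exit /b 1
echo Restored svchost.exe from %~1
exit /b 0
```

A zero-byte candidate is skipped rather than copied, so an emptied file in one fallback location does not overwrite the target before the other location is tried.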

Update 5959 fixes the issue and allows you to continue using McAfee Antivirus with the latest definitions.

Source: McAfee KB