Slashdot Mirror


McAfee Kills SVCHost.exe, Sets Off Reboot Loops For Win XP, Win 2000

Kohenkatz writes "A McAfee Update today (DAT 5958) incorrectly identifies svchost.exe, a critical Windows executable, as a virus and tries to remove it, causing endless reboot loops." Reader jswackh adds this terse description: "So far the fixes are sneakernet only. An IT person will have to touch all affected PCs. Reports say that it quarantines SVCHOST. [Affected computers] have no network access, and missing are taskbar/icons/etc. Basically non-functioning. Windows 7 seems to be unaffected." Updated 20100421 20:08 GMT by timothy: An anonymous reader points out this easy-to-follow fix for the McAfee flub.

12 of 472 comments

  1. Guess what I've been doing all morning? by uvsc_wolverine · · Score: 5, Funny

    I work at a university where we use McAfee anti-virus as our corporate AV. Guess what I've been doing all morning?

    --
    This space for rent...
    1. Re:Guess what I've been doing all morning? by 2names · · Score: 5, Funny

      Um, hiding in the bathroom like I have been doing?

      Seriously, though, we got hit hard with this. I don't mind fixing the problem, what pisses me off is that we didn't want McAfee in here in the first place but Corporate HQ forced it on us.

      --
      "I'm just here to regulate funkiness."
    2. Re:Guess what I've been doing all morning? by oldspewey · · Score: 5, Funny

      Reading Slashdot?

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    3. Re:Guess what I've been doing all morning? by JamesP · · Score: 5, Insightful

      Funny that one of the 'false reasons' against Open Source is liability

      So are you going to sue the bastards for lost time and productivity?? You should.

      --
      how long until /. fixes commenting on Chrome?
    4. Re:Guess what I've been doing all morning? by 2names · · Score: 5, Informative

      Every system that we had that was XP SP3 that got updated to the 5958 DAT file became useless. We are now forced to visit each machine and manually fix it. Rubbish.

      --
      "I'm just here to regulate funkiness."
  2. virus scanners are the devil by buddyglass · · Score: 5, Informative

    Seriously. They consume CPU. They stay resident and consume usable memory. They occasionally crash and/or cause other applications not to work. And, in this situation, they break Windows. I don't use AV and have had pretty much zero issues over the last 6 years of using Windows XP. All you need to do is:

    * Configure Windows update to run daily.

    * Don't use IE or Outlook.

    * Keep Windows Firewall active.

    * Don't connect directly to the internet - sit behind a router that's configured to be (mostly) invisible.

    * Don't run random things you get sent in email, on facebook, or that pop up unexpectedly while you're at a questionable website.

    * If you think something's amiss, boot into safe mode and use a non-resident tool like MBAM.

    1. Re:virus scanners are the devil by blincoln · · Score: 5, Informative

      I used to believe something along those lines. Then my PC was infected with a worm when I plugged an mp3 player into the USB port. I'd bought the player new, factory-sealed, so it must have picked it up at the manufacturing plant. I disabled all autorun/autoplay after that, but I'm still wary enough that I run Avast to help avoid another similar situation.

      Also, none of the things you mention will detect/remove a rootkit if one does manage to make its way onto your PC. I cleaned one up off of a PC that belongs to my sister a few weeks ago, and that was a headache. I did a scan of the infected drive in an external USB case, and that got nearly all of the infected files taken care of, but because most virus scanners apparently don't scan the MBR of non-boot drives, the rootkit was still waiting there and I had to use the Windows recovery console to write a new MBR.

      As far as I can tell, her PC was infected through some variation of the "malicious PDF in a hidden IFRAME which belongs to an online advertisement" scenario, because she was already using Firefox exclusively. So maybe you should at least add "don't install Adobe Reader, or if you do, disable browser integration, update it daily, and set Firefox to download PDFs instead of opening them" and "install and use AdBlock Plus, and possibly NoScript" to your list.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  3. My Experience by jibster · · Score: 5, Informative

    I work at a major chip manufacturing plant. At 4.10 I was conferencing with another fab when all our PCs shut down. 10 minutes later the place was in chaos. Now don't get me wrong, the fab keeps going, but my god, the cost to the company of this. Say 10 sites worldwide with 2-5k employees each, the majority of which can't do any meaningful work. McAfee have a lot to answer for.

  4. Re:Double ouch. by Jazz-Masta · · Score: 5, Informative

    Norton, McAfee and Trend Micro have very solid products that allow for remote management, deployment, updates, forced scans, etc.

    Avast (which I use at home) does not have all of these features yet. I can tell you that when dealing with hundreds of machines, having that dashboard for antivirus saves many hours of time. You can run more frequent scans on problem machines, or allow more/less freedom with the click of a button. Many of the products also have URL blocking (by category), email attachment filtering through Exchange plugins, etc. One feature I like about Trend Micro is the "behaviour" plugin, which flags anything out of the ordinary - such as accessing files, programs, or drives that they haven't before.

    Corporate networks also typically have edge firewalls that will catch many of the malware-infested URLs, email attachments, etc. that cause problems. For many businesses with 200+ computers, the Windows-installed Anti-virus software is actually the last line of defense. Often times the loss of productivity of a couple viruses getting through isn't worth the extra $$ invested in more products or a "better" product with less management features.

    Licencing is also a plus. While Norton, McAfee and Trend Micro are expensive initially, additional licences for a large number of computers and renewal licences each year actually make it less expensive than others such as Avast and Panda.

  5. Re:Why Worry about Malware-Viruses... by Anonymous Coward · · Score: 5, Funny

    My boss, who knows just enough about computers to get himself in trouble, is an idiot.

    A few days ago, he called me in to come look at his laptop. He said that his computer was infected and that the virus killed his email. After further inspection, I found out that he pressed "ctrl+alt+del" and brought up the Task Manager. He went through and ended all of the svchost.exe's that he could. When I asked him about it, here was his response:

    "I was closing all of those system virus hosts on my machine!"

    I hate my job sometimes.

  6. Re:For a program so hard to turn off by clone53421 · · Score: 5, Insightful

    Whitelist them by checksum, not filename.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
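
The suggestion in the comment above, as an added example that is not part of the original thread: it compares a filename allowlist with a SHA-256 allowlist over four constructed sample files. The file contents, labels and function names are assumptions made for the illustration; nothing here is McAfee's or Windows' own logic.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash the file contents in chunks so large binaries are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def allowed_by_name(path, names):
    # Weak check: anything that calls itself svchost.exe passes.
    return os.path.basename(path).lower() in names

def allowed_by_hash(path, digests):
    # Strong check: only byte-for-byte known-good builds pass.
    return sha256_file(path) in digests

def demo():
    """Build constructed sample files and compare both allowlist styles."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # label -> (file name, constructed contents)
            "genuine": ("svchost.exe", b"constructed known-good build A"),
            "impostor": ("svchost.exe", b"constructed unrelated payload"),
            "renamed_genuine": ("copy.bin", b"constructed known-good build A"),
            "patched_build": ("svchost.exe", b"constructed known-good build B"),
        }
        paths = {}
        for label, (name, content) in samples.items():
            folder = os.path.join(root, label)
            os.mkdir(folder)
            paths[label] = os.path.join(folder, name)
            with open(paths[label], "wb") as fh:
                fh.write(content)
        names = {"svchost.exe"}
        # Only build A has been recorded; build B stands for a later vendor patch.
        digests = {sha256_file(paths["genuine"])}
        return {label: (allowed_by_name(p, names), allowed_by_hash(p, digests))
                for label, p in paths.items()}

if __name__ == "__main__":
    for label, (by_name, by_hash) in demo().items():
        print(f"{label:16} name={by_name!s:5} hash={by_hash}")
```

The `patched_build` row is the operational cost of the checksum approach: every legitimate new build of a protected file needs its hash added to the list, or it is no longer covered by the allowlist.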
  7. Re:For a program so hard to turn off by shutdown+-p+now · · Score: 5, Insightful

    Actually, you can't trust anything once a machine's compromised, which to my mind is a huge problem with modern Windows systems, but I'm not even going to go there....

    Guess where the "root" in "rootkit" comes from?

    Hint: it ain't Windows.