
Fixing McAfee’s mess

Got a phone call from my Dad today.   Apparently overnight, his Dell laptop decided to kill itself.


When he started his computer today, he saw these things:

  1. The Windows task bar at the bottom of the screen wasn’t showing up correctly (or at all), and no networking was working
  2. When logging in, he got this message:
    HP AiO Device Object Server
    RegisterClassObjects failed: hRes = 0x800706BA
    The RPC server is unavailable.
    Maximum retry attempts exceeded
  3. He also got this message:
    Application Error
    Exception EOleSysError in module Skype.exe at 0008963D
    The RPC server is unavailable.

At first I thought, “Crap! He’s gone to some weird website, or someone’s hacked into this PC!”

But then, I heard the news today about McAfee’s blunder last night – http://blogs.zdnet.com/Bott/?p=2003&tag=col1;post-6001.

Yep, Dad confirmed he had McAfee Total Protection on his laptop.   That was probably it.

Trying to fix it properly

So tonight, I sat down to try to fix it.   Seems that the problem is not confined to corporate users.  It also affects some home users of McAfee Antivirus software.

First thing I did was boot up into Safe Mode and take a peek around.   No weird exe’s running.  Everything looked OK.    I did see this in the System Log at around 4AM:

The protected system file svchost.exe could not be restored to its original,
valid version.  The file version of the bad file is unknown. 
The specific error code is 0x00000426 [The service has not been started.]

Ah yes, this really confirms it’s the McAfee bug, as I had read that it deletes svchost.exe, a key process in Windows.   I couldn’t find any svchost.exe in the c:\windows\system32\ directory.   A search of the whole drive only found it in these locations:

  • C:\windows\$NtServicePackUninstall$
  • C:\windows\Prefetch
  • C:\Windows\ServicePackFiles\i386

Unfortunately, right clicking on the McAfee tray icon didn’t do anything.  The icon was unresponsive.  Using my trusty MacBook Pro, I googled around and found these instructions on the McAfee site for home users:


But I couldn’t click on the McAfee tray icon.  So I decided to try these instructions here:


But the instructions didn’t quite work for me as there was no svchost.exe in the dllcache directory.

I ended up copying in svchost.exe from the ServicePackFiles\i386 folder, deleted the dat directory as instructed, then rebooted.

But things weren’t working again!  Aaarghhh!!   It seems that the svchost.exe was gone again!  WTF?!?

I rebooted into Safe Mode and then tried to run the SDAT5958_EM.EXE file from McAfee.  But this wouldn’t even execute correctly!  What the?!?

Trying to fix it the brute force way

I rebooted into Safe Mode again, and this time I just deleted everything I could under the McAfee VirusScan directory.   I just wanted it gone!!!  There had to be no way that it could try to kill svchost.exe again.  I’d rather have a working XP system with corrupted/missing McAfee than a corrupted XP system with working McAfee.  I restored svchost.exe and rebooted.   And the good news is that all was good!   No error messages on boot up, Skype started fine, and the wireless network adapter was detected and connected successfully.

Except now for some messages about McAfee missing files!   I reinstalled it and it downloaded the latest definitions, and all is OK now.
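Scripting the svchost.exe check and restore from the steps above, as an added example that is not part of the original post. It assumes PowerShell is installed on the XP machine (it is not there by default), that it is run from Safe Mode as an administrator, and that the copy under ServicePackFiles\i386 is intact. It tries the Windows File Protection cache (dllcache) first, then the service-pack store, and hashes the result against the source so a bad copy or a second silent deletion shows up on the next run. It does not touch the McAfee DAT directory, since the post does not give its path; stop the scanner or remove the bad DAT before rebooting, or the file goes again.

```powershell
# Added example, not code from the original post: verify and restore
# %SystemRoot%\system32\svchost.exe after a false-positive deletion.
# Assumptions: PowerShell is installed on XP, run from Safe Mode, elevated.
$system32 = Join-Path $env:SystemRoot 'system32'
$target   = Join-Path $system32 'svchost.exe'
# Candidate sources, in order of preference: the Windows File Protection
# cache (empty on the machine in the post) and the service-pack file store.
$sources  = @(
    (Join-Path $system32 'dllcache\svchost.exe'),
    (Join-Path $env:SystemRoot 'ServicePackFiles\i386\svchost.exe')
)

# SHA-256 via .NET so this also works on PowerShell 2.0 (no Get-FileHash).
function Get-Sha256([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try   { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Get-FileVersionString([string]$path) {
    [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path).FileVersion
}

$source = $sources | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $source) { throw 'No known-good svchost.exe found; restore it from install media.' }
Write-Host "Source: $source  version $(Get-FileVersionString $source)  sha256 $(Get-Sha256 $source)"

if (Test-Path $target) {
    if ((Get-Sha256 $target) -eq (Get-Sha256 $source)) {
        Write-Host 'system32\svchost.exe is present and matches the source copy; nothing to do.'
        return
    }
    # A differing file is either a newer hotfix build or something planted
    # in its place; keep a copy for later examination before replacing it.
    Write-Warning 'system32\svchost.exe differs from the source copy; backing it up and replacing it.'
    Copy-Item $target "$target.bak" -Force
} else {
    Write-Warning 'system32\svchost.exe is missing; restoring.'
}

Copy-Item $source $target -Force
if ((Get-Sha256 $target) -ne (Get-Sha256 $source)) { throw 'Copy verification failed.' }
Write-Host 'Restored. Stop the scanner or remove the bad DAT before rebooting, or it will be deleted again.'
```

One caveat on the source copy: the ServicePackFiles store holds the build shipped with the service pack, so if a later hotfix replaced svchost.exe the restored file will be slightly older than what was running. Compare the printed version string with another machine at the same patch level before trusting it long term.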

This took me just under 2 hours, mostly due to extra paranoid investigation at the start in case it was a virus.  I really wonder how many hours everyone around the world has spent fixing this problem!

Actually, I really pity the standard home user with minimal computer knowledge.  I don’t see how they could fix this without some help.   As they may not even be able to connect to the internet or use their computer to find out what to do!!

My computer was infected…

I’m sooo angry with myself!  I keep on telling family members about being careful to not click or run weird programs off the internet.   I had recently spent ages getting weird malware and spyware off my parents’ and parents-in-law’s computers.   And what do I do this week?   I accidentally ran an executable called “wmcodec_update.exe” thinking it was a high definition codec update for an embedded Windows media player!

As soon as I ran it I knew I shouldn’t have.   Luckily my hard drive isn’t totally silent – because the thing that made me realise it was bad was hearing the hard drive go crazy!  I thought “*@^&$!! It’s deleting all my files!”   I immediately shut down the laptop and pulled out all my external USB drives.

I first ran my favourite Spybot Search and Destroy but it didn’t seem to have done the full job.  I then tried to remove wmcodec_update.exe by following the instructions at geekstogo and I followed the recommendation on Malwarebytes’ Anti-Malware at Yahoo Answers.

I also noticed a few weird things – my wallpaper had changed to show a fake window about viruses, I didn’t have the permissions to change my wallpaper back, and there was a “new” virus scanner that had installed itself on my computer called Antivirus XP 2008 which seemed to be scanning my computer, reporting hundreds of viruses!!

I noticed a few weird processes running in Task Manager.   I tried to kill them but they seemed to keep coming back.

Avast found a virus

I’m naughty – I had recently removed all virus scanners from my laptop, so I quickly put on Avast and did a few scans which did reveal and repair more traces of the virus.

msconfig showing 2 suspicious startup processes

Unfortunately the fake antivirus program was still there.  I used msconfig to disable it and Task Manager to delete the process but it wasn’t all gone!   I came across this article on bleeping computer with details to remove it and its files and I think I’ve now got rid of it.
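The two startup entries in the msconfig screenshot and the processes that kept coming back are both autostart problems, so the first thing worth having is a read-only listing of where the rogue program hooked itself in. The following is an added example, not code from the original post or from any of the removal guides it links: it lists the Run/RunOnce keys that msconfig’s Startup tab reads, the Winlogon Shell and Userinit values, and the ActiveDesktop policy value that usually explains a wallpaper that cannot be changed. It assumes PowerShell is installed on the machine, and the “suspicious” flag is a simple heuristic of my own (anything launched from a profile or temp directory), not something the post states.

```powershell
# Added example, not code from the original post: enumerate the autostart
# locations a rogue "antivirus" typically hooks, for review before cleanup.
# Read-only. Assumption: PowerShell is installed on the XP machine.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Registry provider metadata that Get-ItemProperty adds to every key object.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
# Heuristic (my assumption, not from the post): legitimate startup programs
# rarely live in user-writable profile or temp directories.
$suspectRoots = @($env:USERPROFILE, $env:TEMP, $env:APPDATA, "$env:SystemRoot\Temp") | Where-Object { $_ }

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $cmd  = [string]$p.Value
            $flag = $false
            foreach ($root in $suspectRoots) {
                if ($cmd -like "*$root*") { $flag = $true }
            }
            New-Object PSObject -Property @{
                Key = $key; Name = $p.Name; Command = $cmd; Suspicious = $flag
            }
        }
    }
}

Write-Host '== Run / RunOnce entries (what msconfig Startup shows) =='
Get-AutorunEntries | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Name, Command -AutoSize

# Winlogon is another common hijack point. Expected values on XP are
# Shell = explorer.exe and Userinit = <system32>\userinit.exe, (trailing comma).
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Write-Host "Winlogon Shell    : $($wl.Shell)"
Write-Host "Winlogon Userinit : $($wl.Userinit)"

# A wallpaper the user cannot change is normally this policy value being set
# (assumption: the rogue used the standard policy key rather than ACLs).
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
if (Test-Path $pol) {
    Write-Host 'ActiveDesktop policy present under HKCU:'
    Get-ItemProperty $pol | Select-Object NoChangingWallPaper | Format-List
} else {
    Write-Host 'No ActiveDesktop policy key under HKCU.'
}
```

Run it once in Safe Mode before deleting anything and keep the output: a process that "keeps coming back" after being killed almost always has a second entry in one of these locations (or a watchdog process named in one), and the listing tells you which files the removal guide’s steps actually need to cover.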

Suspicious folder on hard drive

Arghhh!!  I’ve lost a few days use of the laptop and my Friday night.   Well, now I’ll be extra careful about running unknown processes and have that virus scanner permanently running *sigh*.