McAfee False Positive Brings Down XP Machines

23 Apr, 2010

We recently had a computer come into the shop with what appeared to be some pesky malware.  It wouldn’t let you drag icons, the taskbar was minimized and unresponsive, and it kept auto-initiating shutdowns due to DCOM errors and the RPC Service stopping unexpectedly.

These services required svchost.exe (along with a hundred other things in Windows) to be usable and located in the system32 directory.  It was missing, and after replacing just that file with a copy of the good one, it would still disappear after a minute or so!

After searching in vain for some rogue process that might be causing this, it became clear that this machine was hit by a pretty disastrous false positive due to a McAfee Antivirus update!

Basically, the latest update (April 21st, 2010) was downloaded by the machine, and after scanning, it thought it had found an instance of the w32/wecorl.a virus (which apparently hasn’t been around since 2003), and proceeded to remove and quarantine svchost.exe, bringing Windows XP to its knees. This little bug has affected millions of machines worldwide in the last 48 hours! (And this isn’t the first time a McAfee update has done something like this.)

This is yet another testament to antivirus programs doing more harm than good for most users.

-Chris