
What to Watch Out For: Svchost.exe Removal due to "False Positive"


What happened?
On April 21, 2010, McAfee released a virus signature that incorrectly identified a core Windows operating system file called SVCHOST.EXE as a threat. When McAfee's products incorrectly detect SVCHOST.EXE as malware, the file may be deleted from the computer or quarantined. Without access to this critical operating system file, Windows fails to load properly, which can cause significant system instability. For example, Windows may shut down the computer, and when the user attempts to restart, the machine may become completely inoperable.

What can I do if this has happened to me?
McAfee currently recommends a manual solution to update impacted systems. Read McAfee's Corporate KnowledgeBase article.
For Small to Midsize Business and IT Professionals, visit the incident page.

What else should you watch out for?
Creators of rogue antivirus software have been using this news to push poisoned search terms such as McAfee, 5958, and DAT. Searches for these terms return results that can lead to malicious and fake antivirus scans, resulting in the installation of malware. One example takes you to a site where you will find a fake online scanner followed by the offer of fake antivirus software. This attack by the malware creators is quite insidious, as many of the people searching for information about this problem are most likely already affected by it and are looking for a solution using another computer, perhaps borrowed from a friend or family member.

More information on this threat and how to protect yourself can be found at:
http://www.symantec.com/connect/blogs/malware-authors-kicking-mcafee-users-when-they-re-down

How to stay safe online
  1. Keep your computer updated with the latest patches. If you don’t know how to do this, have someone help you set your system to update itself.
  2. Don’t use "free" security scans that pop up on many web sites. All too often these are fake, using scare tactics to try to get you to purchase their "full" service. In many cases these are actually infecting you while they run. There is reason to believe that the creators of the Conficker worm are associated with some of these fake security products.
  3. Turn off the "autorun" feature that will automatically run programs found on memory sticks and other USB devices.
  4. Be smart with your passwords. This includes:
     1. Changing your passwords periodically.
     2. Using complex passwords: no simple names or words; use special characters and numbers.
     3. Using a separate, longer password for each site that has sensitive personal information or access to your bank accounts or credit cards.
  5. Use a password management system such as Identity Safe (included in Norton Internet Security 2012 and Norton 360 Version 6.0) to track your passwords and to fill out forms automatically.
  6. Run Norton Internet Security 2012, Norton AntiVirus 2012 or Norton 360 Version 6.0. You can also try Norton Security Scan.

