Tag Archive: Virus

Here’s how to turn it off:

Go to your Control Panel.  Choose “Folder Options.”  Go to the “View” tab, scroll down to the entry that says “Hide extensions for known file types” and un-check it if it is checked.  Hit “Apply” and then if available, “Apply to Folders.”

Here is why I recommend you turn it off:

Ever since Windows 95 was released, the default setting has been to hide extensions for known file types.  The reasoning behind that default was to make Windows look more like a Macintosh, where the picture on the icon is what tells you what kind of file it is, instead of the usual 3 characters after the dot.

Sure, it’s nice having the icon so you can tell at a glance what is an Excel spreadsheet and what is an MP3 song, but by seeing the 3 character extension, you can tell for sure before you open something you didn’t intend to.

People who have written trojans (viruses) take advantage of this.  A file name can have only one extension, but it can have more than one dot in the name, so the real extension is whatever comes after the last dot.  Some trojans are given an innocent-looking name that appears not to be executable, such as “hello.txt.exe”.  The real extension being .exe makes it executable.  If the setting to hide extensions is turned on, as it is by default, then all you see is “hello.txt”, making you think it is safe to open because you would expect it to simply open in Notepad, but instead it executes the .exe file.

If this setting is set the way I recommend, then you will immediately see that it is really an .exe file and should know to exercise caution when handling this file (such as running a virus scan on it before doing anything besides deleting it).
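The last-dot rule described above can also be checked in bulk over a list of file names. The following is an added example, not part of the original post; the extension lists, function names and sample paths are constructed for illustration, and it assumes every listed extension is a registered (known) file type.

```python
import ntpath  # Windows path rules, importable on any OS

# Constructed, non-exhaustive lists (assumptions of this example).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
DECOY_EXTS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".mp3"}
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS


def split_real_ext(path):
    """Split a name at its last dot: what follows it is the real extension."""
    base = ntpath.basename(path).rstrip(" .")  # Win32 drops trailing spaces/dots
    return ntpath.splitext(base)


def displayed_name(path):
    """Name Explorer shows with 'Hide extensions for known file types' checked."""
    stem, ext = split_real_ext(path)
    return stem if ext.lower() in KNOWN_EXTS else stem + ext


def is_disguised(path):
    """True when the real extension is executable but the visible name ends in
    a document-style extension, as in hello.txt.exe."""
    stem, ext = split_real_ext(path)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    # Padding spaces before the last dot push the real extension out of view.
    _, shown_ext = ntpath.splitext(stem.rstrip(" "))
    return shown_ext.lower() in DECOY_EXTS


def find_disguised(paths):
    """Return (path, name shown with extensions hidden) for each disguised file."""
    return [(p, displayed_name(p)) for p in paths if is_disguised(p)]


DOWNLOADS = "C:\\Users\\demo\\Downloads\\"  # constructed sample paths
SAMPLE = [
    DOWNLOADS + "hello.txt.exe",
    DOWNLOADS + "notes.txt",
    DOWNLOADS + "setup.exe",
    DOWNLOADS + "Invoice.PDF" + " " * 6 + ".SCR",
    DOWNLOADS + "archive.tar.gz",
    DOWNLOADS + "song.mp3.",
]

if __name__ == "__main__":
    for path, shown in find_disguised(SAMPLE):
        print(f"shown as {shown!r}, really {ntpath.basename(path)!r}")
```

A plain “setup.exe” is not flagged: it is executable, but its name does not pretend to be a document.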

[4/21/2010] Early this morning, McAfee released virus definition version 5958, which totally hosed lots of computers running the English version of Windows XP Pro SP3.  It might only affect enterprise versions.  It wreaked lots of havoc everywhere. This virus definition update falsely detected svchost.exe as a virus called W32/Wecorl.a. Svchost is critical for normal operation of Windows XP, including its ability to connect to the internet or any other network. Other symptoms are that the task bar / start menu doesn’t appear on its own, constant pop-ups about “Night Watchman service” appear, and, more immediately, it counts down to a forced reboot, even as soon as you boot up.

Since it forces a reboot, you can’t use your computer at all. The immediate workaround for this is to go to a command prompt window and type “shutdown -a”. The -a means abort. Now that it is no longer shutting down, you can go to the next step.

McAfee released another virus definition .DAT update, 5959, today, which no longer has this problem. But for most it isn’t so easy to do this update if it has already affected your computer, since you don’t have network or internet access to obtain the new definition updates. What you need to do now is this: open the McAfee VirusScan console, open Quarantine Manager Policy, click the Manager tab, and the newest item should be svchost.exe. Right-click and restore that item. That will allow Windows to operate properly after rebooting, but only if McAfee is not allowed to run at this point, because otherwise McAfee will re-quarantine svchost.exe.   Reboot, then use the [F8] key to start it as “Safe mode with Networking”.  Since svchost.exe is fixed, you will be networked, but since it is safe mode, McAfee won’t run, so it won’t re-quarantine svchost.exe.

When it is booted up, obtain the latest SuperDAT from the McAfee website; when you run it, it will update the McAfee definitions even though McAfee isn’t running.  Updating to a version newer than 5958 prevents McAfee from re-quarantining svchost.exe after you reboot in normal mode, where McAfee is allowed to run.

Reboot, this time boot up in normal mode.

Now, open the McAfee VirusScan console again, and confirm that it has updated to at least 5959, which is safe and already released. [as of 4/22/10, 5960 is the current DAT version.]  Also confirm that “On-Access Scanner” is set to enabled; enable it if it is disabled.  When you enable it, it should also automatically enable “Access Protection” and “Buffer Overflow Protection”; enable those two things if they are still not enabled after enabling “On-Access Scanner”.

This is not a hoax.  See more information about it on the McAfee knowledgebase website, KB68780 and McAfee’s community forum.  And read about what havoc is being caused in the news.

[edit 4/22/2010, DH] – removed links to extra.dat and 5959 DAT files since 5960 is now released and at least one is released per day.  I can’t update this daily; instead I’ll link to where the latest SuperDAT can always be downloaded directly from McAfee, plus I updated the instructions above.