
Virus File Recovery with iCare Data Recovery Free Full Version


Monday, 24 May 2010 18:29:08 (US Mountain Standard Time, UTC-07:00)

    iCare Data Recovery Software is offering its data recovery software for free for a limited time only (we reviewed EaseUS data recovery software before). This software normally costs $69.99 but is free until the end of May 2010. Why would a user want to use recovery software? The most common answer is that a virus has deleted or modified important files. Often viruses or worms will modify system files so that copies of the virus spread easily via p2p etc. This behavior also makes the viruses more difficult for antivirus software to delete. After an antivirus scan is performed, the antivirus may delete many files such as .sys, .dll, .doc, .jpg (all of a user's photos) or .docx. This is where data recovery software becomes useful. On any Windows system (Windows XP, Vista and 7) the file system retains copies of all of a system's files regardless of file deletion and/or modification. Recovery software such as iCare's can access portions of the disk that the operating system does not expose (essentially RAW areas) and successfully restore affected files instantly.

    Viruses can also often infect the Master Boot Record (the MBR is critical to the Windows boot process) and make drives, including thumb drives, inaccessible. iCare's Data Recovery Software can fix all of these problems by restoring the MBR and fixing bad hard drive sectors. Finally, iCare's software is completely compatible with Windows 7. Download the full version below and use the license code in the picture above.

Download the free full version of iCare Data Recovery Software

 

 

 


Critical Flaw allows for a Virus to Bypass Most Antivirus Software and Wreak Havoc


Wednesday, 12 May 2010 17:17:40 (US Mountain Standard Time, UTC-07:00)

    The latest news that has been creating a lot of hysteria in the antivirus market is a new proof-of-concept virus or exploit that is essentially undetectable by all current 2010 antivirus programs, including Norton 360 2010 and even McAfee Internet Security. The exploit, discovered by matousec.com, targets the software that's supposed to protect us: antivirus and firewall software.

Background:

    Whenever one installs firewall software on Vista or Windows 7, a Windows UAC prompt asks the user to allow the firewall to install a driver. The driver allows the firewall to first integrate into the operating system's kernel and sit in the path of the internet connection, thereby allowing the firewall to regulate connections (block or allow). Microsoft has released guidelines on how to write efficient and safe drivers, but almost all antivirus vendors have ignored them. Now rogue software can access the driver through an exploit and completely bypass all current antivirus security checks to run a myriad of attacks against a host computer. Take a look at the opening screenshot for this section; it includes only a handful of the currently vulnerable internet security suites.

    While I find the actual article hard to understand (it's written for expert programmers), it's clear that the industry needs to beef up security across the board. Unfortunately, there is no current patch or update for this type of attack. Users will need to pressure antivirus companies to patch their software in their 2011 versions. A simple update seems like it will not solve this vulnerability, and antivirus vendors will need to completely rewrite their software. In the meantime, one can only hope that this type of attack doesn't become more mainstream, as there is no fix as of May 12, 2010. Until then, be extra vigilant about suspicious attachments and non-essential websites.

 

 

 


How to Fix the McAfee w32/Wecorl.a deletion of SVCHost.exe


Thursday, 22 April 2010 12:30:46 (US Mountain Standard Time, UTC-07:00)

    Many already know about the McAfee disaster and how 100,000s of users were affected. The guts of the story lie in McAfee detecting a legitimate file called SVCHost.exe as the virus W32/Wecorl.a. SVCHost.exe is a critical component of Windows that allows a computer to run multiple system functions within one file. Under normal circumstances, if SVCHost.exe is stopped, it will automatically attempt to restart. However, since McAfee actually deletes the file, there is no way for the file to restart, causing the whole system to crash. Users may be prompted with an NT Authority Shutdown message and then an automatic system restart. The W32Blaster worm caused a strikingly similar situation years ago, when users were prompted with an NT Authority Shutdown message and concurrent system restarts.

    There are a few positive aspects of the McAfee false positive. The first is that only Windows XP users were affected. The next is that only McAfee business users were affected, not users of the consumer products.

    Now I am going to offer a few methods to fix the false virus problem. Please note that McAfee released updated antivirus definitions shortly after the incident and some users may not have been affected at all. It is probably best to update McAfee antivirus first. If a user can get into Windows, even for a little bit, one can navigate to the McAfee antivirus program and attempt to restore SVCHost.exe from the quarantine. If one is unable to make it to the quarantine, a user can start the computer in Safe Mode with Networking and download the 5959xdat.exe file to repair the false definition. Once the updated virus definition is installed, navigate to the C:\Windows\System32 folder. If SVCHost.exe is in the folder and is not 0 bytes, stop here. If it is missing or has 0 bytes, proceed to the C:\Windows\ServicePackFiles\i386 and/or C:\Windows\system32\dllcache folder and locate SVCHost.exe in either one of these folders. These locations hold a backup copy of SVCHost.exe that is produced during a service pack upgrade etc. Copy the SVCHost.exe file from one of the preceding locations back into the C:\Windows\System32 folder and restart the computer.

    If the above fails or one cannot get into Safe Mode, get a Windows XP CD-ROM, put it into the computer and restart the system. Boot into the Windows setup and into the Recovery Console. Once in there, run the command:

copy c:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32
or
copy c:\windows\system32\dllcache\svchost.exe c:\WINDOWS\system32

    After this is done, one should be able to enter Safe Mode with Networking and run the 5959xdat.exe file to update McAfee virus definitions. Then restart the computer to enter Windows normally and again update McAfee through the normal update procedure.
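The check-and-copy steps above, written as an added Python example (not from the original post) for a technician who has attached the affected drive to another machine. The function names and the constructed sample tree are assumptions for illustration; the folder names are the ones the post gives.

```python
import shutil
import tempfile
from pathlib import Path

# Backup locations named in the post, relative to the Windows directory.
BACKUP_DIRS = ("ServicePackFiles/i386", "system32/dllcache")
NAME = "svchost.exe"


def _resolve(root: Path, rel: str):
    """Walk rel under root case-insensitively (an XP volume mounted on another OS)."""
    cur = root
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        match = [c for c in cur.iterdir() if c.name.lower() == part.lower()]
        if not match:
            return None
        cur = match[0]
    return cur


def restore_svchost(windows_dir) -> str:
    """Apply the post's procedure; return 'present', 'restored:<dir>' or 'no-backup'."""
    root = Path(windows_dir)
    system32 = _resolve(root, "system32")
    if system32 is None:
        raise FileNotFoundError(f"no System32 folder under {root}")
    target = _resolve(system32, NAME)
    if target is not None and target.stat().st_size > 0:
        return "present"  # file exists and is not 0 bytes: stop here
    for rel in BACKUP_DIRS:
        src = _resolve(root, f"{rel}/{NAME}")
        if src is not None and src.is_file() and src.stat().st_size > 0:
            shutil.copy2(src, target or system32 / NAME)
            return f"restored:{rel}"
    return "no-backup"


def demo() -> list:
    """Constructed tree: 0-byte System32 copy, backup only in dllcache."""
    with tempfile.TemporaryDirectory() as tmp:
        win = Path(tmp) / "WINDOWS"
        (win / "System32" / "dllcache").mkdir(parents=True)
        (win / "System32" / NAME).write_bytes(b"")
        (win / "System32" / "dllcache" / NAME).write_bytes(b"MZ constructed sample")
        return [restore_svchost(win), restore_svchost(win)]


if __name__ == "__main__":
    print(demo())
```

A 0-byte backup copy is skipped rather than copied, so a damaged backup never overwrites the target.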

    Hopefully, a similar situation won't happen again. Unfortunately, this isn't the first time a mess-up like this has happened. CA released faulty definitions years back too. Maybe the antivirus companies aren't learning their lesson.