Norton help please

Norvin

The Norton AntiVirus 2003 on my system quit running - I can't even call
it up. Double clicking on the Norton icon only brings a short busy
indicator and then nothing. Repeated clicks do not bring up Norton.
Going into Norton via Start, Programs, Norton, I was able to uninstall
successfully, and then reinstall. I still can't call up Norton though.
I tried uninstalling and reinstalling a 2nd time to no avail. The 2nd
time, I used the hard power off (manual power off, wait 30 seconds,
power back on instead of the system restart) with no difference. When
uninstalling, the program stopped and asked if I wanted the "quarantined
files" deleted. I said no as I didn't know what they were and if they
were something important (QuickBooks, Taxes, etc). Another observation
that I have seen lately is a lot of H.D.D. activity (red light on almost
continuously at times with nothing else (at least that I am aware of)
going on, just Windows and Juno email). Does the hard disk need to be
"defragged"? Is a virus causing this problem? Why are files
quarantined?
 
Nina Irwin

The Norton AntiVirus 2003 on my system quit running - I can't even call
it up. Double clicking on the Norton icon only brings a short busy
indicator and then nothing. Repeated clicks do not bring up Norton.
Going into Norton via Start, Programs, Norton, I was able to uninstall
successfully, and then reinstall. I still can't call up Norton though.
I tried uninstalling and reinstalling a 2nd time to no avail. The 2nd
time, I used the hard power off (manual power off, wait 30 seconds,
power back on instead of the system restart) with no difference. When
uninstalling, the program stopped and asked if I wanted the "quarantined
files" deleted. I said no as I didn't know what they were and if they
were something important (QuickBooks, Taxes, etc). Another observation
that I have seen lately is a lot of H.D.D. activity (red light on almost
continuously at times with nothing else (at least that I am aware of)
going on, just Windows and Juno email). Does the hard disk need to be
"defragged"? Is a virus causing this problem? Why are files
quarantined?



Yes, the HDD activity could indicate a virus/worm/trojan, as could the
fact that Norton's won't start. There is some malware out there that
disables anti-virus software, and it has to be found and dealt with
before you can reinstall your anti-virus.

I'm afraid I don't know all the technicalities on how to clear them
without the anti-virus programs working but there are people here who
can help you.


Nina Irwin
(e-mail address removed)
 
David W. Hodgins

The Norton AntiVirus 2003 on my system quit running - I can't even call
that I have seen lately is a lot of H.D.D. activity (red light on almost
continuously at times with nothing else (at least that I am aware of)
going on, just Windows and Juno email. Does the hard disk need to be
"defragged"? Is a virus causing this problem? Why are files
quarantined?

The quarantined files contain what Norton identified as suspicious
files, before it got shut down.

Sounds like you have a virus, and/or trojan running on your system.

Given what's been common lately, I'd start by downloading and
running CWShredder and McAfee's Stinger.

See http://www.softpedia.com/public/cat/10/17/10-17-150.shtml and
http://www.dal.ca/~ucis/services/virushelp/tools/stinger.html

See if running those will restore Norton's functionality.

Regards, Dave Hodgins
 
Steven Ung

Norvin said:
The Norton AntiVirus 2003 on my system quit running - I can't even call
it up. Double clicking on the Norton icon only brings a short busy
indicator and then nothing. Repeated clicks do not bring up Norton.
Going into Norton via Start, Programs, Norton, I was able to uninstall
successfully, and then reinstall. I still can't call up Norton though.
I tried uninstalling and reinstalling a 2nd time to no avail. The 2nd
time, I used the hard power off (manual power off, wait 30 seconds,
power back on instead of the system restart) with no difference. When
uninstalling, the program stopped and asked if I wanted the "quarantined
files" deleted. I said no as I didn't know what they were and if they
were something important (QuickBooks, Taxes, etc). Another observation
that I have seen lately is a lot of H.D.D. activity (red light on almost
continuously at times with nothing else (at least that I am aware of)
going on, just Windows and Juno email). Does the hard disk need to be
"defragged"? Is a virus causing this problem? Why are files
quarantined?

These steps apply to unpatched WinXP/Win2000 PCs. Please post if you're
unsure of the steps.

STEP 1: Identify suspected process/services
-----------------------------------------------------------------------
First off, try to see what processes or services running on your PC are
causing the HDD to blink rapidly. There are tools available on the net to
see Win98 processes. As for WinXP/2K, press CTRL+ALT+DELETE and look for any
suspicious programs that are running, and these include Windows Media
Player (if you're not running it)! If you attempt to terminate it, it
comes back.

Take note, SVCHOST.exe is a valid Windows process, and even though SVCHOST is
showing 100% CPU Utilization, most likely it is not due to SVCHOST.exe.
Think of SVCHOST.exe as the master service that drives other processes,
like the engine of a car that drives the wheels.

Also, SVCHOST.exe is NOT the same as SCVHOST.exe!

STEP 2: Terminate the Virus at startup....
-----------------------------------------------------------------------
Check the registry using Start/Run/Registry Edit and check the following
registry values:-

2.1. HKEY_LOCAL_MACHINE (HKLM)/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/RUN
2.2. HKLM/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/RUNONCE
2.3. HKLM/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/RUNONCEEX

Most viruses were started up from the 2nd and 3rd items above. Write down the
values or use the EXPORT feature to keep a copy of the registry before
proceeding. Caution! If you edit wrongly, the PC might not start.

One by one, manually delete the .EXE/.COM processes that are running in
HKLM/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/RUNONCE OR
HKLM/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/RUNONCEEX.

2.4 Before deleting the process, make sure you write down the process name
for reference in STEP 3.

Note for STEP 2:-
Most of the viruses that we encountered attempt to close the REGEDIT program
after a few seconds. The trick is to quickly open up a section of the
registry and click on the "X" (Close) button before the virus can close it
for you; reopening REGEDIT will start off from where you left off.

You need to take a closer look at the services that run at startup, and if
one is suspected to be a virus, attempt to disable it from starting up.

STEP 3: Reconfigure how the virus works (for Win2K/WinXP only)....
-----------------------------------------------------------------------
3.1 Locate the suspected virus service that is running from the Windows
Services. This can be found at Start/Run/Settings/Control
Panel/Administrative Tools/Services/<Process Name from STEP 2.4>.
3.2 Right-click with the mouse and select Properties.
3.3 Click on the Recovery Tab, and take a look at the "RECOVERY" Tab. Most
of the Windows services DO NOT RESTART the service on SUBSEQUENT FAILURES.
If you suspect that this service is the one that is causing the problem,
change the First, Second and Subsequent Failures to "Take No Action".
3.4 Click on OK to update the changes to how the service is started.
3.5 Right-click on the suspected service, and click on the RESTART
option to restart the service. Once the suspected virus has been restarted,
you can proceed to delete its process using CTRL+ALT+DELETE. This time, it
should terminate the process.

The trick that these viruses use is that they start the services before
Windows or Anti Virus (AV) starts, and disable the AV. Any attempt to STOP
the virus (CTRL+ALT+DELETE) restarts the virus, as explained in Step 3.3/3.4
respectively.

STEP 4: Patching up...
-----------------------------------------------------------------------
More information on the DCOM vulnerability can be found on Microsoft's
websites, typically http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

Microsoft has also released a program to assist administrators in checking
for PCs that are unpatched on their networks. The tool can be obtained from
http://support.microsoft.com/default.aspx?scid=kb;en-us;827363

If you do not apply Windows security updates, the virus will come back.
We've seen newly installed PCs, once connected to the network, show symptoms
of infection in under 2 minutes!

4.1 Run Windows Update, or set up a SUS to update the security services for
Microsoft
http://www.microsoft.com/downloads/...eetext=sus&DisplayLang=en&DisplayEnglishAlso=

4.2 Run LiveUpdate (NAV) and make sure your AV is up-to-date.

HTH
PS.
I don't work for Microsoft, nor am I an MVP. Please excuse my lousy English.
English is not my first language.

Using the above technique, we managed to solve the problem for 20~25 PCs on
our network. I hope it does good for others. TQ
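
Added example (not part of the thread, and not code from any poster): a small Python script that reads the text of a registry export, as suggested in STEP 2, lists what the Run, RunOnce and RunOnceEx keys would start, and flags image names that closely imitate a genuine one, such as SCVHOST.exe versus SVCHOST.exe from STEP 1. The list of genuine names, the 0.85 similarity threshold and every entry in the sample export are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
# The three autostart keys listed in STEP 2 of the post.
RUN_KEYS = [f"{BASE}\\{k}".upper() for k in ("Run", "RunOnce", "RunOnceEx")]
# Illustrative, not exhaustive, list of genuine Windows image names (assumption).
KNOWN = ["svchost.exe", "services.exe", "lsass.exe", "explorer.exe", "winlogon.exe"]
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):  # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_run_entries(reg_text):
    """Return (key, value name, command) for string values under the STEP 2 keys."""
    entries, key = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
        # RunOnceEx keeps its entries in subkeys, so accept children of a key too.
        elif (m := VALUE.match(line)) and any(
                key == k or key.startswith(k + "\\") for k in RUN_KEYS):
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries

def image_name(command):
    """Executable file name from a command line (quoted path or first token)."""
    first = command[1:].split('"', 1)[0] if command.startswith('"') else (command.split() or [""])[0]
    return first.rsplit("\\", 1)[-1].lower()

def lookalike_of(image, threshold=0.85):
    """Return the genuine name that `image` closely imitates, or None."""
    for real in KNOWN:
        if image != real and SequenceMatcher(None, image, real).ratio() >= threshold:
            return real
    return None

def review(reg_text):
    rows = parse_run_entries(reg_text)
    return [(name, image_name(cmd), lookalike_of(image_name(cmd))) for _, name, cmd in rows]

# Constructed sample export; every entry below is made up for illustration.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="\"C:\\Program Files\\Example AV\\avtray.exe\""
"Windows Update Helper"="C:\\WINDOWS\\system32\\scvhost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"updater32"="C:\\WINDOWS\\updater32.exe /s"
'''
```

Exports in the "Version 5.00" format are saved as UTF-16, so read the file with `encoding="utf-16"` before passing its text to `review()`. A flagged name is only a pointer to which entry to inspect first; an unflagged entry still needs to be recognised before it is trusted.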
 
