Subject: Norton false positive crashes Simplified Chinese WinXP, did you get hit? -- 小赵
Everyone be careful: if your computer runs Simplified Chinese Windows and you use Norton antivirus, pay attention and turn Norton off for the next couple of days, otherwise Norton will treat several very important system files as Trojans and kill them. Then your machine will crash, and safe mode won't work either. The only fix is to repair with the system installation disc.
I got hit. Last night I spent 5 hours reinstalling the system and didn't get to sleep until 5 in the morning.
Below is the write-up from Sina:
The Norton on my laptop came bundled and expired just over a month ago. Fed up with its constant prompts, I switched to NOD32, cursing Norton as I did it, tnnd: a laptop only lasts three to five years, why not just charge once and be done with it.
It's not that I can't afford the money, it's that I can't afford the time. Anyway, I've breathed a sigh of relief now.
What's infuriating is that more than a day has passed and Norton still hasn't made a statement.
What's maddening is that there is still no English-language report on this :(
The Toshiba I bought came with XP, which I set to Chinese. I also use Norton and keep it updated. I haven't had any crashes.
The following method was tested by the support department; please report any problems promptly.
=======================================
Backdoor.haxdoor Solution
Version: 1.6
Problem description:
On Windows XP SP2 Simplified Chinese with patch KB924270 applied, after SAV updates to the May 17 virus definitions (the LiveUpdate definition version is 20070517.v18; the Rapid Release definition versions are 20070517.v16 (68601) through 20070517.v70 (68637)), it identifies
C:\windows\system32\netapi32.dll and C:\windows\system32\lsasrv.dll
as backdoor.haxdoor and quarantines them.
After a reboot the machine cannot enter the system, cannot enter safe mode either, and blue-screens.
Solution:
1. Server side:
Run LiveUpdate on the server immediately and update to the latest virus definitions (20070517.v73).
If LiveUpdate has problems, go to
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/symantec_antivirus_corp/rapidrelease/sequence/
enter the 68638 (20070517.v71) or later folder,
download the file with the xdb extension and place it in the server's SAV installation folder (a shared folder, usually C:\program files\SAV or C:\program files\SAV\symantec antivirus. If software such as WinZip is installed on the server, it may rename the XDB to zip or rar; it must be renamed back to xdb).
2. Running clients:
Clients can download the updated virus definitions from the server; make sure the definitions are 20070517.v71 or later.
For clients that cannot update their definitions automatically from the server, go to
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/symantec_antivirus_corp/rapidrelease/sequence/
enter the 68638 or later folder, download the ****x86.exe file and run it locally to update the definitions. For machines that have had this problem, in theory once SAV downloads the updated definitions it will scan the quarantine, find the falsely detected dll files, repair them automatically and restore them to their original locations; many users have already confirmed this. To be safe, however, we recommend that users, workload permitting, replace the two files in C:\windows\system32 with the netapi32.dll and lsasrv.dll files from the i386 directory on the Windows XP disc.
For machines that have already blue-screened:
1. Boot from the Windows XP installation disc.
2. Enter the system Recovery Console.
3. Replace the files in system32 and dllcache with the netapi32.dll and lsasrv.dll files from the I386 directory on the installation disc:
a. cd \windows\system32
b. expand (CD drive letter):\i386\netapi32.dl_
c. expand (CD drive letter):\i386\lsasrv.dl_
d. cd dllcache
e. expand (CD drive letter):\i386\netapi32.dl_
f. expand (CD drive letter):\i386\lsasrv.dl_
4. Restart the computer.
5. Update to the new virus definitions described above.
Temporary Solution for Backdoor.haxdoor
Version: 1.6
Situation:
On a Windows XP SP2 (Simplified Chinese) image with the MS KB924270 patch applied, after the virus definitions have been updated to the 2007-5-17 version (the first bad Rapid Release is 20070517.016 (68601); the first bad LiveUpdate definition is 20070517.018),
the following files, C:\windows\system32\netapi32.dll and C:\windows\system32\lsasrv.dll, will be treated as 'backdoor.haxdoor' and then quarantined.
After rebooting, the system cannot log in successfully, and the same happens in safe mode. It will also display a blue screen.
Solution:
For the server:
Run LiveUpdate immediately, to virus definition version 20070517.v73.
If there is any problem on liveupdate:
1. Go to ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/symantec_antivirus_corp/rapidrelease/sequence/.
2. Enter the 68638 (20070517.v71) or newer folder.
3. Download the files with the suffix of xdb.
4. Put it into the installation folder of SAV, which is generally C:\program files\SAV or C:\program files\SAV\symantec antivirus.
Note: If compression software such as WinZip is installed on the server, the suffix may be changed from xdb to zip or rar. Please change it back to xdb.
For the clients:
1. The clients will automatically update to the new version of the virus definitions from the server. Confirm that the virus definition version is 20070517.v71 or later.
2. For clients that could not obtain the new virus definitions from the server automatically, please download ****x86.exe from the above address, then run this executable.
3. For a client that has met this problem, the latest virus definitions will rescan the quarantine; if there are falsely detected dll files, SAV will repair and restore them.
4. For the pc displaying blue screen:
1) Locate Installation CD, put in drive and restart machine.
2) At startup, choose the option to boot from CD.
3) After the drivers load in Windows setup, choose ‘R’ for recovery console.
4) Choose the affected Windows installation, and type in your administrator password.
5) Type the following commands in this order (overwrite files if prompted):
a. cd \windows\system32
b. expand (CD drive letter):\i386\netapi32.dl_
c. expand (CD drive letter):\i386\lsasrv.dl_
d. cd dllcache
e. expand (CD drive letter):\i386\netapi32.dl_
f. expand (CD drive letter):\i386\lsasrv.dl_
6) Type ‘exit’ to reboot the machine
7) update to latest virus defs
Instruction by Symantec Security Response:
On May 17, 2007, at approximately 10am PST, Symantec released LiveUpdate definitions which erroneously detected two system files included on some Simplified Chinese versions of Microsoft Windows XP as Backdoor.Haxdoor.
This affected the Simplified Chinese version of Windows XP Service Pack 2 which had the KB924270 patch from Microsoft applied. The files affected are netapi32.dll (version 5.1.2600.2976) and lsasrv.dll (version 5.1.2600.2976). Other language versions of Windows XP, or Windows XP versions which do not have the KB924270 patch applied, are not affected. Windows will fail to load should the machine be rebooted following the mis-detection.
The mis-detection was introduced in Rapid Release build number 68601 (extended version 20070517.016) and corrected in Rapid Release build number 68638 (extended version 20070517.071).
Symantec released LiveUpdate definitions on May 17, at approximately 11.30pm PST, to correct this issue. Users who have not rebooted Windows following the mis-detection can apply the updated definitions through LiveUpdate to resolve the issue. Customers impacted by this issue following a reboot of an affected system can return their system(s) to the previous state through use of the Windows Recovery Console. (See attached file for details.)
The mistaken detections were added via an automation process that has been in use for some time to address the rapidly increasing volume of threats. One of the third party components used in the automation process has recently changed and led to the detection of the two system files, which has now been corrected.
Symantec is putting measures in place to avoid similar incidents in future. We sincerely regret any inconvenience this may have caused our customers.
PS:
Step by step instructions to stop blue screens:
1) Locate Installation CD, put in drive and restart machine.
2) At startup, choose the option to boot from CD.
3) After the drivers load in Windows setup, choose ‘R’ for recovery console.
4) Choose the affected Windows installation, and type in your administrator password.
5) Type the following commands in this order (overwrite files if prompted):
a. cd \windows\system32
b. expand (cd drive letter):\i386\netapi32.dl_
c. expand (cd drive letter):\i386\lsasrv.dl_
d. cd dllcache
e. expand (cd drive letter):\i386\netapi32.dl_
f. expand (cd drive letter):\i386\lsasrv.dl_
6) Type ‘exit’ to reboot the machine
7) Download and update to latest RR defs
8) Re-apply KB924270 patch.
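As an added example (not Symantec's tooling and not code from anyone in this thread), the following Python script turns the version ranges quoted in the notice above into a triage check an administrator could run over a client inventory. It parses the two definition-version formats that appear on this page (LiveUpdate "20070517.v18" / "20070517.018" and Rapid Release "20070517.v16(68601)"), flags definition sets inside the misdetecting range (builds 68601 through 68637, corrected at 68638 / v71), and classifies each host as not exposed, clean, update now (still running, so updated definitions will restore the DLLs from quarantine), or recovery console (already blue-screened). The Host record, the "zh-CN" language code, and the sample inventory are constructed assumptions.

```python
"""Triage helper for the May 2007 SAV/Norton false positive on netapi32.dll and
lsasrv.dll (Simplified Chinese Windows XP SP2 with KB924270 applied).
Added example, not Symantec's tooling: it parses the definition-version strings
quoted in the notice and classifies constructed inventory records."""
import re
from dataclasses import dataclass

# Affected range, taken from the notice: Rapid Release builds 68601 (20070517.016)
# through 68637 (20070517.070) misdetect the two DLLs; build 68638 (20070517.071)
# and later are corrected. The first bad LiveUpdate revision was 20070517.018.
BAD_DATE = "20070517"
FIRST_BAD_REV = 16
FIRST_GOOD_REV = 71
FIRST_BAD_SEQ = 68601
FIRST_GOOD_SEQ = 68638

# Files the bad definitions quarantined (file version 5.1.2600.2976 after KB924270).
AFFECTED_FILES = {"netapi32.dll", "lsasrv.dll"}

# Accepts "20070517.v18", "20070517.018", "20070517.v16(68601)" and "20070517.v70 (68637)".
_VER_RE = re.compile(r"^(\d{8})\.(?:v|0*)(\d+)(?:\s*\((\d+)\))?$", re.IGNORECASE)


def parse_definition(ver: str):
    """Return (date, revision, sequence) for a definition version string;
    sequence is None when the string carries no Rapid Release build number."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised definition version: {ver!r}")
    seq = int(m.group(3)) if m.group(3) else None
    return m.group(1), int(m.group(2)), seq


def definitions_affected(ver: str) -> bool:
    """True when the definition set lies inside the misdetecting range."""
    date, rev, seq = parse_definition(ver)
    if seq is not None:  # the build number is the most precise key when present
        return FIRST_BAD_SEQ <= seq < FIRST_GOOD_SEQ
    return date == BAD_DATE and FIRST_BAD_REV <= rev < FIRST_GOOD_REV


@dataclass
class Host:
    """Constructed inventory record (assumed field layout, not a SAV export)."""
    name: str
    os_lang: str              # Windows UI language, e.g. "zh-CN" or "en-US"
    service_pack: int
    kb924270: bool            # KB924270 applied (ships netapi32/lsasrv 5.1.2600.2976)
    defs: str                 # definition version reported by the SAV client
    quarantined: tuple = ()   # file names currently in the SAV quarantine
    can_boot: bool = True     # False once the machine blue-screens after reboot


def triage(host: Host) -> str:
    """Classify a host: not-exposed, clean, update-now or recovery-console."""
    exposed = (host.os_lang.lower() == "zh-cn"
               and host.service_pack == 2
               and host.kb924270)
    if not exposed:
        return "not-exposed"
    if not host.can_boot:
        # DLLs are gone from system32 and dllcache; only the recovery-console
        # expand steps from the notice bring the machine back.
        return "recovery-console"
    hit = AFFECTED_FILES & {f.lower() for f in host.quarantined}
    if hit or definitions_affected(host.defs):
        # Still running: updating to 20070517.v71 or later makes SAV rescan the
        # quarantine and restore the DLLs; do this before any reboot.
        return "update-now"
    return "clean"


def triage_inventory(hosts) -> dict:
    """Map host name to triage status for a whole inventory."""
    return {h.name: triage(h) for h in hosts}


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("ws-01", "zh-CN", 2, True, "20070517.v18"),
    Host("ws-02", "zh-CN", 2, True, "20070517.v73"),
    Host("ws-03", "en-US", 2, True, "20070517.v18"),
    Host("ws-04", "zh-CN", 2, False, "20070517.v18"),
    Host("ws-05", "zh-CN", 2, True, "20070517.v18",
         quarantined=("netapi32.dll", "lsasrv.dll"), can_boot=False),
    Host("ws-06", "zh-CN", 2, True, "20070517.v73", quarantined=("NETAPI32.DLL",)),
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE_HOSTS).items():
        print(f"{name}: {status}")
```

The build number is preferred over the date/revision pair whenever it is present, because the notice gives the exact bad range in build numbers, while the LiveUpdate channel only exposes the revision; a host on an older date is outside the range regardless of its revision.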
If the system was originally English and had Chinese support added through the language and regional settings, there is no problem. The ones with problems are those that were originally the Simplified Chinese version.
Got hit on Thursday; no choice but to do a repair install with the installation disc. Fortunately the drivers and software were all still there; it just takes time to reinstall the patches.
http://tech.sina.com.cn/it/2007-05-18/17381515653.shtml
The last disaster, the lost partition table, happened on my computer. That was a complete and utter disaster: never mind the 100-plus GB of games and movies, the 10-plus GB of personal photos were a priceless personal treasure, and worst of all, if all my professional materials, assignments and document archives could not be recovered, it would have had a real impact on my life.
It took a whole week of effort to recover the partition table before things settled down.
Since then I promptly bought a floppy drive and floppies to back up the partition table. From now on, anyone who says floppy drives are going away will get an earful from me; this thing is the truly reliable one. I heard floppies won't be sold any more, so I quickly bought a box to keep.
I figured it was most likely that Norton had deleted those two files, so I took a bootable USB drive to someone else's machine, copied the two files onto it, then booted from the USB drive and copied them back into the original directory, and that was it.
Still, the reinstall did some good: it cleaned the system out and the computer runs much faster. I used to download software all the time and fragmented the hard disk badly, which hurt performance a lot. It's much better now.