Scanned file count suddenly reduced

In NIS2009 when my system did a full scan it had been (for years) scanning about 1.4 million files.  All of a sudden the number dropped to about 500,000 files.

 

At the same time I went to use my machine in the morning (it had been on overnight) and NIS2009 had stopped working.  I restarted the machine and all seemed to be (and still seems to be) o.k.  I am just puzzled about the number of files scanned being reduced.

 

It is an XP Home desktop computer.

 

Thanks.

 

You can check to see if the missing files are accounted for by selecting “Scan Results” in the dropdown menu in “Security History.”  Highlight the scan in question and click the “More Details” button.  Click the small “+” sign next to the “Total Items Scanned” heading and see if the missing files appear as “Trusted” or “Skipped.”  Also check that the status of the scan shows as completed.  It’s possible that the scan was interrupted by whatever it was that caused Norton to stop overnight.

Message Edited by SendOfJive on 06-14-2009 03:56 PM


Mark,

 

In looking at the insight settings I see that it says that only 28% of the files are listed as "scan needed".  That would mean that there are about 1.7 million files on the computer, which is about right.

 

I was aware of insight, but when last I checked it a month, or so, ago, it showed only about 10% of the files as "trusted".  (I upgraded to NIS 2009 from NIS 2008 on May 15, 2009, i.e., at the end of my NIS 2008 subscription period.)  Does insight continue to build its trusted list?  If so, why would the number change so dramatically, quite literally overnight?

 

I had used the computer yesterday and it was fine, i.e., NIS 2009 was fine (I am in the habit of looking for the little icon with the green check periodically.  I really miss the big icon of NIS 2008).  I have it set to do a full scan overnight, every night, and yesterday morning it showed about 1.4 million files scanned.  I used the computer several times yesterday and left it on overnight.  This morning I first noticed that the full scan screen was not showing.  When I clicked on the NIS icon it disappeared.  When I tried to start NIS 2009 I got an error message 8504,4.  I rebooted the machine and it seemed to be fine.  I started the full scan and noticed that it finished more quickly than normal and that is when I found that it listed only 500,000 files scanned.

 

Thomas

SendOfJive,

 

The scan results for yesterday morning 6/13/09, show 1,441,574 files and directories scanned, 1,531 trusted files and 439 skipped files.

 

The scan results for today, the one that I ran manually, show 498,017 files and directories scanned, 1,531 trusted files and 424,595 skipped files.

 

Both show completed.  There is no indication that there was even an attempt to start a full scan last night.  It is scheduled for 11:00 pm.

 

How does NIS 2009 decide to skip files?  The total of the scanned and skipped is far short of the files and directories scanned on the previous day, but perhaps it is because directories are counted in one and not the other.

 

Thomas

Files will be skipped if there have been no changes to them, and no updates to the Norton Virus definitions, since the previous scan.  The file counts for scans mystify almost everybody anyway and never seem to be the same twice.  Try updating your definitions and run another scan and see if it comes closer to your normal file count results.  Also, run One-Click Support from the Help and Support link to see if it spots a problem that might have led to Norton shutting down.  Hopefully this is just one of those glitches that happen on Windows systems occasionally.  I am sure the file count is just a symptom of whatever caused the program to quit so I would simply keep an eye on what Norton does in the next few days to catch any problem that may have developed.  There is a Symantec support page for the error code you saw that would suggest the root cause may lie with Windows’ Terminal Services.

nC8504:

 

Actually, now that you advise us of the 8504 error and a bit more information, it is possible that terminal services are involved or malware.

 

Please download and install Malwarebytes.  http://www.malwarebytes.org

 

If you have trouble downloading or installing, that will also tell us something, and we can give you further instructions from there.

 

By the way, my name is Delphinium.

 

 

Mark Twain is the author of my signature remark.

Hello nC8504:

 

When you have a moment, I would like to suggest reading this fine White Paper concerning Norton Insight.

 

You can find it at this link.

 

Barring any technical problems, this should help you understand what is transpiring with your computer.

 

SN :smileyhappy: 

Message Edited by Smart_Neuron on 06-14-2009 09:59 PM

SendOfJive,

 

I updated the definitions and ran a scan manually and it had the same reduced file count, about 500,000.

 

The One-Click ran and found no problems.

 

I went to the Symantec support page that you suggested and followed all the procedures for starting Terminal Services and making it start automatically.  That all went well, including the stopping and restarting NIS2009.

 

Overnight (Sunday - Monday, 6/14 - 6/15) the automatic full scan ran and it failed at some point during the night.  The screen was blocked by the failure notice and when I stopped it NIS2009 stopped running on the machine.  I rebooted the machine and started another.  I just spoke with my wife and she said that the scan completed successfully and with the file count of 1.4+ million files scanned.  Not sure what changed, but it seems to be working as it had been.  I will watch it over the next few days.

 

Thanks for your help.

 

Thomas

Delphinium,

 

Sorry about the Mark reference.  I do know who Mark Twain was! :smileysurprised:

 

I ran the Malwarebytes that you suggested in a quick scan and it found 4 items that I think are innocuous.  Two were related to NIS2009, one was related to a registry entry for Windows current version and the last was some "Weather Channel" item that I cannot identify, but I have used "Weather Channel" software before.  Do I suspect correctly that Malwarebytes finds anything that has a signature of hidden code or virus like capability, even if it is harmless?

 

As I noted in a reply above the scan ran to completion this morning (after failing overnight) and showed 1.4 million files scanned.  I will run Malwarebytes in the full mode to completion and see if it finds anything.  Does Malwarebytes find things that NIS2009 does not?

 

Thanks for your help.

 

Thomas

 

 

Smart Neuron,

 

Thanks for the reference.  I will read it.  As of the moment the computer seems to be working normally.  Perhaps just one of those very occasional quirks in the system.  It has been a good computer for 5 years with very few problems.

 

Thomas

 

nC8504

 

Yes, MalwareBytes will look at the files a little differently than Norton will.  One is coming from the Virus side; the other is coming from the Spyware side.  Since no program is perfect, it is good to have a double look at your files.

 

Can you please post the log file contents of what MBAM did find?  The items about Norton / Symantec should not have been there, I believe.

dbrisendine,

 

This is what the quick scan found yesterday:

 

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.

 

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

 

In running a full scan today (I stopped it when I got home as it had been running for 6 hours) was this, which I removed:

 

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> No action taken.

 

I will run a quick scan again.  I take it I should remove those items above, i.e., from yesterday's scan?

 

Thomas
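For readers triaging a log like the one posted above, this added example (not part of the original thread and not Malwarebytes' own tooling) parses the quoted quick-scan lines, lists detections still marked "No action taken", and picks out the Security Center notification values. The line grammar is an assumption inferred from the four lines quoted in the post, and `parse_mbam` and `triage` are hypothetical helper names.

```python
import re

# Quick-scan lines copied from the post above (MBAM log excerpt).
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
"""

# Assumed grammar: "<section> Infected:" headers, then
# "<path> (<detection>) -> [Bad: (x) Good: (y) -> ]<action>."
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
ENTRY = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)

def parse_mbam(text):
    """Parse section headers and entries into a list of dicts."""
    section, items = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            section = header["section"]
            continue
        entry = ENTRY.match(line)
        if entry:
            items.append({"section": section, **entry.groupdict()})
    return items

def triage(items):
    """Return (entries not yet remediated, suppressed Security Center alerts)."""
    pending = [i for i in items if i["action"].lower() == "no action taken"]
    # A *DisableNotify value of 1 stops Security Center warning about that component.
    suppressed = [
        i["path"].rsplit("\\", 1)[-1]
        for i in items
        if "\\Security Center\\" in i["path"] and i["path"].endswith("DisableNotify")
        and i["bad"] is not None and i["bad"] != i["good"]
    ]
    return pending, suppressed

if __name__ == "__main__":
    pending, suppressed = triage(parse_mbam(SAMPLE_LOG))
    print(f"{len(pending)} detections not yet remediated")
    print("Security Center alerts suppressed for:", ", ".join(suppressed))
```
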

 

Yes, run the quick scan again and have MBAM fix / delete the items found.  I’m concerned about the Trojan entry, but as there are no files found, that may be just left over from an already cleaned item.

dbrisendine,

 

I cleaned those items.

 

Is there any way to know if the Trojan did anything or how long it had been on my machine?  On the security center issues I manually edited the registry and changed the values from 1 to 0.  Should I just remove those security center data items?

 

I suppose if information was taken from my computer I would have no way of knowing.

 

Why doesn't NIS 2009 find these things and at least notify me if not quarantine the entries?

 

Thomas

Just to confirm, nC8504, have you done the full Malwarebytes scan, with System Restore disabled, and disconnected from the internet? You could also run it again in safe mode to see if there was anything that was unable to hide itself, as it sometimes can in normal mode.

 

Sometimes infections can hide in the system restore files, and then people think they have become reinfected. 

 

Unfortunately malware always comes before the definitions to protect against it.  Sonar helps with this but has its limits as well because too many false positives are not a good thing either.  With two programs, Norton should act as a blocker of malware, while MBAM uses different definitions and is more of a hunter of malware.  You are well protected with both.

 

I think it might be wise to post a full Malwarebytes log for us to check.

Hope I am not interrupting the flow here. I would like to collect some information here.

 

Open Norton 2009.

 

In the Computer Pane, click Settings.

 

Under Computer Scans, turn off Rootkits and Stealth items scan.

 

Click Apply and then OK.

 

Now run a full system scan and check how many files it scans.

 

Turn on Rootkits and Stealth items scan.

 

Then boot into safe mode. Double click the Norton product icon, when you receive the alert, click Yes. This will initiate the scan.

 

Let me know the result.

 

Also follow Delph's suggestions, I am sure he/she will take you to the solution.

 

Vineeth--

delphinium,

 

I will do that beginning this evening.  I am estimating that it will take about 20 hours to run so I should know tomorrow about this time.

 

Once done I assume that I can turn System Restore back on.  If something is found and removed in the scan, System Restore will have no knowledge of it and will not be able to "undo" it, so to speak.  Is that correct?

 

Also, running in safe mode sounds as though it will be a more complete scan, and doing that will preclude the requirement to run it in normal mode.  Correct?

 

I will post the results.  Geez, I thought I was fairly well protected.

 

Vineeth,

 

Thanks for contributing.

 

I will do that tomorrow after I run the scan discussed in the most immediate past posts.

 

delphinium,

 

This is tangentially related - My ISP (TDS Telecom) recently changed from supporting their own e-mail to contracting it to Google.  That means that the incoming and outgoing e-mails are on non-standard (at least insofar as NIS 2009 is concerned) ports.  Thus, NIS 2009 is blind to e-mail traffic on this machine.  I think that NIS looks at activity in the e-mail client (Thunderbird), e.g., opening attachments and such.

 

I suspect that this makes my machine more vulnerable than it had been.  Anything I can do about this?  Is Symantec considering a change to support the other ports?  My university e-mail was also changed to Google, and I have recently heard that this is becoming commonplace.

 

Thanks.