Upgraded to NIS 2009 and now boot failure

I just upgraded my Norton Internet Security to 2009 two days ago and paid for another year's subscription ... I ran a scan; NAV found one or two new little trojans and seemingly successfully removed them.  Great, I think ... Now I'm safe and clean.

 

Switch computer off yesterday ... switch it on today ... and it won't boot - not in normal mode, not in safe mode, NOT AT ALL.  Great.  Please help.  NB I do NOT want to have to reinstall Windows ... Luckily I can boot off a different drive installed in the same machine, so I can, in theory, replace corrupted files, so if there are any patches to your buggy software, please let me have them!

 

CPU: Intel Core 2 Duo E8500, 3.16GHz

Memory: 4GB

Operating system: Windows XP Pro, Service Pack 3

 

I don't know if this is relevant or not, but I did a search to see which files had been modified between when the machine was started up and when it reset itself before failing to boot.  There were 3, the last two of which are components of NIS, which is why I'm blaming Symantec for the boot failure:

 

WINDOWS\bootstat.dat - 2KB
WINDOWS\system32\msln.exe - 46KB
WINDOWS\system32\drivers\NIS\1005000.087\Cat.DB - 562KB

 

[edit: Changed subject for clarity.]

Message Edited by shannons on 08-07-2009 08:59 AM

Hi, thanks for responding.  I tried booting in safe mode and it got as far as loading giveio.sys before resetting ... I tried renaming this file (as far as I have found out, it's not a regular part of Windows XP but some third party driver) but then it failed on the previous one (Mup.sys) instead ... So basically, it's loading a few drivers.

 

NB Since Mup.sys (or giveio.sys if you have speedfan) is the last driver to load (and it obviously loads successfully otherwise it would not display the driver name) the problem must occur in what happens next in the boot sequence … afaik Windows reads the registry next.  Any ideas?

OK, well I guess I'm on my own for this one ... I did a few normal fix procedures in the dreaded (and, imho, useless) recovery console, including chkdsk /r, fixmbr and fixboot ... to no avail ... then I did a manual restore of the system registry from the windows\repair folder ... Not even that drastic measure would make the machine boot.  I am now going to have to reinstall Windows because of this STUPIDITY.

 

I don't know why the subject of this thread was changed - it was VERY much to the point.  I just wasted sixty bucks on a useless product that broke my windows installation, which was working just fine previously.  I did NOTHING different to what I usually do on the machine in the interim (between installing the product, running a scan and shutting down).  The fact remains that after installing NIS 2009 and restarting the machine, it went from working to not working.  Thanks a lot Symantec.

 

I mean how far along does it get in Normal mode??

 

Oh and there are Malware that replaces like the logonui.exe and userinit.exe.

 

Also we are all not in the same part of the world.

 

Quads 

OK, on normal startup, it was getting as far as the Windows XP splash screen.  The progress bar moved 2 or 3 notches, froze for 2 seconds, then the machine reset itself.

 

As well as replacing those 2 files you mentioned, I also did a more thorough check to see which other binaries in the WINDOWS folder had been modified in the last 5 days.  I backed them up (by renaming them .bak) and replaced them from the Windows installation CD.  Some of these were Symantec drivers, which I did not replace but simply renamed.  They were:

 

WINDOWS\system32\msln.exe 46KB - renamed

WINDOWS\system32\s32evnt1.dll - renamed

WINDOWS\system32\wpa.dbl 14KB - renamed/replaced

WINDOWS\system32\wpa.dbl 14KB 04/08/2009 16:20 - replaced

WINDOWS\system32\drivers\symevent.inf - renamed

WINDOWS\system32\drivers\symim.sys - renamed

WINDOWS\system32\drivers\NIS\ (folder) - renamed 

 

The most worrying one, however, was this:

 

WINDOWS\system32\drivers\ntfs.sys

 

I noticed that it was the wrong file size (619296 bytes) in comparison to what it was supposed to be (574976).

 

The above file replacements fixed the system boot failure, but now I am stuck with the problem of having to reactivate my copy of Windows XP, which allows you to do so online, yet doesn't let you establish a network connection (unless that's Norton's firewall getting in the way?) ... so will have to do this by phone.

 

To summarize, it looks like my ntfs.sys was corrupted by some virus that Symantec doesn't yet know about or else failed to fix ... And if a virus didn't do this, I would have thought that checking for correct file sizes (at least for the really important OS drivers like ntfs.sys) was one of the first things a good virus scanner would do!

 

Will now submit the file to Symantec security response ...
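A scripted version of the triage jmcg describes above (list the files under the WINDOWS tree modified inside a time window, then compare each one by size and hash against a known-good copy such as the installation media). This is an added example and not code from the thread or from Symantec; the directory tree, file names and contents it builds are constructed stand-ins, and only the two ntfs.sys sizes (574976 and 619296 bytes) are taken from the posts.

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

DAY = 86400


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def recently_modified(root: Path, since: float) -> list:
    """Files under root whose modification time is at or after `since` (epoch seconds)."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.stat().st_mtime >= since:
                hits.append(p)
    return sorted(hits)


def compare_to_reference(live: Path, reference: Path, rel_paths) -> dict:
    """Classify each file against the known-good copy. Size is checked first because it is
    free and was the tell-tale in the thread; the hash catches same-size tampering."""
    verdicts = {}
    for rel in rel_paths:
        l, r = live / rel, reference / rel
        if not r.exists():
            verdicts[rel] = "missing-in-reference"
        elif l.stat().st_size != r.stat().st_size:
            verdicts[rel] = "size-mismatch"
        elif sha256_of(l) != sha256_of(r):
            verdicts[rel] = "hash-mismatch"
        else:
            verdicts[rel] = "ok"
    return verdicts


def build_fixture() -> Path:
    """Constructed fixture (not a real system): a fake WINDOWS tree plus a fake
    reference copy standing in for the files on the installation CD."""
    base = Path(tempfile.mkdtemp(prefix="triage-"))
    live, ref = base / "WINDOWS", base / "reference"
    for d in (live / "system32" / "drivers", ref / "system32" / "drivers"):
        d.mkdir(parents=True)
    # Sizes are the ones reported in the thread; the contents are filler.
    (ref / "system32" / "drivers" / "ntfs.sys").write_bytes(b"MZ" + b"\x00" * (574976 - 2))
    (live / "system32" / "drivers" / "ntfs.sys").write_bytes(b"MZ" + b"\x00" * (619296 - 2))
    (ref / "system32" / "kernel32.dll").write_bytes(b"MZ" + b"\x01" * 100)
    (live / "system32" / "kernel32.dll").write_bytes(b"MZ" + b"\x01" * 100)
    (live / "system32" / "msln.exe").write_bytes(b"MZ" + b"\x02" * 50)  # absent from reference media
    old = time.time() - 30 * DAY  # an untouched file, older than the search window
    os.utime(live / "system32" / "kernel32.dll", (old, old))
    return base


def triage(live: Path, reference: Path, window_days: int = 5) -> dict:
    """Only files touched inside the window are compared; everything else is assumed stable."""
    changed = recently_modified(live, time.time() - window_days * DAY)
    rel = [p.relative_to(live).as_posix() for p in changed]
    return compare_to_reference(live, reference, rel)


def run_demo() -> dict:
    base = build_fixture()
    try:
        return triage(base / "WINDOWS", base / "reference")
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for rel, verdict in run_demo().items():
        print(f"{verdict:22} {rel}")
```

On the fixture the untouched kernel32.dll falls outside the window and is never compared, the oversized ntfs.sys is flagged on size alone, and msln.exe is reported as having no counterpart on the reference media, which is the state a file needs a separate look in rather than a blind replace.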

 

WINDOWS\system32\wpa.dbl 14KB - renamed/replaced

WINDOWS\system32\wpa.dbl 14KB 04/08/2009 16:20 - replaced

 

= "Windows Product Activation"   You can rename the new 2kb wpa.dbl by double extension and place back the 14kb ones as long as it is the same system usually.

 

wpa.dbl  2kb = pre activation

 

wpa.dbl 14kb = after activation

 

As mentioned above, the WPA.DBL file can be backed up to permit activation if you reload Windows XP. You can also experiment with different hardware configurations, as we did in preparation for this article. You would back up WPA.DBL for each configuration change, so you can roll back whenever desired, similar to what developers may do frequently, as mentioned above. If you save a copy of the WPA.DBL file at each change of hardware, you can roll back.

 

Quads 

 

 

 

 

Message Edited by Quads on 08-09-2009 02:55 AM

wpa.dbl is of course the Windows XP data file which records the installation's activation status ... So, restoring this from the backup fixed the problem of having to reactivate.

 

I am now going to try reinstalling NIS 2009 ... Let's see if the same stuff happens ...

 

[Edit: Thanks, Quads - must have been replying at the same time!]

 

Message Edited by jmcg on 08-08-2009 05:02 PM

Interesting: http://www.prevx.com/filenames/2855018090984559304-X1/82964142.SYS.html

 

Note the reported file size.

 

This looks like the same infection, in which case it may very well be a new virus which Symantec possibly does not yet know about.

 

jmcg,

 

Is 12200621 the tracking number of the file you submitted? If so, it is now detected as Hacktool.Rootkit. If not, please post the tracking number here so we can make sure it gets looked at.

 

Good to hear you got your machine working again.

 

JohnM

Hi, my tracking number was 12218607 (haven't had any response yet).  I see now AVG Free (which I run on my other bootable drive) is able to detect this malware - it found another copy of it in one of the restore points in System Volume Information.  However, just prior to writing this sentence, I updated my NIS virus definitions and scanned the corrupted ntfs.sys directly - NIS still does not detect the infection!

 

Please let me know if there's anything else I need to do to squish this nasty bug?  I hope it's not lurking elsewhere on the system.

 

I had a similar problem.  One day Windows would not boot.  The Windows XP loading screen would come up and then the system would reboot.  I was able to load into Safe Mode.  I could not figure out what was wrong.  I had Windows loaded on another drive (from an old install).  I switched the drives around and Windows loaded fine.  I figured something was wrong with my Hard Drive.  So I started updating the old install.  As soon as I finished installing NIS 2009, the system crashed.  It would no longer boot at all, not even into Safe Mode.  I switched the hard drives back, loaded back into Safe Mode and uninstalled NIS.  Everything is working fine now, but no NIS. 

 

Considering I had this problem on 2 different installs of Windows (both XP Pro) I figured I would see more online about other people having this issue, but I found very little.  Have others been reporting this?  What is Symantec doing about it?

Could be the same thing ... I submitted the file to virustotal and it still seems very few know about it so far:

 

http://www.virustotal.com/analisis/f0ab650e60b2623249831c89fab9696f25be75cda5817a29788261f25b18cb0d-1249836182

Hmm, I know it's the weekend, but I'm amazed that nobody is particularly jumping to attention at what appears to be a new EXTREMELY stealthy infection.  Again, I find myself wondering why I am paying this expensive subscription to Symantec when AVG Free seems to be just as good.

 

Hi

 

I can see a problem if the new malicious ntfs.sys is all bad and not just the legit one with injected code.

 

Then you would have the not booting problem once removed by AV software cos that is where the legit copy should be also  but would be gone.

 

So the Malicious modified version was in folder "WINDOWS\system32\drivers\" But the legit version should be in "WINDOWS\system32\drivers\" both files using the same name. OH bugger

Norton detects it,  has to restart the PC..................... Now that PC doesn't boot, this will be due to the fact there is no file legit or otherwise in the drivers folder either.  So windows can't load. 

 

Quads 

  

Hello Quads,

 

I get what you're saying, however if you remove ntfs.sys (try renaming it and rebooting if you want to see for yourself) the system displays an error message: Missing or corrupt c:\windows\system32\drivers\ntfs.sys ... My machine was not displaying any such message when trying to load the damaged ntfs.sys.

 

I still have a copy of the corrupted file, which is 619,296 bytes ... I can scan it directly with NIS and it does not detect any infection.  Out of interest, I had a look at the raw binary data in a hex editor.  Interestingly, most of the file is padded with zeros.  Only the first 1133 bytes contain actual data, which is still quite sparse.  The first two bytes are the MZ signature.  The last 57 bytes of this block contain the following string:

 

e:\msln\trunk\src\dev\test\objfre_w2k_x86\i386\driver.pdb

 

So, we can deduce that:

a) The file is definitely intended to be executable.

b) The malware which caused ntfs.sys to be replaced/corrupted probably does not reside in this file.

c) The string looks suspiciously like the sort of path a developer would use to create a driver for MSLN, using WinDDK.

 

MSLN (correct me if I'm wrong) is a component of Symantec's MS Light.

 

So how did this end up inside the main NT file system driver?  What is going on?!

 

Well, for starters, read this: http://en.wikipedia.org/wiki/Rootkit ... and look at the section on Removal, particularly noting the last paragraph about how Symantec's Veritas (VxMS, aka MS Light) attempts to get rid of some rootkits ...

 

This looks great ... But, boys, what if there's an unforeseen bug in your software?  What if something screws up in the middle of one of these types of removals?  Well, something precisely like this!  So, as I said right from the start - please patch your buggy software before you make us buy it!

 

I am now fairly certain that this file was not damaged by a virus, but by the software which attempted to remove a rootkit and failed ... ie NIS.  Can somebody at Symantec please confirm or deny this ... ?
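The hex-editor observations in the post above (MZ signature, real content ending around offset 1133 with a build-machine PDB path as its last 57 bytes, zero padding out to 619,296 bytes) can be turned into a repeatable static check that flags a driver image worth quarantining before it is trusted or deleted. This is an added example and not code from the thread or from any vendor: the sample image it builds is a constructed stand-in that only copies the reported shape, the PDB string and the two sizes are the figures quoted in the thread, and the thresholds are the author's own choices.

```python
import hashlib
import re
import struct

# Constructed stand-in for the corrupted driver described in the thread; it is NOT
# the real file. It copies only the reported shape: MZ signature, about 1133 bytes
# of content ending in a PDB path, then zero padding out to 619,296 bytes.
PDB_PATH = rb"e:\msln\trunk\src\dev\test\objfre_w2k_x86\i386\driver.pdb"
SAMPLE_SIZE = 619296         # size of the suspect file, as reported in the thread
EXPECTED_NTFS_SIZE = 574976  # size of the legitimate driver, as reported in the thread
DATA_END = 1133              # bytes of real content before the zero padding


def build_sample() -> bytes:
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)  # e_lfanew at offset 0x3c
    pe_header = dos_header.ljust(0x80, b"\x00") + b"PE\x00\x00"
    body = pe_header.ljust(DATA_END - len(PDB_PATH), b"\xcc") + PDB_PATH
    return body.ljust(SAMPLE_SIZE, b"\x00")


def inspect_pe(data: bytes) -> dict:
    """Cheap static triage of a PE image: signatures, embedded PDB paths, padding."""
    has_mz = data[:2] == b"MZ"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else -1
    has_pe = 0 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    # Build-machine paths such as "e:\...\driver.pdb" routinely survive in release binaries
    # and say where a binary was built, which is exactly what the poster used to reason about it.
    pdb_paths = [m.decode("latin-1") for m in re.findall(rb"[A-Za-z]:\\[ -~]*?\.pdb", data)]
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "has_mz": has_mz,
        "has_pe_header": has_pe,
        "pdb_paths": pdb_paths,
        "data_end": len(data.rstrip(b"\x00")),       # offset where trailing zero padding begins
        "zero_fraction": data.count(0) / max(len(data), 1),
    }


def assess(data: bytes, expected_size: int) -> list:
    """Findings a defender would act on; an empty list means nothing stood out."""
    info = inspect_pe(data)
    findings = []
    if not (info["has_mz"] and info["has_pe_header"]):
        findings.append("not a well-formed PE image")
    if info["size"] != expected_size:
        findings.append(f"size {info['size']} differs from known-good {expected_size}")
    if info["zero_fraction"] > 0.9:  # threshold is an assumption: real drivers are not mostly zeros
        findings.append(f"{info['zero_fraction']:.1%} zero bytes; content ends at offset {info['data_end']}")
    if info["pdb_paths"]:
        findings.append("embedded PDB path(s): " + ", ".join(info["pdb_paths"]))
    return findings


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for finding in assess(blob, EXPECTED_NTFS_SIZE):
        print("-", finding)
```

Run with a file path to inspect a real image, or with no arguments to run against the constructed sample, which trips three of the four checks (size, padding, PDB path) while still looking like a valid PE, matching the poster's observation that the file was executable in form but mostly empty.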

 

I know what the error message would be I don't need to try it out,    

 

I was stating about if the file was a Rootkit and Norton deleted it leaving no ntfs.sys file. Bingo.

 

You wouldn't have had that "message" as you still had a file "ntfs.sys" in the correct location.   I can create a file ntfs.sys and place in the correct location, and still not have the error message although it does contain different instructions, so causes problems.

 

hahahaha  I don't need to read "Well, for starters, read this: http://en.wikipedia.org/wiki/Rootkit" and removing rootkits .. 

 

 

Quads 

Message Edited by Quads on 08-10-2009 03:51 PM
Message Edited by Quads on 08-10-2009 03:52 PM

Heh, yup, you're the guru after all ...

 

So we're agreed, it's a pretty disastrous fault in the rootkit removal process!  I hope Symantec sorts this out soon and provides a software update ... In the meantime I strongly advise everybody reading this NOT to let Norton attempt to remove rootkits from your system.