Help! Norton Anti Virus questions



Pete Lamberty
06-23-2003, 1:22 PM
Hi, I have the Norton Anti Virus service. In the last few months I have been getting A LOT of viruses. I have no idea where they all could be coming from. I don't visit any weird sites. I have a Yahoo email address and I think Yahoo screens all emails for viruses. NAV takes care of the viruses I get by deleting them. I know I get them because a red and white window appears in the middle of my computer screen and tells me the virus name, where it is located, and the action taken by NAV. Is it possible to keep the window from coming up in the middle of my screen? This window is very annoying to me because I work on line and I get a lot of these Virus Alert windows coming up. When one comes up I have to click on the OK button to get rid of it. The problem is that today alone I must have had over 1000 (that's right, one thousand) virus alert windows come up on my screen. So I have to click the OK button 1000 times. This is not fun. So can I, in some way, keep this window from appearing? Thanks for any help. This is driving me crazy. Today is the worst so far. OH, I am not a computer person. I only use it because I need it for work. Thanks for any help or ideas that you have. Pete

Dave Arbuckle
06-23-2003, 2:03 PM
There are a lot of different versions of NAV, each slightly different. On my computer here I'm running Corporate Edition. On it, the option is "Display message on infected computer", which has a checkbox.

If you're running the standalone version, I'm pretty sure there is a similar option. Search help for a message similar to the one I posted, or for "real-time protection options". Something like that ought to get you there.

I can't imagine why you are being hammered so hard. Our entire network doesn't get maybe 10 a day.

Dave

Dan McLaughlin
06-23-2003, 2:44 PM
Pete - how many e-mails do you get a day? I get a lot of e-mail (average 500/day) and I have rarely gotten a virus. What version of Norton are you running and what is the date of the Virus definition file that you are using? If you are using Live Update, it should be around 6/18/03. When was the last Full System scan that Norton ran? The easiest way to find out this information is to click the Norton icon in your tray (next to the date and time). The Virus definition info and last System scan will be right there. The version info should be available after you click the Help on the Norton screen and then About Norton AntiVirus.

Pete Lamberty
06-23-2003, 3:53 PM
Hi Dave, Dan, Thanks for your quick replies. Right after I wrote the original post, I went to NAV and scanned my computer. I had 1019 infected files. 1018 were automatically deleted. So I have a virus that they said is called Hacktool. It is in C:\system32\ntservice.exe. I have no idea what that is. Can I delete it or is it an important file? I don't know how to delete it. As far as I could see, NAV does not have a removal tool for the Hacktool virus. Dave, I have the 2003 version of NAV. I could not find anywhere in the options anything like Display message on infected computer. NAV said I should do a safe start and then a complete scan. When the file with the virus is found, I should delete it. I did do a safe start but I cannot get onto the internet when in the safe start mode. So I couldn't do a scan. Dan, I get about a dozen emails a day. Dan, even though I have the automatic live update, I go to NAV every day and update the virus definitions. Dan, the last update is 6/18/03. So now I have two problems. How to get rid of the virus and how to keep the virus alert windows from coming up. I read a little on the NAV site. Could someone be trying to get into my computer and use it for sending viruses or whatever? I am on the computer over seven hours a day. Should I get a firewall? Sorry guys for such a long post. I just have a lot of thoughts on this and know nothing. Thanks, Pete





Pete Lamberty
06-23-2003, 4:27 PM
Hi, Since my original post, and the posts by Dave and Dan, I have gone back to the NAV site. I tried something different. I went to scan for viruses. Then scan files. Then I worked my way through a window that started with C: and then opened WINNT, then opened system 32, then opened ntservice.exe. It scanned and then NAV said there was one virus in it. Can I just delete this file at this point? Or is it important? Thanks. Pete



















Jim Becker
06-23-2003, 5:20 PM
You don't say which OS version you are running, but for WinNT, Win2K and WinXP, deleting that particular file may render your machine unusable--it's a key OS function. You have a very serious problem in that you picked up something that, from the name, indicates it's a trojan horse that will allow someone else to use your computer for "their own purposes". You may need to get help from someone who is skilled in your particular OS and virus issues as you may need to completely rebuild the machine to get rid of this scum-ware. There is a chance that something like PestPatrol or similar might help, but if your virus protection is not removing it...

BTW, if you are not already doing so, you need to start running a firewall application like ZoneAlarm on your computer to help protect from these kinds of things. This is in addition to virus protection. With a proper firewall, you may still get "infected" but you'll know about it right away and the software will keep your PC from communicating information out that you do not allow it to do.

Pete Lamberty
06-23-2003, 5:22 PM
Hi Jim, The operating system on my computer is windows 2000. Pete





Dan McLaughlin
06-23-2003, 5:48 PM
Pete - Jim is correct. Deleting that file and any other files that may be infected very well could render your PC dead. Hacktool is a generic term for several Trojan programs that can do a number of things:

1. Take complete control of your PC (Hacktool.Rootkit)
2. Keep a log of keystrokes on the system (Hacktool.KeyLoggPro)
3. Decrypt Windows passwords (Hacktool.PassUnleash)
4. Hacktool.DoS is a hacktool that performs a Denial of Service (DoS) attack against a third-party server. Even though this tool does not cause any damage to the computer on which it is deployed, it is considered a threat by network administrators. (Hacktool.DoS)

This is probably more than you ever wanted to know about Hacktool. I would not recommend dealing with this yourself, especially since you have said "I am not a computer person". I would also echo Jim's recommendation about Zone Alarm (either the free version or the Pro Version). We used it here along with Norton AV until we upgraded to a hardware firewall rather than just a softwall one.

Find a good PC Tech and let him deal with the problem. You may need a re-install of Windows2000 after the Hacktool trojan is removed.

Pete Lamberty
06-23-2003, 6:35 PM
Thanks guys for all the info. I guess I will have to find someone more knowledgeable than myself. Where do I look for a PC tech like Dan suggested? I will have to ask some friends that are computer people, hopefully they will know also. Also, am I spreading this virus to others in emails or how about here on Saw Mill Creek? Should I stop being on line until I get this fixed? Thanks again. Pete





Ken Garlock
06-23-2003, 11:33 PM
Hi Pete. I also run W2k, the Pro version, with all recommended maintenance installed. There is NO such program as ntservice.exe on my system drive. Use file explorer to find it, right click on it and select properties, you will get a small window. Click on the version tab at the top, this will give you pertinent info about the module. If it doesn't say Microsoft or some other software house whose product you have installed, it is probably bogus. An easy test is to rename it to ntservice.exo, and see what happens. The worst thing is that you need to boot up into "safe mode" and name it back again.

If you are not installing the current maintenance from M/S, you need to start doing that. There are almost monthly security fixes issued by the Redmond crew.

I don't run any Norton products, but that is another story :mad: I have been quite happy with the McAfee virus filter.

Aaron Koehl
06-24-2003, 1:02 AM
Don't worry-- SawmillCreek is safe from your 'puter, but personal emails to members are a plausible method of transmission.

_Aaron_

Pete Lamberty
06-24-2003, 11:45 AM
Hi Ken, Thanks for the good info. I, too, have Windows 2000 Professional. Sorry for the mistake. I tried to follow your directions but I didn't know where everything was. For example, I don't know where to look for my system drive. But I did this. Try to follow my poor description. I got into My Computer on the desktop. I explored and worked my way thru a list on the side of the window. I went Gateway C, then FIXIT, then OEMINFO, then WINNT, then system32. After I expanded all of these, I right-clicked on the WINNT icon in the right side of the window and opened it. Then I found the system32 icon, right-clicked and hit explore. It gave me a whole bunch (computer talk here) of icons. So I went thru it all and found ntservice. I right-clicked on this icon and selected properties. The tab at the top said "General". Under the word General in a little window were the letters ntservice. Then it listed the following:
Type of file: application
Description: ntservice
Location: C:\WINNT\system32
Size: 9.50 KB (9,728 bytes)
Size on disk: 16.0 KB (16,384 bytes)
Created: Tuesday, June 17, 2003, 10:57:20 AM
Modified: Saturday, September 07, 2002, 1:54:14 AM
Accessed: Today, June 24, 2003
Attributes: open box Read only, open box Hidden, open box Archive

Is this what you wanted me to find? Nowhere do I see anything that says it is a Microsoft product or another one that I have. I have very few programs on this computer. I tried to open the ntservice file but a little window came up that said..."access to the specified device, path, or file is denied". I can right click on the icon and then select rename and the name does get boxed in and highlighted. So I can rename it. I did not try to rename it yet, because I don't know if I am at the right place that you told me to go. Should I try to rename it here? That's about all I found with your instructions. I didn't follow the path you said so I don't know if this is right. Please let me know.
Also you said that I should be installing the current maintenance from Microsoft. I have never done this and I really don't know what you are talking about. I went to the Microsoft website but couldn't find anything called current maintenance. I don't know who the Redmond crew is or how to find them. How do I get to them? Sorry for such a long post but I thought I need to explain what I have been doing here.
Thanks for the help. I hope you could follow what I did here. Pete Lamberty
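The version-tab check Ken describes and the properties Pete lists (no vendor, creation date of June 17, 2003 in system32) can be run across the whole directory at once; the following is an added present-day PowerShell example, not part of the original thread. The `$RecentDays` window and the rule for what gets listed are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): list executables in System32 that fail
# the "does it name a vendor?" check, with the timestamps needed to judge
# when the file arrived on this disk.
# Assumptions: the 30-day "recent" window and the flagging rule are arbitrary.
param(
    [string]$Directory  = (Join-Path $env:windir 'System32'),
    [int]   $RecentDays = 30
)

$cutoff = (Get-Date).AddDays(-$RecentDays)

Get-ChildItem -LiteralPath $Directory -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $vi   = $file.VersionInfo   # same data as the Explorer "Version" tab
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName -ErrorAction SilentlyContinue

        $reasons = @()
        if ([string]::IsNullOrWhiteSpace($vi.CompanyName)) {
            $reasons += 'no vendor in version info'
        }
        if ($null -eq $sig -or $sig.Status -ne 'Valid') {
            $reasons += "signature: $($sig.Status)"
        }

        # Only report files that fail at least one identity check.
        if ($reasons.Count -gt 0) {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            [pscustomobject]@{
                Name     = $file.Name
                Bytes    = $file.Length
                # Creation time is when the file landed on this volume;
                # last-write time travels with the file when it is copied.
                Created  = $file.CreationTime
                Modified = $file.LastWriteTime
                Recent   = ($file.CreationTime -gt $cutoff)
                Hidden   = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
                Reasons  = $reasons -join '; '
                SHA256   = $hash
            }
        }
    } |
    Sort-Object Created -Descending |
    Format-Table Name, Bytes, Created, Modified, Recent, Hidden, Reasons -AutoSize -Wrap
```

A small file with no vendor string and a creation date far newer than its neighbours, as in Pete's listing, is the pattern to look at first; a missing vendor alone is not proof of malware.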




Pete Lamberty
06-24-2003, 12:53 PM
Hi Ken, I went ahead and tried to rename it. It wouldn't let me. So I don't know what to do next. Any advice is appreciated. Pete



Dave Arbuckle
06-24-2003, 3:25 PM
Pete, it sounds to me like you've landed a worm dubbed "muma". It appears to be a whole bunch of files.

Norton Antivirus has a page for this virus, here: http://securityresponse.symantec.com/avcenter/venc/data/bat.mumu.a.worm.html

The beginning is a technical breakdown that you probably aren't interested in. If you click on the button marked "removal instructions", it will take you to where you can download the specific tool that will (hopefully) remove it.

If you have anything on the computer that is irreplaceable, before is a much better time to back it up, than after. Just in case.

Dave

Ken Garlock
06-24-2003, 3:53 PM
Pete, sorry I confused you with "system drive". In 99.99% of the cases it will be the C drive. M/S started all the alphabetic drive stuff back with DOS. Other OSs use a more basic form of IDing the drive involving the physical path from the cpu out to the device. The user only knows about "files" and doesn't even know where they are stored.

It looks like you did the best you can, and I think Dave A. has the right next step.

Good Luck :)

Pete Lamberty
06-24-2003, 4:34 PM
:p Yippie!!!! It's gone. Thanks Dave, Dan, Jim, Ken, and Saw Mill Creek. Thanks for all the ideas. The last thing I did was to start the computer in safe mode. I then went to the file and deleted it. It asked me if I wanted it in the recycle bin. I said yes. Then I shut down the computer and restarted it. Went to NAV and did a complete scan of the computer. It said there was one virus and it was in the recycle bin. So I went and emptied the recycle bin. Then I did another scan at NAV. This time no virus found. Yippie!!! So now I just hope I didn't delete something that may be important later. I am a rather anxious person. Am I a computer person now?? This computer stuff is easy when you have smart friends. ;) So should I get a firewall now??? Thanks guys, I really appreciate the help. Pete Lamberty






Ken Garlock
06-24-2003, 6:52 PM
Congrats on solving the problem. It just goes to show that if you have enough guesses to pick from, you can get the correct answer :D

Pete Lamberty
06-25-2003, 9:40 AM
Hi Ken, Could you explain to me the maintenance topic that you brought up. What web site do I go to to get the current maintenance? Who is the Redmond crew you wrote about? You said that I should be doing this every month. I have never done this. Please educate me. Thanks, Pete



Ken Garlock
06-25-2003, 11:19 AM
The "maintenance" I was talking about is the "Windows update" button/option on your start list. Click start in the bottom left, and it should be at the top of the list which goes up the left side of your screen. One of the things that it will do for you is to install a program on your system which will check with M/S about once a day for what they call "critical updates". If it finds one, it will put a little "blinky" on the bottom right of your tool bar to tell you that you need to install an update.

Since not all updates are critical, I click on the "windows update" once or twice a week to keep up with other updates which have been released. I don't install everything that is recommended, for example, there is a 23 MB install of the "net framework" which I don't need/want, so I just ignore it.

I don't recall ever having a bad update by using this update method.