
Thread: updating problems & system lock-ups

  1. #1
    wightknight Guest

    updating problems & system lock-ups

    Like so many people recently, I found one PC on our network (with latest updates of XP Pro & ZAV) seriously sick: failing to update and locking up all over the place.
    The solution turned out to be deleting ZAV and reinstalling.
    By "deleting" I mean ruthlessly expunging every trace of ZA in files and the registry.
    Less brutal solutions repeatedly recommended elsewhere in this forum did not work.
    An unexpected bonus was that ZA hides its licence key so well that I did not need to type it in again!
    Maybe I can save other people losing several working days by passing on a few lessons learned:
    1. The root cause of the problem is still a mystery.
    For a while I suspected that ZA had reached the point (as happens eventually to most smallish IT firms) of losing the battle against bigger badder guys, and it had simply shipped some dodgy versions.
    Then I worried about various "expert" programs (e.g. UltraVNC, Virtual PC, remote camera viewer) loaded, or changes to our network.
    Finally, however, I cannot improve on pointing out that ZAV will not update while Microsoft is updating, and maybe recent big MS updates put ZA off its stride.
    Also ZA may not have correctly recognised all computers on our network as being in the trusted zone.
    2. ZA's firewall blocked and logged multiple attempts to send packets out to a bizarre address that implied some process was trying to communicate without my permission.
    (ZA staff need to work on the on-screen display and documentation of "Destination DNS".)
    Much time-consuming scanning revealed no malware.
    Free products that I like include Sophos's rootkit detector, plus of course AdAware and Spybot.
    Trend's Housecall gave a false positive on some contents of my HOSTS file!
    The key tool was ZTREE, a wonderful program that lets you list all the files on a drive by time of creation, so I could examine all files created around the time of ZA's firewall logs of the outgoing packets.
    The answer turned out to be that a remote Internet address had been added to my Network Neighbourhood.
    Heaven knows what key I had accidentally pressed to do that.
    3. Mercifully I was spared the ultimate clean-up process if my PC had been cleverly rootkitted: to take out its hard drive and slave it on another PC, malware-scan it there, and then overwrite files in its Windows and System32 directories.
    Only if that failed would reformatting and reloading Windows have been needed.



    Operating System: Windows XP Pro
    Software Version: 7.0
    Product Name: ZoneAlarm Antivirus
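
The timeline check from point 2 of post #1 (listing files by creation time around the firewall's blocked-packet log entries), as an added example that is not part of the original thread or of any tool named in it. The event timestamps and file listing are constructed sample data, and the function names are hypothetical; it assumes the firewall log times have already been read off as date/time values.

```python
import os
from datetime import datetime, timedelta

def created_at(path):
    """Creation time where the OS records one (st_birthtime, or st_ctime on Windows).
    On Linux st_ctime is the last metadata change, the closest value available."""
    st = os.stat(path, follow_symlinks=False)
    return datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime))

def scan(root):
    """Yield (path, creation time) for every file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                yield path, created_at(path)
            except OSError:
                continue  # locked or deleted while scanning

def files_near_events(files, events, window=timedelta(minutes=5)):
    """Return (nearest event, path, created) for each file created within
    +/- window of a firewall event, ordered by creation time."""
    hits = []
    for path, created in files:
        nearest = min(events, key=lambda ev: abs(created - ev), default=None)
        if nearest is not None and abs(created - nearest) <= window:
            hits.append((nearest, path, created))
    return sorted(hits, key=lambda h: h[2])

# Constructed sample: times of blocked outbound packets taken from a firewall log.
SAMPLE_EVENTS = [datetime(2007, 10, 2, 14, 31, 7), datetime(2007, 10, 2, 14, 33, 40)]

# Constructed sample file listing (path, creation time); paths are illustrative.
SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\drivers\etc\hosts", datetime(2007, 9, 1, 9, 0, 0)),
    (r"C:\Documents and Settings\user\NetHood\example\target.lnk",
     datetime(2007, 10, 2, 14, 30, 55)),
    (r"C:\WINDOWS\Temp\setup.log", datetime(2007, 10, 2, 14, 36, 0)),
    (r"C:\Documents and Settings\user\My Documents\notes.txt",
     datetime(2007, 10, 2, 15, 10, 0)),
]

if __name__ == "__main__":
    # Replace SAMPLE_FILES with scan("C:\\") to check a live drive.
    for event, path, created in files_near_events(SAMPLE_FILES, SAMPLE_EVENTS):
        print(f"{created}  {path}  (blocked packet logged {event})")
```

A narrow window keeps the list short enough to review by hand; widen it if the firewall and file system clocks may disagree.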

  2. #2
    alan_w Guest

    Re: updating problems & system lock-ups

    I'm having similar strange problems. A week ago I came in in the morning to find my machine locked up and failing to reboot XP Pro SP2 - dying while loading drivers. Would only reboot in safe mode. After trying everything, including full in-depth scans for viruses and malware, finding nothing, I managed to uninstall VASS and, lo and behold, all was well again. I reinstalled VASS and it ran OK for a week, but today it says it has an unreadable ZA file, UnLSX.ppl, and to run chkdsk. My disks are only a few months old and mirrored under VIA RAID 1, which shows no faults in its log. Seems highly unlikely to be a hardware problem. While researching the last incident I found that Kaspersky AV causes problems with chkdsk because of the unorthodox way the current version handles the NTFS disk streams, using a hidden MS object to store a checksum. Apparently this method will be dropped next year in favour of using an orthodox database for this purpose. I am now suspicious that it is also causing some kind of disk corruption. I have had more trouble since I changed from CA Security to VASS in August than for many years and it has cost me a lot of time. The only possible competing security product being run is periodic scans by XoftSpySE.

  3. #3
    alan_w Guest

    chkdsk shows messed up objectid & index files

    The chkdsk log entry (Winlogon in System Eventlog) shows the following. Again I had to uninstall ZASS after this recovery - this time because Truevector system service continually crashed.

    Event Type: Information
    Event Source: Winlogon
    Event Category: None
    Event ID: 1001
    Date: 4/11/2007
    Time: 10:43:28 a.m.
    User: N/A
    Computer: xxxxxx
    Description:
    Checking file system on C:
    The type of the file system is NTFS.
    Volume label is IDE0-1.

    One of your disks needs to be checked for consistency. You
    may cancel the disk check, but it is strongly recommended
    that you continue.
    Windows will now check the disk.
    The object id in index entry in file 0x19 is incorrect.
    The entry points to file 0x67bb.
    54 5e 10 90 f2 85 dc 11 8f 25 00 03 47 bf bb 16 T^.......%..G...
    bb 67 00 00 00 00 8c 07 ca 51 02 38 45 cf c1 46 .g.......Q.8E..F
    ----------------------------------------------------------------------
    54 5e 10 90 f2 85 dc 11 8f 25 00 03 43 bf bb 16 T^.......%..C...
    56 52 00 00 bc e5 06 00 cf 98 05 01 a4 e2 06 00 VR..............
    Deleting an index entry from index $O of file 25.
    The object id in file 0x67bb does not appear in the object
    id index in file 0x19.
    Inserting an index entry into index $O of file 25.
    Unable to locate the file name attribute of index entry spuninst.exe
    of index $I30 with parent 0x67b3 in file 0x67ba.
    Deleting index entry spuninst.exe in index $I30 of file 26547.
    Cleaning up minor inconsistencies on the drive.
    CHKDSK is recovering lost files.
    Recovering orphaned file stuninst.exe (26554) into directory file 26547.
    Cleaning up 12 unused index entries from index $SII of file 0x9.
    Cleaning up 12 unused index entries from index $SDH of file 0x9.
    Cleaning up 12 unused security descriptors.
    Inserting data attribute into file 26553.
    CHKDSK is verifying file data (stage 4 of 5)...
    File data verification completed.
    CHKDSK is verifying free space (stage 5 of 5)...
    Free space verification is complete.
    CHKDSK discovered free space marked as allocated in the
    master file table (MFT) bitmap.
    CHKDSK discovered free space marked as allocated in the volume bitmap.
    Windows has made corrections to the file system.

    20482840 KB total disk space.
    8892176 KB in 56049 files.
    34968 KB in 4467 indexes.
    0 KB in bad sectors.
    109480 KB in use by the system.
    43024 KB occupied by the log file.
    11446216 KB available on disk.

    4096 bytes in each allocation unit.
    5120710 total allocation units on disk.
    2861554 allocation units available on disk.

    Windows has finished checking your disk.

    The previous crash didn't show the object id faults but again index files were screwed up:

    Event Type: Information
    Event Source: Winlogon
    Event Category: None
    Event ID: 1001
    Date: 28/10/2007
    Time: 10:01:12 p.m.
    User: N/A
    Computer: xxxxxx
    Description:
    Checking file system on C:
    The type of the file system is NTFS.
    Volume label is IDE0-1.

    A disk check has been scheduled.
    Windows will now check the disk.
    The file reference 0x64bd0000000006a0 of index entry wsus3setup.cab of index $I30
    with parent 0x4463 is not the same as 0x64c20000000006a0.
    Deleting index entry wsus3setup.cab in index $I30 of file 17507.
    The file reference 0x64bd0000000006a0 of index entry WSUS3S~1.CAB of index $I30
    with parent 0x4463 is not the same as 0x64c20000000006a0.
    Deleting index entry WSUS3S~1.CAB in index $I30 of file 17507.
    Cleaning up minor inconsistencies on the drive.
    CHKDSK is recovering lost files.
    Recovering orphaned file WSUS3S~1.CAB (1696) into directory file 17507.
    Recovering orphaned file wsus3setup.cab (1696) into directory file 17507.
    Cleaning up 63 unused index entries from index $SII of file 0x9.
    Cleaning up 63 unused index entries from index $SDH of file 0x9.
    Cleaning up 63 unused security descriptors.
    CHKDSK is verifying file data (stage 4 of 5)...
    File data verification completed.
    CHKDSK is verifying free space (stage 5 of 5)...
    Free space verification is complete.
    Windows has made corrections to the file system.

    20482840 KB total disk space.
    8893392 KB in 56601 files.
    34912 KB in 4460 indexes.
    0 KB in bad sectors.
    109472 KB in use by the system.
    43024 KB occupied by the log file.
    11445064 KB available on disk.

    4096 bytes in each allocation unit.
    5120710 total allocation units on disk.
    2861266 allocation units available on disk.

    Windows has finished checking your disk.

    I think I am going to switch to a different AV. I can't afford the downtime Kaspersky seems to be causing me.
