主题：诺顿误杀导致中文winxp崩溃，你中招了吗？ -- 小赵

以下方法为支持部门测试的方法，如有问题请及时反馈

=======================================

Backdoor.haxdoor解决方案

Version: 1.6

问题描述：

在windows Xp sp2简体中文版打上补丁KB924270以后，SAV更新到5月17日的病毒定义以后(LiveUpdate的后病毒定义的版本是20070517.v18，rapidrelease的病毒定义版本是20070517.v16(68601)至20070517.v70(68637))会把

C:\windows\system32\netapi32.dll和 C:\windows\system32\lsasrv.dll

认为是backdoor.haxdoor, 并且把他们隔离掉。

会造成重起机器后无法进入系统，安全模式也无法进入，蓝屏。

解决方案：

1，服务器端：

服务器立即liveupdate, 更新到最新的病毒定义库（20070517.v73）.

如果liveupdate有问题，到

ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/symantec_antivirus_corp/rapidrelease/sequence/

进入到68638(22070517.v71)或者以后的文件夹

下载后缀名是xdb的文件，放到服务器的SAV安装文件夹里面（是个共享文件夹，一般的位置是C:\program files\SAV或者C:\program files\SAV\symantec antivirus. 如果服务器内装有winzip等软件，可能会把这个XDB改成zip或者rar, 需要改回到xdb）。

2，正在运行的客户端：

客户端可以从服务器下载到更新后的病毒定义，保证病毒定义在20070517.v71或者以后。

对于无法从服务器自动更新病毒定义的客户端，到

ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/symantec_antivirus_corp/rapidrelease/sequence/

进入到68638或者以后的文件夹，下载****x86.exe文件，在本机运行更新病毒定义。出现过这个问题的电脑，理论上SAV下载更新的病毒定义后，会扫描隔离区，发现误报的dll文件后会自动修复并恢复到原来的位置，这些已经有很多用户确认。但是为保险起见，建议用户在工作量允许得前提下，用windows XP盘里面的i386下面的netapi32.dll和lsasvr.dll文件，替换C:\windows\system32下的这两个文件。

对于已经蓝屏的电脑：

1, 使用windows XP安装盘启动

2, 进入系统恢复控制台。

3, 使用安装盘I386目录下的netapi32.dll和lsasrv.dll文件替换系统system32下和dllcache下的文件

a. cd \windows\system32

b. expand (CD drive letter):\i386\netapi32.dl_

c. expand (CD drive letter):\i386\lsasrv.dl_

d. cd dllcache

e. expand (CD drive letter):\i386\netapi32.dl_

f. expand (CD drive letter):\i386\lsasrv.dl_

4, 重启电脑

5，更新到前面所述的新的病毒定义。

Temporary Solution for Backdoor.haxdoor

Version: 1.6

Situation:

On XP SP2 (Chinese Simplified) image and apply the MS 924270 patch, After the virus definition has been updated to the version of 2007-5-17(The first bad Rapid Release is 20070517.016 (68601) ,the first bad LU definition is 20070517.018)

the following files, C:\windows\system32\netapi32.dll and C:\windows\system32\lsasrv.dll, will be treated as ‘backdoor.haxdoor’ and then be quarantined.

After rebooting the system, it couldn’t log in successfully and the same in the safe mode. It will also display the blue screen.

Solution:

For the server:

Liveupdate immediately, to virus definition version 20070517.v73.

If there is any problem on liveupdate:

1. Go to ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/symantec_antivirus_corp/rapidrelease/sequence/.

2. Enter the 68638 (20070517.v71)or newer folder.

3. Download the files with the suffix of xdb.

4. Put it into the installation folder of SAV, which is C:\program files\SAV or C:\program files\SAV\symantec antivirus generally.

Note: If the compress software such as winzip has been installed in the server, the suffix will be changed from xdb to zip or rar. Please change it back to xdb.

For the clients:

1. Automatically, the clients will update the new version of the virus definition from the server. Confirm that the virus definition version is 20070517.v71 or later.

2. For those clients that couldn’t obtain the new virus definition from the server automatically, please download ****x86.exe in the above address, then run this execute file.

3. For the client which has met this problem, the latest virus definition will rescan the quarantine, if there is false-positived dll files, SAV will repair and restore it.

4. For the pc displaying blue screen:

1) Locate Installation CD, put in drive and restart machine.

2) At startup, choose the option to boot from CD.

3) After the drivers load in Windows setup, choose ‘R’ for recovery console.

4) Choose the affected windows installation, and type in your administrator password

5) Type the following commands in this order (overwrite files if prompted):

a. cd \windows\system32

b. expand (CD drive letter):\i386\netapi32.dl_

c. expand (CD drive letter):\i386\lsasrv.dl_

d. cd dllcache

e. expand (CD drive letter):\i386\netapi32.dl_

f. expand (CD drive letter):\i386\lsasrv.dl_

6) Type ‘exit’ to reboot the machine

7) update to latest virus defs

Instruction by Symantec Security Response:

On May 17,2007, at approximately 10am PST, Symantec released LiveUpdate definitions which erroneously detected 2 systems files included on some simplified Chinese versions of Microsoft Windows XP as Backdoor.Haxdoor

This affected the Simplified Chinese version of Windows XP Service Pack 2, which had the KB924270 patch from Microsoft applied. The files affected are netapi32.dll (version 5.1.2600.2976) and lsasrv.dll (version 5.1.2600.2976). Other language versions of Windows XP, or Windows XP versions which do not have the KB924270 patch applied, are not affected. Windows will fail to load should the machine be rebooted following the mis-detection.

The mis-detection was introduced in Rapid Release build number 68601 (extended version 20070517.016) and corrected in Rapid Release build number 68638 (extended version 20070517.071)

Symantec released LiveUpdate definitions on May 17, at approximately 11.30pm PST to correct this issue. Users who have not rebooted Windows following the mis-detection can apply the updated definitions through LiveUpdate to resolve the issue. Customers impacted by this issue following reboot of an affected system, can return their system(s) to the previous state through use of the Windows recovery console. (See attached file for details).

The mistaken detections were added via an automation process that has been in use for some time to address the rapidly increasing volume of threats. One of the third party components used in the automation process has recently changed and led to the detection of the two system files, which has now been corrected.

Symantec is putting measures in place to avoid similar incidents in future. We sincerely regret any inconvenience this may have caused our customers.

PS:

Step by step instructions to stop blue screens:

1) Locate Installation CD, put in drive and restart machine.

2) At startup, choose the option to boot from CD.

3) After the drivers load in Windows setup, choose ‘R’ for recovery console.

4) Choose the affected windows installation, and type in your administrator password

5) Type the following commands in this order (overwrite files if prompted):

a. cd \windows\system32

b. expand (cd drive letter):\i386\netapi32.dl_

c. expand (cd drive letter):\i386\lsasrv.dl_

d. cd dllcache

e. expand (cd drive letter):\i386\netapi32.dl_

f. expand (cd drive letter):\i386\lsasrv.dl_

6) Type ‘exit’ to reboot the machine

7) Download and update to latest RR defs

8) Re-apply KB924270 patch.