Updated: July 12, 2004 12:00:00 AM
Type: Removal Information
Norton AntiVirus users have reported apparent system hangs after having installed the June 16 or June 19, 2000 virus definitions. As a result, scandisk may create unwanted and invalid directory entries, which may decrease hard disk space. The latest virus definitions will correct the system hang problem.
SARC has also created a tool called ndf32.exe that will automatically remove the invalid directory entries. ndf32.exe is digitally signed. Symantec recommends only using copies of ndf32.exe that have been downloaded directly from this site. A tool is available on bottom of this page to verify the digital signature of ndf32.exe.
Detailed Description of Problem
Some Symantec customers using Norton AntiVirus versions 4.0x, 5.0x, Norton AntiVirus CE 7.0x, or Norton AntiVirus NLM 4.04 have reported apparent system hangs and loss of hard disk space after installing the June 16 or June 19 virus definitions. Those definitions included an enhancement to Norton AntiVirus's ability to scan script-based threats. This included a read of all sectors in the file, until the End OF File (EOF) was reached.
In some cases, the scanning engine was passed a file to scan that does not have an EOF associated with it, named CLOCK$. The file appears as a file of infinite length to Norton AntiVirus, causing a much longer processing time. What appears to be a system hang is actually a system slow down while Auto-Protect is attempting to scan this file.
However, because the user believes the computer is hung, the user may reboot before Norton AntiVirus has completed the file scan, possibly causing incomplete file writes in one of Norton AntiVirus's temporary work files. When the system is rebooted, ScanDisk may run and detect lost clusters in the incomplete temporary work file. Due to the size of the file, ScanDisk believes the lost clusters are part of a directory rather than a file. ScanDisk, therefore, creates various directories in the root directory of drive C:, such as 'DIR00000', "DIR00001", etc.
These directories cannot be removed with the "RD" or "DELTREE" commands. This is due to the fact that the temporary work file contains garbage data, which is interpreted by the system as invalid entries.
The Symantec AntiVirus Research Center has developed a tool that will scan a computer and detect and remove any directories created by ScanDisk. The tool is designed in such a way that it can be automated and run from a login script. This tool will automatically reboot and run in DOS mode, which is necessary in order to delete these invalid directory entries. The tool includes a message and will prompt before rebooting.
Below are a list of actions the tool will perform:
The tool is a 32-bit program called ndf32.exe. It will contain a PIF file and a DOS program file, which will perform the actual repair.
The tool will check if it has been run before and will only run once per machine.
The tool will check to see if the system has the symptoms of the problem outlined above and will only run on systems that potentially have the problem.
The tool will copy a PIF file and a DOS program file and will run the PIF file which will reboot the system into DOS.
The tool will then run the DOS program file to fix the problem in DOS mode and then reboot system back into normal Windows mode.
Verifying the digital signature of chktrust.exe
To verify the digital signature of ndf32.exe using chktrust.exe:
Download chktrust.exe into the same directory where ndf32.exe is located.
Launch the MS-DOS prompt via the Start/Programs/MS DOS prompt menu.
Change to the directory where ndf32.exe and chktrust.exe are stored. If the files were saved to the desktop folder the command to enter in the MS DOS prompt is:
Type the following command to check the digital signature of ndf32.exe:
chktrust -i ndf32.exe
If the digital signature is valid you will see a dialog asking the following question:
Do you want to install and run "NAV Def Fix Tool" signed on 6/23/2000 7:30 PM and distributed by Symantec Corporation?
The date and time that are displayed in this dialog will be adjusted to your timezone if your computer is not set to the U.S. Pacific Time Zone. For example, if you live in the U.S. Eastern Time Zone the date and time you will see will be 6/23/2000 10:30 PM.
If this dialog does not appear or the date and time are not properly adjusted for your timezone do not use your copy of ndf32.exe. It is not from Symantec.
If this dialog appears and the text is correct for your timezone, this copy of ndf32.exe is from Symantec.
Click the "Yes" button to dismiss the chktrust dialog.
and then press the Enter key. This will terminate the MS DOS session.