Help - Search - Members - Calendar
Full Version: block from symantec.com and norton autoprotection
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Ngai_fun
Apr 29 2004, 09:24 PM
block from symantec.com and norton autoprotection
Hi all:

this is my problem,when I start my computer, an error message " Runtime Error!
Program: c:\program Files\Common Files\symantec Shared\ccEvtMgr.exe R6025
and my norton antivirus autoprotection is disable, and I can't access symantec.com or even update the virus defination.. .. :(

I've check the other thread and donwload those spyware program, and here is the log of highjack.. can anyone help?

Logfile of HijackThis v1.97.7
Scan saved at 5:19:55, on 30/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\KF\Desktop\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [System Log Event] csrss32.exe
O4 - HKLM\..\RunServices: [System Log Event] csrss32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...r/noplugin.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7872.0348611111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll
FatsGordon
Apr 29 2004, 09:34 PM
Hi Ngai_fun, and welcome to the forum!

Please read carefully what Symantec says about this error:

QUOTE
Error: "Runtime Error!. . .<filename>. . .R6025 - Pure virtual function call"

Situation:
You see the error message "Runtime Error!...C:\Program Files\Norton Personal Firewall\<filename>...R6025 - Pure virtual function call." Norton Internet Security (NIS) or Norton Personal Firewall (NPF) may be disabled in the Windows system tray. There are a number of files that might be listed in this error, including: SymMoni.exe, ccEvtMgr.exe, ccApp.exe, Nmain.exeWhen associated with SymMoni.exe, this error happens when restarting the computer.

Solution:
This problem appears to be due to a conflict with an old version of the CompuServe file RpaWinet.dll, or sometimes when installing NIS 2004 over top of 2003.

To fix RpaWinet the conflict
Rename RpaWinet.dll to RpaWinet.old and restart the computer. For help, refer to the document: Error: "Runtime Error!...C:\Program Files\Common Files\Symantec Shared\<File name>...R6025 - Pure virtual function call" when running Norton AntiVirus ( http://service1.symantec.com/SUPPORT/nav.n...=&osv=&osv_lvl= ).

To fix a version conflict with 2003 and 2004
This problem can occur as the result of a conflict with the previous version of Norton AntiVirus (NAV). To fix this you must uninstall all versions of NIS with the Add/Remove Programs utility, run Rnav and RnisUPG to remove any previous versions of NAV and NIS, and reinstall NIS 2004 with the NAV install option checked.

Uninstalling NIS or NPF
Read the document How to uninstall Norton Internet Security or Norton Personal Firewall 2004 ( http://service1.symantec.com/SUPPORT/nip.n...=&osv=&osv_lvl= ).

Using Rnav and RnisUPG
For help with downloading and using Rnav see How to uninstall Norton Internet Security or Norton Personal Firewall 2004 ( http://service1.symantec.com/SUPPORT/nip.n...=&osv=&osv_lvl= ).
For help with downloading and using RnisUPG see How to uninstall Norton Internet Security or Personal Firewall using the RnisUPG.exe removal utility ( http://service1.symantec.com/SUPPORT/nip.n...=&osv=&osv_lvl= ).

Reinstalling NIS or NPF
Read the document How to install Norton Internet Security or Norton Personal Firewall 2004 ( http://service1.symantec.com/SUPPORT/nip.n...=&osv=&osv_lvl= ) or if you have a downloaded copy How to install the copy of Norton Internet Security or Norton Personal Firewall purchased and downloaded online ( http://service1.symantec.com/SUPPORT/nip.n...=&osv=&osv_lvl= ).


But meanwhile I'll also check your HT log.

HTH :thumb:
FatsGordon
Apr 29 2004, 09:42 PM
If I'm not wrong you have the W32/Naco virus, so please for a while disregard what I posted and try to perform an online scan with BOTH of these AV:

http://www.pandasoftware.com/activescan/co...n_principal.htm

http://housecall.trendmicro.com/

since Symantec is unavailable for you.

It also can appear as W32/Agobot or Anacon, but whatever name the culprit is this file:

O4 - HKLM\..\Run: [System Log Event] csrss32.exe
O4 - HKLM\..\RunServices: [System Log Event] csrss32.exe

I'll check around to see if someone has had the same problem and how they get rid of it.
Ngai_fun
Apr 30 2004, 11:39 AM
thnaks alot!
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2010 Invision Power Services, Inc.