[Solved] Blue Screen error message and can't log on to Symantec

Discussion in 'Virus & Other Malware Removal' started by lisaw, May 10, 2004.

Thread Status:
Not open for further replies.
  1. lisaw

    lisaw Thread Starter

    Joined:
    May 10, 2004
    Messages:
    10
    I am having a problem with a computer at work. It's a Windows 2000 System that seems to have some viruses. It's been giving me a blue screen and restarting intermittently for the last few days. It won't let me update my virus definitions or even go to the symantec or mcafee websites, although it can go to other sites. I was able to start up in safe mode and update my virus definitions, after which I ran a virus scan (NAV) and had two files that were infected: hosts and Dc31.zip. hosts was quarantined, but Dc31.zip couldn't be quarantined, and I restored it in order to unzip it so that NAV could fix it. After restoring it I can't find it (it used to reside in one of the two NAV recycle bins that are in the NAV folder). Everything seemed to be working better (no more restarting), but I still couldn't update virus definitions, so I uninstalled and reinstalled NAV, and now I can't update definitions, even in safe mode. I found your site by searching for 'can't update symantec virus definitions' and read the answer, but when I ran HiJack This I didn't get the same list of stuff as the previous person. Please help!! Thanks, Lisa
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi lisaw

    Welcome to TSG! :)

    Please do this. Click here to download Hijack This. Click on the Hijackthis.exe.

    Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.

    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

    *Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.
     
  3. lisaw

    lisaw Thread Starter

    Joined:
    May 10, 2004
    Messages:
    10
    Thanks for your amazingly fast reply. Here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:01:16 AM, on 5/10/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\explorer.exe
    C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=12421412817120940
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=12421412817120940
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINNT\gsim.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
    O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
    O4 - HKLM\..\Run: [System Updater Process] wmiprvse.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\RunServices: [System Updater Process] wmiprvse.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Service Manager.lnk = C:\MSDE\Binn\sqlmangr.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/FON19106/flash.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37963.6348958333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    lisa
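    An added triage helper for the O4 lines in a log like the one above; it is not part of this thread and not a HijackThis feature. It parses each registry Run-key entry, pulls out the executable, and groups entries by where that executable lives, so that bare names (which are resolved by search order) and files sitting directly in the Windows folder are reviewed first. The sample lines are constructed from the entries above, and the Windows folder path is assumed to be C:\WINNT as in the log.

```python
import re
from collections import defaultdict

# Constructed excerpt in HijackThis v1.97 O4 format, modelled on the entries in this thread
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O4 - HKLM\..\Run: [System Updater Process] wmiprvse.exe
O4 - HKLM\..\RunServices: [System Updater Process] wmiprvse.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
""".strip()

WINDIR = r"C:\WINNT"  # assumption: Windows 2000 default, as in the log above

# Matches "O4 - <hive>\..\<key>: [<name>] <command>"
REG_O4 = re.compile(r"O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)")

def parse_o4(line):
    """Return (hive\\key, name, command) for a registry O4 line, else None."""
    m = REG_O4.match(line)
    return (m.group(1) + "\\" + m.group(2), m.group(3), m.group(4)) if m else None

def executable_of(command):
    """First token of the command, honouring a quoted path that contains spaces."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]

def classify(exe):
    """Coarse location class; a bare name stays opaque until the file on disk is confirmed."""
    low = exe.lower()
    if "\\" not in low:
        return "bare name"
    folder = low.rsplit("\\", 1)[0]
    if folder == WINDIR.lower():
        return "windows root"
    if "\\program files\\" in low:
        return "program files"
    return "other"

def triage(log_text):
    """Group O4 entries by location class so the unusual classes are reviewed first."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            location, name, command = entry
            groups[classify(executable_of(command))].append((location, name, command))
    return dict(groups)
```

    A bare name is not a verdict (mobsync.exe and internat.exe here are Windows' own); the grouping only orders what to check against the files actually present in System32.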
     
  4. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Hi, welcome from me as well.

    Unrelated question to the hijack log, but, how much ram do you have installed in the computer?
     
  5. lisaw

    lisaw Thread Starter

    Joined:
    May 10, 2004
    Messages:
    10
    512kb
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat...421412817120940

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat...421412817120940

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll

    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINNT\gsim.dll

    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

    O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe

    O4 - HKLM\..\Run: [System Updater Process] wmiprvse.exe

    O4 - HKLM\..\RunServices: [System Updater Process] wmiprvse.exe


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer then click Tools > Folder Options. In Folder options click on the View tab. Under Files and Folders tick "Show hidden files and folders" then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder" then "Apply" and "OK"

    Now find and delete:

    The C:\WINNT\system32\wmiprvse.exe file
    The C:\WINNT\Belt.exe file


    Also in safe mode navigate to the C:\WINNT\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


    Empty the Recycle Bin


    Now navigate to the C:\WINNT\System32\drivers\etc folder. Locate the HOSTS file. Open the HOSTS file in notepad by clicking on it to open it. It will ask you what program you want to use to open it. Tick "Select the program from a list" and click OK. In the menu of programs that opens find and select notepad and click OK. The HOSTS file will open in notepad. Look for a list like this:

    127.0.0.1 www.symantec.com
    127.0.0.1 securityresponse.symantec.com
    127.0.0.1 symantec.com
    127.0.0.1 www.sophos.com
    127.0.0.1 sophos.com
    127.0.0.1 sophos.com
    127.0.0.1 www.mcafee.com
    127.0.0.1 mcafee.com
    127.0.0.1 liveupdate.symantecliveupdate.com
    127.0.0.1 www.viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 f-secure.com
    127.0.0.1 www.f-secure.com
    127.0.0.1 kaspersky.com
    127.0.0.1 www.avp.com
    127.0.0.1 www.kaspersky.com
    127.0.0.1 avp.com
    127.0.0.1 www.networkassociates.com
    127.0.0.1 networkassociates.com
    127.0.0.1 www.ca.com
    127.0.0.1 ca.com
    127.0.0.1 mast.mcafee.com
    127.0.0.1 my-etrust.com
    127.0.0.1 www.my-etrust.com
    127.0.0.1 download.mcafee.com
    127.0.0.1 dispatch.mcafee.com
    127.0.0.1 secure.nai.com
    127.0.0.1 nai.com
    127.0.0.1 www.nai.com
    127.0.0.1 update.symantec.com
    127.0.0.1 updates.symantec.com
    127.0.0.1 us.mcafee.com
    127.0.0.1 liveupdate.symantec.com
    127.0.0.1 customer.symantec.com
    127.0.0.1 rads.mcafee.com
    127.0.0.1 trendmicro.com
    127.0.0.1 www.trendmicro.com


    Delete all those lines leaving only this one:

    127.0.0.1 localhost

    Now close the file and answer Yes to confirm the changes.


    Go here and do an online virus scan:

    http://housecall.trendmicro.com/

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.


    IMPORTANT!: I highly recommend that you go to Windows update and install all "Critical Updates and Service Packs" ASAP! This will patch numerous security holes in IE and Windows. This worm got on your machine by taking advantage of one of those vulnerabilities.
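    The HOSTS-file check described above, as an added example that is not part of the original thread: it parses a HOSTS file, flags every security-vendor domain (the vendor list is taken from the entries above) that is mapped to a loopback address, and returns the file with only those lines removed, so the localhost line and any comments survive. The sample file content is constructed.

```python
import ipaddress

# Constructed sample of a HOSTS file as the worm in this thread leaves it (not the real file)
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mcafee.com
127.0.0.1 www.trendmicro.com   # comments after a mapping are ignored
"""

# Vendor domains from the list in the thread; any subdomain of these counts as a hit
VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com", "trendmicro.com",
)

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, skipping comments and blanks."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield n, fields[0], name.lower()

def is_vendor_domain(name):
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)

def find_blackholed(text):
    """Return [(line_no, hostname)] for vendor domains mapped to a loopback address."""
    hits = []
    for n, ip, name in parse_hosts(text):
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            continue  # malformed address field; not a mapping we can judge
        if loopback and is_vendor_domain(name):
            hits.append((n, name))
    return hits

def clean_hosts(text):
    """Drop only the blackholing lines; the localhost mapping and comments stay."""
    bad = {n for n, _ in find_blackholed(text)}
    lines = text.splitlines()
    return "\n".join(l for n, l in enumerate(lines, 1) if n not in bad) + "\n"
```

    On Windows 2000 the file is the C:\WINNT\System32\drivers\etc\HOSTS named above and is read before DNS, which is why the vendor sites were unreachable while other sites worked.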
     
  7. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Ok, it's probably more like 512 MB hopefully ;) When you are done with the hijack fixing that will be recommended, I'll make some suggestions to trim down the 04 startup items. Even with 512 ram, I like to keep my startups down to the necessary items.
     
  8. lisaw

    lisaw Thread Starter

    Joined:
    May 10, 2004
    Messages:
    10
    Hi AcaCandy,
    Yes, of course, 512MB. I would be very interested in ways to clean up the system. I had to scan the computer for viruses, and I'll be working on it again tomorrow. I will start posting messages then. Thanks for your help.

    lisa
     
  9. lisaw

    lisaw Thread Starter

    Joined:
    May 10, 2004
    Messages:
    10
    Flrman1,
    I followed all directions and scanned for viruses. Housecall found 23 copies of worm gaobot.tv (which I can not find any information on at symantec, will check the housecall site.) Also found one virus called mimail. Had to leave for the day but will be back tomorrow. Thanks for your help.

    lisa
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Did you have it delete the infected files? If there were files that could not be deleted, did you make note of the files and their locations so you could delete them?
     
  11. lisaw

    lisaw Thread Starter

    Joined:
    May 10, 2004
    Messages:
    10
    I'm going to finish tomorrow. I told it to autoclean, but I had to leave and will try to delete the files tomorrow. I will check where they are and delete them if it can't. It looked like they were all in some sort of recycle bin when I glanced at it. I found the worm_agobot.tv virus at housecall. It sounded like that is the one I've got. I'll know more tomorrow. Thanks for all your help so far.

    lisa
     
  12. lisaw

    lisaw Thread Starter

    Joined:
    May 10, 2004
    Messages:
    10
    I was able to delete everything. I can now connect to symantec and I updated my virus definitions and got all the windows critical updates. I ran NAV on the computer and it found two w32.hllw.gaebot.gen worms which it quarantined and I am now running the fix tool to see if it can fix them. Everything is much much better. Thank you, thank you, thank you.

    lisa
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're Welcome! :)

    Post back and let us know how the rest goes so we can mark this thread solved.
     
  14. lisaw

    lisaw Thread Starter

    Joined:
    May 10, 2004
    Messages:
    10
    I could not fix the worms with the tool, so I deleted the files that were infected. (They were two .exe files that had weird names.) Everything is working again so thank you for solving my computer's problems for me. Thank you!

    lisa
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Glad we could help! (y)

    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

    I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     

Short URL to this thread: https://techguy.org/228077