antivirus shuts down automatically

Name: wbscarb
Date: October 3, 2003 at 14:29:42 Pacific
OS: win 98
CPU/Ram: P-MMX / 128Mb
Comment:

Help!
I believe I've got a computer with a virus of some sort. The original symptom was that I was no longer able to reach the internet through my DSL router. Whenever I bring up the browser, I get the standard message "Connect: Host ... contacted. Waiting for reply...", but nothing ever comes back. The other computers on my network are able to browse just fine.
Then I noticed that my antivirus s/w (Norton, part of Norton Internet Security 2001) had been disabled. When I re-enable it, the program shuts down automatically after 10 to 20 seconds.
I did boot up in safe mode and was able to run NAV, but it found nothing.
I have run Ad-aware. It found several spy programs/cookies, etc... When I cleaned them off, the problem still persists.
I just ran "hijackthis" and the log file is below.
Any help would be greatly appreciated!

Logfile of HijackThis v1.97.2
Scan saved at 3:36:29 PM, on 10/3/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\SSDPSRV.exe
C:\WINDOWS\SYSTEM\PTUDFAPP.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.exe
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.exe
C:\WINDOWS\RUNDLL32.exe
C:\WINDOWS\SYSTEM\MSIEXEC16.exe
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.exe
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.exe
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 98\DMHKEY.exe
C:\TOOLS\WINZIP\WZQKPICK.exe
C:\QUICKENW\QWDLLS.exe
C:\WINDOWS\FSSCRCTL.exe
A:\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.exe
O4 - HKLM\..\Run: [NewsUpd.exe] C:\Program Files\Creative\News\NewsUpd.exe /q
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [GLSetIT32] C:\WINDOWS\SYSTEM\MSIEXEC16.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [wssvxd] wssvxd.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.exe"
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 98\DMHKEY.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\tools\winzip\WZQKPICK.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.exe
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030105/cccabs/CleverContent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe




Response Number 1
Name: smithdk
Date: October 3, 2003 at 15:52:32 Pacific
Reply:

This may be a trojan:

O4 - HKLM\..\Run: [GLSetIT32] C:\WINDOWS\SYSTEM\MSIEXEC16.exe

http://www.sophos.com/virusinfo/analyses/trojoptixp13.html


0

Response Number 2
Name: smithdk
Date: October 3, 2003 at 15:56:58 Pacific
Reply:

This also may be a virus:

O4 - HKLM\..\RunServices: [wssvxd] wssvxd.exe


0

Response Number 3
Name: smithdk
Date: October 3, 2003 at 16:04:04 Pacific
Reply:

O4 - HKLM\..\Run: [NewsUpd.exe] C:\Program Files\Creative\News\NewsUpd.exe /q

This is spyware

http://cexx.org/newsupd.htm


0

Response Number 4
Name: wbscarb
Date: October 4, 2003 at 15:31:29 Pacific
Reply:

Thanks for the info. It sounds like there may be several trojans here. I'll follow the steps listed at these websites to get rid of them and I'll see how that works.
I'll let you know.
Thanks again,
Brad


0

Response Number 5
Name: stevem5000
Date: October 4, 2003 at 20:14:23 Pacific
Reply:

The guys are correct...they are trojans...

But there is other stuff you may need to do...

AFTER you kill these trojans, then do a FULL virus scan in safe mode...

OR, if you can, slave your HD to a good computer with latest virus updates, and run a virus scan from there...


0

Response Number 6
Name: MSP
Date: October 14, 2003 at 11:45:49 Pacific
Reply:


My antivirus and firewall shut down immediately as I run them. What is to be done?

Thanking you

MSP


0

Response Number 7
Name: smithdk
Date: October 14, 2003 at 13:53:41 Pacific
Reply:

Does it do this in safe mode?


0

Response Number 8
Name: Daniel
Date: November 14, 2003 at 22:43:53 Pacific
Reply:

I am having the same results as many of you - Norton shuts down after 10-20 seconds - but I ran in safe and scanned, nothing - I have checked numerous ways for the registry edits, but those files don't appear - I also searched for backdoor.optixpro.14 as Symantec suggests, still no luck - the only thing I have that says I have this trojan is the msiexec16.exe running - and continues to open itself as new programs open - the only option I can think of that's left is to format - however most stuff still works - any suggestions on what to do - or what the problem might be if other than a Trojan?


0

Response Number 9
Name: smithdk
Date: November 15, 2003 at 05:14:36 Pacific
Reply:

Post back your hijackthis log

http://mjc1.com/mirror/hjt/


0

Response Number 10
Name: daniel
Date: November 15, 2003 at 15:37:13 Pacific
Reply:

Logfile of HijackThis v1.97.6
Scan saved at 3:35:45 PM, on 11/15/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.exe
C:\Program Files\CallWave\IAM.exe
C:\WINNT\System32\svchost.exe
c:\winnt\system32\msiexec16.exe
C:\Program Files\Starcraft\Starcraft.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Daniel's\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [supervisor.exe] C:\WINNT\supervisor.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: ScanPanel.lnk = C:\ScanPanel\ScnPanel.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.780787037
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://kotelcam.virtualjerusalem.com/wg_webeye.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{064B1FE2-E496-4868-AF10-D8E69DD58DF1}: NameServer = 12.45.56.2 12.45.54.2

I'm a little curious about the supervisor.exe thing - but I don't know what else


0

Response Number 11
Name: smithdk
Date: November 15, 2003 at 17:07:20 Pacific
Reply:

Have you tried to close out msiexec16.exe and then delete the file? You may have to do that in safe mode.


0

Response Number 12
Name: smithdk
Date: November 15, 2003 at 17:08:44 Pacific
Reply:

Also run the exefix here:

http://home.earthlink.net/~rmbox/Reticulated/4IE_Only/


0

Response Number 13
Name: DAniel
Date: November 15, 2003 at 18:47:25 Pacific
Reply:

Well, I've thought about deleting the file - but isn't it a Windows system process? 'Cause I've heard the backdoor.optixpro.14 file infests itself in the system's files - and rewrites some of the registry entries - I can delete it though - should I do that?


0

Response Number 14
Name: smithdk
Date: November 15, 2003 at 18:54:05 Pacific
Reply:

Doing a search for that file on a search engine brings up virus links. If you are concerned about deleting the file, then just rename it.


0

Response Number 15
Name: daniel
Date: November 15, 2003 at 18:57:33 Pacific
Reply:

OK - in case it's a system process - ya, that's what caused me to think it was a virus initially - a Google search came up trojan - alright - so I'll delete the file - and the exefix - do I need to get all those files in a folder and run it?


0

Response Number 16
Name: smithdk
Date: November 15, 2003 at 19:31:22 Pacific
Reply:

That virus probably associated itself with your executables, which is why it keeps showing back up.

Try the exefix.com file and hopefully it will fix your association.


0

Response Number 17
Name: daniel
Date: November 15, 2003 at 19:33:39 Pacific
Reply:

OK, I think I figured it out - I deleted the file - ran those files from that - even though the file seems to continue to come back - msiexec isn't in the system processes anymore - and Norton doesn't close anymore - thank you so much for the help - it's much appreciated

Daniel


0
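The cross-check the replies above do by eye, written out as an added example (not part of the original thread and not HijackThis's own code): it parses a log's "Running processes" list and its O4 registry autorun lines, then reports which of the filenames flagged in the replies are running and which Run/RunServices key launches them. The function names are hypothetical, the watchlist holds only the three filenames named in the replies, and the two logs are trimmed excerpts of the ones posted above.

```python
import ntpath
import re

# Filenames the replies in this thread flagged as suspect.
WATCHLIST = {"msiexec16.exe", "wssvxd.exe", "newsupd.exe"}
# Matches e.g.  O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

# Trimmed excerpts of the two logs posted in the thread.
LOG_1 = r"""
Running processes:
C:\WINDOWS\SYSTEM\MSIEXEC16.exe

O4 - HKLM\..\Run: [NewsUpd.exe] C:\Program Files\Creative\News\NewsUpd.exe /q
O4 - HKLM\..\Run: [GLSetIT32] C:\WINDOWS\SYSTEM\MSIEXEC16.exe
O4 - HKLM\..\RunServices: [wssvxd] wssvxd.exe
"""
LOG_2 = r"""
Running processes:
c:\winnt\system32\msiexec16.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [supervisor.exe] C:\WINNT\supervisor.exe
"""

def parse_log(text):
    """Return (running process names, registry autorun entries), lower-cased."""
    running, autoruns, in_procs = set(), [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            running.add(ntpath.basename(line).lower())
        elif (m := O4_RE.match(line)):
            hive, key, _name, cmd = m.groups()
            # Command may be quoted, unquoted with spaces, or a bare filename.
            exe = re.match(r'"?(.*?\.exe)', cmd, re.I)
            if exe:
                autoruns.append((f"{hive}\\{key}", ntpath.basename(exe.group(1)).lower()))
    return running, autoruns

def triage(text, watchlist=WATCHLIST):
    """List (exe, is_running, autorun_keys) for each watchlisted name seen."""
    running, autoruns = parse_log(text)
    hits = [(x, x in running, [k for k, e in autoruns if e == x]) for x in sorted(watchlist)]
    return [h for h in hits if h[1] or h[2]]
```

On the first log this ties msiexec16.exe to an HKLM Run entry; on the second it reports the process as running with no registry autorun behind it, so removing Run entries alone would not stop it from starting.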
