nav, task manager wont start, virus

Name: danielgrigson
Date: November 24, 2003 at 14:24:22 Pacific
OS: xp pro
CPU/Ram: athlon xp 2500 1 gig ddr
Comment:

HELP PLEASE!!

I cannot get online to download spybot.

I think I have a worm/virus. Norton AntiVirus won't start, Task Manager won't start, cannot connect to the net. For a while, my computer wouldn't boot, just continually restarted.

I have run HijackThis!

here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 3:39:34 PM, on 11/24/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\SPOOLSRV.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\KAZAA\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.juno.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Danny Boy's Browser
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Spooler] SPOOLSRV.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.exe
O4 - HKCU\..\RunOnce: [Windows Spooler] SPOOLSRV.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37830.8122222222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Please Help me fix whatever crap is going on!

Thank you sooo much.
Daniel



Response Number 1
Name: Kevin The Tech Dude
Date: November 24, 2003 at 14:38:27 Pacific
Reply:

This is the only thing I see that draws my attention but is not a huge problem.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

Anyone else see something I might be missing???

KTTD



0

Response Number 2
Name: blender
Date: November 24, 2003 at 18:58:44 Pacific
Reply:

I do see something suspicious...

in processes

C:\WINDOWS\System32\SPOOLSRV.exe

and...

O4 - HKLM\..\Run: [Windows Spooler] SPOOLSRV.exe

O4 - HKCU\..\RunOnce: [Windows Spooler] SPOOLSRV.exe

the spooler process should be:

C:\WINDOWS\system32\spoolsv.exe
as you have listed above...
As far as what virus is causing it...not sure yet...looking at one of the randex variants but reg entry not quite the same...maybe what I see will help someone else to better the diagnosis...until then I will keep looking...
For now try running scan in safe mode since you can't run task manager to end process on SPOOLSRV.exe


0

Response Number 3
Name: Kevin The Tech Dude
Date: November 24, 2003 at 19:03:02 Pacific
Reply:

I must be getting old. I missed two of them tonight :(

KTTD



0

Response Number 4
Name: blender
Date: November 24, 2003 at 19:08:07 Pacific
Reply:

Just found another link...

http://www.titan.co.nz/clint/page58.html

Trojan is called "magic Horse" by them
It steals cached passwords and sends them by email to hacker.

Have hijack only running and check the following entries to fix.

O4 - HKLM\..\Run: [Windows Spooler] SPOOLSRV.exe

O4 - HKCU\..\RunOnce: [Windows Spooler] SPOOLSRV.exe

Reboot the pc and delete the spoolsrv.exe file
located in c:\windows\system32\spoolsrv.exe <-this file

Be careful.....don't delete spoolsv.exe
Note the spelling


0

Response Number 5
Name: blender
Date: November 24, 2003 at 19:23:56 Pacific
Reply:

KTTD

Guess that's why more than 1 or 2 people can read logs...helps to have more than one set of eyes looking at them.

Danielgrigson

Once you get rid of that and hopefully all is well and working properly again...few things I would do.
I would certainly look into running a firewall...xp's if nothing else..and visit windows update to grab the critical updates (there are lots)
By turning on xp's firewall you should be able to stay online long enough to get updates to protect you from the many exploits and worms running around that hit just because you are online.
(if you don't know already)
To turn on firewall:
start> settings> network connections> your internet connection> properties> advanced> check "protect my computer and network by limiting or preventing access to this computer from the internet"
Ok your way out.

Good luck


0

Response Number 6
Name: Kevin The Tech Dude
Date: November 24, 2003 at 19:34:49 Pacific
Reply:

Blender,

You are correct and just as others learn. I myself have again gained more knowledge. Computers are a never ending learning experience. Thank you for your time and experience.

KTTD


0

Response Number 7
Name: danielgrigson
Date: November 24, 2003 at 20:13:02 Pacific
Reply:

I did what you said, and Norton just started up! Hopefully, it is fixed. Thank you guys!!!

daniel


0

Response Number 8
Name: danielgrigson
Date: November 24, 2003 at 20:24:40 Pacific
Reply:

Hey Guys

My PC is working pretty well, but now the laptop I was using to fix the PC is having the same issues!!! Arrgh!!!

I ran ad aware and spy bot to no effect. Can I post the HijackThis! log for my laptop here?

thanks,

Daniel


0

Response Number 9
Name: danielgrigson
Date: November 24, 2003 at 20:52:06 Pacific
Reply:

Here, I just posted it to save time.
If you can help, I would be indebted.

Logfile of HijackThis v1.97.7
Scan saved at 11:45:47 PM, on 11/24/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cart322.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\WINDOWS\System32\svdhost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.exe
C:\Documents and Settings\Daniel Grigson\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [Windows update] svdhost.exe
O4 - HKLM\..\Run: [ConfiggLoader] cart322.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.exe
O4 - HKLM\..\RunServices: [Windows update] svdhost.exe
O4 - HKLM\..\RunServices: [ConfiggLoader] cart322.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Reset.lnk = C:\WINDOWS\repair\reset.bat
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37942.8730787037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



0

Response Number 10
Name: Abnormal
Date: November 24, 2003 at 21:42:43 Pacific
Reply:

O4 - HKLM\..\Run: [Windows update] svdhost.exe

This is Orvell software.
http://www.protectcom.com/
Tracking every action down the last keystroke pressed.
With its built-in spy components, it can record every keystroke, window title and visited website.

Not sure about this;

O4 - HKLM\..\Run: [ConfiggLoader] cart322.exe


0

Response Number 11
Name: Tom41
Date: November 25, 2003 at 01:56:53 Pacific
Reply:

Hi Abnormal, I don't think this entry is Orvell software.
O4 - HKLM\..\Run: [Windows update] svdhost.exe
Orvell would show as:
O4 - HKLM\..\Run: [COMDRV32] svdhost.exe

This entry is W32.Gaobot:
O4 - HKLM\..\Run: [ConfiggLoader] cart322.exe

danielgrigson,
Before we start the removal, go here and run an online virus scan and copy the report and paste it in a reply.

RAV


0
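
An added example, not part of any post in this thread: a Python version of the check blender and Tom41 do by eye in Responses 2, 4 and 11, flagging running-process and O4 entries whose file name is within a small edit distance of a genuine system binary. The KNOWN_SYSTEM allow-list, the distance threshold and the function names are assumptions; the sample lines are copied from the two logs posted here.

```python
import re

# Assumption: a short allow-list of genuine Windows XP system binaries.
KNOWN_SYSTEM = {"svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "smss.exe", "explorer.exe", "csrss.exe"}
# HijackThis autorun line: O4 - <key>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - [^:]+: \[[^\]]*\] (?P<cmd>.+)$")

# Constructed sample: lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SPOOLSRV.exe
C:\WINDOWS\System32\svchost.exe
O4 - HKLM\..\Run: [Windows Spooler] SPOOLSRV.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Windows update] svdhost.exe
O4 - HKLM\..\Run: [ConfiggLoader] cart322.exe
"""

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def image_name(command):
    """Lower-cased file name of the executable in a path or command line."""
    m = re.match(r'"?(.+?\.(?:exe|bat|com|scr|pif))(?=["\s]|$)', command.strip(), re.I)
    exe = m.group(1) if m else command.strip()
    return exe.rsplit("\\", 1)[-1].lower()

def lookalikes(log_text, max_distance=2):
    """Return (file name, system binary it imitates, log line) for near misses."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = O4_RE.match(line)
        if not m and not re.match(r"[A-Za-z]:\\", line):
            continue  # neither an O4 autorun entry nor a running-process path
        name = image_name(m.group("cmd") if m else line)
        if name not in KNOWN_SYSTEM:
            findings += [(name, real, line) for real in sorted(KNOWN_SYSTEM)
                         if edit_distance(name, real) <= max_distance]
    return findings
```

Name similarity is only a triage aid: cart322.exe, which Tom41 identifies as W32.Gaobot, imitates no system binary and is not flagged by this check.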

Response Number 12
Name: Abnormal
Date: November 25, 2003 at 09:42:11 Pacific
Reply:

Thanks Tom


0

Response Number 13
Name: danielgrigson
Date: November 25, 2003 at 11:49:38 Pacific
Reply:

Thanks Again!

Here is the log from RAV:

Found viruses
File: C:\WINDOWS\SYSTEM32\svdhost.exe->(UPXW)
Virus: Win32/Gaobot.gen! Status: Infected

File: C:\WINDOWS\SYSTEM32\cart322.exe->(UPXW)
Virus: Win32/Gaobot.gen! Status: Suspicious

File: C:\WINDOWS\SYSTEM32\winhlpp32.exe->(UPXW)
Virus: Win32/Gaobot.gen! Status: Suspicious

File: C:\WINDOWS\SYSTEM32\cart322.exe.poly->(UPXW)
Virus: Win32/Gaobot.gen! Status: Suspicious

File: C:\System Volume Information\_restore{88428941-04ED-4317-B43D-80B0CD84640C}\RP11\A0000627.exe->(UPXW)
Virus: Win32/Gaobot.gen! Status: Infected


0

Response Number 14
Name: Tom41
Date: November 25, 2003 at 12:12:00 Pacific
Reply:

Hi Daniel,
Download, unzip and run Process Explorer and end process (kill) on the following:
C:\WINDOWS\System32\cart322.exe
C:\WINDOWS\System32\svdhost.exe

Process Explorer

Then run HT again and check the following items.
Next, close all browser Windows, and have HT 'fix checked'.

You Must restart your computer in Safe Mode when you're done.

O4 - HKLM\..\Run: [Windows update] svdhost.exe
O4 - HKLM\..\Run: [ConfiggLoader] cart322.exe
O4 - HKLM\..\RunServices: [Windows update] svdhost.exe
O4 - HKLM\..\RunServices: [ConfiggLoader] cart322.exe

Once in safe mode delete the following:
C:\WINDOWS\System32\cart322.exe
C:\WINDOWS\System32\svdhost.exe
C:\WINDOWS\SYSTEM32\winhlpp32.exe

Reboot to Windows and see this on how to disable & re-enable system restore.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam


0

Response Number 15
Name: danielgrigson
Date: November 28, 2003 at 08:58:10 Pacific
Reply:

Thanks guys! My computer is up, along with NAV. One problem, though . . .

My Desktop Items and IE Favorites keep disappearing. I cannot find them anywhere, but when I try to add a desktop icon or a favorites item that I used to have, it says that it already exists!

What now?

Daniel


0
