ccEvtMgr.exe R6025 - Pure virtual function call
oberonop
I am also having trouble with NAV.

On startup, I get a runtime error:
C:\Program files\Common Files\Symantec Shared\ccEvtMgr.exe
R6025 - Pure virtual function call

I had also lost NAV for a while, then removed 2 files (one an exe in root of C), instances of W32.Gaobot.AFJ, but following the advice in the 2 Symantec links you posted for others, I seem to have NAV back. But I still get the above error on startup!

I have run Ad-Aware and Spybot, and here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 7:37:34 PM, on 4/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\windows\system32\lsasvc.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\netservices.dll
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\ias\netlogon.com
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\Downloads\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI699F~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - http://scpwbf.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup142f1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Benson1
O17 - HKLM\Software\..\Telephony: DomainName = Benson1
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B6977E4-90F1-4D87-A6A2-0383D0C4B35A}: NameServer = 172.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Benson1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B6977E4-90F1-4D87-A6A2-0383D0C4B35A}: NameServer = 172.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Benson1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1B6977E4-90F1-4D87-A6A2-0383D0C4B35A}: NameServer = 172.168.0.1

BTW, of all the things Symantec suggested, the one that finally got NAV booting again (SystemWorks Pro 2003 on standalone machine) was uninstalling and then using MSCONFIG to restart with nothing but services, while reinstalling. As I said before, though, I still get the virtual function error every time I boot with all programs starting (not when services only).

Any suggestions would be greatly appreciated.

Thanks,

oberonop
LoPhatPhuud
First:
Please go here and do an AV scan at one (preferably two) of the following:
Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx


Second:
If you do not recognize these files, please zip and email them to me for analysis:
c:\windows\system32\lsasvc.exe
C:\WINDOWS\ias\netlogon.com

mailto: submit@LoPhatPhuud.com

Third:
Check the following items in HijackThis.
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe


Close all windows except HijackThis and click Fix checked:

Reboot in Safe Mode* and delete the following: (you may need to show hidden files**)
(Be very careful deleting the following file. Check the spelling!! The real file is svchost.exe. It will be in either c:\windows\ or c:\windows\system32\ )
scvhost.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show hidden files/folders as per the instructions here http://www.tacktech.com/display.cfm?ttid=190

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot.

Post another HiJackThis log in this thread for review.


Last:
For the NAV issue, try this link:
http://service1.symantec.com/SUPPORT/nav.n...nav&svy=&csm=no


If that fails, try this one:
http://service1.symantec.com/SUPPORT/nav.n...=&osv=&osv_lvl=
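
The two checks applied to the log in this thread (BHO entries whose file is missing, and a Run entry named one edit away from a real Windows binary, `scvhost.exe` vs `svchost.exe`) can be automated. This is an added example, not part of the original posts or of HijackThis; `KNOWN_SYSTEM`, `osa_distance`, `lookalike_of` and `triage` are hypothetical names, and the sample lines are copied from the log above.

```python
import re

# Constructed sample: five lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
"""

# Assumption: a short, non-exhaustive reference list of genuine Windows binaries.
KNOWN_SYSTEM = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                "explorer.exe", "spoolsv.exe", "smss.exe"}

O2_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")
EXE_RE = re.compile(r"[^\\/\s]+\.(?:exe|com|dll)", re.I)

def osa_distance(a, b):
    """Edit distance that counts an adjacent swap ("cv" vs "vc") as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def lookalike_of(name):
    """Return the genuine binary that `name` is one edit away from, else None."""
    name = name.lower()
    if name in KNOWN_SYSTEM:
        return None
    return next((r for r in sorted(KNOWN_SYSTEM) if osa_distance(name, r) == 1), None)

def triage(log):
    findings = []
    for line in map(str.strip, log.splitlines()):
        if m := O2_RE.match(line):
            if m.group(2) == "(no file)":  # BHO still registered, DLL gone
                findings.append(("O2-orphan-bho", m.group(1)))
        elif m := O4_RE.match(line):
            exe = EXE_RE.search(m.group(3))
            real = lookalike_of(exe.group(0)) if exe else None
            if real:  # autostart name imitates a system binary
                findings.append(("O4-lookalike", m.group(1), exe.group(0).lower(), real))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns one orphaned-BHO finding and two look-alike findings, one per autostart key. A flagged entry is a lead for manual review, not a verdict.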