Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Can't access NAV website/Virus def updates

  • Please log in to reply
8 replies to this topic

#1 Frank C

Frank C

  • Members
  • 14 posts
  • Location:Boston, MA
  • Local time:10:00 PM

Posted 18 June 2005 - 02:07 PM


I'm having intermittant, (mostly unable), problems connecting to Symantic websites in order to download the latest NAV virus definitions via Intelligent Updater. Sometimes I get to the site and am able to select the file for download
and I get "Page cannot be displayed" (IE) or "The connection was refused" (FF).
Other times I'm not able to connect to the website at all. note: I've tried connecting through; securityresponse.symantec.com, sarc.com, and symantec.com
Once in a while, I've been able to DL the file, and once I was able to DL but got a CRC error when I attempted to install the file.

I'm running Windows 2000sp4, have all the latest MS critical updates, Firefox 1.04
is used as well as IE with all the latest patches. I've checked the hosts file. I've run NAV 2004, AVG, Spybot S&D 1.3, Adaware SE, MS Antispyware (beta 1), CWSshredder, and SpywareBlaster (All with the latest updates, and run in Safe mode as well as normal mode). I've run Mcafee's latest "Stinger" and Trendmicro's
"Housecall" and Symantec's "FxGaobot". I've checked IE's advanced internet options to ensure DL's are enabled, and security settings for restricted websites aren't blocking access. I've cleared the cache using Steven Gould's "Cleanup" utility. I use Norton's Personal Firewall but have ruled that out as a source of the problem because the problem is intermittant.

Other questionable symptoms include the inability to connect to trendmicro.com and what I thought was a once or twice inability of AVG to update its definitions.

I'll post HJT log below, and hope that someone can help. This may be an assault
on the ability of users to update their AV scanners or to contact AV vendors sites!

Thanks for your help, Frank

Logfile of HijackThis v1.99.1
Scan saved at 1:56:29 PM, on 6/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Documents and Settings\Administrator\Desktop\Utility\HJThis\HijackThis 1.99.1 Apr 05.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...514/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C2D47BA-08C0-48CE-8296-6C11422CB265}: NameServer =
O17 - HKLM\System\CS2\Services\Tcpip\..\{1C2D47BA-08C0-48CE-8296-6C11422CB265}: NameServer =
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

BC AdBot (Login to Remove)



#2 g2i2r4


    Malware remover

  • Members
  • 900 posts
  • Gender:Not Telling
  • Local time:04:00 AM

Posted 18 June 2005 - 02:45 PM

Welcome back Frank C

You say you are using both AVG and Norton. It's definitly not a good idea to use two AntiVirus programs at once. Instead of helping you, they start fighting eachother and leave you behind.

Remove one, update the other.


You use Spybot 1.3
Open Spybot and disable SD Helper and Teatimer. Rightclick the icon for teatimer next to your computer clock.
Reboot the computer and download the latest version (1.4).
A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers


Your HijackThis log is clean.

A few questions:- last time you had some problems that were cured after disabling SpySubstract. Did you try that this time?
- are you using a firewall? Is the AV Updater allow access?
- can you connect to secure sites (like hotmail login)?

Posted Image
Life is what happens while you're making other plans

#3 Frank C

Frank C
  • Topic Starter

  • Members
  • 14 posts
  • Location:Boston, MA
  • Local time:10:00 PM

Posted 18 June 2005 - 04:57 PM

Hi q2i2r4,

Thanks for the reply. I'm going to update Spybot to v1.4 and run it.

The other suggestions are appreciated but they don't seem to lead to resolution of the problem.

I will disable AVG for the moment, but I've been using NAV and AVG
simultaneously for over a year without problem. They "play" well together and compliment each other. The AV software should have no affect on the ability to access a webpage or to link from one page on a website to the next. If either of the AV's had a problem with the DL'd file they would alert me or log the problem.
That's not happened. The alert that I do receive is from the browser, for IE it says,
"page cannot be displayed"; for FF it says "Connection was refused".

I can connect to all other sites that I usually frequent and these include secure sites. Note: the Symantec and Trendmicro sites are not even secure sites.

I will try disabling TeaTimer and SDhelper but that will leave me open to other threats, and again these functions of Spybot should have no bearing on the"connection refused error" that I receive from the Symantec sites.

Also, my previous problem with Spysubtract is not an issue. I disabled it a long time ago.

"http:definitions.symantec.com/defs/20050618-i32.exe" is the page that gives me the most trouble. I have been able to access and download the needed file 3 times over the last 4 days (This was in 25+ attempts), sometimes I can navigate the site by clicking on links on the main site page, sometimes not.

Twice after placing calls to Symantec technical support, I was able to connect, navigate the site, and DL the needed file. Then I imediately tried again and was blocked. Symantec was not able to resolve the problem and has escalated the issue to their advanced troubleshooting experts. They said they need time to research it. I have a case# and will try them again after some time has passed.

As for my firewall, I use Noton Personal Firwall. I'm not very adept at configuration, but I did check and the AV updater is allowed access, but that should not be a factor because this is a manual download that I'm attempting.
I've also used this same procedure for many months without fault until last week.

Sorry for the long reply but The Devil may be in the Details,

Thanks again, Frank

#4 g2i2r4


    Malware remover

  • Members
  • 900 posts
  • Gender:Not Telling
  • Local time:04:00 AM

Posted 18 June 2005 - 05:05 PM

Did you try using this startpage:

The part about disabling teatime and SDhelper was just meant for the old version of Spybot. That is needed to uninstall the old version, reboot and install the new version.

I'm not going to leave you unprotected!!

Posted Image
Life is what happens while you're making other plans

#5 Frank C

Frank C
  • Topic Starter

  • Members
  • 14 posts
  • Location:Boston, MA
  • Local time:10:00 PM

Posted 18 June 2005 - 07:15 PM


I DL'd Spybot 1.4, installed the latest updates, imunized, and ran the scan.
No malware was detected.

While in Spybot I noticed that six new entries were visable in the "System Startup" section of "Tools". They were all listed as Winlogon Keys with values:
crypt32chain, cryptnet, cscdll, sclgntfy, senslogn, and wzcnotif. They were listed
respectively under the column "Command Line" as crpt32.dll, cryptnet.dll, cscdll.dll, sclgntfy.dll, winotify.dll and wzcdlg.dll. Are they legit ? Perhaps stuff that was always there but only now visable due to the new Spybot version ? Unlike the other startup entries listed, Spybot had no additional information on them.

I'm apprehensive about them and not sure whether to uncheck them so they
won't load the next time I reboot. I'll leave them enabled for now, but your advice
regarding them is appreciated.

Getting back to the original problem, I tried the link that you posted. It also responded that the connection was refused.

I'm still stuck. Please Help. Thanks!

#6 g2i2r4


    Malware remover

  • Members
  • 900 posts
  • Gender:Not Telling
  • Local time:04:00 AM

Posted 19 June 2005 - 04:30 AM

All those entries are legit.

Try this - with all browser windows closed, Go to Start->Run and copy and paste each of the following, hitting ok after each:
regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll
Reboot, then try to access the sites that were giving you problems again.

Posted Image
Life is what happens while you're making other plans

#7 Frank C

Frank C
  • Topic Starter

  • Members
  • 14 posts
  • Location:Boston, MA
  • Local time:10:00 PM

Posted 21 June 2005 - 12:15 PM

Greetings g2i2r4,

Sorry to take so long responding. I've been in computer hell for a few days.

After trying everything that you suggested, and all that I could think of, to verify
my machine's operation. I tried following the packets to the Symantec site. What I found after doing some Ping and Tracert tests to my target, is that the request was
going to my ISP, and "bouncing" back and forth between two of their routers. The communication attempt eventually exceeded the max. hop count and was disgarded. (hence the inability to contact those sites in question).

NOTE: The sites that I observed the problem on were; Symantec, Trendmicro, and
MLB.com. All other websites I tried were able to be ping'd, tracrt'd, and were accessable.

I contacted the ISP on Sunday and they corrected the problem by Monday morning. It took awhile because in the process of escallating the issue through their help desk, the level 1 and level 2 support staff insisted that the problem was with my machine. They "helped" me by instructing me to try disabling my firewall (I did not do that!), lowering the security settings in IE (should have no effect because FF also exhibited the problem). Then they also tried repairing a "broken" winsocket in my TCP/IP protocol stack. Since I did not, at the time, have my Win2000 disk to reinstall TCP/IP, we tried using the LSPfix utility to repair the socket. The socket was probably not broken in the 1st place, but our unfamilarity
with the LSPfix utility resulted in the removal of several DLL's essential for communication on the internet, (we killed my machine's capability to browse webites all together).

I was able to find my Win2000 disk, re-install TCP/IP, and restore the machine to full functionality. I had the help of the "master" technician Jeff also from my ISP.

ps. I also built a second system from an old laptop I'd had sitting around, and was able to verify the "bounce" problem and its resoluton, on the 2'nd machine. It was
a painful time consuming process to build the second machine, I had to DL all Windows Upade critical patches (23 of them), as well as AVG, Zone alarm, Spybot,
etc. etc. over dialup!

Anyway, I really appreciate that you guys are out there to help, and I wanted to let
you know what happened.

Thanks, Freak'n Geek'n, Frank C.

Close Topic.

#8 Frank C

Frank C
  • Topic Starter

  • Members
  • 14 posts
  • Location:Boston, MA
  • Local time:10:00 PM

Posted 21 June 2005 - 02:12 PM

Wait ! Don't close topic. The bounce is baack !

I just went out to update my NAV virus defs at Symantec and can't get to the site.

Then I tracert'd and see the attempted comunication "bounce" back and forth on the same two routers of my ISP, until it exceeds 30 hops and is dropped.

DNS resolution of the IP address is good; (securityresponse.symantec.com resolves to, but the packets never get off the ISP routers.

I tried sarc.com with similar results. Then tried securityresponse.symantec.com
a second time and it works! Problem seems intermittant. I'm going to get the DL
while I'm able to connect, then monitor the situation.

Here are the results of my latest tracert. Let me know what you think? I'll keep you posted but may have to engage with the real world a bit. I've been at the machines too many hrs.

Thanks, Frank C

Tracing route to a568.d.akamai.net []

over a maximum of 30 hops:

1 147 ms 148 ms 143 ms acn02-lo-1.ma-quincy1.ne.earthlink.net []

2 171 ms 138 ms 140 ms

3 148 ms 148 ms 145 ms dir01-se-1-1-0.ma-cambridg0.ne.earthlink.net []

4 143 ms 143 ms 139 ms cor01-se-3-0-1.ma-quincy1.ne.earthlink.net []

5 149 ms 145 ms 142 ms dir01-se-1-1-0.ma-cambridg0.ne.earthlink.net []

6 142 ms 137 ms 139 ms cor01-se-3-0-1.ma-quincy1.ne.earthlink.net []

7 139 ms 144 ms 138 ms dir01-se-1-1-0.ma-cambridg0.ne.earthlink.net []

8 142 ms 139 ms 139 ms cor01-se-3-0-1.ma-quincy1.ne.earthlink.net []

9 146 ms 143 ms 143 ms dir01-se-1-1-0.ma-cambridg0.ne.earthlink.net []

10 145 ms 137 ms 141 ms cor01-se-3-0-1.ma-quincy1.ne.earthlink.net []

11 146 ms 143 ms 145 ms dir01-se-1-1-0.ma-cambridg0.ne.earthlink.net []

12 142 ms 145 ms 144 ms cor01-se-3-0-1.ma-quincy1.ne.earthlink.net []

13 143 ms 144 ms 144 ms dir01-se-1-1-0.ma-cambridg0.ne.earthlink.net []

14 145 ms 145 ms 143 ms cor01-se-3-0-1.ma-quincy1.ne.earthlink.net []

15 143 ms 149 ms 149 ms dir01-se-1-1-0.ma-cambridg0.ne.earthlink.net []

16 149 ms 143 ms 145 ms cor01-se-3-0-1.ma-quincy1.ne.earthlink.net []

17 150 ms 149 ms 149 ms dir01-se-1-1-0.ma-cambridg0.ne.earthlink.net []

18 153 ms 149 ms 150 ms cor01-se-3-0-1.ma-quincy1.ne.earthlink.net []

19 151 ms 149 ms 153 ms dir01-se-1-1-0.ma-cambridg0.ne.earthlink.net []

20 145 ms 144 ms 148 ms cor01-se-3-0-1.ma-quincy1.ne.earthlink.net []

21 153 ms 148 ms 145 ms dir01-se-1-1-0.ma-cambridg0.ne.earthlink.net []

22 146 ms 154 ms 149 ms cor01-se-3-0-1.ma-quincy1.ne.earthlink.net []

23 154 ms 154 ms 153 ms dir01-se-1-1-0.ma-cambridg0.ne.earthlink.net []

24 153 ms 153 ms 154 ms cor01-se-3-0-1.ma-quincy1.ne.earthlink.net []

25 161 ms 149 ms 154 ms dir01-se-1-1-0.ma-cambridg0.ne.earthlink.net []

26 174 ms 154 ms 154 ms cor01-se-3-0-1.ma-quincy1.ne.earthlink.net []

27 157 ms 154 ms 154 ms dir01-se-1-1-0.ma-cambridg0.ne.earthlink.net []

28 160 ms 154 ms 155 ms cor01-se-3-0-1.ma-quincy1.ne.earthlink.net []

29 159 ms 153 ms 154 ms dir01-se-1-1-0.ma-cambridg0.ne.earthlink.net []

30 161 ms 160 ms 153 ms cor01-se-3-0-1.ma-quincy1.ne.earthlink.net []

Trace complete.

#9 g2i2r4


    Malware remover

  • Members
  • 900 posts
  • Gender:Not Telling
  • Local time:04:00 AM

Posted 21 June 2005 - 04:12 PM

I consulted a collegue and we think the problem is with your provider.

I can consult the team to see what they think...

Posted Image
Life is what happens while you're making other plans

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users