
Run-time Error 53

Discussion in 'Virus & Other Malware Removal' started by mrajoiner, Jan 25, 2005.

  1. mrajoiner

    mrajoiner Thread Starter

    Joined:
    Jan 25, 2005
    Messages:
    27
    First of all, let me apologize for posting a question that's been previously answered. :confused: The fix I read, however, doesn't work for me. I've run HJT several times and deleted numerous registry entries and startup files, and nothing works.

    This is my boss' laptop and I'm pretty much at wits end.

    And yes...it's the run-time error 53 with 'sex' in the upper left hand corner.


    With all that being said, here's my HJT log:

    Logfile of HijackThis v1.99.0
    Scan saved at 4:59:06 PM, on 1/25/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\msaxc.exe
    C:\WINNT\system32\srunner.exe
    C:\WINNT\system32\srunner.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\update.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PrinterSpool] C:\WINNT\SYSTEM32\PLUGINS\restore.exe C:\WINNT\SYSTEM32\PLUGINS\spool.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Windows Update] update.exe
    O4 - HKLM\..\RunServices: [Windows Update] update.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Windows Update] update.exe
    O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = radco.local
    O17 - HKLM\Software\..\Telephony: DomainName = radco.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = radco.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = radco.local
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: MS Update - Unknown - execute.exe (file missing)
    O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Python - Unknown - msaxc.exe (file missing)

    Please help!!!
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Did you save any of the older logs by any chance? Could you post the earliest one you have?
     
  3. mrajoiner

    mrajoiner Thread Starter

    Joined:
    Jan 25, 2005
    Messages:
    27
    unfortunately i did not save any earlier logs...in my frustration, i replaced the earlier version. arrrggghhh...

    thanks for the links to those articles--

    Awesome information!!
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, You do have some malware showing.

    Try these online scans when you have time:

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    http://housecall.antivirus.com/housecall/start_corp.asp

    If you have never used them, both of those scans will take a while to get the Active X controls loaded and then scan all files....I would estimate a good 2 hours and have seen it take quite a lot longer. Not much you can do...

    Set the settings to scan all files, Scan the whole computer, all hard drives...whatever each has. AUTOCLEAN should be checked, too. You don't get to scan unless you let the ActiveX control load, that is what gets tiring, but it should finish> it does seem to stop but you should wait and scan!
    Panda will let you save a Report as Activescan.txt when it finishes, which you should post here in your next reply. Housecall only shows you what it found, cleaned, could not fix, or deleted....so, do Panda first and Housecall next to keep the manual filename recording to a minimum, but we should have you post the filenames it found infected, the locations of files, and what the exact trojan name is for each.


    Do you have the programs AdAware SE personal edition v. 1.05 and SpyBot Search and Destroy v. 1.3?

    You will need both of these programs, and these versions...though you might have both, one or the other may be older than what I am posting and will not be as effective as they can be! You need to check the Build of AdAware you have, it's right on the main window, we are using AdAware SE personal edition (the free one) v. 1.05 now, and even though you are just installing it, it will have some detection updates just after you install it, unless you get very lucky!

    SpyBot Search and Destroy v. 1.3> is the latest. The older versions are abandoned and will not give you any more updates!

    Both of those programs are available here:

    http://www.majorgeeks.com/downloads31.html

    Here are the directions for installing, updating, and using them:
    AdAware:

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window: Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.

    SpyBot 1.3:

    Install the program and launch it.

    Before scanning press Online and Search for Updates .

    Put a check mark at and install all updates.

    Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

    Restart your computer.


    Post a new log when you are ready, no rush, be sure you do things correctly. Not everything will be fixed but it should improve.
     
  5. mrajoiner

    mrajoiner Thread Starter

    Joined:
    Jan 25, 2005
    Messages:
    27
    Thanks so much. I just got in to work, and this is a huge help. I will post new logs after I follow each step you listed.

    By the way, I do have the latest versions of Adaware, and Spybot S&D.
     
  6. mrajoiner

    mrajoiner Thread Starter

    Joined:
    Jan 25, 2005
    Messages:
    27
    Thanks Byteman! I've scanned and found mucho virii. I'll post the logs from panda, followed by the new logs from HJT. The error message still comes up though.

    Here we go -- Panda --
    Incident Status Location

    Virus:W32/Bagle.AH.worm Disinfected C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON\MSSHARED\ACDSee 9.exe


    C:\Program Files\McAfee\McAfee Shared Components\ACDSee 9.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Adobe Photoshop 9 full.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Ahead Nero 7.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Kaspersky Antivirus 5.0
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\KAV 5.0
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Matrix 3 Revolution English Subtitles.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Microsoft Office 2003 Crack, Working!.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Microsoft Office XP working Crack, Keygen.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Microsoft Windows XP, WinXP Crack, working Keygen.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Opera 8 New!.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Porno pics arhive, xxx.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Porno Screensaver.scr
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Porno, sex, oral, anal cool, awesome!!.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Serials.txt.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\WinAmp 5 Pro Keygen Crack Update.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\WinAmp 6 New!.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Windown Longhorn Beta Leak.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Windows Sourcecode update.doc.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\XXX hardcore images.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\ACDSee 9.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Adobe Photoshop 9 full.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Ahead Nero 7.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Kaspersky Antivirus 5.0
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\KAV 5.0
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Matrix 3 Revolution English Subtitles.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Microsoft Office 2003 Crack, Working!.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Microsoft Office XP working Crack, Keygen.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Opera 8 New!.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Porno pics arhive, xxx.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Porno Screensaver.scr
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Porno, sex, oral, anal cool, awesome!!.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Serials.txt.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\WinAmp 5 Pro Keygen Crack Update.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\WinAmp 6 New!.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Windown Longhorn Beta Leak.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Windows Sourcecode update.doc.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\XXX hardcore images.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\cjector.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\ACDSee 9.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Adobe Photoshop 9 full.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Ahead Nero 7.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Kaspersky Antivirus 5.0
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\KAV 5.0
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Matrix 3 Revolution English Subtitles.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Microsoft Office 2003 Crack, Working!.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Microsoft Office XP working Crack, Keygen.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Opera 8 New!.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Porno pics arhive, xxx.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Porno Screensaver.scr
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Porno, sex, oral, anal cool, awesome!!.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Serials.txt.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\WinAmp 5 Pro Keygen Crack Update.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\WinAmp 6 New!.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Windown Longhorn Beta Leak.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Windows Sourcecode update.doc.exe
    Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\XXX hardcore images.exe
    Virus:Bck/mIRCBased.O Disinfected C:\WINNT\system32\download\msx.exe
    Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\addreg.bat
    Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\addreg.reg
    Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\addregnt.reg
    Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\addregxp.reg
    Virus:Bck/mIRCBased.O Disinfected C:\WINNT\system32\plugins\download\msaxc.exe
    Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\init.bat
    Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\navupd.exe
    Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\preset.ini
    Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\test.ini
    Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\upd.bat
    Virus:W32/Gaobot.gen.worm Disinfected C:\WINNT\system32\update.exe
    Virus:Trj/Agent.ES Disinfected C:\WINNT\system32\zzzx32ntw.exe
    Virus:W32/Sdbot.BPE.worm Disinfected C:\WINNT\system32\zzzxts.exe
    Virus:Trj/Agent.ES Disinfected C:\WINNT\system32\zzzxvlece.exe

    Now for HJT:

    Logfile of HijackThis v1.99.0
    Scan saved at 9:11:42 AM, on 1/26/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\msaxc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\srunner.exe
    C:\WINNT\system32\srunner.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SYSTEM32\PLUGINS\restore.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PrinterSpool] C:\WINNT\SYSTEM32\PLUGINS\restore.exe C:\WINNT\SYSTEM32\PLUGINS\spool.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = radco.local
    O17 - HKLM\Software\..\Telephony: DomainName = radco.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = radco.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = radco.local
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: MS Update - Unknown - execute.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Python - Unknown - msaxc.exe (file missing)
    O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    I'm following your lead -- :D
     
  7. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Can't imagine why your Norton A/V did not alert you about Bagle...is it active, and are you subscribed to updates???????? That's to ponder later...now for some action:


    Download Stinger by McAfee, it's a very small remover that takes out some of the most common worms etc.

    http://vil.nai.com/vil/stinger/

    Just run it and let it clean what it can. You may have to turn off Norton temporarily.


    Reboot, run AdAware and SpyBot (check for updates for each before you scan) and run full scans, reboot between scans.

    You will be in Safe Mode to do the rest...so copy these directions to a Notepad file like Help1.txt and save on the desktop so you can have it to look at in Safe Mode.

    To get to Safe Mode, in case you don't know how, simply tap the F8 key repeatedly when the system starts or you restart it, just as you see text on screen...when you get the startup menu, select "Safe Mode" (only) and hit Enter key once, give it plenty of time to get to the desktop.

    Run Hijackthis, if you see any of these items, put a check next to them and then, when you have them all, click "Fix checked": Have ALL OTHER windows closed please>

    O4 - HKLM\..\Run: [PrinterSpool] C:\WINNT\SYSTEM32\PLUGINS\restore.exe C:\WINNT\SYSTEM32\PLUGINS\spool.exe

    O23 - Service: MS Update - Unknown - execute.exe (file missing)

    You will need to set these settings:

    Now, the trick is to find these files and delete them:


    C:\WINNT\system32\msaxc.exe <no info found, do you recognize this file???? You can rename it to msaxc.txt...

    C:\WINNT\SYSTEM32\PLUGINS\restore.exe <file

    Next: Here is a Bagle removal tool that may help further:

    Since you do not have an installed version of Panda, I think you would use these directions>

    """If you are not a Panda Software client:

    If you have a computer network, you should disconnect the network cable from all the servers and workstations in order to prevent them from being affected again during the disinfection process.
    Carry out the following disinfection steps in each computer in your network.

    1. Download the free utility Panda QuickRemover by clicking on the icon below:"""

    http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=sol&idvirus=49863

    The remover tool link is the blue box labeled "pqremove.com" BE SURE you follow the directions. Especially these> Even if Panda QuickRemover indicates that it hasn't detected any active viruses, click on Continue in order to perform a full scan!!!!!

    Afterward, be sure you read and understand the "Means of Transmission" info, this worm is easy to get back, make sure all who use the computer and have access to email understand it too. It will infect entire networks easily. Apparently your Norton AV program is not updated or not configured to scan emails or your subscription to it has ended...if the year version is more than a year old, it's time to get something newer as the program engine will not be able to handle the newer things well even IF you keep it updated with detection updates. Panda might be a good choice for you!


    Post new HJT log when you are ready.
     
  8. mrajoiner

    mrajoiner Thread Starter

    Joined:
    Jan 25, 2005
    Messages:
    27
    Well, as earlier stated, this is my boss' laptop. I recently took over this network, and this is a part of it. I have Norton on our server, and installed it after I ran the virus scans you suggested.

    Thanks again for all your help and again, i'm chasing the rabbit -

    speak with you shortly --
     
  9. mrajoiner

    mrajoiner Thread Starter

    Joined:
    Jan 25, 2005
    Messages:
    27
    Byteman, you are the absolute greatest!!! It's finally fixed!! The msaxc is still there...but the pop-up is gone!! :D

    What in the world would I do without Tech Support Guy Forums?? Who knows - oh...go into Politics! (y) (y) (y) (y) (y) (y)

    Logfile of HijackThis v1.99.0
    Scan saved at 3:53:00 PM, on 1/26/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\srunner.exe
    C:\WINNT\system32\srunner.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = radco.local
    O17 - HKLM\Software\..\Telephony: DomainName = radco.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = radco.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = radco.local
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: MS Update - Unknown - execute.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Python - Unknown - msaxc.exe (file missing)
    O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Great work! Sorry for the questions about Norton, I was just concerned about it not finding the worm...


    Couple of things to try and fix....run a new scan, Normal mode should do for this run: Fix, have all other windows/browsers etc closed:

    O23 - Service: MS Update - Unknown - execute.exe (file missing)

    O23 - Service: Python - Unknown - msaxc.exe (file missing)

    I have to say I don't know exactly what they are, but they do not look good and the files are gone anyway. Python I have seen, it's a programming language, but not seen very much in HJT logs. Might have been used by the malware.


    Make sure you get the latest Windows Updates for your system, but wait on Service Pack 2, as you may be using special settings and programs that are not fully tested with SP2.

    Your next step would be, after you make sure things are running OK, this:

    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

    You turn it off, which removes all saved but infected Restore Points> reboot, as it tells you, and then create a new Restore Point.

    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK. Wait for hourglass to stop and it says
    "Turned Off"

    Restart your computer, turn System Restore back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

    Let us know how that goes. After another "while" it would be a good idea to mark your thread "Solved" if you feel it is. You can still come here and post to it if you mark it solved. To mark, use the Thread Tools button at the top of the page. You do pretty good work there yourself! (y)
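
An added example, not part of the original thread and not a HijackThis feature: a small parser for the HijackThis log format posted above that lists which entries disappeared between two logs and flags two patterns visible in this thread, an O23 service whose image is reported "(file missing)" while a process of that name is still running, and one autostart value registered under several Run keys. The sample logs are constructed by abridging the first and third logs in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed samples: abridged from the first and third logs in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.0

Running processes:
C:\WINNT\system32\msaxc.exe
C:\WINNT\System32\update.exe
C:\PROGRA~1\AIM\aim.exe

O4 - HKLM\..\Run: [PrinterSpool] C:\WINNT\SYSTEM32\PLUGINS\restore.exe C:\WINNT\SYSTEM32\PLUGINS\spool.exe
O4 - HKLM\..\Run: [Windows Update] update.exe
O4 - HKLM\..\RunServices: [Windows Update] update.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows Update] update.exe
O23 - Service: MS Update - Unknown - execute.exe (file missing)
O23 - Service: Python - Unknown - msaxc.exe (file missing)
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.0

Running processes:
C:\PROGRA~1\AIM\aim.exe

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O23 - Service: MS Update - Unknown - execute.exe (file missing)
O23 - Service: Python - Unknown - msaxc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")           # "O4 - ..."
RUN_RE = re.compile(r"^(HK[A-Z]+\\\.\.\\\w+): \[(.+?)\] (.*)$")  # key, value name, command
SERVICE_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")      # name, vendor, image
MISSING = "(file missing)"


def parse_log(text):
    """Split a HijackThis log into its running-process list and its numbered entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def review(log):
    """Return findings for a human to look at; these are review hints, not verdicts."""
    findings = []
    running = {basename(p) for p in log["processes"]}
    hives_by_value = defaultdict(set)
    for code, body in log["entries"]:
        if code == "O4":
            m = RUN_RE.match(body)
            if m:
                hives_by_value[(m.group(2), m.group(3))].add(m.group(1))
        elif code == "O23":
            m = SERVICE_RE.match(body)
            if m and m.group(3).endswith(MISSING):
                image = basename(m.group(3)[:-len(MISSING)].strip())
                state = "still running" if image in running else "not running"
                findings.append(("missing-service-image", m.group(1), image, state))
    for (name, cmd), hives in sorted(hives_by_value.items()):
        if len(hives) > 1:  # same value name and command under several Run keys
            findings.append(("multi-hive-autostart", name, cmd, tuple(sorted(hives))))
    return findings


def removed_entries(before, after):
    """Entries present in the earlier log and gone from the later one."""
    later = set(after["entries"])
    return [e for e in before["entries"] if e not in later]


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for finding in review(before):
        print("before:", finding)
    for finding in review(after):
        print("after: ", finding)
    for code, body in removed_entries(before, after):
        print("removed:", code, body)
```
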
     
  11. mrajoiner

    mrajoiner Thread Starter

    Joined:
    Jan 25, 2005
    Messages:
    27
    go figure - i walk into my office, and my boss has taken his laptop. he's on travel and will be gone for a few days. AAARRRGGGHHH!! We I.T. guys don't get any respect!!!

    Thanks again for all your help.
     
  12. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hiya---Heh> Let us know what he brings back! :eek:
     
  13. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Got a PM from mrajoiner saying that the laptop had a problem and am waiting for a new HJT log to be posted.
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I'll bet you're excited! :D
     