Run-time Error 53


mrajoiner

Thread Starter
Joined
Jan 25, 2005
Messages
27
First of all, let me apologize for posting a question that's been previously answered. :confused: The fix I read, however, doesn't work for me. I've run HJT several times and deleted numerous registry entries, and startup files and nothing works.

This is my boss' laptop and I'm pretty much at wits end.

And yes...it's the run-time error 53 with 'sex' in the upper left hand corner.


With all that being said, here's my HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 4:59:06 PM, on 1/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\msaxc.exe
C:\WINNT\system32\srunner.exe
C:\WINNT\system32\srunner.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\update.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinterSpool] C:\WINNT\SYSTEM32\PLUGINS\restore.exe C:\WINNT\SYSTEM32\PLUGINS\spool.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Update] update.exe
O4 - HKLM\..\RunServices: [Windows Update] update.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Windows Update] update.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = radco.local
O17 - HKLM\Software\..\Telephony: DomainName = radco.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = radco.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = radco.local
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: MS Update - Unknown - execute.exe (file missing)
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Python - Unknown - msaxc.exe (file missing)

Please help!!!
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, Did you save any of the older logs by any chance? Could you post the earliest one you have?
 

mrajoiner

Thread Starter
Joined
Jan 25, 2005
Messages
27
unfortunately i did not save any earlier logs...in my frustration, i replaced the earlier version. arrrggghhh...

thanks for the links to those articles--

Awesome information!!
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, You do have some malware showing.

Try these online scans when you have time:

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

http://housecall.antivirus.com/housecall/start_corp.asp

If you have never used them, both of those scans will take a while to get the Active X controls loaded and then scan all files....I would estimate a good 2 hours and have seen it take quite a lot longer. Not much you can do...

Set the settings to scan all files, Scan the whole computer, all hard drives...whatever each has. AUTOCLEAN should be checked, too. You don't get to scan unless you let the ActiveX control load, that is what gets tiring, but it should finish> it does seem to stop but you should wait and scan!
Panda will let you save a Report as Activescan.txt when it finishes, which you should post here in your next reply. Housecall only shows you what it found, cleaned, could not fix, or deleted....so, do Panda first and Housecall next to keep the manual filename recording to a minimum, but we should have you post the filenames it found infected, the locations of files, and what the exact trojan name is for each.


Do you have the programs AdAware SE personal edition v. 1.05 and SpyBot Search and Destroy v. 1.3?

You will need both of these programs, and these versions...though you might have both, one or the other may be older than what I am posting and will not be as effective as they can be! You need to check the Build of AdAware you have, it's right on the main window, we are using AdAware SE personal edition (the free one) v. 1.05 now, and even though you are just installing it, it will have some detection updates just after you install it, unless you get very lucky!

SpyBot Search and Destroy v. 1.3> is the latest. The older versions are abandoned and will not give you any more updates!

Both of those programs are available here:

http://www.majorgeeks.com/downloads31.html

Here are the directions for installing, updating, and using them:
AdAware:

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.

SpyBot 1.3:

Install the program and launch it.

Before scanning press Online and Search for Updates .

Put a check mark at and install all updates.

Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

Restart your computer.


Post a new log when you are ready, no rush, be sure you do things correctly. Not everything will be fixed but it should improve.
 

mrajoiner

Thread Starter
Joined
Jan 25, 2005
Messages
27
Thanks so much. I just got in to work, and this is a huge help. I will post new logs after I follow each step you listed.

By the way, I do have the latest versions of Adaware, and Spybot S&D.
 

mrajoiner

Thread Starter
Joined
Jan 25, 2005
Messages
27
Thanks Byteman! I've scanned and found mucho virii. I'll post the logs from panda, followed by the new logs from HJT. The error message still comes up though.

Here we go -- Panda --
Incident Status Location

Virus:W32/Bagle.AH.worm Disinfected C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON\MSSHARED\ACDSee 9.exe


C:\Program Files\McAfee\McAfee Shared Components\ACDSee 9.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Adobe Photoshop 9 full.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Ahead Nero 7.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Kaspersky Antivirus 5.0
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\KAV 5.0
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Matrix 3 Revolution English Subtitles.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Microsoft Office 2003 Crack, Working!.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Microsoft Office XP working Crack, Keygen.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Microsoft Windows XP, WinXP Crack, working Keygen.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Opera 8 New!.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Porno pics arhive, xxx.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Porno Screensaver.scr
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Porno, sex, oral, anal cool, awesome!!.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Serials.txt.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\WinAmp 5 Pro Keygen Crack Update.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\WinAmp 6 New!.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Windown Longhorn Beta Leak.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\Windows Sourcecode update.doc.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\McAfee\McAfee Shared Components\XXX hardcore images.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\ACDSee 9.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Adobe Photoshop 9 full.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Ahead Nero 7.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Kaspersky Antivirus 5.0
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\KAV 5.0
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Matrix 3 Revolution English Subtitles.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Microsoft Office 2003 Crack, Working!.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Microsoft Office XP working Crack, Keygen.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Opera 8 New!.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Porno pics arhive, xxx.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Porno Screensaver.scr
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Porno, sex, oral, anal cool, awesome!!.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Serials.txt.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\WinAmp 5 Pro Keygen Crack Update.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\WinAmp 6 New!.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Windown Longhorn Beta Leak.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\Windows Sourcecode update.doc.exe
Virus:W32/Bagle.AH.worm Disinfected C:\Program Files\Seagate Software\Shared\XXX hardcore images.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\cjector.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\ACDSee 9.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Adobe Photoshop 9 full.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Ahead Nero 7.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Kaspersky Antivirus 5.0
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\KAV 5.0
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Matrix 3 Revolution English Subtitles.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Microsoft Office 2003 Crack, Working!.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Microsoft Office XP working Crack, Keygen.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Opera 8 New!.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Porno pics arhive, xxx.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Porno Screensaver.scr
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Porno, sex, oral, anal cool, awesome!!.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Serials.txt.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\WinAmp 5 Pro Keygen Crack Update.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\WinAmp 6 New!.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Windown Longhorn Beta Leak.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\Windows Sourcecode update.doc.exe
Virus:W32/Bagle.AH.worm Disinfected C:\WINNT\ime\shared\XXX hardcore images.exe
Virus:Bck/mIRCBased.O Disinfected C:\WINNT\system32\download\msx.exe
Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\addreg.bat
Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\addreg.reg
Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\addregnt.reg
Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\addregxp.reg
Virus:Bck/mIRCBased.O Disinfected C:\WINNT\system32\plugins\download\msaxc.exe
Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\init.bat
Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\navupd.exe
Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\preset.ini
Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\test.ini
Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\upd.bat
Virus:W32/Gaobot.gen.worm Disinfected C:\WINNT\system32\update.exe
Virus:Trj/Agent.ES Disinfected C:\WINNT\system32\zzzx32ntw.exe
Virus:W32/Sdbot.BPE.worm Disinfected C:\WINNT\system32\zzzxts.exe
Virus:Trj/Agent.ES Disinfected C:\WINNT\system32\zzzxvlece.exe

Now for HJT:

Logfile of HijackThis v1.99.0
Scan saved at 9:11:42 AM, on 1/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\msaxc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\srunner.exe
C:\WINNT\system32\srunner.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\PLUGINS\restore.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinterSpool] C:\WINNT\SYSTEM32\PLUGINS\restore.exe C:\WINNT\SYSTEM32\PLUGINS\spool.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = radco.local
O17 - HKLM\Software\..\Telephony: DomainName = radco.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = radco.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = radco.local
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: MS Update - Unknown - execute.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Python - Unknown - msaxc.exe (file missing)
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

I'm following your lead -- :D
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, Can't imagine why your Norton A/V did not alert you about Bagle...is it active, and are you subscribed to updates???????? That's to ponder later...now for some action:


Download Stinger by McAfee, it's a very small remover that takes out some of the most common worms etc.

http://vil.nai.com/vil/stinger/

Just run it and let it clean what it can. You may have to turn off Norton temporarily.


Reboot, run AdAware and SpyBot (check for updates for each before you scan) and run full scans, reboot between scans.

You will be in Safe Mode to do the rest...so copy these directions to a Notepad file like Help1.txt and save on the desktop so you can have it to look at in Safe Mode.

To get to Safe Mode, in case you don't know how, simply tap the F8 key repeatedly when the system starts or you restart it, just as you see text on screen...when you get the startup menu, select "Safe Mode" (only) and hit Enter key once, give it plenty of time to get to the desktop.

Run Hijackthis, if you see any of these items, put a check next to them and then, when you have them all, click "Fix checked": Have ALL OTHER windows closed please>

O4 - HKLM\..\Run: [PrinterSpool] C:\WINNT\SYSTEM32\PLUGINS\restore.exe C:\WINNT\SYSTEM32\PLUGINS\spool.exe

O23 - Service: MS Update - Unknown - execute.exe (file missing)

You will need to set these settings:

flrman1 said:
Because XP will not always show you hidden files and folders by default, Go to Start > Search>Files and Folders>> and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now, the trick is to find these files and delete them:


C:\WINNT\system32\msaxc.exe <no info found, do you recognize this file???? You can rename it to msaxc.txt...

C:\WINNT\SYSTEM32\PLUGINS\restore.exe <file

Next:
flrman1 said:
Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box, and OK. The Temp folder will open. Click Edit > Select All then File > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.

Next: Here is a Bagle removal tool that may help further:

Since you do not have an installed version of Panda, I think you would use these directions>

"""If you are not a Panda Software client:

If you have a computer network, you should disconnect the network cable from all the servers and workstations in order to prevent them from being affected again during the disinfection process.
Carry out the following disinfection steps in each computer in your network.

1. Download the free utility Panda QuickRemover by clicking on the icon below:"""

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=sol&idvirus=49863

The remover tool link is the blue box labeled "pqremove.com" BE SURE you follow the directions. Especially these> Even if Panda QuickRemover indicates that it hasn't detected any active viruses, click on Continue in order to perform a full scan!!!!!

Afterward, be sure you read and understand the "Means of Transmission" info, this worm is easy to get back, make sure all who use the computer and have access to email understand it too. It will infect entire networks easily. Apparently your Norton AV program is not updated or not configured to scan emails or your subscription to it has ended...if the year version is more than a year old, it's time to get something newer as the program engine will not be able to handle the newer things well even IF you keep it updated with detection updates. Panda might be a good choice for you!


Post new HJT log when you are ready.
 

mrajoiner

Thread Starter
Joined
Jan 25, 2005
Messages
27
Well, as stated earlier, this is my boss' laptop. I recently took over this network, and this is a part of it. I have Norton on our server, and installed it after I ran the virus scans you suggested.

Thanks again for all your help and again, i'm chasing the rabbit -

speak with you shortly --
 

mrajoiner

Thread Starter
Joined
Jan 25, 2005
Messages
27
Byteman, you are the absolute greatest!!! It's finally fixed!! The msaxc is still there...but the pop-up is gone!! :D

What in the world would I do without Tech Support Guy Forums?? Who knows - oh...go into Politics! (y) (y) (y) (y) (y) (y)

Logfile of HijackThis v1.99.0
Scan saved at 3:53:00 PM, on 1/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\srunner.exe
C:\WINNT\system32\srunner.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = radco.local
O17 - HKLM\Software\..\Telephony: DomainName = radco.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = radco.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = radco.local
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: MS Update - Unknown - execute.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Python - Unknown - msaxc.exe (file missing)
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, Great work! Sorry for the questions about Norton, I was just concerned about it not finding the worm...


Couple of things to try and fix....run a new scan, Normal mode should do for this run: Fix, have all other windows/browsers etc closed:

O23 - Service: MS Update - Unknown - execute.exe (file missing)

O23 - Service: Python - Unknown - msaxc.exe (file missing)

I have to say I don't know exactly what they are, but they do not look good and the files are gone anyway. Python I have seen, it's a programming language, but not seen very much in HJT logs. Might have been used by the malware.


Make sure you get the latest Windows Updates for your system, but wait on Service Pack 2, as you may be using special settings and programs that are not fully tested with SP2.

Your next step would be, after you make sure things are running OK, this:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

You turn it off, which removes all saved but infected Restore Points> reboot, as it tells you, and then create a new Restore Point.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK. Wait for hourglass to stop and it says
"Turned Off"

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

Let us know how that goes. After another "while" it would be a good idea to mark your thread "Solved" if you feel it is. You can still come here and post to it if you mark it solved. To mark, use the Thread Tools button at the top of the page. You do pretty good work there yourself! (y)
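
Added example (not part of the original thread, and not a tool anyone in it used): the entries picked out for fixing above, the O4 PrinterSpool autorun and the two O23 services marked Unknown / file missing, can be found mechanically by cross-checking a HijackThis log against the scanner report. The function names, the regular expressions and the SHARED_DIRS exclusion are assumptions of this example; the sample lines are copied from the logs posted in this thread.

```python
import ntpath
import re

# Sample lines copied from the HijackThis and Panda logs posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [PrinterSpool] C:\WINNT\SYSTEM32\PLUGINS\restore.exe C:\WINNT\SYSTEM32\PLUGINS\spool.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Update] update.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O23 - Service: MS Update - Unknown - execute.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Python - Unknown - msaxc.exe (file missing)
"""

SCAN_SAMPLE = r"""
Virus:Bck/Upder.A Disinfected C:\WINNT\system32\plugins\init.bat
Virus:Bck/mIRCBased.O Disinfected C:\WINNT\system32\plugins\download\msaxc.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINNT\system32\update.exe
"""

# Assumption of this example: directories shared with legitimate system files
# are too broad to use as an indicator (C:\WINNT is this machine's Windows dir).
SHARED_DIRS = {r"c:\winnt", r"c:\winnt\system32"}

# Full paths (may contain spaces) or bare file names ending in an executable type.
EXE_RE = re.compile(r'(?:[A-Za-z]:\\[^"]*?|[^\s\\"]+)\.(?:exe|bat|scr|dll)\b', re.I)
HJT_RE = re.compile(r"^(O\d+) - (.*)$")
SCAN_RE = re.compile(r"^(\S+) (\S+) ([A-Za-z]:\\.+)$")
ORPHAN_RE = re.compile(r" - Unknown - .*\(file missing\)$")


def parse_scan(text):
    """Return (detection, status, path) tuples from Panda-style report lines."""
    rows = []
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def triage(hjt_text, scan_text):
    """Return [(hjt_line, [reasons])] for O4/O23 entries worth manual review."""
    paths = [p.lower() for _, _, p in parse_scan(scan_text)]
    bad_names = {ntpath.basename(p) for p in paths}
    bad_dirs = {ntpath.dirname(p) for p in paths} - SHARED_DIRS
    findings = []
    for line in hjt_text.splitlines():
        m = HJT_RE.match(line.strip())
        if not m or m.group(1) not in ("O4", "O23"):
            continue
        code, detail = m.groups()
        reasons = []
        # Service registered with no vendor string and no file left on disk.
        if code == "O23" and ORPHAN_RE.search(detail):
            reasons.append("service with unknown vendor and missing file")
        for exe in EXE_RE.findall(detail):
            base = ntpath.basename(exe).lower()
            folder = ntpath.dirname(exe).lower()
            if base in bad_names:
                reasons.append(f"{base}: file name reported by scanner")
            if folder in bad_dirs:
                reasons.append(f"{folder}: directory with scanner detections")
        if reasons:
            # dict.fromkeys drops duplicate reasons while keeping their order.
            findings.append((line.strip(), list(dict.fromkeys(reasons))))
    return findings


if __name__ == "__main__":
    for entry, why in triage(HJT_SAMPLE, SCAN_SAMPLE):
        print(entry)
        for reason in why:
            print("    ->", reason)
```

A file-name match is only a prompt for manual review, since a legitimate program can share a name with a detected file.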
 

mrajoiner

Thread Starter
Joined
Jan 25, 2005
Messages
27
go figure - i walk into my office, and my boss has taken his laptop. he's on travel and will be gone for a few days. AAARRRGGGHHH!! We I.T. guys don't get any respect!!!

Thanks again for all your help.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, Got a PM from mrajoiner saying that the laptop had a problem and am waiting for a new HJT log to be posted.
 