After Trojan Removal - Repairs Needed

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by scottportraits, Dec 8, 2007.

  1. scottportraits

    scottportraits Private First Class

    Dec 8, 2007

    Hello Majors,

    I will reiterate all the steps I've already taken in purging malware. It started about a week ago, and I did almost everything you have on your list to deal with the trojans and malware. Now there is NO trace of malware. Repeated scans with the cafeteria of online and installed malware fighters is consistently coming up clean.

    But some damage was done to my "Application Management Services", and my browsers, which I will discuss below, after going down the list of steps taken so far.

    I ordinarily do basic PC maintenance steps regularly. Disk defragging (JKDefrag), disk clean-ups, CCleaner, ATF Cleaner, and purging past restore points except the most recent. When viruses strike I get the latest updates and run the scans in safe mode with System Restore turned 'off'.

    I have these anti-malware apps installed on my PC: 1) AVG Anti-Virus (subscription); 2) SUPER AntiSpyware - Free Ed.; 3) Spybot S&D; 4) SpywareBlaster; 5) SpywareGuard; 6) CWShredder; 7) Lavasoft Ad-Aware Free; 8) and Windows XP Firewall. I used to use Sygate firewall, but it wasn't 'co-operating' with all these scans, so I uninstalled it and re-enabled the XP Firewall. I also had AVG Free Anti-Spyware, but with SUPER AntiSpyware it seemed redundant to have two free apps like this, so I chose to uninstall the AVG one.
    As well, in the course of doing the scans last week, I used the free trial of Trojan Remover and online scans of Kaspersky and Panda.
    We did scan after scan after scan, until all traces were removed. We also ran fix-tools, like Dr Web CureIt, SDFix, ComboFix, etc......

    So here is the checklist of all I did to my rig up to today:

    1. Removed any superfluous apps not in use from Add/Remove Programs, and hunted up and down the list for malware progs....found none.
    2. Ran ATF Cleaner and CCleaner.
    3. Opened my start-up menu from Run > msconfig > start-up, and removed (unchecked) any extraneous or non-necessary items. My start-up run menu is down to bare necessity !!
    4. Do regular maintenance of PC with JKDefrag, Disk Clean-up, and resetting system restore points, and purging past system restore points.
    5. Have and run Norton's 'System Tools 2003' utilities like 'One Button Check-up', WinDoctor, and Disk Doctor (a hard-disk checker and fixer on restart). No problems of great import appeared, so I moved on......

    Now, here is a list of scans done, just to assuage your curiosity:

    AVG A/V; Spybot S&D; Ad-Aware; SUPER Anti-Spyware; Trojan Remover; Online free Kaspersky; and online free Panda. I also did a few AVG Anti-spyware scans while it was still installed on my PC, an eMachine W3502, with 1024MB RAM, and two internal HD's of 80GB each.

    I also wanted to test the hardware, just to make sure, so here is a list of my tests run on the hard stuff:
    HD Tune - all reports okay.
    SiSoft's 'SANDRA Lite' - a neat little app with lots of tests and diagrams, none of which indicated any hardware problems.
    MemTest86 - Ran this one all night on my two 512 MB RAM sticks, which came up clean with 0 errors.
    ComboFix - more on this later.
    SDFix - more on this later.
    ERUNT - not sure I know what to do with it, or the logs....
    Everest Home - logs, logs, logs....
    Norton Removal Tool - been a while, can't even remember this one !!
    VundoFix - ran a scan twice and came up clean.
    CWShredder - no traces from any recent scan.

    Emptied all quarantine vaults and recycle bins. The hidden AVG vault in C:\ has an 'FIL' file named 99101179.FIL, 53 KBs, and it says it is a system file and not to delete it...

    I rebooted the machine with the msconfig radio button for 'Normal Start-up mode'....noticed no rogue processes running in the background on their own.

    By the way, when I downloaded ComboFix and SDFix I got two trojans, and a virus from the site/download links you have there!! My AVG A-V quickly caught them and the names are:

    1. Trojan HorseGeneric9.ACFR{__}
    2. Trojan HorseGeneric5.GYX
    3. Tool.Prockill

    We all appreciate the info regarding these diag/fix tools, but please make sure your download sources and lines of communication aren't being hijacked to spread even more malware. It can be dangerous just getting the tools we need.

    It did immediate damage to my machine, like being hit by a torpedo, in milliseconds. I was booted offline, couldn't get my browser to open, and could feel the hit. It mega-hurted.

    I had a past copy of Dr Web CureIt, so I could start the damage control. Real drama. Diarrhea drama. Got the browser to open, and found SDFix and ComboFix from CNET Downloads, and ran them. (Deleted first copies of ComboFix and SDFix because they were infected carriers of trojans). SDFix was run in safe mode, 'System Restore' turned off.
    Came back, and purged all old restore points except last one (after repairs) setting up a new restore point, from the Disk Cleanup options tab.
    Heck of a way to get infected trying to fix old infections.

    By the way, last week after all these fixes, when IE7 and Firefox were behaving badly, I got out the dinky little XP System Restore disk that they give you when you buy an eMachine with XP burned in the cabinets. I ran the restore disk from boot-up, and chose to do a 'non-destructive' system file restore. All went well. But the browser and 'Application Management Service' terminating error 126 problem hadn't gone away.


    I ran MGTools and got 4 logs which I will zip in an archive and include.

    And so, after all my troubles with getting malware out and cleaning the system up, I find there are still broken parts that need to be fixed. No other tech-ers I know have a clue about it. It involves the "Application Management Services", which are terminated with an error 126. From the Event Viewer I see numerous error entries. Is it a back-up and reformat issue ?

    THAT is what I came here to get straightened out. I ran a diagnostic called WinPFind3 and have a lengthy log report, if anyone is interested.

    Is this a back-up and reformat issue ??

    "Application Management Problem after Malware Removal"
    Applic Mgt Service terminated, error 126

    There is still a problem with IE7, it won't allow Symantec's free Online Security Response scan to update or run. I usually do this free scan every month or so, or if I suspect a virus after my AVG scan comes up clean. Also, IE7 doesn't want to launch open when a hyper-link is clicked....it freezes up. This might be an Operating System issue for that forum....

    ....and my Mozilla (default) browser has not opened in days. It sends a window proclaiming that an instance of Firefox is already running (?) or restart the system. I uninstalled and re-installed Firefox, but the problem is still the same.

    Again, when I go to the Event Viewer and hit 'services', I find a long log with many errors, and many that say SideBySide on the right column. All new to me.....


    So help me find my way out of the wilderness. We need to get down and dirty here with this little rig of mine.....

    Very truly yours,

    -scottportraits

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    False positives. The sites and the downloads are clean. We test them all the time and there are no issues with them.

    What did? ComboFix? Note we did not ask you to run SDfix in the READ ME but it is not a problem either.

    If you got them from the links we give they are not infected. Thousands of people download from those links weekly.

    This is not really what we recommend in our procedures. We ask you to wait until your PC is confirmed to be clean.

    If your current Service Pack level did not match the level of the Recovery Disk, you changed your OS back to the version of the Recovery Disk. This was not a good thing to do, and why did you do it? Whatever problem you caused here is not a malware issue.

    This is due to what you did with the Recovery CD. You may have many mismatched versions of files for the Windows OS now.


    No we don't need it. Also you did not need to run all the other steps you ran either. All you need to do is what we requested in our READ & RUN ME.

    Unknown at this point. But your issue with the service belongs in the Software Forum.

    No! It was from using the Recovery CD. Using the Recovery CD may have changed many things and it may require reinstalling many updates for Windows and it may require reinstalling applications that are not working properly.

    You did not attach two of the requested logs ( ComboFix and AVG AntiSpyware) but I'm not sure we need them. Also you should have attached the correct unmodified copy of C:\MGlogs.zip, not one that you put your own copies of logs into. This ZIP file should contain 5 logs and they should not be named what you named them. However again, we may not really need this since your problems are most likely not malware related. It would be useful to see the MGlogs.zip file though because it should contain a HijackThis log which will give info on services.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And now I was just informed that you had another thread here: http://forums.majorgeeks.com/showthread.php?t=145264

    You should have followed our instructions and only our instructions and attached the requested logs so we could have helped you. Doing things on your own and running all kinds of miscellaneous scans and deleting who knows what is not the correct approach.

    We now really have no idea of everything you have done to your system by running through your own ad hoc process. It may just be best if you format and reinstall since you may have caused significant damage to your OS. Based on your first post you had been doing quite a variety of things on your own before you even came here.
     
  4. scottportraits

    scottportraits Private First Class

    Dec 9

    Right. I went through many processes and procedures I learned by trial and error from over the years BEFORE I EVEN GOT HERE.

    Sorry my work isn't regulation general issue stuff. It's a clean system now, except for the 'Application Management Services' failing with an error 126.....which no Googling could find.....

    So I'm here in the wilderness and trying to get back. Sorry I didn't follow your rules to a 'T', but that's the way it works out sometimes.

    Sorry again,

    - s

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I said previously we have no need to see a WinPFind3 log. It is of no use to us, especially for your current situation. The only thing we would still look at in the forum is the logs from the READ and RUN ME. And even that may not help us to know what you did to your services. My first guess would be that you may have deleted some DLLs that you need. My best guess is you deleted or installed the wrong version of appmgmts.dll. Run sfc /scannow from a command prompt to see if it locates any missing or corrupt files. However you really need a true Windows XP bootable CD for your Service Pack level. A System Recovery CD is not going to cut it.

    I see you are also looking for help here: http://forums.spywareinfo.com/index.php?showtopic=109619


    I see you have XP Home. The service you mentioned is not even available in XP Home. You should read this: http://support.microsoft.com/kb/328213/en-us
     
  6. scottportraits

    scottportraits Private First Class

    Dec 9, 2007

    Hello,

    Right. Some repairable corrupt files.....not a whole back-up and reformat job.
    Okay, so I've run the sfc /scannow tool that XP has from the Start > Run box three times now, last week, two days ago, and a few hours before this reply. Each scan has come up clean, proclaiming that "all protected windows system files were intact". So we know this for sure, without question. Right ? At least the important protected files.

    Sorry I got off to a bad start here, it feels so military-like and I was groping in the dark....and the other forum is where I finally mastered posting to these 'forum' deals, following their protocols, doing the steps in order, etc. I'm a newbie here, so cut a little slack, please.

    Let's see....I am assuming, then, that the logs you want are the following:
    - ComboFix
    - Spybot S&D
    - AVG Anti-Spyware (Is SUPER Anti-Spy as good?)
    - MGTools Logs

    And I herewith attach two zipped files with these items inside: the latest ComboFix log, and the 4 latest MGTools logs. Just take my word for it, since I've been running all these scans every day for a week or so, that the online Kaspersky and Panda scans come up clean, Spybot S&D comes up clean, and SUPER AntiSpyware free keeps coming up clean. So does A-Squared Trojan scans. I also have a subscription to AVG A-V, and its scans are all clean too.

    I will attach the two logs here. This may not be the exact protocol, but hey, I'm just learning here. I'll get the hang of it soon enough. Please accept them as they are.

    Listen, I know it's a b____, but I have no official XP install disk. Just the little dinky 'system restore' deal they sell with eMachines (and many others) that have XP home built-in to the CABS. If we need the genuine real article, it may take some doing. Maybe we won't need it.

    If this post is acceptable and we go any further, then I will explain the symptoms regarding the "Application Management Services" being stuck and getting error 126 messages. Basically, the browsers are damaged; I can't follow a link if it needs to open a new tab or window.....also, at 'Event Viewer', clicking 'services', we find a long list with lots of errors. More about this later.

    Sorry again for the misunderstandings,

    -scottportraits

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We don't request a Spybot log, and the log from MGtools is not one that you make. It is the file named C:\MGlogs.zip and this is exactly what it should be named and where it should be located. Do not attach one that you created from the files in the MGtools folder and do not rename it. The file is right there where the READ & RUN ME said it would be. Why aren't you attaching it?

    As I already said, I don't expect your problem is malware. I expect it is something you have done to your PC.


    You need to refer to the Microsoft link I gave to you in my previous post and contact Microsoft for a patch. Then if still having problems, you should post in the Software Forum. This is not a malware problem.
     
  8. scottportraits

    scottportraits Private First Class

    Dec 10 5.45pm est

    Hello,
    So sorry I have been having trouble figuring all this out....but I think the attachment here is what you are asking for, finally (whew!). Again, so sorry. Don't we learn a lot from mistakes ??

    I went to the MS site link you had posted. NONE of the symptoms at the top are like any I have, and I don't have the ones they list there. The following excerpt from the article is informative, but it may be a false lead.....which would be easy to check if they made it easy to get that patch. But they don't. You have to contact MS.....and ask (probably pay $35 for an 'incident')....I'll look into it later.

    "The Application Management service is not supported in Microsoft Windows XP Home Edition, and the Appmgmt.dll file is not included with Windows XP Home Edition. However, the registry setting that disables this service is not configured correctly in Windows XP Home Edition. Therefore, the Add Program routine tries to find the Appmgmt.dll file. When the Add Program routine cannot find the Appmgmt.dll file, the entry appears in the system log."

    - Italics are mine. It seems like a good lead, but the patch is not instantly available. Also, since I never had the browser problems like this, or seen errors galore in the 'Event Viewer' 'Services' tab, I can't see why XP Home's intrinsic weakness should be killing me now, after a serious two week bout with trojans. At any rate, I can e-mail all that to MS and see if they agree that the patch is right, or if they should charge me $35, or whatever.

    By the way, isn't it so very nice of MS to sell the XP OS to eMachines, Dell, etc with no real installation disk, so they can charge us a second time for the one system that they have already installed and sold once. Sometimes I think MS only cares about money.....trying to charge twice for one product !!! I looked deep into the files for a i386 file, I think, that I saw in a PC magazine, which stated that if you can find that file and copy/burn it to a CD then you would have an XP install disk. I didn't see this file deep in there where the article said it would be, so MS must be leaving it out or hiding it somewhere else. Bottom line: no XP install CD.

    The right .zip file is attached to this post. I didn't think you'd need to see the ComboFix log again. As I said earlier, I did the sfc /scannow check from Start > Run, and they all said the protected files were intact.

    I think the malware specifically smashed the browser-capabilities, because they were the first signs that I was already infected, two weeks ago. This one problem persists. Firefox won't launch at all, and IE7 won't launch a new window to any hyper-link that is clicked. And the Event Viewer is riddled with errors.

    Hope I have not strained your patience too much. The holiday seasons are hard on a lot of us. Me in particular. It will be a Herculean chore to fix this right again.

    - yours truly,

    -scottportraits

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry but there is nothing else I can do for you in this forum. You are not having malware problems. You will have to work with Microsoft or you can attempt to get help for your issue in the Software Forum where you can work through your Event Log messages and the Application Management Service issues.

    You have your facts wrong. It is Dell and eMachines who are not providing you with the OEM disks they should be giving to you. It is Dell, eMachines and many others who are being cheap and trying to save on the costs of shipping the CDs.

    And this still shows no malware. Just a few left over registry keys from uninstalling valid software. You can have HijackThis fix the below lines but they have nothing to do with your problem:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
     
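The three HijackThis lines chaslang quotes above are the classic shape of post-cleanup residue: a registry entry that still names a CLSID or file, but the file is gone, which HijackThis marks "(no file)". Below is an added example, not from the original thread or from HijackThis itself, that parses log lines in that format and separates entries that are safe to let HijackThis fix (orphaned "(no file)" entries and a blank ProxyServer value) from entries whose target is still on disk and therefore need a human judgement call. The three quoted lines are included verbatim as sample input; the two extra "healthy" lines, their paths and the CLSID {11111111-2222-3333-4444-555555555555} are constructed for contrast and do not refer to any real product.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: the three entries quoted in the thread plus two
# made-up entries whose targets are present on disk (hypothetical paths/CLSID).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\tray.exe
"""

# HijackThis entries start with a section code (R1, O2, O4, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
# Registry-style GUID as it appears in BHO / URLSearchHook entries.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    kind: str
    body: str
    clsid: Optional[str]
    verdict: str   # "orphaned" | "empty" | "present"
    reason: str


def classify(kind: str, body: str):
    """Heuristic triage (an assumption of this example, not a HijackThis rule)."""
    if "(no file)" in body:
        return "orphaned", "registry entry points at a file that is no longer on disk"
    if kind == "R1" and body.rstrip().endswith("ProxyServer ="):
        return "empty", "proxy setting key exists but is blank; no proxy is configured"
    return "present", "referenced file exists; leave alone unless identified as malware"


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for header/non-entry lines."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    clsid = CLSID_RE.search(body)
    verdict, reason = classify(kind, body)
    return Entry(kind, body, clsid.group(0) if clsid else None, verdict, reason)


def triage(log_text: str) -> List[Entry]:
    """Parse every entry line in a HijackThis-style log."""
    return [e for e in (parse_entry(l) for l in log_text.splitlines()) if e]


def safe_to_fix(entries: List[Entry]) -> List[Entry]:
    """Entries that only remove dead references; fixing them cannot unload live code."""
    return [e for e in entries if e.verdict in ("orphaned", "empty")]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:3} {e.verdict:9} {e.clsid or '-':40} {e.reason}")
```

The split matters in practice: an "(no file)" BHO or URLSearchHook entry is pure registry debris, so removing it is reversible and harmless, whereas an O2/O4 entry whose file is still present is live code and should be identified (vendor, hash, signature) before anything is deleted, which is exactly why chaslang distinguishes "left over registry keys" from an actual infection.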
