Malware Damage to Browser/OS; Application Management Services Errors 126

Discussion in 'Software' started by scottportraits, Dec 12, 2007.

  1. scottportraits

    scottportraits Private First Class

    Dec 12, 2002

    I have an eMachine W3502 desktop PC. It came with XP Home v.2002 SP2 pre-installed, and supplied with a system restore disk.

    The question of the day is this:

    Can we fix this PC without a destructive take-down and reformat?

    I would abhor the whole process, and will do anything reasonable to avoid such a drastic and time consuming endeavor.
    I was infected with three trojans last week and have spent many days cleaning and scanning and running tools like SDFix, ComboFix, and Dr Web CureIt. I lost no data (Whew!).
    I already ran a "non-destructible" system restore, and before and after that ran
    sfc /scannow three times to make sure that all protected files were intact. The tests said they were, thrice.
    Let me quickly list the key symptoms that have beset my rig....which is now free of malware, but apparently not malware damage.
    My default browser, Mozilla Firefox, will not launch. An error message pops saying an instance is already running, so reboot. I haven't been able to see that browser since Dec 2nd !!
    Next, My IE7 browser will not connect to a site if I'm surfing and see a link to click. Normally, you just hover and click on a hyper-link and a new window opens and the page is loaded. Well, the window opens, but stays white....in limbo.....never arriving at the destination.
    Also, I have run Symantec's online virus scan dozens of times through IE7 in times past without being 'script-blocked'. But now, since the malware attack, I cannot get the script to run through this browser, hence, no scan.
    Finally, I used the 'Camera/Scanner Wizard' a lot to upload photos from the little memory card that slides right into a slot, drive:\J, and the wizard always found the data and fed it into a folder. Now, it no longer functions. The wizard refuses to detect, even when I plug the camera in via a USB cord, and there's an installed driver for the camera where it should be.
    Oh yeah, one last symptom (besides all the error messages in the "Event Viewer"): On reboot yesterday morning a warning shield in the icon tray popped saying my firewall was disabled. This is in a 'malware clean' machine. I went to XP firewall and saw I had to 'Start' the Internet Connection Sharing Service....which was now reverted to 'manual'. When I checked this service two days before it was set correctly on 'Automatic' and 'Started'. Somehow (?) it switched to 'manual' and needed manual starting. No idea how this happened, but it hasn't happened since. Just that one time.
    I think the malware specifically broke something that goofs-up browsers pretty seriously.
    Like I say, if you go to control panel > administrative tools > application management > "Event Viewer" > services tab......you find many red X's and errors since around Dec 4, while I was still clearing out malware. A tech expert told me about this place to look and see the errors, and he saw a WinPFind3 scan log I had done. He said it was an "Application Management Services" issue, and was generating an error # 126.
    Error # 126 - Could not get local SMS.INI for current machine.
    Applies to : Microsoft Systems Management Server 1.0 • Microsoft Systems Management Server 1.1 • Microsoft Systems Management Server 1.2
    I got that when I went to the MS site and researched this issue, error 126, and Application Services Manager.....here is the link:
    http://support.microsoft.com/kb/328213/en-us
    The article boils down to this summation of the cause (different symptoms, but same terminology):

    CAUSE (from MS article 328213)
    "The Application Management service is not supported in Microsoft Windows XP Home Edition, and the Appmgmt.dll file is not included with Windows XP Home Edition. However, the registry setting that disables this service is not configured correctly in Windows XP Home Edition. Therefore, the Add Program routine tries to find the Appmgmt.dll file. When the Add Program routine cannot find the Appmgmt.dll file, the entry appears in the system log."
    And..."Note This fix was repackaged on March 27, 2003, with an updated Windows Service Pack Setup installer (Update.exe) that corrects the issue that is documented in Microsoft Knowledge Base article 817084."
    We will have to work through my "Event Log" error messages, and this "Application Management Services" error 126 issue.
    Maybe I deleted some DLLs that are now needed by the system. Maybe it's the wrong version of appmgmts.dll .....? I wonder if I can fix it with one of MS's 'patches'. I wonder if I can get it free?
    The line that gets me the most in the article is this one:
    "....the registry setting that disables this service is not configured correctly in Windows XP Home Edition. Therefore, the system's routine tries to find the Appmgmt.dll file, and fails."
    If MS never had "Application Management Services" supported in XP Home, and the registry settings that support this service are 'not configured correctly', then how was I able to manage my services (and browsers) 'automatically' for a year and a half until this malware attack? Like I said, I think the malware specifically broke something that goofs-up browsers pretty seriously.
    If I know the name of a missing file that I need, and it's on an XP OS full install disk, then maybe I can get a friend to copy that one file and let me put it where it belongs.
    Please find a patch, a fix, or a way to repair this without a destructive tear-down and re-build. I'm loath to do a destructive re-build.
    So see if there are any 'browser repair experts' there at MG's who might have a clue as to an easy way out for me.
    I can submit the WinPFind3 log if you would find it useful. I also have a ComboFix log, and can make you up a HiJackThis log in a minute.
    Please help me iron out this bug, and we will all have a happy holiday season.

    Yours truly,
    -scottportraits
     
  2. scottportraits

    scottportraits Private First Class

    Dec 12, 2007 5.40pm est

    Hello MG's,

    Here are the logs I have from Combo.fix, and MGTools. I ran Spybot and there was nothing found, so that log is probably unnecessary. I'll include it here because there are some 'log' entries that look funny, although they are not considered an immediate threat. "Webmess" always looked suspicious to me.
    Also ran SUPER Anti-Virus freeware and it too keeps coming up clean. And I ran my AVG anti-virus subscription....it too came up clean. There are logs, but why would you want them if they report no infection?

    Here is the ComboFix log. Your system would not let me upload the MGlogs.zip..............because it has already been posted in this thread - http://forums.majorgeeks.com/showthread.php?t=145370, so I guess someone will need to navigate there and download it. So sorry, it just wouldn't allow it.

    I can also send you a WinPFind3 log I ran a few days ago, and the SDFix log, the CatchMe log, Deckert's system info scan log, if you want any of them.

    Thanks, and sorry I couldn't get the MGLogs.zip to upload here...click the link and you can find it there.

    Yours truly,

    -scottportraits
     


  3. plodr

    plodr Major Geek Super Extraordinaire

    1. Ctrl+alt+del and see if firefox.exe is running; if it is, end the process then try to launch your browser.
    2. If you click on programs, Mozilla Firefox, click on Mozilla Firefox (Safe Mode) and see if it will launch without any addons nor themes. If it does, we can create a new profile and delete the old broken one.
    3. If the browser doesn't launch, it might be easier to add/remove it thru control panel and then just install a fresh copy.

    Here is an article on resetting values in IE 7
    http://support.microsoft.com/kb/923737
    If that doesn't appear to fix it, again, you may need to add/remove IE 7 thru control panel and revert back to IE 6 for a short time until you can update again and hope it is loaded with the proper settings.
     
  4. scottportraits

    scottportraits Private First Class

    Dec 13, 2007

    Hi Sgt,

    From the Task Manager, under running 'Processes', there is no firefox.exe on the list.......

    The first thing I did when Firefox wouldn't launch last week on Dec 2, was to uninstall and re-install a fresh copy from the Mozilla site. Now, for some reason, it does NOT show up on the list when you go to Start > Programs. I remember you could start it in a safe-mode, but it is not on the list anymore. Mozilla Firefox is listed as an installed app in the Add/Remove programs...

    ....So I uninstalled it, deleted the remaining folder in C:\Program files, rebooted, went to the Mozilla site for a fresh download, and installed it again.
    It still generates the same error message...that it is already running...even if I try to start it from 'safe-mode'.


    The malware attack included a trojan that I think aimed to damage our browsers. This is one of the Trojans from the Kaspersky scan log of Dec 5:


    "","","Trojan horse Generic5.GYX","D:\System Volume Information\_restore{4AC2E5A3-6484-4101-B094-201A739FC30E}\RP171\A0050827.exe","12/3/2007 12:10:33 AM","A0050827.exe","5.14 KB"

    As for IE7, I already went to Tools > Internet Options > Advanced and hit the Reset Advanced Defaults button a few days ago; and I just tried it again last night....but it made no difference. Still same problem.

    I am wary of uninstalling IE because I heard it is a hard task to do, for some reason. Does IE7 revert back to IE6 when you try to uninstall it from Add/Remove Programs ??

    -Thanx Sgt.,

    scottportraits
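
The scan-log line quoted in the post above, parsed as an added example (not part of the original thread): it splits the CSV fields and reports whether each detected file sits inside an XP System Restore store (`System Volume Information\_restore{GUID}\RPnnn`), that is, a backed-up copy held in a restore point rather than a file in its live location. The column names are assumptions inferred from the quoted line, and the second sample row is constructed.

```python
import csv
import io
import re
from ntpath import basename  # Windows path rules regardless of host OS

# Column names are assumptions; the quoted export line carries no header.
FIELDS = ["col1", "col2", "detection", "path", "timestamp", "file", "size"]

# XP System Restore keeps backed-up copies under
# <drive>:\System Volume Information\_restore{GUID}\RP<n>\
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)

# Row 1 is the line quoted in the post; row 2 is constructed for contrast.
SAMPLE_LOG = r'''"","","Trojan horse Generic5.GYX","D:\System Volume Information\_restore{4AC2E5A3-6484-4101-B094-201A739FC30E}\RP171\A0050827.exe","12/3/2007 12:10:33 AM","A0050827.exe","5.14 KB"
"","","Trojan horse Example.A","C:\Documents and Settings\user\Local Settings\Temp\sample.exe","12/3/2007 12:11:02 AM","sample.exe","7.00 KB"
'''


def classify(row):
    """Turn one CSV row into a dict and tag where the detected file lives."""
    rec = dict(zip(FIELDS, row))
    m = RESTORE_RE.match(rec["path"])
    rec["in_restore_point"] = bool(m)
    rec["restore_point"] = int(m.group("rp")) if m else None
    rec["drive"] = rec["path"][:1].upper()
    # Sanity check: the file-name column should match the end of the path.
    rec["name_matches"] = basename(rec["path"]).lower() == rec["file"].lower()
    return rec


def parse_log(text):
    """Parse every well-formed row; blank or short rows are skipped."""
    rows = csv.reader(io.StringIO(text))
    return [classify(r) for r in rows if len(r) == len(FIELDS)]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        where = (f"restore point RP{rec['restore_point']} on {rec['drive']}:"
                 if rec["in_restore_point"] else "live file system")
        print(f"{rec['detection']:28} {rec['file']:14} {where}")
```
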
     
  5. plodr

    plodr Major Geek Super Extraordinaire

    IE 7 is supposed to revert to IE 6 when you uninstall it but since it is from MS, there are no guarantees.
    If you search for Firefox, can you find firefox.exe? Check every location and delete any that are not dated from the fresh install.

    Let's try a fresh browser - Opera. Can you get that installed and working?

    I know malware removal can really take its toll. If Opera doesn't work, I'd say, grab everything you want, burn it to a CD for safe keeping and then do a clean install.

    Another option, create another user. See if you can install FF or get IE working for this user.
    If so, someone more familiar with XP might be able to tell you how to get your data from the broken user account into the new working account.
     
