BleepingComputer.com: Malware Removed but O/S Problems Remain

Hello, My name is wayne c. in the Forum. I have been in the MALWARE forum for the last week or so working with Myrti to remove a SINOWAL trojan. The infection seems to be removed but there are some problems with my Windows XP SP3 Home O/S caused by the trojan and/or it's removal. Please read the topic entitled "SINOWAL Trojan infection" to get some background info. Myrti said I should post a new topic in this forum as her area of expertise is in malware removal vice internal O/S problems. As I indicated in my Topic description I believe my no. 1 problem is geting the COM+ System Application service started. When I try to start it manually in Services it starts but immediately encounters an unexpected error. In the MALWARE forum I sent Myrti the first 4 error message in the Application Log that get logged after this attempted start up. I actually found a MS article (916254) that describe the errors I see but the article has to do with installing SP2 whereas my system is SP3. It also talks about a solution that involves running secpol.msc which is not on my system. There as some other problems that I'm having as well such as my CD Writing Wizard no longer recognizes that there is a CD in my drive. This & some other issues are also discussed in the Malware Forum topic thread.

Thanks for any assistance you can provide,
wayne c.

What are these O/S problems that you refer to?

What information is provided on such in Event Viewer?

How To Use Event Viewer - http://www.bleepingcomputer.com/forums/topic40108.html

What onscreen error messages appear?

Have you tried a repair install of XP?

FWIW: Malware and removal of such...may damage key system files. Contrary to what some believe...removing the malware may not be enough to restore system performance to normal.

Louis

Hi Louis, All my problems are documented in the post entitled Sinowal Trojan infection. When I try to manually start the COM+ System Appliction Service I get the error :"Could not start the COM+ System Application Service on Local Computer. Error 1067. The process terminated unexpectantly." I get a bunch of errors resulting from this attempted start in both the system and application logs of Event Viewer. These are also documented in the Sinowal Trojan infection topic posts. I have not tried a repair installation. One problem I would have with this is my Dell reinstallation CD is SP2 and I'm running SP3...so repairing anything upgraded to SP3 would be a problem.. besides I ran SFC and it does not find anything corrupted. I realy believe if I could find the solution to this one problem, it might be the key to some of my other problems. I found a MS article entitled 916254 which describes my com probs to a T. I don't know how to implement their solution tho because they talk about running something called secpol.msc which is not on my system. This seems kinda strange since the article applies to XP Prof & XP Home Edition. ANY ideas here? IS MSCPOL something that I could download & use on my XP Home system.
Thanks, Wayne

<<...besides I ran SFC and it does not find anything corrupted.>>

I'm not sure what you did, but...

FWIW: You cannot run sfc /scannow...with a CD that does not reflect the current SP...and expect it to be accurate. My experience is that it won't even run under such circumstances.

If you had SP3 installed and then attempted a repair via a CD with SP2...that might account for your current problems.

http://support.microsoft.com/kb/916254

Even though that portion of the article...appears to relate to XP Home and XP Pro..it does not.

XP Home users cannot join a domain, that's one of the differences between XP Home and XP Pro.

Secpol.msc is part of XP Pro installs, local security policy management console. Does not exist for XP Home users.

Sooo...unless you have XP Pro installed, the above link really cannot refer to your situation, even though the error message appears to be the same.

My guess would be that you should create a slipstreamed CD (which includes SP3) or reinstall SP3 in an effort to correct things. In any case, those are the two things I would try.

I don't know whether your CD can be easily slipstreamed, but I would try it. Others seem to think that Dell reinstall CDs are the same as Microsoft XP install CDs...it won't hurt to try slipstreaming it, I suppose.

Louis

Louis, I'm going to back up a bit and tell you why I focused in on trying to find out why I could not start my COM+ System Application service. Looking at my System log with Event viewer I get the following errors everytime I boot up.

-17 of these errors in succession

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: 3/21/2010
Time: 7:12:09 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: WCUSHING
Description:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

FOLLOWED BY SEVERAL OF THESE MESSAGES

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 3/20/2010
Time: 8:15:45 AM
User: NT AUTHORITY\SYSTEM
Computer: WCUSHING
Description:
The server {E579AB5F-1CC4-44B4-BED9-DE0991FF0623} did not register with DCOM within the required timeout.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


SO NATURALLY I GO TRY TO OPEN THE COMPONENT SERVICES TOOL TO MODIFY THE PERMISSIONS FOR THIS COM SERVER APPLICATION (IE, WMI ). WHEN I TRY TO OPEN THE COMPUTERS FOLDER, IT WON'T OPEN & I GET THE FOLLOWING ERRORS IN THE SYSTEM LOG



Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 3/22/2010
Time: 6:38:24 PM
User: NT AUTHORITY\SYSTEM
Computer: WCUSHING
Description:
The COM+ System Application service was successfully sent a start control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 3/22/2010
Time: 6:38:24 PM
User: N/A
Computer: WCUSHING
Description:
The COM+ System Application service entered the running state.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7031
Date: 3/22/2010
Time: 6:38:24 PM
User: N/A
Computer: WCUSHING
Description:
The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


THIS SEQUENCE REPEATS A BUNCH OF TIMES. SO I FIGURE THAT COMPONENT SERVICES IS ATTEMPTING TO START THE COM+ SYSTEM APPLICATION SERVICE

THUS, I AM TRYING TO RESOLVE WHY THE COM+SYSTEM APPLICATION SERVICE TERMINATES BECAUSE I WANT TO GET INTO COMPONENT SERVICES TO FIX THE WMI SECURITY PERMISSION PROBLEM.

DOES THIS MAKE SENSE??

R/ Wayne C.

Hi Wayne -
(Sorry to add to your post Louis)
this item from Paul Thurrett will show you how to "slipstream" your XP SP2 CD into an XP SP3 - You can then use it to run scf /scannow - I needed it to reinstall my Windows Defrag program as my CD was not SP3 (which I was running) - Hope it is helpful -
Also I am not sure if you have run a full 5 stage DSK CHK - Copy and paste this code into Start > Run Box then click OK to start it - It will run for about 30 mins and reboot your computer -

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30

Thank You -

This post has been edited by noknojon: 22 March 2010 - 06:49 PM

I have XP Pro and looked at my ImpersonatePrivilege settings like the article said and user Jose is not listed (but I don't have your problem!).

I pretended I did not have secpol.msc and needed to add user Jose so I used the ntrights command from a command prompt to add to add user Jose to the ImpersonatePrivilge setting.

I checked secpol again and Jose is now there, then I removed Jose - not using secpol.msc.

If that is all you need to do, you can do it but I don't have your problem so I don't know if it will fix you up.

Read this article:

http://support.microsoft.com/kb/315276

Download the NT Resource Kit, from the link in the article and install it, open a command window, find ntrights.exe and run something like this:

ntrights -u Jose +r SeImpersonatePrivilege

Then I ran:

ntrights -u Jose -r SeImpersonatePrivilege

Running ntrights by itself will give you some poor help.

I got a success message both times and what I see in secpol.msc follows the commands I run by hand.

Now you can accomplish that indicated secpol function without using secpol.msc.

The referent for your CLSID 1F87137D-0E7C-44D5-8C73-4EFFB68962F2 (that's a registry entry) turns out to be WMI, a key component.

Info, http://www.liutilities.com/products/wintas...brary/wmiprvse/

Unfortunately...I'm not smart enough to know how to determine what the problem might be or how to fix it...other than an attempted repair install.

FWIW: Event Viewer items marked "information" normally do not require user action/concern. Lots of internal status reports generated by Windows result in these.

Louis

Hi, sfc /scannow runs to completion & never asks for a cd so I can only conclude that it has detected no corruption in my o/s files. Just outta curiosity, why do you think I should run chkdsk. I'm not really getting errors that I would associate with bad disk sectors or anything like that. Thanks for the slipstream article. The only issue there is I haven't tested my burner since I started having problems. Therefore, I'm not sure if it works. Roxio is the s/w I use for burning cds. I have been having trouble with my XP Writing Wizard recognizing that there is a cd in the drive but maybe Roxio will do ok.
Thanks, Wayne

...and I don't know if secpol.msc is supposed to be in XP Home or not. My secpol.msc for XP Pro is in c:\windows\system32 (you looked on your system for secpol.msc, right?)

I know Home does not have gpedit.msc (Group Policy Editor), but all that GPE stuff can be manipulated through the registry in Home, so you really don't "need" gpedit. The setting seem to want are not in the registry or I would have told you how to do that.

I wonder if you just copied secpol.msc or gpedit.msc from some XP Pro system to your XP Home system if it would work...

All, I think, before undertaking a repair, as some have suggested, I will try to clean up my COM+ catalog using the process described in MS article 315296. Has anyone tried this before? I'm not sure what it uses to reinstall COM+. It doesn't appear that it will ask for a CD so I assume it uses stuff in the I386 directory. Has anyone done this before?

All, Well back to the drawing board. Windows XP Home does not have a WINDOWS COMPONENT to Add/Remove as directed in KB article 315296

All, Forget that...I found it..it is on the lefthand side of the add/remove screen...I was looking for it as if it were a regular program

So what's your system status right now?

Louis

Well, Louis, I've gotten down to the last part of KB 315296 where it says to Add/Remove Windows Components and it brings up a list of components (non of which is COM+). Some are checked, some are not. They are:

Manage & Monitor
Fax Services
Indexing Services
Internet Explorer
Mgmt & Monitoring
MSN Explorer
Networking Service
Other Network File & Print Services
Outlook Express
Update Boot Certs
Windows Media Player
Windows Messenger

The instructions say to hit Next & continue w/o checking or unchecking items, ie,I did do take defaults. I'm uncomfortable doing that because I wasn't expectiong a list and if there was a list I was expecting it to at least list COM+

Have you or anyone at bleeping computer done this. I'm looking for someone to say...yeh, Wayne everything is fine...go ahead & hit NEXT. I did create a restore point so, hopefully, if it screws things up I can recover.

R/ Wayne