cjohn Posted February 14, 2013

Hi all,

Yesterday, I installed the latest Windows Update, which includes some Windows Malicious Software Remover (maybe not exactly this name, but almost it). After it was installed, it started up and reported that some virus or malware was found, asking me whether to remove it. Of course I clicked yes. So far so good, and then I turned off my notebook and went to bed.

But today, when I started up my XP system (SP3), in the bottom-right tray, it is always saying that it is "acquiring network address". It is forever in this state, though I can connect to the internet and "ipconfig" in the console shows that my notebook already got assigned a DHCP address.

Later, I googled this symptom, and found that it is because the NLA (Network Location Awareness) service didn't get started. OK, I tried to start the service, but came across the following error:

Error 127: The specified procedure could not be found.

I tried "sfc /scannow" while inserting my Dell Windows XP Reinstallation CD. After the process finished, the problem remained the same.

Looks like something is wrong with the svchost process, but I don't know what the problem is. I have a vague impression that the Windows Malicious Software Remover removed some virus/malware in svchost. Is it the cause? But the removing process is irreversible, so I don't have a way to test it.

I tried Windows Update, and it says my system is up to date.

At my wit's end now. Hopefully, I can get some suggestions here.
Guest Posted February 14, 2013

Can you attach the mrt.log? It's located in C:\Windows\Debug\
cjohn Posted February 14, 2013

> Can you attach the mrt.log? It's located in C:\Windows\Debug\

Here it is:

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v3.12, October 2010
Started On Wed Oct 27 13:11:05 2010
WARNING: Security policy doesn't allow for all actions MSRT may require.
Engine internal result code = 80508015
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 27 13:11:44 2010
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v3.12, October 2010
Started On Wed Oct 27 13:17:44 2010
WARNING: Security policy doesn't allow for all actions MSRT may require.
Engine internal result code = 80508015
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 27 13:18:20 2010
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v3.13, November 2010
Started On Wed Nov 10 12:35:43 2010
->Scan ERROR: resource process://pid:2180 (code 0x00000005 (5))
Engine internal result code = 80508015
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Nov 10 12:37:19 2010
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v3.14, December 2010
Started On Thu Dec 16 09:55:32 2010
Engine internal result code = 80508015
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Thu Dec 16 09:57:09 2010
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v3.15, January 2011
Started On Wed Jan 12 09:30:21 2011
Engine internal result code = 80508015
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 12 09:36:04 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v3.16, February 2011
Started On Wed Feb 09 11:46:49 2011
Engine internal result code = 80508015
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Feb 09 11:51:27 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v3.17, March 2011
Started On Thu Mar 10 12:12:35 2011
->Scan ERROR: resource process://pid:1832 (code 0x00000490 (1168))
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Thu Mar 10 12:15:21 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v3.17, March 2011
Started On Fri Apr 01 13:17:04 2011
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Fri Apr 01 13:22:04 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v3.18, April 2011
Started On Thu Apr 14 18:03:07 2011
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Thu Apr 14 18:05:43 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v3.18, April 2011
Started On Wed Apr 27 11:45:34 2011
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 27 11:53:04 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v3.19, May 2011
Started On Wed May 11 09:09:10 2011
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed May 11 09:11:40 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v3.20, June 2011
Started On Wed Jun 15 09:34:49 2011
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jun 15 09:37:07 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v3.21, July 2011
Started On Wed Jul 13 10:29:54 2011
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jul 13 10:32:55 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v3.22, August 2011
Started On Wed Aug 10 09:28:15 2011
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Aug 10 09:31:14 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.0, September 2011
Started On Wed Sep 14 07:27:49 2011
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Sep 14 07:30:28 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.0, September 2011
Started On Wed Sep 28 21:57:00 2011
->Scan ERROR: resource process://pid:1816 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2372 (code 0x00000490 (1168))
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Sep 28 21:59:42 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.1, October 2011
Started On Wed Oct 12 10:24:45 2011
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 12 10:27:09 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.2, November 2011
Started On Wed Nov 09 21:56:31 2011
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Nov 09 21:58:46 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.3, December 2011
Started On Wed Dec 14 19:42:49 2011
->Scan ERROR: resource rootkit:// (code 0x0000054F (1359))
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Dec 14 19:45:17 2011
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.4, January 2012
Started On Wed Jan 11 21:46:55 2012
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 11 21:49:08 2012
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.5, February 2012
Started On Wed Feb 15 20:54:30 2012
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Feb 15 20:57:27 2012
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.6, March 2012
Started On Tue Mar 13 18:29:50 2012
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Mar 13 18:32:42 2012
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.7, April 2012
Started On Wed Apr 11 11:22:20 2012
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 11 11:32:57 2012
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.8, May 2012
Started On Thu May 10 23:54:34 2012
->Scan ERROR: resource rootkit:// (code 0x0000054F (1359))
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Thu May 10 23:57:16 2012
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.9, June 2012
Started On Wed Jun 13 00:47:30 2012
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jun 13 00:50:02 2012
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.10, July 2012
Started On Tue Jul 10 19:49:08 2012
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Jul 10 19:51:51 2012
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.11, August 2012
Started On Thu Aug 16 20:58:56 2012
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Thu Aug 16 21:01:55 2012
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.12, September 2012
Started On Wed Sep 12 02:06:13 2012
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Sep 12 02:08:52 2012
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.13, October 2012
Started On Wed Oct 10 16:13:39 2012
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 10 16:16:32 2012
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.14, November 2012
Started On Sat Nov 17 17:32:51 2012
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Sat Nov 17 17:35:56 2012
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.15, December 2012
Started On Thu Dec 13 01:14:21 2012
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Thu Dec 13 01:17:08 2012
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.16, January 2013
Started On Wed Jan 09 22:18:07 2013
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 09 22:21:04 2013
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.17, February 2013
Started On Tue Feb 12 20:16:26 2013
Quick Scan Results for 56F05F79-C63B-4FBC-8C81-A34537370F19:
----------------
->Scan ERROR: resource rootkit:// (code 0x0000054F (1359))
Threat detected: TrojanDropper:Win32/Sirefef.B
    file://C:\Documents and Settings\Administrator\Local Settings\Application Data\7df34ac6\X
        SigSeq: 0x0000B378189736F0
        SHA1: 72745000207FF4261713407035983239611AE6C2
    winlogonshell://HKCU@S-1-5-21-1482476501-1532298954-839522115-500\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:C:\Documents and Settings\Administrator\Local Settings\Application Data\7df34ac6\X
Threat detected: Trojan:Win32/Sirefef.H
    driver://Serial
    file://C:\WINDOWS\system32\DRIVERS\serial.sys
        SigSeq: 0x00009C7852D46378
        SHA1: 073D45D442D82FDB8B08C063DAE0A5ECF39CE997
Threat detected: Trojan:Win32/Sirefef.O
    file://C:\WINDOWS\3326800765:2181870905.exe
        SigSeq: 0x00001020ABA6821F
        SHA1: F5F7AF21AD46782C562291A280482216DAFA6204
    regkey://HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\7df34ac6
Threat detected: Trojan:Win32/Sirefef.BB
    file://C:\WINDOWS\assembly\GAC_MSIL\desktop.ini
        SigSeq: 0x00000555145B4DD0
        SHA1: 4721B18F4F974FC9D889CC160EA08ED0F93CFB04
Quick Scan Removal Results
----------------
Start 'remove' for regkey://HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\7df34ac6
Operation succeeded !
Start 'remove' for winlogonshell://HKCU@S-1-5-21-1482476501-1532298954-839522115-500\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:C:\Documents and Settings\Administrator\Local Settings\Application Data\7df34ac6\X
Operation succeeded !
Start 'remove' for driver://Serial
Operation was scheduled to be completed after next reboot.
Start 'remove' for file://\\?\C:\WINDOWS\system32\DRIVERS\serial.sys
Operation succeeded !
Start 'remove' for file://\\?\C:\WINDOWS\assembly\GAC_MSIL\desktop.ini
Operation succeeded !
Start 'remove' for file://\\?\C:\WINDOWS\3326800765:2181870905.exe
Operation succeeded !
Start 'remove' for file://\\?\C:\Documents and Settings\Administrator\Local Settings\Application Data\7df34ac6\X
Operation succeeded !
Results Summary:
----------------
For cleaning Trojan:Win32/Sirefef.H, the system needs to be restarted.
Found Trojan:Win32/Sirefef.BB and Removed!
Found Trojan:Win32/Sirefef.O and Removed!
Found TrojanDropper:Win32/Sirefef.B and Removed!
Microsoft Windows Malicious Software Removal Tool Finished On Tue Feb 12 20:22:50 2013
Return code: 10 (0xa)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.17, February 2013
Started On Tue Feb 12 20:24:41 2013
Microsoft Windows Malicious Software Removal Tool Finished On Tue Feb 12 20:25:47 2013
Return code: 6 (0x6)
Guest Posted February 14, 2013

Looks like you were infected with the Trojan:WinNT/Sirefef.H. Did you run any keygens or cracks lately?

I don't see anything the MSRT cleaned that could be causing the problem. Please run the Eset online scanner and post the results.
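Reading an mrt.log the way the reply above does can be scripted; the following is an added example, not part of the original thread. It assumes the log is in its on-disk layout (one record per line), the function names `parse_runs` and `triage` are hypothetical, and the embedded sample is constructed from abridged entries of the log posted above.

```python
import re

BANNER = re.compile(r"Microsoft Windows Malicious Software Removal Tool (v[\d.]+), (.+)$")
# Constructed sample: abridged entries in the mrt.log layout posted in this thread.
SAMPLE_LOG = r"""
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.16, January 2013
Started On Wed Jan 09 22:18:07 2013
No infection found.
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.17, February 2013
Started On Tue Feb 12 20:16:26 2013
->Scan ERROR: resource rootkit:// (code 0x0000054F (1359))
Threat detected: Trojan:Win32/Sirefef.H
Start 'remove' for driver://Serial
Operation was scheduled to be completed after next reboot.
Start 'remove' for file://\\?\C:\WINDOWS\system32\DRIVERS\serial.sys
Operation succeeded !
Return code: 10 (0xa)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.17, February 2013
Started On Tue Feb 12 20:24:41 2013
Return code: 6 (0x6)
"""

def parse_runs(text):
    """Split an mrt.log into one record per MSRT run (a run starts at its banner line)."""
    runs, cur, target = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := BANNER.match(line)):  # the "Finished On" line has no version, so it never matches
            cur = {"version": m.group(1), "started": None, "threats": [],
                   "scan_errors": [], "actions": [], "return_code": None}
            runs.append(cur)
        elif cur is None:
            continue  # text before the first banner
        elif line.startswith("Started On "):
            cur["started"] = line[len("Started On "):]
        elif line.startswith("->Scan ERROR: resource "):
            cur["scan_errors"].append(line.split()[3])  # e.g. rootkit:// or process://pid:N
        elif line.startswith("Threat detected: "):
            cur["threats"].append(line[len("Threat detected: "):])
        elif line.startswith("Start 'remove' for "):
            target = line[len("Start 'remove' for "):]
        elif line.startswith("Operation ") and target:
            cur["actions"].append((target, line))  # pair each resource with its outcome line
            target = None
        elif (m := re.match(r"Return code: (\d+)", line)):
            cur["return_code"] = int(m.group(1))
    return runs

def triage(runs):
    """Keep only the runs that need follow-up, with the reason for each."""
    out = []
    for r in runs:
        deferred = [t for t, res in r["actions"] if "after next reboot" in res]
        failed = [t for t, res in r["actions"] if t not in deferred and "succeeded" not in res]
        if r["threats"] or deferred or failed or r["return_code"] not in (0, None):
            out.append({"started": r["started"], "threats": r["threats"],
                        "deferred": deferred, "failed": failed,
                        "rootkit_scan_error": "rootkit://" in r["scan_errors"],
                        "return_code": r["return_code"]})
    return out
```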
cjohn Posted February 14, 2013

> Looks like you were infected with the Trojan:WinNT/Sirefef.H. Did you run any keygens or cracks lately?
> I don't see anything the MSRT cleaned that could be causing the problem. Please run the Eset online scanner and post the results.

No, I haven't used any keygen/crack for a long time.

Here is the online scan report:

C:\Documents and Settings\Administrator\Local Settings\Application Data\7df34ac6\U\00000001.@    a variant of Win32/Sirefef.CR trojan
C:\Documents and Settings\Administrator\Local Settings\Application Data\7df34ac6\U\000000c0.@    Win32/Conedex.A trojan
C:\Documents and Settings\Administrator\Local Settings\Application Data\7df34ac6\U\000000cf.@    Win32/Conedex.A trojan
C:\Documents and Settings\Administrator\Local Settings\Application Data\7df34ac6\U\80000000.@    probably a variant of Win32/Sirefef.FA trojan
C:\Documents and Settings\Administrator\Local Settings\Application Data\7df34ac6\U\800000c0.@    Win32/Sirefef.EN trojan
C:\Documents and Settings\Administrator\Local Settings\Application Data\7df34ac6\U\800000cb.@    a variant of Win32/Sirefef.FL trojan
C:\Documents and Settings\Administrator\Local Settings\Application Data\7df34ac6\U\800000cf.@    Win32/Sirefef.DV trojan
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe    Win32/Patched.HN trojan
C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe    Win32/Patched.HN trojan

But none of them can be cleaned.

Any further measures to be taken?
Guest Posted February 15, 2013

Format and reinstall.
cjohn Posted February 15, 2013

> Format and reinstall.

Too time consuming. Out of the question.
CharlotteTheHarlot Posted February 15, 2013 (edited)

> > Format and reinstall.
> Too time consuming. Out of the question.

Take this HDD out, place it into another computer (e.g., as drive D:). From that computer scan it first using MBAM and then with AV (like MSE). Both software should be configured to scan ALL FILES, not just programs and documents. Be prepared to do this several times with each software because it cannot be pronounced "safe" until they each come up clean. This can be very time-consuming, on the order of hours for each scan depending on the size of the HDD and the PATA/SATA, CPU and bus speed of the host computer.

Supplemental tasks can be accomplished while you are there, for example emptying out all the temp folders, deleting the pagefile and hibernate file (they will be re-created as needed, but cleanly) and you can also manually target internet cache folders and all other locations where malware might be hiding. This also allows you to remotely edit BOOT.INI and/or replace the boot sector if necessary without interference from the original system.

FYI: It helps if you have an alternate computer already set up for these purposes. Certain things need to be tamed to make the mounting of other HDDs painless. For example, telling system restore and disk indexing to not monitor other mounted HDDs (or just kill the silly things). AutoRun should be disabled for other HDDs so the system doesn't try to run something in the root folder of this infected HDD. ADDED: actually AutoRun should only execute if you attach the drive via an IDE/SATA to USB adapter, so naturally ignore this if you connect the HDD internally.

EDIT: typos

EDIT2: to cjohn ... you might want to encapsulate that virusscan result in Post #3 (use "Full Editor") in SPOILER tags to collapse it which will shorten the vertical height of the page. Some people stop scrolling through those kinds of results once they get too long!

Edited February 17, 2013 by CharlotteTheHarlot