Globalroot and Win32 trojan horse

After reading one of the forum threads answered by Essexboy I downloaded Malwarebytes and OTL and did as instructed. It found 163 items and they got quarantined and deleted successfully. I ran Avast and it popped up the alert screen again; win32:dnscharger - VJ [trj] was the file name and the Trojan name was globalroot. For some reason the names got inverted…!? The first time the virus was win32 and the file name was globalroot. I can’t access the internet from the infected computer. It runs Windows XP and it’s the free Avast version that is on it. Oh… I tried a full scan and nothing came up. I can’t start the computer in safe mode; for some reason it freezes. I’m running out of ideas… could you please help???

Thank you :)

After reading one of the forum threads answered by Essexboy I downloaded Malwarebytes and OTL and did as instructed.
Then you should post the logs here that MBAM and OTL produced so Essexboy can have a look ( http://forum.avast.com/index.php?topic=53253.0 ). If the logs are big use Attach, see down left corner: Additional Options > Attach

You may try this
http://live.sunbeltsoftware.com/

I had to redo the OTL as I couldn’t find the file :( Hope that’s ok? I tried to “save as” to see where it had saved last night but it won’t allow me to :( It’s getting pretty hard to get anything out of it…

You did not run the update before you scanned with MBAM, so you scanned with an old database; the latest is 4099.

I sent Essexboy a PM, so he will take a look when he arrives.

Since I have no internet connection it was not possible to get the update directly… however I got the update on this one and tried to transfer it by using a USB key, but the infected computer didn’t take it or it didn’t work when it transferred…

Hi I see it - it is the latest TDSS variant - to kill this we must have the recovery console installed

First I will kill what I can with OTL

Run OTL

1. Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
[2010/05/13 10:43:36 | 000,000,320 | -HS- | M] () -- C:\WINDOWS\tasks\nlmkv.job
[2010/04/27 20:18:04 | 000,016,652 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KLry0l
[2010/04/27 19:41:03 | 000,093,184 | RHS- | M] () -- C:\WINDOWS\System32\qmgrprxyq.dll
[2010/04/27 19:41:03 | 000,093,184 | RHS- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\qmgrprxyq.dll

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

2. Then click the Run Fix button at the top.
3. Let the program run unhindered, and reboot the PC when it is done.
4. Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.


Download ComboFix from one of these locations:

Link 1
Link 2

Note: It is important that it is saved directly to your desktop


With malware infections being as they are today, it’s strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft’s website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that’s appropriate for your Operating System. Download the file & save it as it’s originally named.

Note: If you have SP3, use the SP2 package.


Transfer all files you just downloaded, to the desktop of the infected computer.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

1. Drag the setup package onto ComboFix.exe and drop it.

2. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

http://img.photobucket.com/albums/v706/ried7/whatnext.png

3. At the next prompt, click ‘Yes’ to run the full ComboFix scan.

4. When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

After the OTL fix the computer had to be hard booted (waited 20 minutes) so hopefully it had time to do what was needed… BTW in the post you referred to Geeks to Go, so yesterday I did the process explained there. The console was installed from the disk I had and ComboFix had been run along with TFC.exe… :-[ So I hope this won’t hamper the fix you sent. Promise I won’t do anything else unless you say so!! Here’s the logs… I included the OTL fix log also, just in case :)

OTL was not strong enough to kill that file. On completion of this could you re-run GMER as before. Also could you ensure that the OTL log is saved in ANSI format please.

  1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


Rootkit::
c:\windows\system32\qmgrprxyq.dll

File::
c:\windows\system32\qmgrprxyq.dll

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply: ComboFix.txt and a new OTL log.

Oops! Forgot to mention GMER… :-[ Alright, here’s the logs, and I forgot to say this earlier but thank you so much… :)

The GMER scan gets stopped (I’m not sure if that’s normal) when it encounters a rootkit, so I saved it at that point (the scan button had reappeared, so it’s possible that the scan was done…).

Thanks again

OK, I would like to check out one further file. What problems do you have now?

Download TDSSKiller and save it to your Desktop.

1. Extract the file and run it.
2. Once completed it will create a log in your C: drive.
3. Reboot your computer.
4. Please post the contents of that log.

The same flags from Avast pop up (Mail scanner warning) at the beginning, and I still can’t connect to the internet, but the Avast scan came clean! Woohoo :) Here’s the log… Is there a way to “reset” Avast so the pop-ups stop?

Try this for the connection problem

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer

And for Firefox there are instructions on this page and you want the setting to be no proxy

What mail warnings are you getting ?

The flags are from Avast: Mail scanner warning - avast will not be able to protect outgoing email (SMTP protocol) error 10050, incoming email (POP3 protocol) error 10050, incoming email (IMAP protocol) error 10050, news (NNTP protocol) error 10050. The Proxy server box had no tick in it… And the internet is working for the laptop (obviously :)). I tried to match the settings for both and could not find a difference (I’m no genius concerning IT trouble though).

Again, thank you so much for helping :) It’s pretty cool to think of the distance between our countries, but online there’s no problem that can’t be solved :)

OK, that is because Avast will manage the secure mail network if you let it. I had that problem; now I just need to remember how I fixed it. The answer is here in the forum somewhere. I’ll look.

What error do you get when you try to connect to the net ?

OK, let’s try the WinSock XP Fix.

Grab a copy from here and run it http://majorgeeks.com/WinSock_XP_Fix_d4372.html

Won’t be able to do so until Thursday as I had to leave for business, but will try as soon as I return :)

Have a nice trip ;D

I’m back!! OK, I’ve applied the fix; the flags reappeared and still no internet… :( I rechecked the physical connections and all are plugged in. :-\ One small question… now that the console is active, it keeps asking which program to run it with (XP or console). Is there a way to go to the login screen right away?

Thanks for your time :)

To bypass the boot menu

Right click My Computer and select Properties
Select the Advanced tab
Under Startup and Recovery select Settings
Remove the tick from Time to display list of operating systems
OK out of the dialogues
Next time you boot you will go straight to XP

What error do you get when you try to connect to the net?

First “Internet Explorer cannot display the webpage” appears, then I click on the “Diagnose” button and this message shows up: "Windows has detected a problem with the winsock provider catalog." It asks to reset said catalog, which I do, and this diagnostic log appears…

Last diagnostic run time: 05/22/10 11:19:57
WinSock Diagnostic
WinSock status

info All base service provider entries are present in the Winsock catalog.
info The Winsock Service provider chains are valid.
error Provider entry MSAFD Tcpip [TCP/IP] could not perform simple loopback communication. Error 10050.
error Provider entry MSAFD Tcpip [UDP/IP] could not perform simple loopback communication. Error 10050.
error Provider entry RSVP UDP Service Provider could not perform simple loopback communication. Error 10091.
error Provider entry RSVP TCP Service Provider could not perform simple loopback communication. Error 10091.
error A connectivity problem exists with an installed LSP.
action Automated repair: Reset WinSock catalog
action Successfully executed: netsh winsock reset catalog
info System restart required

Network Adapter Diagnostic
Network location detection

info Using home Internet connection
Network adapter identification

info Network connection: Name=Local Area Connection, Device=Realtek RTL8169/8110 Family Gigabit Ethernet NIC, MediaType=LAN, SubMediaType=LAN
info Ethernet connection selected
Network adapter status

info Network connection status: Connected

HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved
warn HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved
error Could not make an HTTP connection.
error Could not make an HTTPS connection.
error Could not make an FTP connection.
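An added example, not from the thread or from any of the tools it mentions: a small Python parser for the XP Network Diagnostics report format quoted above that groups the info/warn/error lines by heading, extracts the numeric error codes, and maps them to the same checks the thread walks through (a Winsock catalog reset for the 10050/LSP findings, DNS and proxy settings for the 12007 name-resolution failures). The embedded report is a constructed excerpt in that format, not the poster's actual file.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the XP Network Diagnostics report quoted above (not the poster's file).
SAMPLE_REPORT = """\
WinSock Diagnostic
WinSock status

info All base service provider entries are present in the Winsock catalog.
error Provider entry MSAFD Tcpip [TCP/IP] could not perform simple loopback communication. Error 10050.
error Provider entry RSVP UDP Service Provider could not perform simple loopback communication. Error 10091.
error A connectivity problem exists with an installed LSP.

HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
error Could not make an HTTP connection.
"""

LINE_RE = re.compile(r"^(info|warn|error|action)\s+(.*)$")
CODE_RE = re.compile(r"Error (\d{5})")

def parse_report(text):
    """Group report lines by their heading: {heading: [(level, message, code_or_None), ...]}."""
    findings, section = defaultdict(list), "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:          # any other non-blank line is a (sub)heading
            section = line
            continue
        level, msg = m.groups()
        code = CODE_RE.search(msg)
        findings[section].append((level, msg, int(code.group(1)) if code else None))
    return dict(findings)

def triage(findings):
    """Return (sorted error codes, repair steps), mirroring the checks the thread walks through."""
    rows = [r for group in findings.values() for r in group]
    codes = sorted({c for _, _, c in rows if c})
    steps = []
    if any("LSP" in m for _, m, _ in rows) or 10050 in codes:
        steps.append("Winsock catalog fault (10050 WSAENETDOWN / LSP): run 'netsh winsock reset' and reboot")
    if 12007 in codes:
        steps.append("name resolution failing (12007 ERROR_INTERNET_NAME_NOT_RESOLVED): check DNS servers and the LAN proxy setting")
    return codes, steps
```

Feeding a saved diagnostic report to `parse_report` and then `triage` gives a list of the codes seen and which of the thread's repair steps they call for.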