Globalroot and Win32 trojan horse

[Straagal]

won't be able to do so until thursday as i had to leave for business, but will try as soon as i return

[essexboy]

Have a nice trip 

[Straagal]

I'm back!!  Ok i've applied the fix, the flags reappeared and still no internet...   I rechecked the physical connection and all are plugged in.   One small question...now that the console is active, it keep asking which program to run it with (XP or console) is there a way to go to the log in screen right away?

Thanks for your time

[essexboy]

To bypass the boot menu

Right click My Computer and select Properties
Select the Advanced tab
Under Startup and Recovery select Settings
Remove the tick from Time to display list of operating systems
OK out of the dialogues
Next time you boot you will go straight to XP


What error do you get when you try to connect to the net

[Straagal]

First "Internet Explorer cannot display the webpage" appear, then i click on the " diagnostic" button and this message shows up "Windows has detected a problem with the winsock provider catalog.  It ask to reset said catalog, which i do and this diagnostic log appear...

Last diagnostic run time: 05/22/10 11:19:57
WinSock Diagnostic
WinSock status

info   All base service provider entries are present in the Winsock catalog.
info   The Winsock Service provider chains are valid.
error   Provider entry MSAFD Tcpip [TCP/IP] could not perform simple loopback communication. Error 10050.
error   Provider entry MSAFD Tcpip [UDP/IP] could not perform simple loopback communication. Error 10050.
error   Provider entry RSVP UDP Service Provider could not perform simple loopback communication. Error 10091.
error   Provider entry RSVP TCP Service Provider could not perform simple loopback communication. Error 10091.
error   A connectivity problem exists with an installed LSP.
action   Automated repair: Reset WinSock catalog
action   Successfully executed: netsh winsock reset catalog
info   System restart required

Network Adapter Diagnostic
Network location detection

info   Using home Internet connection
Network adapter identification

info   Network connection: Name=Local Area Connection, Device=Realtek RTL8169/8110 Family Gigabit Ethernet NIC, MediaType=LAN, SubMediaType=LAN
info   Ethernet connection selected
Network adapter status

info   Network connection status: Connected

HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn   FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn   HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn   HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn   FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn   HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved
warn   HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved
error   Could not make an HTTP connection.
error   Could not make an HTTPS connection.
error   Could not make an FTP connection.

[essexboy]

OK lets try the winsockxp repair next - a bit more robust than the MS version

Download and run winsockxp fix from http://majorgeeks.com/download4372.html  reboot and then try again

[Straagal]

We tried this one earlier and it didn't work.  Tried it again, just in case, but still no result.  I uninstall Avast to get rid of the flags...it worked    For some reason, it takes a while to start up, i can't start a program for longer than usual, i'll defrag to see if it change anything... 

[essexboy]

So with Avast uninstalled the internet works ?

SPRING CLEAN
 
Download TFC to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
  
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

THEN

Download Flush Flash from Here and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter

[Straagal]

I wish   No, it just stop the flags from driving me crazy...  See, i though this was the hold up (flags would appear as the hour glass pointer would become the arrow), it was taking so long for the computer to be operational (able to use any programs) that i was hoping that by removing Avast that it would help (maybe files had been corrupted), but no...  even after the clean up and defrag you suggested, it still takes longer than usual to be able to access any programs.  I'm wondering if by using combofix prior to you "showing" up, some vital files might have been deleted inadvertently by inexpert me   if you still have some tricks up your sleeves, i'll be happy to try them but if i'm beyond normal help, well...

I can never say thank you enough for you helping me get rid of the bad guy

Thank you a zillion times   And big hugs from across the ocean 

Straagal

[essexboy]

Are you connecting via router ?

Please download SINO by Artellos.

• Save SINO to a place you can remember and run SINO.exe. (If you downloaded the ZIP version you will need to extract it first)
  
• Then please check the following checkboxes:

System Info
Services
Boot Check
Tasklist
Startup Items
Event Log
Ipconfig
Ping
Netstat
Hosts file
Shares
Routing Table

• Once checked, hit the Run Scan! button and wait for the program to finish the scan.
  
• A notepad window will pop up. Please copy all of the content into your next reply.

Note: If you try to interact with the program once it’s started scanning it might appear to hang. The scan however will continue.

[Straagal]

Both computers are via router, the laptop is wireless and the "sick" one by cable (i don't think it makes a diff, but just in case).

Here's the results:
Actually the message exceeded the lenght allowed, so i included the log

Thanks for not giving up on me

[essexboy]

I found this

Wired AutoConfig (Dot3svc) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k dot3svc

Dot3Svc Wired Auto-Config Service. Background Windows XP SP3 Service which enables and manages wired network connections (ie. connections via network cable through a network port on a PC or laptop, through a network card, or PCMCIA LAN adapters). This service was introduced by Service Pack 3 for Windows XP (wired network connections were managed by the WZCSVC Wireless Zero Configuration Service under Windows XP SP2). Without this service your network cards/adapters will not show in Network Connections and you simply won't be able to connect to any network via network cable.

Go to Control Panel > Administrative Tools > Services
Locate Wired AutoConfig
Right click and select Properties
Set the start up type to Automatic
OK out
Reboot and then try the net

[essexboy]

Forum is painfully slow

second screen shot

[Straagal]

didn't work   Could it be that the bug/trojan you fixed "fried" the internet card?

[essexboy]

Not fried the internet card, it may just be a coincidence, although the card is suspect - but this is what sino showed that put me on that track.  Do you have access to a wireless USB transmitter ? 

Pinging to www.opendns.com
There was a problem executing a ping to www.opendns.com
This can be due to various reasons. Missing a DNS Server or Internet Connection are the biggest cause of this error.

Windows IP Configuration

An internal error occurred: The request is not supported.

Please contact Microsoft Product Support Services for further help.

Additional information: Unable to query host name.

Could you go start > run and copy/paste the bolded text below then press enter.  Let me know what is displayed

ipconfig /all