• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3073

Globalroot error message & Infected with Winiguard

I am cleaning up a friend's machine that was infected with Winiguard, Baloon.exe and cFrog.exe. The machine is a Dell desktop with Vista Home Basic and just over 2 gigs of RAM. When I got the machine, it was running EXTREMELY slow, I could not connect to my network, and I kept receiving Winiguard popups.

I have already run MalwareBytes, HijackThis, and Combofix and will post the logs. It appears that I have successfully removed Winiguard, Baloon.exe and cFrog using MB, HT, and Combofix, as well as some manual registry deletions. However, I am still seeing that the machine is running extremely slowly, and every window that opens shows a "(not responding)" message in the header for about 45 seconds. I am still unable to connect to my network as well.

Whenever I try to open Symantec or IE I get an error message that reads as follows:

"Globalroot\systemroot\system32\gaopdxwmjrmfos.dll...is not designed to run on windows or contains errors"

The header of the error box reads "iexplore.exe - Bad Image"

When I close the error box, the system tries to open Internet Explorer.

I'm just wondering if anyone has seen this error message before, if it's related to a Malware item that I've missed, and if it could be causing the problems that I'm seeing with the machine...i.e. ridiculously slow load times, ie not working, no networking...etc....Also, how can I fix it...hopefully short of reinstalling the entire OS. Any help is greatly appreciated in advance!!!

p.s. the HijackThis Log File attached is after I removed Winiguard and related malware, but the MalwareBytes log is before the removal of the infections. I ran MB just a short while ago and it returned no infections...however, the issues persist. ComboFix did not show me a Log file, but I'm sure it put one in the directory folder somewhere, and I can get it if needed. Thanks again!!!
hijackthis.log
mbam-log-2009-02-18--00-40-54-.txt
Asked: mjgreenley
3 Solutions
 
rstorm1 commented:
Chances are good that the OS is corrupted and that your best bet is to save data to another drive and reload the computer.  You reach a point of diminishing returns when it is just much faster and less aggravating to reload and start fresh.  Even if you manage to eliminate all the present infections, you may not be able to eliminate the damage they have done.  Typically, if I can't clean up a machine in a couple of hours, for me, it is better time management to save data to a USB hard drive and reload the OS and applications.  I know that is not what you wanted to hear, but it would likely save you some hair pulling and teeth gnashing to reload the OS.

mjgreenley (Author) commented:
I was afraid of that, but I think you're absolutely right. I think maybe I just needed to hear it from someone else. I enjoy the troubleshooting...but, It's gotten to the point where this machine has become the bane of my existence, haha. I'll see if they have a problem with a re-install and go from there.

Thanks, rstorm1!

rstorm1 commented:
You're welcome, best of luck!

Dooflegna commented:
The unfortunate truth about MBAM is that although it's good at removing some of the brand name/most popular infections, it just doesn't do a really decent job at finding all of the variants of viruses and spyware out there.

I would recommend a few different things if you still want to try tackling this beast.

Run CCleaner to remove any temporary files.  Temporary files are often the first place viruses and spyware load from. http://www.ccleaner.com/download

Two free installable AV scanners which have crazy heuristics and high detection rates; I'd give them a try as well:
http://www.avast.com/eng/download-avast-home.html
http://www.free-av.com/en/download/index.html

If you're curious on a specific file, upload it to virustotal and have it scanned by thirty different virus scanners! http://www.virustotal.com/

The following Hijack this items are bad.  Feel free to remove them, reboot, rescan Hijack This to see if they regenerate.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

This entry looks suspicious. I don't recognize it.  If you know it to be a good process leave it, but I have a hunch it's bad.
O4 - HKLM\..\Run: [V0500Mon.exe] C:\Windows\V0500Mon.exe
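Dooflegna's triage above is done by eye. As an added example (not code from the thread or from HijackThis), here is a small Python checker that parses the O2/O4 lines quoted in the post and applies the same kind of reasoning: an orphaned BHO, an executable sitting directly in the Windows root, a rundll32-loaded DLL, and the device-namespace (globalroot) path from the Bad Image error that rpggamergirl identifies as a rootkit loader. The sample log, the benign control line and the heuristics are constructed for illustration; the output is a list of entries to review, not a verdict.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind name path reasons")

# Constructed sample: the three lines quoted in the post above plus one benign
# Vista autorun (Windows Defender) as a control. Not a real log from the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [V0500Mon.exe] C:\Windows\V0500Mon.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A file directly under <drive>:\Windows\ with no further subfolder.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")


def extract_path(cmd):
    """Pull the module that actually gets loaded out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, possibly with spaces
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split()
    if not tokens:
        return ""
    if tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",")[0]            # rundll32 <dll>,<entrypoint>
    return tokens[0]


def assess_path(path):
    """Return human-readable reasons why this load path deserves a second look."""
    p = path.lower()
    reasons = []
    if p == "(no file)":
        reasons.append("entry registered but its file is missing (orphaned)")
    if "globalroot" in p or p.startswith("\\\\?\\"):
        reasons.append("device-namespace path (globalroot); seen with TDSS-style rootkit loaders")
    if WINDOWS_ROOT_RE.match(p):
        reasons.append("executable placed directly in the Windows root instead of a subfolder")
    if any(seg in p for seg in ("\\temp\\", "\\appdata\\", "\\local settings\\")):
        reasons.append("loads from a user-writable temp/profile folder")
    return reasons


def analyze(log_text):
    """Parse O2 (BHO) and O4 (Run key) lines and attach review reasons to each."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            findings.append(Finding("BHO", m["name"], m["path"], assess_path(m["path"])))
            continue
        m = O4_RE.match(line)
        if m:
            path = extract_path(m["cmd"])
            reasons = assess_path(path)
            if m["cmd"].lower().startswith("rundll32"):
                reasons.append("rundll32 loads a DLL; check the DLL's publisher/signature")
            findings.append(Finding("Run", m["name"], path, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{'REVIEW' if f.reasons else 'ok':6} {f.kind:3} [{f.name}] {f.path}")
        for r in f.reasons:
            print("       -", r)
```

The heuristics deliberately mirror what a human reviewer looks for in a HijackThis log (missing files, odd load locations, indirect loaders); a hit means "verify this entry", and anything legitimate that trips a rule should simply be confirmed and left alone.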

mjgreenley (Author) commented:
Thanks Dooflegna, I'm waiting for the owner to give me the ok on the re-install, won't hear from him until tomorrow, so I'll give it a try and see what happens while I wait! Thanks!

rpggamergirl commented:
gaopdxwmjrmfos.dll <-- is a rootkit; it's very similar to the TDSS rootkit, and it should also have a driver, gaopdxwmjrmfos.sys.
Can you attach the Combofix log? It should be in the --> C:\combofix.txt

mjgreenley (Author) commented:
Absolutely, rpggamergirl! I'm away on business for the weekend, but will be home Sunday night...I'll post it then! Thanks

mjgreenley (Author) commented:
sorry for the delay everyone, I'm just getting around again. Attached is the ComboFix log...

Thanks
ComboFix.txt

rpggamergirl commented:
Thanks for the log.

Your ComboFix version has expired; you need to update it or delete it and download the latest version.
Your MBAM is also outdated; that's why it didn't detect the bad files showing in the CF log.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\baloon.exe
c:\windows\system32\cfrog.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\windows\system32\baloon.exe"=-
"c:\windows\system32\cfrog.exe"=-
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as your combofix.exe --> c:\users\Bruce\Desktop\ComboFix.exe
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
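Because a CFScript deletes files and registry values as soon as ComboFix runs it, it is worth reading the script back as a plan first. As an added example that is not part of the post or of ComboFix, the Python below parses the File:: and Registry:: sections of the script quoted above (assuming the Registry:: section uses .reg-file syntax, where "name"=- deletes a value and [-KEY] deletes a key), lists the planned actions without touching anything, and lints the plan for an autorun value that is cleared while the file it points to is not listed for deletion. The second, mismatched script is constructed to show that check firing.

```python
import re

# The script quoted in the post above, reproduced here as sample input.
CFSCRIPT = r"""
File::
c:\windows\system32\baloon.exe
c:\windows\system32\cfrog.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\windows\system32\baloon.exe"=-
"c:\windows\system32\cfrog.exe"=-
"""

# Constructed variant with a deliberate inconsistency: the Run value for
# cfrog.exe is cleared but the file itself is never listed for deletion.
CFSCRIPT_MISMATCH = r"""
File::
c:\windows\system32\baloon.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\windows\system32\baloon.exe"=-
"c:\windows\system32\cfrog.exe"=-
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(?P<del>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\")


def parse_cfscript(text):
    """Translate a CFScript into a list of planned actions; nothing is executed."""
    plan, section, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m["name"].lower(), None
            continue
        if section == "file":
            plan.append({"action": "delete_file", "path": line.lower()})
        elif section == "registry":
            m = KEY_RE.match(line)
            if m:
                key = m["key"]
                if m["del"]:                       # [-KEY] removes the whole key
                    plan.append({"action": "delete_key", "key": key})
                continue
            m = VALUE_RE.match(line)
            if m and key:
                action = "delete_value" if m["data"] == "-" else "set_value"
                plan.append({"action": action, "key": key, "name": m["name"], "data": m["data"]})
            else:
                plan.append({"action": "unsupported", "line": line})
        else:
            # Other CFScript directives exist; this example only models File:: and Registry::.
            plan.append({"action": "unsupported", "line": line})
    return plan


def lint(plan):
    """Every autorun value that points at a file should also have that file removed."""
    files = {p["path"] for p in plan if p["action"] == "delete_file"}
    warnings = []
    for p in plan:
        if p["action"] == "delete_value" and DRIVE_PATH_RE.match(p["name"].lower()):
            if p["name"].lower() not in files:
                warnings.append(f"{p['name']} is cleared from {p['key']} but not listed under File::")
        elif p["action"] == "unsupported":
            warnings.append(f"line not understood by this parser: {p['line']}")
    return warnings


if __name__ == "__main__":
    for label, script in (("thread script", CFSCRIPT), ("mismatched script", CFSCRIPT_MISMATCH)):
        plan = parse_cfscript(script)
        print(f"== {label}: {len(plan)} planned actions")
        for p in plan:
            print("  ", p)
        for w in lint(plan):
            print("   WARNING:", w)
```

The point of the dry run is that the plan is reviewed as data before a tool acts on it; the same pattern (parse, list, cross-check, then execute) applies to any cleanup script handed over in a forum thread.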

mjgreenley (Author) commented:
Thanks rpggamergirl,
When I booted the machine back up to try your solution, the machine was stuck in a boot loop. I tried running a repair on it, but it just became one thing after another so I ended up doing a clean install of the OS...

mjgreenley (Author) commented:
I want to thank everyone for taking the time to help me with my problem. I had to end up reinstalling the OS to solve the problem, but I believe that all of the information given was very helpful in trying to resolve my issue. Many users having similar issues could definitely benefit from using the tools and advice given here. Thanks again!