
Author Topic: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help  (Read 5316 times)


Devx

    Topic Starter


    Greenhorn

    Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
    « on: December 21, 2008, 04:37:45 PM »
    The only steps I could complete were running CCleaner and updating Java. All of the links provided give me the same "Internet Explorer cannot display" message. I tried using Google to get to the sites and was redirected to a random site. I was finally able to download the programs needed by using cut and paste to arrive at the sites needed. When I try to run them for install, it says "Program has encountered an error and needs to close". So I am unable to supply the logs required in steps 3, 4, and 6.

    I ran a scan using AVG before finding this site, 4 infections found...

    C:..\..\application data\gadcom\gadcom.exe

    Trojan Horse Downloader.Generic8.HPC

    C:..\..\application data\gadcom\gadcom.exe

    Trojan Horse Downloader.Generic8.HPC

    C:..\..\Local Settings\Temp\csrscc.exe

    Trojan Horse SHeur2.gas

    HKU\S-1-5-21-4064284459-4068832260-2367868486-1006\Software\Microsoft\Windows\CurrentVersion\Run\\gadcom

    Found Registry key with reference to infected file

    Other things of note:

    I am unable to connect to AVG update.

    It disabled my Windows Firewall (which I was able to enable afterwards)

    It disabled automatic updates from Windows (which I cannot enable now)

    No pictures are being shown on any websites, unless I right click -> show picture.

    It says AVG is running scans on my desktop toolbar at the bottom, and it is not.

    I'm not sure what other information I can provide. I noticed several other people posting here are having the same problem.

    Please advise.

    Thanks.

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 489
    • Experience: Familiar
    • OS: Windows 10
    Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
    « Reply #1 on: December 21, 2008, 07:22:16 PM »
    Welcome to CH.

    Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
    • Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
    • Then search for TDSSserv.sys
    • Let me know if you find this or not.
    • If you do find it, right click on it, and select “Disable”. Do not try to uninstall it.
    • Also if this is found and you disable it.
    • Now reboot and see if you can run the other scans that would not run.

    Devx


      Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
      « Reply #2 on: December 21, 2008, 08:38:29 PM »
      Yes it was there, now disabled.

      I am now able to get updates and run my anti-virus programs.

      I was also able to get MBAM to run by renaming the exe file.

      I am now running SUPERAntiSpyware.

      Reports to follow soon.

      Thanks and I love you.

      evilfantasy

      Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
      « Reply #3 on: December 21, 2008, 08:42:25 PM »
      Glad it worked

      Devx


        Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
        « Reply #4 on: December 21, 2008, 09:20:45 PM »
        Here are the reports.

        [attachment deleted by admin]

        evilfantasy

        Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
        « Reply #5 on: December 21, 2008, 09:36:56 PM »
        Open HijackThis and select Do a system scan only.

        Place a check mark next to the following entries: (if there)

        - R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
        - O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\SYSTEM32\CBXQIJBA.DLL (file missing)
        - O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\SYSTEM32\TYSHB36RFJDF.DLL (file missing)
        - O2 - BHO: (no name) - {F1D26A44-CC06-47E6-908D-B4AD07C96AA2} - C:\WINDOWS\system32\xxyaxuvv.dll (file missing)
        - O4 - Startup: PowerReg Scheduler V3.exe
        - O20 - AppInit_DLLs: avgrsstx.dll reniix.dll
        - O20 - Winlogon Notify: cbXQiJba - cbXQiJba.dll (file missing)
        - O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\SYSTEM32\TYSHB36RFJDF.DLL (file missing)


        Important: Close all windows except for HijackThis and then click Fix checked.

        Exit HijackThis.

        Run CCleaner and then restart the computer.

        ----------

        Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

        Link #1
        Link #2

        **Note:  It is important that it is saved directly to your Desktop

        Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

        Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
         
        Double click combofix.exe & follow the prompts.

        For Windows XP Systems install the Recovery Console:

        - If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
        - If for some reason your Internet is not working click No.
        - If you are not using Windows XP, you will not be prompted.
        - When prompted to accept the EULA click OK.
        - Accept Microsoft's EULA (Click Yes).
        - When you are told that the RC is installed correctly click YES to continue scanning for malware.

        When finished ComboFix will produce a log for you.
        Post the ComboFix log in your next reply.

        Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

        Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
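As an added example (not part of this thread, and not code from HijackThis or its author), here is a small Python triage script over the HijackThis entries quoted in this reply: it parses each line, flags registrations marked "(file missing)", lists AppInit_DLLs entries not on an allowlist, and reports a CLSID that is registered at more than one load point. The sample log and the allowlist (avgrsstx.dll is AVG's own component) are constructed for the example.

```python
import re
# Constructed sample input: the HijackThis entries quoted in Reply #5, as one log excerpt.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\SYSTEM32\CBXQIJBA.DLL (file missing)
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\SYSTEM32\TYSHB36RFJDF.DLL (file missing)
O2 - BHO: (no name) - {F1D26A44-CC06-47E6-908D-B4AD07C96AA2} - C:\WINDOWS\system32\xxyaxuvv.dll (file missing)
O4 - Startup: PowerReg Scheduler V3.exe
O20 - AppInit_DLLs: avgrsstx.dll reniix.dll
O20 - Winlogon Notify: cbXQiJba - cbXQiJba.dll (file missing)
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\SYSTEM32\TYSHB36RFJDF.DLL (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
SECTION_RE = re.compile(r"([\w ]+):")  # "BHO", "AppInit_DLLs", "Winlogon Notify", ...
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MODULE_RE = re.compile(r"[\w~.-]+\.(?:dll|exe|sys)\b", re.I)
# Assumed allowlist for this example: avgrsstx.dll is AVG's own AppInit hook and is expected on this PC.
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}

def parse_entries(log):
    """Split each 'Oxx - Section: details' line into code, section, CLSIDs and module names."""
    entries = []
    for line in log.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:  # headers, blank lines, anything that is not an entry
            continue
        body, code = m.group("body"), m.group("code")
        sec = SECTION_RE.match(body)  # R-entries start with a registry path and get no section
        entries.append({"code": code, "section": sec.group(1) if sec else code,
                        "file_missing": body.endswith("(file missing)"),
                        "clsids": [c.upper() for c in CLSID_RE.findall(body)],
                        "modules": [x.lower() for x in MODULE_RE.findall(body)]})
    return entries

def triage(entries):
    """Flag orphaned registrations, unexpected AppInit DLLs and CLSIDs reused across load points."""
    findings, clsid_owners = [], {}
    for e in entries:
        where = f"{e['code']} {e['section']}"
        if e["file_missing"]:  # registry entry left behind after the component file was removed
            findings.append(f"{where}: orphaned registration of {e['modules'][-1]}")
        if e["section"] == "AppInit_DLLs":  # every DLL listed here is loaded into every user32 process
            findings += [f"{where}: unrecognised DLL {d}" for d in e["modules"] if d not in KNOWN_APPINIT_DLLS]
        for c in e["clsids"]:
            clsid_owners.setdefault(c, []).append(where)
    for c, owners in clsid_owners.items():
        if len(owners) > 1:  # one component hooked in through more than one load point
            findings.append(f"CLSID {c} registered in {len(owners)} places: {', '.join(owners)}")
    return findings
```

Running `triage(parse_entries(HJT_LOG))` on the sample yields seven findings: five orphaned registrations, the unrecognised reniix.dll in AppInit_DLLs, and the CLSID shared by the O2 and O22 entries.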

        Devx


          Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
          « Reply #6 on: December 21, 2008, 10:31:00 PM »
          The log is attached below.

          Pictures are still not showing up unless I right click -> show. Is this of any major concern or any easy fix?

          Thanks.

          [attachment deleted by admin]

          evilfantasy

          Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
          « Reply #7 on: December 21, 2008, 10:45:28 PM »
          What pictures?

          Download the OTMoveIt3 by OldTimer

          Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

          * Save it to your Desktop.
          * Double-click OTMoveIt3.exe to run it.
          * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

          Code:
          :Processes
          explorer.exe

          :files
          c:\docume~1\DEVAST~1\LOCALS~1\Temp\efipsk.sys

          :Commands
          [purity]
          [emptytemp]
          [start explorer]
          [Reboot]

          * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
          * Click the red Moveit! button.
          * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
          * Close OTMoveIt3

          Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

          Devx


            Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
            « Reply #8 on: December 21, 2008, 11:06:02 PM »
            What pictures?

            Any pictures on any website, the picture for your avatar for example or the pictures for any of the little smiley faces. In place of the pictures is text; if I right click -> show picture they appear as the picture and not text. It's probably something very simple, but I just don't know what it is. It started after I got the virus.

            Anyway, thanks again. Log posted below.

            [attachment deleted by admin]

            evilfantasy

            Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
            « Reply #9 on: December 21, 2008, 11:10:29 PM »
            Try this.

            Internet Explorer right?

            Reset Web Settings & Default Security Settings

            Open Internet Explorer and choose Tools > Internet Options > then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

            Restart IE and see if it is back to normal.

            Devx


              Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
              « Reply #10 on: December 21, 2008, 11:27:27 PM »
              PERFECT!  :D

              I am now completely free of the plague that existed on my PC.

              THANK YOU!!

              What a wonderful service you provide here on this site. Praise be to you and the others that help troubled people and their computers. I could not be happier at this moment. I hope everyone appreciates you as much as I. I really can't thank you enough. It's so nice to have things back to normal here.

              Have a happy holiday!!
              « Last Edit: December 21, 2008, 11:42:13 PM by Devx »

              evilfantasy

              Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
              « Reply #11 on: December 21, 2008, 11:41:43 PM »
                Glad it worked. Now time to clean up and secure the work you have done. Let me know if you have any questions.

                • Click START then RUN
                • Now type Combofix /u in the runbox
                • Make sure there's a space between Combofix and /u
                • Then hit Enter.
                • The above procedure will:
                  • Delete the following:
                    • ComboFix and its associated files and folders.
                  • Reset the clock settings.
                  • Hide file extensions, if required.
                  • Hide System/Hidden files, if required.
                  • Set a new, clean Restore Point.
                ----------

                1. Double click OTMoveIt3.exe to launch it.
                   If using Vista Right-Click OTMoveIt and choose Run As Administrator
                2. Click on the CleanUp! button.
                3. OTMoveIt3 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
                4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
                • When finished exit out of OTMoveIt3
              ----------

              Use the Secunia Software Inspector to check for out of date software.
              • Click Start Now
              • Check the box next to Enable thorough system inspection.
              • Click Start
              • Allow the scan to finish and scroll down to see if any updates are needed.
              • Update anything listed.
              ----------

              Go to Microsoft Windows Update and get all critical updates.

              ----------

              Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

              Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

              To prevent unknown applications from being installed on your computer install WinPatrol 2008
              * Using Winpatrol to protect your computer from malicious software

              I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

              SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
              * Using SpywareBlaster to protect your computer from Spyware and Malware
              * If you don't know what ActiveX controls are, see here

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.