Computer Hope

Software => Computer viruses and spyware => Topic started by: Devx on December 21, 2008, 04:37:45 PM

Title: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
Post by: Devx on December 21, 2008, 04:37:45 PM
The only steps I could complete were running CCleaner and updating Java. All of the links provided give me the same "Internet Explorer cannot display" message. I tried using Google to get to the sites and was redirected to a random site. I was finally able to download the programs needed by using cut and paste to arrive at the sites needed. When I try to run them for install, it says "Program has encountered an error and needs to close". So I am unable to supply the logs required in steps 3, 4, and 6.

I ran a scan using AVG before finding this site, 4 infections found...

C:..\..\application data\gadcom\gadcom.exe

Trojan Horse Downloader.Generic8.HPC

C:..\..\application data\gadcom\gadcom.exe

Trojan Horse Downloader.Generic8.HPC

C:..\..\Local Settings\Temp\csrscc.exe

Trojan Horse SHeur2.gas

HKU\S-1-5-21-4064284459-4068832260-2367868486-1006\Software\Microsoft\Windows\CurrentVersion\Run\\gadcom

Found Registry key with reference to infected file

Other things of note:

I am unable to connect to AVG update.

It disabled my Windows Firewall (which I was able to enable afterwards)

It disabled automatic updates from windows (which I cannot enable now)

No pictures are being shown on any websites, unless I right click -> show picture.

It says AVG is running scans on my desktop toolbar at the bottom, and it is not.

I'm not sure what other information I can provide. I noticed several other ppl posting here are having the same problem.

Please advise.

Thanks.
Title: Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
Post by: evilfantasy on December 21, 2008, 07:22:16 PM
Welcome to CH.

Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
Title: Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
Post by: Devx on December 21, 2008, 08:38:29 PM
Yes it was there, now disabled.

I am now able to get updates and run my anti-virus programs.

I was also able to get MBAM to run by renaming the exe file.

I am now running SUPERAntiSpyware.

Reports to follow soon.

Thanks and I love you.
Title: Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
Post by: evilfantasy on December 21, 2008, 08:42:25 PM
Glad it worked.
Title: Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
Post by: Devx on December 21, 2008, 09:20:45 PM
Here are the reports.

[attachment deleted by admin]
Title: Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
Post by: evilfantasy on December 21, 2008, 09:36:56 PM
Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
- O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\SYSTEM32\CBXQIJBA.DLL (file missing)
- O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\SYSTEM32\TYSHB36RFJDF.DLL (file missing)
- O2 - BHO: (no name) - {F1D26A44-CC06-47E6-908D-B4AD07C96AA2} - C:\WINDOWS\system32\xxyaxuvv.dll (file missing)
- O4 - Startup: PowerReg Scheduler V3.exe
- O20 - AppInit_DLLs: avgrsstx.dll reniix.dll
- O20 - Winlogon Notify: cbXQiJba - cbXQiJba.dll (file missing)
- O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\SYSTEM32\TYSHB36RFJDF.DLL (file missing)


Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

Run CCleaner and then restart the computer.

----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)

Note: It is important that it is saved directly to your Desktop.

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.

For Windows XP Systems install the Recovery Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
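The HijackThis fix list above is a hand-made triage of log entries. As an added example (not from the post and not HijackThis code), the Python below parses HJT-style log lines, using a constructed sample modelled on the entries quoted above plus one made-up benign BHO for contrast, and applies the same rules to flag them: targets that no longer exist, a hijacked IE search bar, unknown AppInit_DLLs, and Startup items to review. The allowlists are illustrative assumptions, not authoritative lists.

```python
import re
from urllib.parse import urlparse

# Constructed HJT-style log modelled on the entries quoted in the post above; the
# "Example Helper" BHO line is a made-up benign entry included for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\SYSTEM32\CBXQIJBA.DLL (file missing)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - Startup: PowerReg Scheduler V3.exe
O20 - AppInit_DLLs: avgrsstx.dll reniix.dll
O20 - Winlogon Notify: cbXQiJba - cbXQiJba.dll (file missing)
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\SYSTEM32\TYSHB36RFJDF.DLL (file missing)
"""

# Assumed allowlists (illustrative, not authoritative): AVG's resident-shield DLL from
# the post, and the Microsoft domains a stock IE search bar points at.
KNOWN_APPINIT = {"avgrsstx.dll"}
STOCK_SEARCH_SUFFIXES = ("microsoft.com", "msn.com")
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")

def triage(log_text):
    """Return (action, reason, line) for HJT entries that need attention: registry entries
    whose target file is gone, a hijacked IE search bar, unknown AppInit_DLLs (injected into
    every process that loads user32.dll), and Startup-folder items to review by hand."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if body.endswith("(file missing)"):
            # BHO / Winlogon Notify / SharedTaskScheduler still registered, DLL gone
            findings.append(("fix", "orphaned reference to a missing file", line))
        elif code == "R1" and "Search Bar" in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname or ""
            if not host.endswith(STOCK_SEARCH_SUFFIXES):
                findings.append(("fix", "search bar redirected to " + host, line))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            unknown = [d for d in body.split(":", 1)[1].split() if d.lower() not in KNOWN_APPINIT]
            if unknown:
                findings.append(("fix", "unknown AppInit_DLLs: " + ", ".join(unknown), line))
        elif code == "O4" and body.startswith("Startup:"):
            findings.append(("review", "Startup-folder item", line))
    return findings

if __name__ == "__main__":
    for action, reason, line in triage(SAMPLE_LOG):
        print(f"[{action}] {reason}: {line}")
```

Fixing an O20 AppInit_DLLs line in HijackThis clears the whole value, so a legitimate DLL such as the AV's own entry is removed along with the unknown one, which is why it appears in the fix list above.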
Title: Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
Post by: Devx on December 21, 2008, 10:31:00 PM
The log is attached below.

Pictures are still not showing up unless I right click -> show. Is this of any major concern or any easy fix?

Thanks.

[attachment deleted by admin]
Title: Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
Post by: evilfantasy on December 21, 2008, 10:45:28 PM
What pictures?

Download the OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:files
c:\docume~1\DEVAST~1\LOCALS~1\Temp\efipsk.sys

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
* Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.
Title: Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
Post by: Devx on December 21, 2008, 11:06:02 PM
What pictures?

Any pictures on any website, the picture for your avatar for example or the pictures for any of the little smiley faces. In place of the pictures is text; if I right click -> show picture they appear as the picture and not text. It's probably something very simple, but I just don't know what it is. It started after I got the virus.

Anyway, thanks again. Log posted below.

[attachment deleted by admin]
Title: Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
Post by: evilfantasy on December 21, 2008, 11:10:29 PM
Try this.

Internet Explorer, right?

Reset Web Settings & Default Security Settings

Open Internet Explorer and choose  Tools > Internet Options > then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

Restart IE and see if it is back to normal.
Title: Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
Post by: Devx on December 21, 2008, 11:27:27 PM
PERFECT!  :D

I am now completely free of the plague that existed on my PC.

THANK YOU!!

What a wonderful service you provide here on this site. Praise be to you and the others that help troubled people and their computers. I could not be happier at this moment. I hope everyone appreciates you as much as I do. I really can't thank you enough. It's so nice to have things back to normal here.

Have a happy holiday!!
Title: Re: Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help
Post by: evilfantasy on December 21, 2008, 11:41:43 PM
OTMoveIt3.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
----------

Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out-of-date software.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 (http://www.spreadfirefox.com/node&id=224248&t=324) with Adblock Plus (https://addons.mozilla.org/en-US/firefox/addon/1865) and NoScript (http://noscript.net/).

To prevent unknown applications from being installed on your computer install WinPatrol 2008 (http://www.winpatrol.com/winpatrol.html)
*  Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

I suggest using SiteAdvisor (http://www.siteadvisor.com/). SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Check out Keeping Yourself Safe On The Web (http://evilspages.blogspot.com/2008/05/keeping-yourself-safe-on-web.html) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware (http://evilspages.blogspot.com/2008/05/slow-computer-it-may-not-be-malware.html) for free cleaning/maintenance tools to help keep your computer running smoothly.