Solve : Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help?

1.	Solve : Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help?
Answer» The only steps I could complete was running CCleaner and updating Java. All of the links provided all give me the same message "Internet Explorer cannot display" message. I tried using google to get to the sites and was redirected to a random site. I was finally able to download the programs needed by using cut and paste to arrive at the sites needed. When I try to run them for install, it says "Program has encountered an error and needs to close". So I am unable to supply the logs required in steps 3, 4, and 6. I ran a scan using AVG before finding this site, 4 infections found... C:..\..\application data\gadcom\gadcom.exe Trojan Horse Downloader.Generic8.HPC C:..\..\application data\gadcom\gadcom.exe Trojan Horse Downloader.Generic8.HPC C:..\..\Local Settings\Temp\csrscc.exe Trojan Horse SHeur2.gas HKU\S-1-5-21-4064284459-4068832260-2367868486-1006\Software\Microsoft\Windows\CurrentVersion\Run\\gadcom Found Registry key with reference to infected file Other things of note: I am unable to connect to AVG update. It disabled my Windows Firewall (which I was able ENABLE afterwards) It disabled automatic updates from windows (which I cannot enable now) No pictures are being shown on any websites, unless I right click -> show picture. It says AVG is running scans on my desktop toolbar at the bottom, and it is not. I'm not sure what other information I can provide. I noticed several other ppl posting here are having the same problem. Please advise. Thanks.Welcome to CH. Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices. Scroll down to “Non-plug and Play DRIVERS” and click the plus icon to open those drivers. Then search for TDSSserv.sys Let me know if you find this or not. If you do find it, right click on it, and select “Disable”. Do not try to uninstall it. Also if this is found and you disable it. Now reboot and see if you can run the other scans that would not run. Yes it was there, now disabled. I am now able to get updates and run my anti-virus programs. I was also able to get MBAM to run by renaming the exe file. I am now running SUPERAntiSpyware. Reports to follow soon. Thanks and I love you.Glad it worked Here are the reports. [attachment deleted by admin]Open HijackThis and select Do a system scan only. Place a check mark next to the following entries: (if there) - R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html - O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\SYSTEM32\CBXQIJBA.DLL (file missing) - O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\SYSTEM32\TYSHB36RFJDF.DLL (file missing) - O2 - BHO: (no name) - {F1D26A44-CC06-47E6-908D-B4AD07C96AA2} - C:\WINDOWS\system32\xxyaxuvv.dll (file missing) - O4 - Startup: PowerReg Scheduler V3.exe - O20 - AppInit_DLLs: avgrsstx.dll reniix.dll - O20 - Winlogon Notify: cbXQiJba - cbXQiJba.dll (file missing) - O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\SYSTEM32\TYSHB36RFJDF.DLL (file missing) Important: Close all windows except for HijackThis and then click Fix checked. Exit HijackThis. Run CCleaner and then restart the computer. ---------- Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop. Link #1 Link #2 Note: It is important that it is saved directly to your Desktop Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix. Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. For Windows XP SYSTEMS install the Recovery Console: - If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes*. - If for some reason your Internet is not working click No. - If you are not using Windows XP, you will not be prompted. - When prompted to accept the EULA click OK. - Accept Microsoft's EULA (Click Yes). - When you are told that the RC is installed correctly click YES* to continue scanning for malware. When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply. Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall. *Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.The log is attached below. Pictures are still not showing up unless I right click -> show. Is this of any major concern or any easy fix? Thanks. [attachment deleted by admin]What pictures? Download the OTMoveIt3 by OldTimer Note:* If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator. * Save it to your Desktop. * Double-click OTMoveIt3.exe to run it. * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy) Code: [Select]:Processes explorer.exe :files c:\docume~1\DEVAST~1\LOCALS~1\Temp\efipsk.sys :Commands [purity] [emptytemp] [start explorer] [Reboot] * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste. * Click the red Moveit! button. * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. Close OTMoveIt3 Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.Quote from: evilfantasy on December 21, 2008, 10:45:28 PM What pictures? Any pictures on any website, the picture for your avatar for example or the pictures for any of the little smiley faces. In place of the pictures are text, if I right click -> show picture they appear as the picture and not text. Its probably something very simple, but I just dont know what it is. It started after I got the virus. Anyway, thanks again. Log posted below. [attachment deleted by admin]Try this. Internet Explorer right? Reset Web Settings & Default Security Settings Open Internet Explorer and choose Tools > Internet Options > then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings. Restart IE and see if it is back to normal.PERFECT! I am now completely free of the plague that existed on my PC. THANK YOU!! What a wonderful service you provide here on this site. Praise be to you and the others that help troubled people and their computers. I could not be happier at this moment. I hope everyone appreciates you as much as I. I really cant thank you enough. Its so nice to have things back to normal here. Have a happy holiday!! Glad it worked. Now time to clean up and secure the work you have done. Let me know if you have any questions. Click START then RUN Now TYPE Combofix /u in the runbox Make sure there's a space between Combofix and /u Then hit Enter. The above procedure will: Delete the following: ComboFix and its associated files and folders. Reset the clock settings. Hide file extensions, if required. Hide System/Hidden files, if required. Set a new, clean Restore Point. . ---------- 1. Double click OTMoveIt3.exe to launch it. If using Vista Right-Click OTMoveIt and choose Run As Administrator 2. Click on the CleanUp! button. 3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access. 4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?) When finished exit out of OTMoveIt3 . ---------- Use the Secunia Software Inspector to check for out of date software. Click Start Now Check the box next to Enable THOROUGH system inspection. Click Start Allow the scan to finish and scroll down to see if any updates are needed. Update anything listed. . ---------- Go to Microsoft Windows Update and get all critical updates. ---------- Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC. Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript To prevent unknown applications from being installed on your computer install WinPatrol 2008 * Using Winpatrol to protect your computer from malicious software I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Answer»

The only steps I could complete was running CCleaner and updating Java. All of the links provided all give me the same message "Internet Explorer cannot display" message. I tried using google to get to the sites and was redirected to a random site. I was finally able to download the programs needed by using cut and paste to arrive at the sites needed. When I try to run them for install, it says "Program has encountered an error and needs to close". So I am unable to supply the logs required in steps 3, 4, and 6.

I ran a scan using AVG before finding this site, 4 infections found...

C:..\..\application data\gadcom\gadcom.exe

Trojan Horse Downloader.Generic8.HPC

C:..\..\application data\gadcom\gadcom.exe

Trojan Horse Downloader.Generic8.HPC

C:..\..\Local Settings\Temp\csrscc.exe

Trojan Horse SHeur2.gas

HKU\S-1-5-21-4064284459-4068832260-2367868486-1006\Software\Microsoft\Windows\CurrentVersion\Run\\gadcom

Found Registry key with reference to infected file

Other things of note:

I am unable to connect to AVG update.

It disabled my Windows Firewall (which I was able ENABLE afterwards)

It disabled automatic updates from windows (which I cannot enable now)

No pictures are being shown on any websites, unless I right click -> show picture.

It says AVG is running scans on my desktop toolbar at the bottom, and it is not.

I'm not sure what other information I can provide. I noticed several other ppl posting here are having the same problem.

Please advise.

Thanks.Welcome to CH.

Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

Scroll down to “Non-plug and Play DRIVERS” and click the plus icon to open those drivers.
Then search for TDSSserv.sys
Let me know if you find this or not.
If you do find it, right click on it, and select “Disable”. Do not try to uninstall it.
Also if this is found and you disable it.
Now reboot and see if you can run the other scans that would not run.

Yes it was there, now disabled.

I am now able to get updates and run my anti-virus programs.

I was also able to get MBAM to run by renaming the exe file.

I am now running SUPERAntiSpyware.

Reports to follow soon.

Thanks and I love you.Glad it worked Here are the reports.

[attachment deleted by admin]Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
- O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\SYSTEM32\CBXQIJBA.DLL (file missing)
- O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\SYSTEM32\TYSHB36RFJDF.DLL (file missing)
- O2 - BHO: (no name) - {F1D26A44-CC06-47E6-908D-B4AD07C96AA2} - C:\WINDOWS\system32\xxyaxuvv.dll (file missing)
- O4 - Startup: PowerReg Scheduler V3.exe
- O20 - AppInit_DLLs: avgrsstx.dll reniix.dll
- O20 - Winlogon Notify: cbXQiJba - cbXQiJba.dll (file missing)
- O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\SYSTEM32\TYSHB36RFJDF.DLL (file missing)

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

Run CCleaner and then restart the computer.

----------

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

For Windows XP SYSTEMS install the Recovery Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.The log is attached below.

Pictures are still not showing up unless I right click -> show. Is this of any major concern or any easy fix?

Thanks.

[attachment deleted by admin]What pictures?

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]:Processes
explorer.exe

:files
c:\docume~1\DEVAST~1\LOCALS~1\Temp\efipsk.sys

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.Quote from: evilfantasy on December 21, 2008, 10:45:28 PM

What pictures?

Any pictures on any website, the picture for your avatar for example or the pictures for any of the little smiley faces. In place of the pictures are text, if I right click -> show picture they appear as the picture and not text. Its probably something very simple, but I just dont know what it is. It started after I got the virus.

Anyway, thanks again. Log posted below.

[attachment deleted by admin]Try this.

Internet Explorer right?

Reset Web Settings & Default Security Settings

Open Internet Explorer and choose Tools > Internet Options > then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

Restart IE and see if it is back to normal.PERFECT!

I am now completely free of the plague that existed on my PC.

THANK YOU!!

What a wonderful service you provide here on this site. Praise be to you and the others that help troubled people and their computers. I could not be happier at this moment. I hope everyone appreciates you as much as I. I really cant thank you enough. Its so nice to have things back to normal here.

Have a happy holiday!!

Click START then RUN
Now TYPE Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

OTMoveIt3.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

When finished exit out of OTMoveIt3

.
----------

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable THOROUGH system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Solve : Trojans, Gadcom.exe SHeur2.GAS csrssc.exe - Please help?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment