
gadcom.exe infection


  • This topic is locked
3 replies to this topic

#1 blackswordsman

  • Members
  • 8 posts

Posted 27 December 2008 - 06:54 PM

Hello,
I think I fixed this infection, but I want to make sure that my logs look correct now. This is what happened: I went to wowhead.com, which is a World of Warcraft item database site, and was searching for an item, and all of a sudden I got a notification that Windows Firewall was disabled. I had not clicked or opened anything; I was just looking at the page. I quickly re-enabled it, but it was too late. I have AVG Free Edition and it started screaming about a Trojan, so I closed all Internet Explorer windows and started a scan. AVG found the program gadcom.exe and a registry setting and cleaned them. I rebooted and was still getting Windows pop-ups when opening IE. I did some research and these are the steps I took.

1) Download Malwarebytes Anti-Malware, run a scan and remove everything that was found
2) Reboot
3) Run ComboFix
4) Reboot
5) Download the latest version of the Java JRE
6) Run JavaRa
7) Install the latest Java
8) Run ATF Cleaner; on the Main tab choose Select All and Empty Selected
9) Reboot

After this I get no more pop-ups and no more warnings from AVG, but I want to be sure. I do not know what I am looking at when I look at a HijackThis file or the DDS file, so I want to run it past you guys to make sure that I am clean.
DDS File:

DDS (Version 1.1.0) - NTFSx86
Run by Kiba at 18:40:16.35 on Sat 12/27/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1357 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Samsung\NetworkScan\NSCSysTrayUI.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Samsung\Samsung CLX-3160 Series\SPanel\PSU\Scan2pc.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Kiba\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.16\AsRunHelp.exe
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\ssmmgr.exe /autorun
mRun: [NSCSysTrayUI] "c:\program files\samsung\networkscan\NSCSysTrayUI.exe" /HIDEUI
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch Ai Booster] "c:\program files\asus\ai booster\OverClk.exe"
mRun: [IRIS_S2P] c:\program files\samsung\samsung clx-3160 series\spanel\psu\Scan2pc.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll nxcywi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kiba\applic~1\mozilla\firefox\profiles\tcbb50jf.default\
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-25 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-4-22 26824]
R1 SSHDRV85;SSHDRV85;\??\c:\windows\system32\drivers\SSHDRV85.sys [2008-9-2 78848]
R1 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;\??\c:\windows\system32\ZDCNDIS5.SYS [2008-10-15 20736]
R2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2007-7-20 557056]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-25 76040]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;"c:\program files\microsoft sql server\100\shared\SQLADHLP.EXE" [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);"c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE" -i SQLEXPRESS [2008-7-10 369688]

=============== Created Last 30 ================

2008-12-27 18:26 <DIR> --d----- C:\Malware_Fix
2008-12-27 18:14 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-27 18:00 <DIR> a-dshr-- C:\cmdcons
2008-12-27 17:59 <DIR> --d----- C:\ComboFix
2008-12-27 17:47 161,792 a------- c:\windows\SWREG.exe
2008-12-27 17:47 98,816 a------- c:\windows\sed.exe
2008-12-27 16:24 <DIR> --d----- C:\VundoFix Backups
2008-12-27 15:41 <DIR> --d----- c:\docume~1\kiba\applic~1\Malwarebytes
2008-12-27 15:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-27 15:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 15:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 15:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-27 14:55 <DIR> --d----- c:\program files\Trend Micro
2008-12-24 12:39 <DIR> --d----- c:\program files\Curse
2008-12-10 16:02 <DIR> --d----- c:\program files\common files\Merge Modules
2008-12-07 17:17 <DIR> --d----- c:\docume~1\kiba\applic~1\Windows Search
2008-12-07 15:48 <DIR> --d----- c:\docume~1\kiba\applic~1\Windows Desktop Search
2008-12-07 15:48 <DIR> --d----- c:\windows\system32\GroupPolicy
2008-12-07 15:48 <DIR> --d----- c:\program files\Windows Desktop Search
2008-12-07 15:47 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2008-12-07 15:47 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2008-12-07 15:47 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2008-12-07 15:47 <DIR> --d----- C:\6ff2649acc8a6305a5711026e132e0ca
2008-12-07 15:34 50,200 a------- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2008-12-07 15:34 79,896 a------- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2008-12-07 15:34 <DIR> --d----- c:\windows\system32\RsFx
2008-12-07 15:17 <DIR> --d----- c:\program files\Microsoft SQL Server
2008-12-07 15:17 <DIR> --d----- c:\program files\Microsoft Synchronization Services
2008-12-07 15:17 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2008-12-07 15:12 <DIR> --d----- C:\3c132d9fab3940e005d994f665
2008-12-07 15:12 <DIR> --d----- c:\windows\SxsCaPendDel

==================== Find3M ====================

2008-10-31 18:40 413,696 a------- c:\windows\system32\wrap_oal.dll
2008-10-31 18:40 102,400 a------- c:\windows\system32\OpenAL32.dll
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-18 21:49 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-02 11:07 107,832 a------- c:\windows\system32\PnkBstrB.exe
2008-10-02 09:26 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-10-02 09:07 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-03-05 15:38 0 a------- c:\program files\temp01
2007-10-01 11:06 22,328 a------- c:\docume~1\kiba\applic~1\PnkBstrK.sys
2008-05-21 09:43 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052120080522\index.dat

============= FINISH: 18:40:37.81 ===============
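The poster asks what to look for in a DDS log, so here is a small triage parser for the DDS "Pseudo HJT Report" format quoted above. It is an added example, not part of the original post or of the DDS tool: it splits the report into its "====" sections and flags AppInit_DLLs entries that an analyst-kept allow-list does not explain, since DLLs named there are loaded into every process that loads user32.dll. The excerpt, the allow-list and the section names are constructed from the log above; the output is a triage lead, not a verdict from the thread.

```python
import re

# Constructed excerpt of the DDS log posted above, trimmed to the lines this triage needs.
DDS_EXCERPT = """\
============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg8\\avgssie.dll
mRun: [AVG8_TRAY] c:\\progra~1\\avg\\avg8\\avgtray.exe
AppInit_DLLs: avgrsstx.dll nxcywi.dll

=============== Created Last 30 ================

2008-12-27 15:41 15,504 a------- c:\\windows\\system32\\drivers\\mbam.sys
"""
# Analyst-maintained allow-list (assumption): avgrsstx.dll is explained by the
# AVG 8 resident shield that the log shows installed.
KNOWN_APPINIT = {"avgrsstx.dll"}
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

def parse_sections(text):
    """Split a DDS report into its '==== name ====' sections, dropping blank lines."""
    sections, current = {}, "HEADER"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections

def appinit_dlls(report):
    """Return the space-separated DLL names on the AppInit_DLLs line, if any."""
    for line in report.get("Pseudo HJT Report", []):
        if line.startswith("AppInit_DLLs:"):
            return line.split(":", 1)[1].split()
    return []

def triage_appinit(text):
    """Flag AppInit DLLs outside the allow-list; note whether the file listings mention them."""
    report = parse_sections(text)
    other = [l.lower() for ls in report.values() for l in ls
             if not l.startswith("AppInit_DLLs:")]
    findings = []
    for dll in appinit_dlls(report):
        if dll.lower() not in KNOWN_APPINIT:
            seen = any(dll.lower() in l for l in other)  # no path in the log = locate on disk
            findings.append({"dll": dll, "seen_elsewhere": seen})
    return findings
```

A DLL that is flagged but never appears in the "Created Last 30" or "Find3M" listings has no timestamp or path in the log, so its location and creation time have to be checked on the machine itself.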

#2 blackswordsman (Topic Starter)

  • Members
  • 8 posts

Posted 28 December 2008 - 08:36 AM

I have some new information on this. I thought I was fine last night, but when I went to my computer this morning AVG had found a file A0163573.dll and categorized it as a Trojan Horse BHO.GSS. I am still not getting pop-ups, but I am afraid that the virus is trying to reinstall itself somehow.

#3 blackswordsman (Topic Starter)

  • Members
  • 8 posts

Posted 03 January 2009 - 02:45 PM

Please close this thread; I have resolved the issue.

#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 05 January 2009 - 09:35 AM

Thank you for notifying us. I will now close this topic. Please PM any Moderator or the HijackThis Team should you need to re-open this topic.


Regards
fenzodahl512
