
Gadcom malware removal


  • This topic is locked
4 replies to this topic

#1 michellemm

michellemm

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:50 PM

Posted 07 January 2009 - 07:16 PM

Hey, I'm back after a few glitch-free years - I am relatively adept and have avoided major issues, but am also a 40-plus mom of 4 who just can't figure it all out and am SO grateful to all of you that spend your free time helping us out. I seem to have picked up the gadcom malware. I started getting popups today. Ran CCleaner, checked the start-up programs and found gadcom.exe. I did not delete it in start-up as I know there are more steps to take. I have Windows XP and am running AVG antivirus, which didn't find the virus. Here's my logfile and THANKS for any help you can give!
DDS (Ver_09-01-07.01) - NTFSx86
Run by mmills at 18:03:24.26 on Wed 01/07/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2450 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\DOCUME~1\mmills\LOCALS~1\Temp\stfD.tmp
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mmills\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.jacksonacademy.org/NetCommunity/Page.aspx?pid=183&srcid=-2
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070813
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCxdm801YYUS&fl=0&ptb=3bNYGQZKA.DsjWaXOCQ9CQ&url=http://www.ask.com/web&q={searchTerms}&l=zc&o=sb
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SearchPerks! Perk Counter: {2787ea8e-8d87-48af-88ad-b30246c917ab} - c:\program files\searchperks! perk counter\Bmbho.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\khfGyVnL.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {89ce2601-36e7-42a7-b0f5-4a6be2393a7e} - c:\windows\system32\rqRLcYPh.dll
BHO: {5f7763de-3e95-97d8-23f4-9ad1f395eb2f}: {f2be593f-1da9-4f32-8d79-59e3ed3677f5} - c:\windows\system32\clsrcw.dll
TB: SearchPerks! Perk Counter: {2787ea8e-8d87-48af-88ad-b30246c917ab} - c:\program files\searchperks! perk counter\Bmbho.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [gadcom] "c:\documents and settings\mmills\application data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: khfGyVnL - khfGyVnL.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: avgrsstx.dll clsrcw.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\khfGyVnL.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRLcYPh

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-20 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-11-16 26824]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-1-18 109616]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080116.038\naveng.sys [2008-1-18 82256]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080116.038\navex15.sys [2008-1-18 895312]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-20 231704]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
S3 GTKCMOS;GTKCMOS;c:\windows\system32\GTKCMOS.sys [2004-6-15 7882]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
S3 WipeFile;WipeFile;c:\windows\system32\drivers\WipeFile.sys [2007-3-3 57472]

=============== Created Last 30 ================

2009-01-07 17:27 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-01-07 17:26 <DIR> --d----- c:\program files\Panda Security
2009-01-07 17:19 <DIR> --d----- c:\program files\Trend Micro
2009-01-07 17:15 144 a------- c:\documents and settings\mmills\delete.reg
2009-01-06 23:46 1,320,839 ---sh--- c:\windows\system32\uayjkgsd.ini
2009-01-06 23:45 86,528 a------- c:\windows\system32\dsgkjyau.dll
2009-01-06 23:43 137,728 a------- c:\windows\system32\clsrcw.dll
2009-01-06 23:42 137,728 a------- c:\windows\system32\kvlgculv.dll
2009-01-06 23:36 714,917 a--sh--- c:\windows\system32\hPYcLRqr.ini2
2009-01-06 23:36 714,917 a--sh--- c:\windows\system32\hPYcLRqr.ini
2009-01-06 23:36 290,816 a------- c:\windows\system32\rqRLcYPh.dll
2009-01-06 23:31 <DIR> --d----- c:\docume~1\mmills\applic~1\gadcom
2009-01-06 23:31 57,856 a------- c:\windows\system32\khfGyVnL.dll
2008-12-26 13:17 <DIR> --dsh--- C:\found.000
2008-12-25 15:07 441 a------- c:\windows\system32\TDSSosvd.dat
2008-12-24 14:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2008-12-23 20:14 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-23 20:14 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-01-04 22:46 41,096 a------- c:\windows\system32\nvModes.dat
2008-12-28 14:36 40,960 ac------ c:\windows\DelPiv.exe
2008-12-13 00:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-15 14:11 88,923 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-07 16:45 2,174,976 -------- c:\windows\system32\dllcache\WMVCore.dll
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 07:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 07:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 10:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 01:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 01:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2007-12-08 10:00 381,012 ac------ c:\program files\Uninstall Fun Web Products.dll

============= FINISH: 18:07:06.42 ===============

Edited by michellemm, 07 January 2009 - 11:59 PM.
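The "Pseudo HJT Report" section of the DDS log above is where a responder looks first, because it lists every place Windows will load a module at boot, logon or browser start. The script below is an added example, not part of the post or of the DDS tool: it parses lines in that format, records which load points (BHO, Run, Notify, AppInit_DLLs, SEH, LSA) reference each module, and applies four triage heuristics of my own (unnamed BHOs, Run entries launched from a user-writable profile folder, LSA authentication packages beyond the stock msv1_0, and one module registered under several unrelated load points). The sample input is constructed from the entries posted above; the rule names and thresholds are assumptions, not anything DDS itself reports.

```python
"""Triage helper for the persistence section of a DDS log (added example,
not part of the original post or of DDS itself)."""
import re
from collections import defaultdict

# Constructed sample: persistence entries copied from the DDS log in the post above.
SAMPLE_REPORT = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\khfGyVnL.dll
BHO: {89ce2601-36e7-42a7-b0f5-4a6be2393a7e} - c:\windows\system32\rqRLcYPh.dll
BHO: {5f7763de-3e95-97d8-23f4-9ad1f395eb2f}: {f2be593f-1da9-4f32-8d79-59e3ed3677f5} - c:\windows\system32\clsrcw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [gadcom] "c:\documents and settings\mmills\application data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
Notify: khfGyVnL - khfGyVnL.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: avgrsstx.dll clsrcw.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\khfGyVnL.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRLcYPh
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Za-z_]+): (?P<body>.*)$")
# A drive-letter path running up to a closing quote or end of line (paths may contain spaces).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?(?=\s*(?:"|$))')
# A bare module name with an executable extension (as in Notify: and AppInit_DLLs: lines).
FILE_RE = re.compile(r"\b[\w~-]+\.(?:dll|exe|sys)\b", re.I)
EXT_RE = re.compile(r"\.(?:dll|exe|sys)$", re.I)
# Assumed heuristic: autostart entries living in these profile folders deserve a look.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")
KNOWN_LSA_PACKAGES = {"msv1_0"}  # the stock XP authentication package


def module_names(body):
    """Lower-case base names (extension stripped) of every module an entry refers to."""
    names = set()
    for path in PATH_RE.findall(body):
        # last path component; drop a ",EntryPoint" suffix from rundll32 invocations
        names.add(path.rsplit("\\", 1)[-1].split(",")[0])
    names.update(FILE_RE.findall(body))
    return {EXT_RE.sub("", n).lower() for n in names}


def analyze(report):
    """Return (findings, load_points). findings is a list of (rule, detail) tuples;
    load_points maps each module name to the set of load-point kinds that reference it."""
    findings = []
    load_points = defaultdict(set)
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if body.endswith("No File"):
            findings.append(("orphaned-entry", f"{kind}: {body}"))
            continue
        for name in module_names(body):
            load_points[name].add(kind)
        # Rule 1: a BHO registered by CLSID only, with no display name.
        if kind == "BHO" and body.startswith("{"):
            findings.append(("unnamed-bho", body))
        # Rule 2: a Run entry launched from a user-writable profile folder.
        if kind in ("uRun", "mRun") and any(p in body.lower() for p in USER_WRITABLE):
            findings.append(("run-from-profile", body))
        # Rule 3: LSA authentication packages beyond the stock one (loaded by lsass at boot).
        if kind == "LSA" and "Authentication Packages" in body:
            for pkg in body.split("=", 1)[1].split():
                if pkg.lower() not in KNOWN_LSA_PACKAGES:
                    findings.append(("extra-lsa-package", pkg))
        # AppInit_DLLs are injected into every process that loads user32; list them all.
        if kind == "AppInit_DLLs":
            for dll in body.split():
                findings.append(("appinit-dll", dll))
    # Rule 4: one module hooked into two or more unrelated load points.
    for name, kinds in sorted(load_points.items()):
        if len(kinds) >= 2:
            findings.append(("multi-load-point", f"{name}: {', '.join(sorted(kinds))}"))
    return findings, dict(load_points)


def multi_load_point_modules(report):
    """Names of modules that register under two or more load-point kinds."""
    _, load_points = analyze(report)
    return {n for n, kinds in load_points.items() if len(kinds) >= 2}


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_REPORT)[0]:
        print(f"[{rule}] {detail}")
```

On the sample, rule 4 is the one that does the most work: the three randomly named DLLs in the log (khfGyVnL, rqRLcYPh, clsrcw) are each wired into two or three different load points, which is not something a legitimately installed component normally does, while the Adobe, Intel and AVG entries each appear once.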


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:50 PM

Posted 08 January 2009 - 04:38 AM

Hi,

Your computer is indeed severely infected.
I also see you have the SearchPerks! Perk Counter Toolbar installed. I actually do not really recommend this one. See here why. So it may be better to uninstall it unless you believe this toolbar is really useful.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 michellemm

michellemm
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:50 PM

Posted 09 January 2009 - 10:52 AM

Thanks for trying to help! I got rid of SearchPerks. I tried to download the ComboFix using the instructions - went to all 3 sites and a few more I found. I disabled AVG and firewall, as instructed. When I downloaded it I didn't get the icon on the desktop, it was a different look but it was an application file. I tried several times to run it but when it started to install I got a pop-up box with a message saying something along the lines of Computer/Users/Mmills/Desktop/Combofix.exe is not a valid Win32 application. I reinstalled, tried several things but could not install it - got the same message each time. I rebooted (bad idea) and now I can't get past the Windows log-in screen. The Windows message comes up although it looks a little different - then the login screen. I can enter my password but that's as far as it goes - just stays on the login page. I tried starting in Safe mode several ways, still never got past that. I'm assuming whatever infection I have is causing this now. Do you have any references I can use to try and resolve this so I can get back to the ComboFix process? I'm sorry this is such a problem. THANKS AGAIN

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:50 PM

Posted 09 January 2009 - 11:37 AM

Hi,

It looks like we are in a lost-case situation because the malware has already damaged too much. The fact that ComboFix didn't look like how it's supposed to and displayed a "not a valid win32 application" message, plus the fact that you can't boot anymore, makes me think you were also dealing with a file infector. This means that all your executable files (legitimate ones) may be infected. This also means the system files, and may explain why your system won't boot anymore.
So what I suggest is, please format and reinstall Windows as this is the fastest and especially the safest way.

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:50 PM

Posted 16 January 2009 - 05:43 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.