1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Disabled by pdf attack gadcom.exe

By zronin99 ยท 51 replies
Dec 14, 2008
  1. Ok i was browsing on the internet when my broswer suddenly started loading a pdf file I didnt click on or was even near. Of course every thing froze an I waited to long to reboot.

    After which whenever I opened a browser I would get attacked by popups and fake virus warnings asking me to download so and so program. Or windows security. It dosnt popup in firefox as much but even if im running firefox it will open IE and bring all the popups from there. Even if im not connect it will try this for a little while even when I dont open a browser. It also takes a long time to delete files.

    So i relized i had a problem, I ran AVG anti virus and it found gadcom.exe (Trojan horse agent.AOQC) It said it healed it an needed to reboot so I did but im still having popup trouble so I switched computers as looked the file up.

    So I found the 8-step Vires/spyware/Malware Preliminary Removal Instructions. An im starting to go through them so i can get some logs up.
    One problem so far I cant disable AVG anti-spyware since im using the AVG free edition (V.8.0.176) it dosnt have an option to just disable the function, I found a way to disable the whole resident shield would this do it? or should I just leave things as they are?

    I installed and updated both Avira and Comodo, but Avira keeps detecting HEUR/Crypted (C:\WINDOWS\system32\lhtops.dll) an no matter what i do, deny access, ignore or move to quarantine it keeps coming up. Right now im running a system scan with Comodo. An I think Avira is scaning in the background.

    Im adding the events log but this HEUR thing is now coming up every few seconds 3 at a time.

    This is getting real bad this things come up as fast as i can close them, im going to abandon the Comodo scan and shutdown that computer untill I get a reply. I tried getting the other event that keeps repeating but its getting hard to use the computer so here it is.

    I didnt know how to get all the events into one txt file, but they are all the same so I just put what repeated into seperate files then copied them into one.

    Another problem is i dont know how to setup the SMTP thing so you can send a quarantined file to Avira to look at.
    EDIT: When I turn my computer back on an am able to wade through all the dectections I found away to upload sample files to Avira without having to setup this SMTP thing.

    All the events are the same for the lhtops.dll and qbjjhpmg.dll file. The second error message concerning the lhtops file normaly happens when I try sending it or qbjjhpmg to quarantine sorry I couldnt get the same message from for it into the log but it was getting real bad with those messages popping up an I couldnt even shutdown without having to just hold down the laptops power button.

    Thanks for your time and awaiting your reply.

    Ok after taking 20 minutes clicking on the dections from Avira I finally shut it down an ran a full system scan with MBA. After rebooting im going to boot into safe mode (If i can) and run superantispyware and atf cleaner.

    EDIT: Ok now my laptop is stuck at the windows xp screen with that little blue bar going back and forth. Should I just power it off and back on or continue waiting? cause someone told me that MBA needed to have a normal reboot to get rid of those files that needed a reboot. (Nevermind on that part im just shutting it down an bringing it back up in safe mode if i can, cause its been on that screen for more then 45 minutes ago. But still any one have any clues from the log?)

    Sorry I dont know how to merg the post, but 44 views an no one has any advise on this issue?

    Iv had been trying to update MBA but it seems like my router cut off my computer (I checked my router web interface from another computer in the house the day my laptop was infected and its security log was spammed with something about some flooding) So I can't get the laptop to connect to the net by wire to my router or wireless, I even unplug both the router and modem for several minutes hoping to reboot them but still can't connect on that laptop. (If u have any advise here it would be very helpful or even if you just know where I could ask about this problem )

    So I ran MBA then when I tried rebooting afterwards it stuck at the windows xp boot screen for an hour. So I shutdown and turned it back on, It booted fine but to get into safe mode I had to use SAS since for some strange reason my laptop won't normally boot into safe mode.

    So I ran AFT then SAS (scan took 6 hours)

    Everything seems fine now other then my inability to connect to that laptop out of the four computers running in my house.
    I deleted Comodo, Avira, SAS, hijackthis, AFT-cleaner and MBA thinking maybe one of them was causing this but still nothing. (I still have AVG running though)

    So hows my viral status look?
  2. rf6647

    rf6647 TS Maniac Posts: 829

    HJT shows both AVG & Avira running. Part of the symptoms could have been contention among the security programs.

    You're on the right track trying to establish connection with the router. Disable the AVG resident shield & Avira & Comodo. Can you call up the router status page from the infected computer? Does the IP renew? Any changes for the properties? - dynamic ip expected.

    As routers add security measures, a hard reset may be needed to clear restrictions. Disconnect infected computer. For the router, use the 'hard reset' method for the router (usually microswitch on back or underside). From a healthy computer, add a password (not default) to the router.

    Is safe mode with networking usable? What about normal mode?

    Then get back with the Updated 8-steps. Those 3 logs are key. Pick your protection. Re-run MBAM. Reboot is needed to clear infections found.

    It will be helpful to summarize your problem. You have tried much. Give us your impression.
  3. zronin99

    zronin99 TS Rookie Topic Starter Posts: 24


    Ok added new scans from MBA and hijackthis, also reinstalled MBA, hijackthis and SAS. When I installed one of these not sure which one it put a firewall on my wirless connecter and wired.

    I tried connected both in normaly boot and safe mode, however I get the same errors: If I try connecting by wire to the router then it says there was a error "Renewing the IP Adress" this same error happens if I try the repair option.

    When I try connecting with the wirless or repairing it, it says "Connection failed!"

    This are the same errors I get when none of the above programs are install and when they are and have there firewall up.

    I added the logs from MBA which found nothing *wipes brow* and hijackthis, however now I am still faced with the inability to connect to the internet from it. Oh I also tried connecting to the routers web interface with that computer but it timeout after trying to load it. The network connection shows up in the system tray as being limited or no connectivity.

    Do I still need to run SAS but that would take six and a half hours, should leave it out, try the hard reboot of the router first or just go ahead an start it so I can have its log up here by the morning? An one last thing could u explain about the adding of a password. (I have one that u have to enter to connect to the router if your computer never connected to it before but not one for if you log into the web interface)
  4. rf6647

    rf6647 TS Maniac Posts: 829

    This is one of three cases I'm studying that have networking problems following malware removal. Yours is the only one where safe mode with networking is not working.

    Going for the gusto (so to speak), if you can put ComboFix on a flash drive & load it on the infected computer, this is probably going to give diagnostic information, in addition to, a vigorous cleaning.

    Mflynn is leading this effort. The following post from mflynn has links to cleaning tools and ComboFix. You can expand that post to view the entire thread. Successive application of the tools removes parts of the infection that mask the 'real bad guy'. If practical, running the cleaners can't hurt, Every step improves the chances that the next step will succeed. Since MBAB has done its share to remove parts of the infestation, ComboFix will take it to the next level. 'Documents and Settings' is where I expect to find more of the infestation.

    This is a 'later', just-in-case piece of information. In the cited case, the member used the '/bootlog' switch in the boot.ini file. The 'ntbtlog.txt' file was scanned for oddities. It is difficult to judge if this was necessary before running ComboFix
  5. zronin99

    zronin99 TS Rookie Topic Starter Posts: 24

    Failed TDSSserv

    So I just started working with the post you sent me to however when I enter the two commands sc stop TDSSserv.sys and sc delete TDSSserv.sys I get this error '[SC] Open Service FAILED 1060:

    the specified service dose not exist as an installed service."

    im continuing on with the post however to see what can be done.

    Ran AFT it did find anything with firefox but did found a bout 100 MB of info to from main.

    Here is the info from X-cleaner's first scan:

    Dection details:

    Dected Spybouncer:
    CLSIDs (1):

    Registry Keys (1):


    Name: WhenU-Ucontrol

    Dection details:

    Dected WhenU-Ucontrol:
    CLSIDs (1):

    Registry Keys (1):


    I ran a second scan an found nothing, im going to move on to Malware Removal Tool and mod the post when I get its info. Ok I tried to run it in normal boot mode but when I clicked scan it gave this eror message "Error opening parent key" Then said "Scannig complete. No malware was found on your system" i'll pause here and wait for feedback on how to continue.
  6. rf6647

    rf6647 TS Maniac Posts: 829

    The plan developed by mflynn is geared toward wide coverage. The 'tdssserv' exploit is high on the list, but it was not present on your computer or was already handled. When a tool does not work, make note as you did and move to the next tool. We are trying to get info and cleaning where we can.

    Periodically check if networking has been recovered. For the two threats found, neither appears to attack networking.

    If other tools receive similar errors, then it will be considered. I want the tools to do the heavy work for us.
  7. zronin99

    zronin99 TS Rookie Topic Starter Posts: 24


    Ok I ran fixit and then MBA and then SAS, SAS found something so after a reboot a ran the two again. The second SAS scan is still going so i'll get it up when its finished. Then i'll move on to ComboFix and get a new HJT log after its done. The MBA logs are clean but SAS found one thing and im not sure what those logs from fixit really mean.

    (Still no luck with the connection though)
    (After the virus is dug out would WinsockXPFix.exe or something like that help?)
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    Ok you are looking good so far.

    These scans take a while so look at logs if clean no need to run again. You have 2 clean logs here.

    Now the SAS did have 1 items cleaned that should be gone from the one you are running.

    Now for you connect issue this should fix the Winsock plus more:

    Run SAS Click Preferences-Repairs Do these counting from top 7-9-10-11-13-14-15-16-17-19-20-21-22.

  9. zronin99

    zronin99 TS Rookie Topic Starter Posts: 24


    I ran the second SAS and it came out clean so i'll leave that log out and just load the Combofix log and the HJT that ran ran after.

    Im doing the repairs you said now you mean start from the seventh option and perform repair on that and the other numbers you mentioned right? An should I reboot as it asks to or wait until I repair everything thing restart?
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    Yes counting from the top down for each number.

  11. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi zronin99

    Opps! That ComboFix had several removals.

    Reboot, close all possible apps and run ComboFix again.

    Run HJT Scan only select and remove the below.
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    After seeing that ComboFix we may have a few steps yet but get me a new ComboFix log.

  12. zronin99

    zronin99 TS Rookie Topic Starter Posts: 24

    Still limited or no connectivity error

    Ran the SAS repairs and rebooted after, plug my wire into the laptop and after a few seconds I got the Limited or no connectivity sign. And when I tried repairing it failed to renew the IP address.

    Ok going back to redo the Combofix and HJT again.
  13. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, I jumped the gun, we really don't need to be fixing the connection issues until ComBofix is clean.

    Waiting for ComboFix log.

  14. zronin99

    zronin99 TS Rookie Topic Starter Posts: 24

    New logs

    Ok Combofix closed and gave me a log without rebooting, here it is with the new HJT log before and after I deleted the urlhook thing.
  15. mflynn

    mflynn TS Rookie Posts: 2,655

    OK do this this!

    D/L to Desktop: DDS by sUBs from one of these locations:


    double click DDS.scr to run

    When complete, DDS.txt will open.

    Click Yes for Optional Scan.
    Save both reports to your desktop.

    Attach the contents of both logs back here.

    Then do the below to hopefully get your access back.

    Copy for pasting all within the box then post to an open Command prompt. Disreguard any errors as it depends on config.
    @echo off
    ipconfig /all >"%USERPROFILE%"\Desktop\ipconfig.out
    ;Saves ip settings
    netsh interface ip delete arpcache
    ipconfig /flushdns
    ipconfig /release *
    ipconfig /renew *
    ipconfig /registerdns
    nbtstat -RR
    netsh winsock show catalog >"%USERPROFILE%"\Desktop\lsp.txt
    ;saves log of current settings
    netsh winsock reset catalog
    ;resets Winsock
    netsh winsock show catalog >>"%USERPROFILE%"\Desktop\lsp.txt
    ;winsock after rest
    netsh int ip reset >"%USERPROFILE%"\Desktop\tcpreset.txt
    ;reset TCP stack
    Then Reboot before trying to access www to test if fixed.

  16. zronin99

    zronin99 TS Rookie Topic Starter Posts: 24

    Here you go i'll try the command prompt stuff as soon as I finish my shower and let you know how it went.

    Thanks for all your help and time so far. :)

    should I have a cat wire connected while im doing this?
  17. mflynn

    mflynn TS Rookie Posts: 2,655

    Not necessary but plug in before booting back up.

  18. zronin99

    zronin99 TS Rookie Topic Starter Posts: 24

    Still no luck

    Still no improvements :( you want the files that it put on the desktop?
  19. mflynn

    mflynn TS Rookie Posts: 2,655


  20. zronin99

    zronin99 TS Rookie Topic Starter Posts: 24


    Here you go hope there useful. Just couldnt upload the ipconfig.out file. Oh and I just checked and found that it was SAS that was firewalling my connections, I turned off its boot at start up the second time I tried the connection and they were not listed as being firewalled.
  21. mflynn

    mflynn TS Rookie Posts: 2,655

    Hmm why could you not get the ipconfig file?

    Try rebooting and try to post it again!

    Then do this:

    Download Dial-A-Fix (DAF)

    Have XP CD available in case DAF needs a file.

    Check all boxes on the screen (clear any restrictions if it shows any)
    Then click GO!

    When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

    Here 1 at a time do the below

    Flush DNS
    Repair Permissions
    Reset networking

    Watch for any File not found or other errors and make note as this may lead to the fix!

    Reboot retest!

  22. zronin99

    zronin99 TS Rookie Topic Starter Posts: 24


    its says its an invalid file :/ would it work if i make it a zip file and upload. and in the should I continue with the step that you just gave me or wait till you can read the file?
  23. mflynn

    mflynn TS Rookie Posts: 2,655

    Nope just do the DAF in the last post.

    I feel we are close here so grunt it out.

  24. rf6647

    rf6647 TS Maniac Posts: 829

    Mike, thanks for the rescue. I'm a 1-trick wonderment (combofix). I'm delighted that you watch my efforts, and jump in when needed.

    For later consideration - this cleaned O4
    ORPHANS REMOVED .... HKCU-Run-Awasu - c:\program files\Awasu\awasu.exe

    Not handled
    O8 - Extra context menu item: Add to Awasu workpad - C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\awasu4
    O8 - Extra context menu item: Open in Awasu - C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\awasu5
    O8 - Extra context menu item: Open in default browser - C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\awasu6
    O8 - Extra context menu item: Subscribe in A&wasu - C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\awasu7

    Based on runscanner for awasu I gave this application a pass.
  25. mflynn

    mflynn TS Rookie Posts: 2,655

    It is just an RSS reader.

Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...