Disabled by pdf attack gadcom.exe

Status
Not open for further replies.
Do this next:

Download SDFix to the Desktop. Among other things it runs Catchme to look for rootkits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At the Desktop:
My Computer > C: drive. Double-click to open.

Look for a folder called SDFix. Double-click to enter SDFix.

Double-click RunThis.bat. Type Y to begin.

SDFix does its job.

When prompted, hit the Enter key to restart the computer.

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Mike
 
Hi zronin99

Post a HJT log! A pseudo hjt log is included in the DDS below but I need a regular HJT also.

D/L to Desktop: DDS by sUBs from one of these locations:

http://www.techsupportforum.com/sectools/sUBs/dds
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

Double-click DDS.scr to run.

When complete, DDS.txt will open.

Click Yes for Optional Scan.
Save both reports to your desktop.
DDS.txt
Attach.txt

Attach the contents of both logs back here.

Then do the below:

Download http://majorgeeks.com/Kaspersky_AVP_Tool_d4515.html
After download boot to Safe Mode and run it.

It is one of the most thorough Scans I know of and as such could run for hours. But you definitely need it.

I highly advise you take the time to do it! But do all the above first.

Mike
 
Here are the logs; the other scan is running.

Should I do a manual core scan with the malware remover program after the normal scan is done?
 
Rescan

Sorry, I had to leave the house and I forgot to plug the laptop in while the scan was running, so when I came back its juice was gone. So I'm rerunning the malware scan, then I'll do the manual core scan. But I still have to figure out a way to do the flash disinfect thing, because the CD-ROM drive doesn't work most of the time on the laptop (my idea of using my recovery discs if nothing else worked just went poof).

Maybe I'll have to buy a cheap little USB drive to use, and download the program on my Mac to move it to the laptop.... would that work?
 
I don't understand!

Download the Flash Disinfector program.

Plug in Flash drive. Before opening or accessing just run Flash Disinfector program.

You do now have internet access, right?

Bring me up to date on what works and what doesn't. What else do we need to fix?

Mike
 
Updates

The malware scan is probably going to be a while; it's at 16% with a run time of 2 hours 55 mins.

Only problems are with my DVD-ROM and connection. The DVD stopped reading DVDs without jerky play about a year ago, so I feel its laser might have been going out. But this year I used it for a few CD burns after I learned that if I burned a DVD it would do it but the sound on the DVD would come out wrong. (So I saved DVD burning for either of the other two laptops in the house.) But now the DVD-ROM doesn't even show up in My Computer. Just C drive and D (Recovery partition).

The wireless connection started getting iffy a few months ago when I tried playing a really demanding MMORPG using it, so I switched to a wired connection with it and stopped playing the game, and the wireless had gotten back together, but I stuck with the wire since it was faster and that laptop stays in one part of the house mostly. But now I have this problem we're working on. :(

Thank you to everyone for helping.
 
I still didn't after the DAF scan. I'll check again after this malware scan is done; I think it needs another 5 hours, it's at 51% at 5 hours and 20 mins run time. I'd need to reboot to check it because I don't think I booted into Safe Mode with Networking.

Ok, here are the logs from my first AVP scans. There was one trojan, so I'm running the scan again, so it will probably be another 15 hours; then I'll run the flash disinfect and another HJT if you need it.

Sorry, the syscheck was in HTML format unzipped so I couldn't upload it like that. So just in case I opened it and copied it into a doc file. If I opened it on the laptop could I just click on delete to delete the stuff Comodo left behind when I deleted it? (My connection had been working before I downloaded Comodo, MBA, HJT and SAS; I had even updated one program I think, but after that my connection went out during a scan, or before or after, not really sure exactly when.)

Ok sorry, totally forgot to add the log before I posted that reply.... The file is 4KB over the limit for attachments. Could I just post it as a reply or as a text edit to this post?
 
The one Trojan was pretty harmless.

I would not spend the time to do another AVP scan.

Abort it, reboot and define the remaining problems. Tell me like you have not even told me before.

I need to know exactly what doesn't work and when!

Mike
 
Current status

The only remaining problem is my inability to connect to the internet by wire or wireless on the laptop.

After I got the virus the internet connection was fine, and that's how I realized I had one, since I was getting a large amount of popups and being sent to all kinds of pages no matter what I put in.

So to avoid the problem of unstoppable pop-ups I unplugged the wire for the laptop and shut it down. Using my iMac I found people on forums with similar problems, so I downloaded the software that was recommended: MBA, SAS, Comodo firewall, HJT and Avira virus scan.

I moved the programs to my laptop by USB and started installing them. I was even able to update one before my connection dropped. I also was able to look at SAS's virus database to see what gadcom.exe was.

After finding that the scans were taking horribly long, I a two year old backup folder in the C drive that took up 16GB and crunched the newer (but also 2 year old) backup folder down to 5GB. And left the D partition that has a locked recovery folder in it.

It was after all of this, when I was trying to update MBA and SAS to run their scans, that I realized I was getting limited or no connectivity on that laptop. Then I tried repairing the wired connection and, after saying it was renewing the IP address for some time, it finally said there was a problem renewing the IP and to contact my network manager. So I tried enabling the wireless on the laptop and it quickly gave me a connection failed error.
 
OK now I understand!

Boot to Safe Mode Networking and see if you can browse there.

If not get this there and run it!

So do the below instead.
----------------------------------------------------------------------------------------------------------------------------------

Run SAS click Preferences-Repairs.

Counting from top do the below:
5-7-9-10-11-13-14-15-16-19-20-21-22

Reboot retest!
----------------------------------------------------------------------------------------------------------------------------------
If the above doesn't work then continue below. Do not do the below if the above works!

Copy all in the box then paste to an open command prompt. Should close when complete.

Code:
@echo off
REM Saves the current IP settings to the Desktop for review
ipconfig /all >"%USERPROFILE%\Desktop\ipconfig.out"

netsh interface ip delete arpcache

ipconfig /flushdns

ipconfig /release *

ipconfig /renew *

ipconfig /registerdns

nbtstat -RR

REM Saves a log of the current Winsock catalog (LSPs) before the reset
netsh winsock show catalog >"%USERPROFILE%\Desktop\lsp.txt"

REM Resets Winsock
netsh winsock reset catalog

REM Winsock catalog after the reset, appended to the same log
netsh winsock show catalog >>"%USERPROFILE%\Desktop\lsp.txt"

REM Resets the TCP/IP stack and logs what was reset to the Desktop
netsh int ip reset "%USERPROFILE%\Desktop\tcpreset.txt"


Reboot before testing.

Attach back the files created on Desktop then you may delete them.
 
SAS

No improvement trying to access the net from Safe Mode with Networking. So now I'm running SAS on it. When it asks to reboot, do I just keep repairing everything I need to repair before rebooting back into Safe Mode to try the net again, or reboot back to Safe Mode after every fix that requires a reboot?

Ok, ran all the SAS repairs and afterwards rebooted back into a normal boot. No luck on fixing the problem there. I'll put up a new post when I get the logs from the command prompt.
 
Just like it says do the SAS operation and reboot, if no joy then continue with the copy paste operation.

Back to Safe Mode Networking.

Reboot again to test for fix.

Mike
 
Still not working

Ok, did the command prompt stuff, but I didn't reboot after netsh winsock reset catalog like it asks; instead I entered the last three commands then rebooted. After the reboot it still didn't work, same error message. Should I do it again, rebooting after netsh winsock reset catalog, then reopening the command prompt and entering the last two commands, then testing it?

Here's the tcp log, because each time I tried uploading it it said "tcpreset.txt:
You have already attached this file in thread : Disabled by pdf attack gadcom.exe" even when I renamed it to tcpreset2.txt.... :/

One or more essential parameters were not entered.
Verify the required parameters, and reenter them.
The syntax supplied for this command is not valid. Check help for the correct syntax.

Usage: reset [name=]<string>

Parameters:

Tag Value
name - The name of a file to which to append information
regarding what settings were reset.

Remarks: Resets TCP/IP and related components to a clean state.

Examples:

reset resetlog.txt


Oh, one last question: with ipconfig /release and ipconfig /renew am I supposed to be putting something where that * is, or just leave the *?
 
There was a typo in the following line, so paste the below to the command prompt and get me the tcpreset.txt

netsh int ip reset "%USERPROFILE%\Desktop\tcpreset.txt"
exit
exit

Mike

EDIT:

OK, let's do one connection at a time. So plug in the wired network cable.

Confirm you have a light on the router for the cable by plugging and unplugging. This confirms the cable is OK and is connecting.

Then do the below.

Start-Run
type
Services.msc
click OK or hit enter

Maximize to see better.

Confirm the following services are set to Automatic and started.

Computer Browser
DHCP Client
DNS Client
Server
Wired Autoconfig
Wireless Zero configuration
Workstation

Let me know which ones were off.

Mike
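The services check above, automated as an added PowerShell example (this is not Mike's script and not part of the thread): it reads each service's start mode and state through WMI, lists any that are not Automatic or not Running so the list can be pasted back, and with -Fix sets them to Automatic and starts them. The short service names are assumed to be the standard Windows XP/Vista names for the display names Mike lists.

```powershell
# Added example, not part of the thread. Maps the display names Mike lists to
# their short service names (assumed: standard Windows XP/Vista names) and
# reports anything that is not Automatic + Running.
param(
    [switch]$Fix   # pass -Fix to set the start mode to Automatic and start the service
)

$expected = @{
    'Computer Browser'            = 'Browser'
    'DHCP Client'                 = 'Dhcp'
    'DNS Client'                  = 'Dnscache'
    'Server'                      = 'LanmanServer'
    'Wired AutoConfig'            = 'dot3svc'
    'Wireless Zero Configuration' = 'WZCSVC'        # XP name; Vista and later use WLAN AutoConfig (WlanSvc)
    'Workstation'                 = 'LanmanWorkstation'
}

$problems = @()
foreach ($display in $expected.Keys) {
    $name = $expected[$display]
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State on PowerShell 2.0, so this runs on XP
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        $problems += "$display ($name): service not present on this system"
        continue
    }
    if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') {
        $problems += "$display ($name): StartMode=$($svc.StartMode) State=$($svc.State)"
        if ($Fix) {
            # Both cmdlets need an elevated prompt
            Set-Service -Name $name -StartupType Automatic
            Start-Service -Name $name -ErrorAction Continue
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'All listed services are Automatic and running.'
} else {
    Write-Output 'Services needing attention (paste this list back in the thread):'
    $problems | ForEach-Object { Write-Output "  $_" }
}
```

Run it once without -Fix to get the report (on this thread's laptop it would list Wired AutoConfig as Manual and not running), then from an elevated prompt with -Fix to apply the change; a "not present" line for Wireless Zero Configuration on Vista or later is expected, not a fault.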
 
Wired autoconfig

Wired AutoConfig was the only one not started and not Automatic; it is on Manual and its status is blank.

Seems I see all your new posts really late, because every 10 or twenty minutes I refresh to see if there's an update if someone is on, but I normally only see them if I leave for an hour and when I refresh it says there are new messages from before that hour or however long I left. :/

Ok, I turned Wired AutoConfig to Automatic startup and ran WinsockFix, then restarted, plugged the wire in and tried testing it; still not working.... But I have realized that when I leave the wire plugged into that laptop for a while and try repairing it again and again, my router bottoms out; it disconnects from the internet (its internet icon starts flashing yellow), so I have to unplug the laptop and then the router for a couple of seconds before I can get the internet on my other computers again.
 
I am not sure if the network connection problem was finally answered.

Your specific question was for using /bootlog, one of the boot.ini switches.

To edit boot ini, I suggest
Start > Run > control sysdm.cpl,,3 > Advanced tab > Settings > Edit >

I would duplicate the entry that matches the same one referenced by "default" and probably begins ...
  • multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP Professional

I would add switches to the duplicate line and name it "xp with bootlog".

This alters the boot in that you are offered choices. You can shorten the display timeout for this menu (on the 'settings' panel)

Additional info
DSS scanner gives info for errors detected in the events logs. After all the cleaning to-date, it would be helpful to restart the computer & run DSS for a fresh view.

I've introduced so many Windows XP users to the Event Viewer that I made my own 'sticky'. (Vista has it also- path is slightly different) It's not 'stuck' anywhere on this board, but please feel free to use it any time. Here is the entire post:
 
Living with Gadcom.exe

Hello

After becoming afflicted with this nasty little trojanesque virus, I went to Google to see what I could do to get rid of it. Everything seemed too complicated. My McAfee (free with Cox cable internet) couldn't even find it and remove it.
So, I figured to mess with it myself:

I decided to delete it. Cannot be done.

I then decided to change its location and move it to a new folder on the desktop - since I couldn't delete it I wasn't sure I would be "allowed" to move it...but it moved to its new folder no problem. It also couldn't be "found" back in its old folder.

Okay - I thought genius that's done...I also thought I could then do the same thing and move to a cd and just get it off the computer altogether but that didn't work. At least it was not where the program that wrote said to look for it...but my troubles were not over. It was in my registry and still working behind the scenes...so my brother comes over and decides to rename it from gadcom.exe to gadcom.wpd (or whatever) then checks it off the registry start up. This seems to work. While it is still in the computer the program has no idea how to find it to get it going.

It only ever got in because my daughter was on with Picaboo tech support to make a wedding album and couldn’t download the program - they told her to turn off the firewall - never told her to turn it back on and she has no clue so unbeknownst to me - we were not protected in the very easiest of ways.

We now run the firewall and an antivirus program so I hope this thing won't activate again...any idea if this is the best fix for an untechy like me?
 
Lindae - please open a new thread

.....We now run the firewall and an antivirus program so I hope this thing won't activate again...any idea if this is the best fix for an untechy like me?

Members should begin a new thread to discuss their problems or raise their questions. You are vague about your choice of protections, and one might assume you are fishing for recommendations. If this is the essence of your post, then read this, where the discussion turns to firewalls & protections.

Others may view this question applies to the method used to remove the infection. For this I suggest - Following the Guide: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions creates a common beginning for an initial assessment.
 