Trojan - Win32/Gael.d

pomes (New Member)
I have a Trojan that Windows Malicious Software Removal Tool has defined as "Win32/Gael.d". Does anybody have any clues about how to get rid of it?
It has made my computer slower and I can't open some applications. I saw on the internet that it infected the files inside 'C:/WINDOWS'.
Can anyone help?
 
Let's see what's going on with your computer:


Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.



Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


In your next reply I will need:
  • The Combofix log
  • The Hijackthis log
 
HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 8:53:14 AM, on 25/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [Hide Windows 2.0] C:\Program Files\Hide Windows\Hide Windows 2.0.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Startup: Favourites -- 4 and 5 Star Rated.lnk = C:\Documents and Settings\James\My Documents\My Music\My Playlists\My Favourites.wpl
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Windows Media Player.lnk = C:\Program Files\Windows Media Player\wmplayer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Favourites -- 4 and 5 Star Rated.lnk = C:\Documents and Settings\James\My Documents\My Music\My Playlists\My Favourites.wpl
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: Windows Media Player.lnk = C:\Program Files\Windows Media Player\wmplayer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192611096484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1192910693875
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 
ComboFix Log

ComboFix 08-05-21.3 - James 2008-05-25 8:55:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.242 [GMT 10:00]
Running from: G:\virus stuff\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\James\Application Data\ezpinst.log
C:\Documents and Settings\James\Application Data\inst.exe
C:\WINDOWS\clofghls.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-22 20:04 . 2008-05-22 20:05 <DIR> d-------- C:\Program Files\DebugMode
2008-05-22 19:21 . 2008-05-22 19:21 <DIR> d-------- C:\Program Files\Free Audio Pack
2008-05-22 19:21 . 2003-08-07 15:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-05-11 21:09 . 2008-05-11 21:09 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-11 18:17 . 2008-05-11 21:07 234 --a------ C:\Documents and Settings\James\dl.exe
2008-04-30 19:52 . 2008-05-11 19:30 <DIR> d-------- C:\WINDOWS\speech
2008-04-30 19:52 . 2008-04-30 19:52 <DIR> d-------- C:\DVDVideoSoft
2008-04-30 19:48 . 2008-05-11 19:36 <DIR> d-------- C:\Program Files\Convert
2008-04-30 19:48 . 2008-04-30 19:48 <DIR> d-------- C:\Program Files\Blaiz Enterprises
2008-04-30 19:45 . 2008-04-30 19:51 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-04-30 17:22 . 2008-04-11 11:51 <DIR> d-------- C:\Documents and Settings\James\.gimp-2.4
2008-04-30 17:21 . 2008-04-30 19:48 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-04-27 17:19 . 2008-05-11 19:35 <DIR> d-------- C:\Program Files\ReadPlease 2003
2008-04-27 14:46 . 2005-02-24 14:10 2,084,864 --a------ C:\WINDOWS\system32\AudDesign.dll
2008-04-27 14:46 . 2005-03-11 19:37 1,986,560 --a------ C:\WINDOWS\system32\AudFile.dll
2008-04-27 14:46 . 2005-02-24 14:11 1,212,416 --a------ C:\WINDOWS\system32\AudioInfos.dll
2008-04-27 14:46 . 2005-02-24 14:11 479,232 --a------ C:\WINDOWS\system32\AudioVisu.dll
2008-04-27 14:46 . 2005-02-24 17:21 458,752 --a------ C:\WINDOWS\system32\AudPlayer.dll
2008-04-27 14:46 . 2005-03-10 18:00 454,656 --a------ C:\WINDOWS\system32\AudioRecord.dll
2008-04-27 14:46 . 2005-02-24 14:10 417,792 --a------ C:\WINDOWS\system32\AudDisplay.dll
2008-04-27 14:46 . 2005-02-24 13:51 348,160 --a------ C:\WINDOWS\system32\WMAFile.dll
2008-04-27 14:46 . 2005-01-10 12:54 116,296 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-04-27 11:26 . 2008-04-27 18:01 263,168 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-04-27 11:26 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-04-26 16:12 . 2008-04-30 19:51 <DIR> d-------- C:\Documents and Settings\James\Application Data\Nvu
2008-04-25 13:18 . 2008-04-30 19:48 <DIR> d-------- C:\Program Files\Hide Windows
2008-04-25 13:16 . 2008-05-11 19:36 <DIR> d-------- C:\Program Files\Nvu
2008-04-25 13:10 . 2008-05-11 19:36 <DIR> d-------- C:\Program Files\7-Zip
2008-04-25 13:07 . 2008-05-25 07:25 <DIR> d-------- C:\Program Files\Taskbar Shuffle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 09:03 --------- d-----w C:\Documents and Settings\James\Application Data\Any Video Converter
2008-05-11 09:35 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-11 09:35 --------- d-----w C:\Program Files\VIDEOzilla
2008-05-11 09:35 --------- d-----w C:\Program Files\VectorWorks 12.5.1
2008-05-11 09:35 --------- d-----w C:\Program Files\Turret Wars
2008-05-11 09:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-11 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-10 09:54 196,608 ----a-w C:\WINDOWS\system32\TubeFinder.exe
2008-04-30 10:36 --------- d-----w C:\Program Files\Macromedia
2008-04-30 10:35 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-04-27 08:00 94,208 -c--a-w C:\WINDOWS\system32\igfxext.exe
2008-04-27 07:59 9,728 -c--a-w C:\WINDOWS\system32\cisvc.exe
2008-04-27 07:58 772,096 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe
2008-04-27 07:58 747,520 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2008-04-27 07:58 741,376 -c--a-w C:\WINDOWS\iun6002.exe
2008-04-27 07:58 72,704 ----a-w C:\WINDOWS\notepad.exe
2008-04-27 07:58 38,912 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\notiflag.exe
2008-04-27 07:58 310,272 ----a-w C:\WINDOWS\IsUninst.exe
2008-04-27 07:58 22,528 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\hscupd.exe
2008-04-27 07:58 162,304 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe
2008-04-27 07:58 154,624 -c--a-w C:\WINDOWS\PCHEALTH\UploadLB\Binaries\uploadm.exe
2008-04-27 07:58 150,016 -c--a-w C:\WINDOWS\regedit.exe
2008-04-27 07:58 103,424 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpHost.exe
2008-04-27 07:57 9,728 ----a-w C:\WINDOWS\delttsul.exe
2008-04-27 07:57 380,928 -c--a-w C:\WINDOWS\Help\Tours\mmTour\tour.exe
2008-04-27 07:57 14,336 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:47 --------- d-----w C:\Program Files\Infogrames
2008-04-13 01:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 00:57 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-04-13 00:47 --------- d-----w C:\Documents and Settings\James\Application Data\AVS4YOU
2008-04-13 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-04-13 00:32 --------- d-----w C:\Program Files\Ashampoo
2008-04-13 00:32 --------- d-----w C:\Documents and Settings\James\Application Data\Ashampoo
2008-04-11 05:26 --------- d-----w C:\Program Files\Google
2008-03-30 08:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle VideoSpin
2008-03-30 03:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 02:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\VideoSpin
2008-03-30 02:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-25 09:28 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-25 09:28 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-10-20 23:40 47,360 -c--a-w C:\Documents and Settings\James\Application Data\pcouffin.sys
2007-05-19 07:26 16 -csha-w C:\WINDOWS\emjlhgdm.dat
.

------- Sigcheck -------

2008-04-27 17:55 2060544 86f88c7e4f9baeaeee6f6ce0c0ca962d C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2008-04-27 17:56 2063104 21ed0d422ad9c6e476afec47dd9e8b87 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2008-04-27 17:56 1873408 3d8cb7ea3ee8c1f33f9d858256f75246 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2008-04-27 17:56 2018816 f610be5d7da1ce9dfda6b9a708c700ab C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2008-04-27 17:57 2018816 e49eeb20d18d7ed4402eaac167b82c58 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-27 17:57 2061312 aa4dea75ac68120641664c6205bfd561 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2008-04-27 17:59 2060544 f8408d01888b6b670983a2a0059a4ae2 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2008-04-27 18:01 2019328 07364e9c91bd375af1486d8b53baff54 C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-27 18:00 2061312 aa4dea75ac68120641664c6205bfd561 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2008-04-27 17:47 1961984]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-05-25 07:28 167936]
"Taskbar Shuffle"="C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe" [2008-05-25 07:29 822272]
"Hide Windows 2.0"="C:\Program Files\Hide Windows\Hide Windows 2.0.exe" [2008-05-25 07:28 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 10:24 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 10:11 114688]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-11 10:45 774144]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-04-27 18:01 155648]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [2008-04-27 17:53 30720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-25 19:28 185896]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30 45632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-25 07:29 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-04-27 17:50 33280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-27 18:01 57856 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 37888]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 733184]
Favourites -- 4 and 5 Star Rated.lnk - C:\Documents and Settings\James\My Documents\My Music\My Playlists\My Favourites.wpl [2007-11-01 18:55:18 118907]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2007-11-08 16:40:11 58880]
Windows Media Player.lnk - C:\Program Files\Windows Media Player\wmplayer.exe [2005-01-28 13:44:28 67584]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 ScFBPNT2;CanoScan FBP2 Port Driver;C:\WINDOWS\system32\drivers\ScFBPNT2.SYS [1999-05-21 01:00]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 08:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c086a790-ecdd-11dc-9eb9-000cf17faae0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6571ac8-6cf4-11dc-90a9-000cf17faae0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-24 21:45:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 08:59:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-05-25 9:02:33
ComboFix-quarantined-files.txt 2008-05-24 23:01:31

Pre-Run: 6,692,642,816 bytes free
Post-Run: 6,734,999,552 bytes free

166 --- E O F --- 2008-04-27 06:29:54
 
Win32/Gaelicum.A

I have discovered that it has infected .exe files. I am unable to run many of my programs from the .exe files and my stored setup .exe files are corrupted, with the error message: "The setup files are corrupted. Please obtain a new copy of the setup files". I have researched this online and it says that error message happens when the file isn't completely downloaded. I know this isn't right, as the same copy worked fine minutes earlier on my other machine.

I have tried many virus scanners to remove the infection, such as Spybot Search and Destroy, SUPERAntiSpyware & Ad-Aware. SUPERAntiSpyware found one or two infected files on two different occasions: one belonging to realplayer, but I can't remember which program the other belonged to. I did a scan with AVG 8.01 and it found around 2000 infected files. It called the infection Win32/Gaelicum.A. When I tried to open Task Manager, AVG popped up and said that taskmgr.exe was infected. So I moved the file to the vault, hoping to fix the problem. The same happened when I right-clicked the desktop and clicked Properties to try and change my wallpaper. Again, I moved rundll.exe (or something similar) to the vault. I now know from research online that this was a bad idea and wish to undo this. After the scan, AVG said that to complete the scan it must reboot the computer, with options "Yes" and "No". I clicked yes and the system restarted. When it booted up, I heard the bootup sound, and then the screen changed from the usual popup bootup window to "Logging You Off". This now happens whenever I try to bootup my computer, even when I start in safe mode. Please help!
 
Ok it has been a long time since your post, I'm sorry I didn't reply sooner.

Please post a new combofix log; download a new version of combofix by following the instructions I gave you earlier in this thread.
 
Unable to bootup

I'm sorry, but I am unable to boot up my computer, even in safe mode. Is there any chance of fixing this?
 
You can't turn it on?

If not I don't know how we can fix this. I'll ask other experts to have a look at your infection.
 
Bootup

After the scan, AVG said that to complete the scan it must reboot the computer, with options "Yes" and "No". I clicked yes and the system restarted. When it booted up, I heard the bootup sound, and then the screen changed from the usual popup bootup window to "Logging You Off". This now happens whenever I try to bootup my computer, even when I start in safe mode.

Thank you for your help and quick reply. I will take it to my local PC shop and ask them to have a look at it if we are unable to fix it
 
you can't turn it on??? Does it power up?? It should be able to do a restore before the combo fix log...... :cool:
 
I'm afraid I have some bad news.

As you already know, Win32/Gaelicum.A is a nasty file infector which infects all of your executable files. It is also network aware and can spread to other machines on the network. For that reason, I suggest you run a scan of any other machines you have on the same network as the infected one.

With a file infector such as this the only way I would trust the system is to do a full format/reinstall of your operating system and all your programs. There is really no other way to be confident of your system being stable, as even if your files are disinfected they may be damaged beyond repair by the disinfection process.

You can see a guide on how to reinstall Windows XP at http://www.theeldergeek.com/xp_home_install_-_graphic.htm. Make sure you select the option to format the drive when prompted. Please note that this will destroy all data on the drive. If there is anything important on the drive that has not been backed up we can do so BEFORE the system is reformatted if you have an external drive that we can back up to, but since your system will not boot it will take time and effort. Also, you will not be able to back up any executable files as they will be infected as well. Please let me know if you'd like to attempt to do so.
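The Find3M section of the ComboFix log earlier in the thread shows a run of system executables under C:\WINDOWS (regedit.exe, notepad.exe, msconfig.exe and others) all modified in the same minute, which is the footprint a file infector leaves behind, although a legitimate patch can leave the same trace, so it is a lead to verify, not proof. As an added triage example that is not from the thread, from ComboFix or from any of the posters, the Python below parses Find3M lines and groups executables by modification minute; the sample input is copied from the log above, and the file-extension list and the cluster threshold are assumptions.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the Find3M report in this thread's ComboFix log.
SAMPLE_FIND3M = r"""
2008-05-10 09:54 196,608 ----a-w C:\WINDOWS\system32\TubeFinder.exe
2008-04-30 10:36 --------- d-----w C:\Program Files\Macromedia
2008-04-27 08:00 94,208 -c--a-w C:\WINDOWS\system32\igfxext.exe
2008-04-27 07:59 9,728 -c--a-w C:\WINDOWS\system32\cisvc.exe
2008-04-27 07:58 772,096 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe
2008-04-27 07:58 747,520 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2008-04-27 07:58 741,376 -c--a-w C:\WINDOWS\iun6002.exe
2008-04-27 07:58 72,704 ----a-w C:\WINDOWS\notepad.exe
2008-04-27 07:58 38,912 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\notiflag.exe
2008-04-27 07:58 310,272 ----a-w C:\WINDOWS\IsUninst.exe
2008-04-27 07:58 22,528 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\hscupd.exe
2008-04-27 07:58 162,304 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe
2008-04-27 07:58 154,624 -c--a-w C:\WINDOWS\PCHEALTH\UploadLB\Binaries\uploadm.exe
2008-04-27 07:58 150,016 -c--a-w C:\WINDOWS\regedit.exe
2008-04-27 07:58 103,424 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpHost.exe
2008-04-27 07:57 9,728 ----a-w C:\WINDOWS\delttsul.exe
2008-04-27 07:57 380,928 -c--a-w C:\WINDOWS\Help\Tours\mmTour\tour.exe
2008-04-27 07:57 14,336 ----a-w C:\WINDOWS\hh.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-05-19 07:26 16 -csha-w C:\WINDOWS\emjlhgdm.dat
"""

# Assumed set of extensions a file infector would target.
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl")

# Find3M line layout: "<date> <time> <size|---------> <attrs> <path>"; the path may contain spaces.
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_find3m(text):
    """Return a list of dicts (modified, size, attrs, path); non-matching lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue  # section banners, dots and blank lines
        modified, size, attrs, path = m.groups()
        entries.append({
            "modified": modified,
            # Directories carry "---------" instead of a byte count.
            "size": None if size.startswith("-") else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
        })
    return entries


def is_executable(entry):
    """True for a non-directory entry whose name has an executable extension."""
    return entry["attrs"][0] != "d" and entry["path"].lower().endswith(EXEC_EXT)


def executable_clusters(entries, min_files=5):
    """Group executables by modification minute and keep groups of min_files or more.

    Many executables touched in the same minute is the pattern to investigate further
    (compare against patch history before concluding it is an infector).
    """
    groups = defaultdict(list)
    for entry in entries:
        if is_executable(entry):
            groups[entry["modified"]].append(entry["path"])
    return {ts: paths for ts, paths in groups.items() if len(paths) >= min_files}


if __name__ == "__main__":
    for ts, paths in executable_clusters(parse_find3m(SAMPLE_FIND3M)).items():
        print(f"{ts}: {len(paths)} executables modified in the same minute")
        for p in paths:
            print("   ", p)
```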
 
:eek::eek::eek::eek::eek: WOW!!! That must be bad!
 
My bootup

The computer does power on, but when it shows my wallpaper and "Loading Your Personal Settings", it changes to "Logging Off". It then returns to "Loading Your Personal Settings", then back to "Logging Off".
 
Backup

I'm afraid I have some bad news.
If there is anything important on the drive that has not been backed up we can do so BEFORE the system is reformatted if you have an external drive that we can back up to, but since your system will not boot it will take time and effort.

How do you think I should go about backing up my files? All my important files are inside My Documents and I think it is about 10GB
 
See the guide at http://www.nu2.nu/pebuilder/#start to create a BartPE CD using your good PC. Set your infected PC to boot from CD (see http://www.windowsreinstall.com/articles/bios/).

Insert the BartPE CD you created and boot from it. This should take you into a Windows like environment which you can use to copy your My Documents folder (which should be located at C:\Documents and Settings\<User Name>\My Documents) to a portable drive or separate drive/partition if your computer has one.

If you don't have a portable drive and want to burn to CD or DVD instead you will need to install a plugin as at http://www.nu2.nu/pebuilder/pluginhelp/deepburner.htm

If this is confusing, the steps to follow are:
1. Download and install the PE Builder from http://www.nu2.nu/pebuilder/#download
2. Only if you need CD/DVD Burning: Follow the instructions at http://www.nu2.nu/pebuilder/pluginhelp/deepburner.htm to add the DeepBurner plugin.
3. Run the PE Builder. If you need the DeepBurner plugin, click the Plugins button and add it. Click Build.
4. Boot from the PE CD you created and use it to back up your files.
 
Another drive

Have you got another drive you're able to install the OS on?

Well, I don't have a blank hard drive. Are you also thinking that I could hook up that one as the master drive and install windows on it and then put my original drive as the slave and copy my files over?

Thank you very much!
 
Bart PE Builder

See the guide at http://www.nu2.nu/pebuilder/#start to create a BartPE CD using your good PC. Set your infected PC to boot from CD (see http://www.windowsreinstall.com/articles/bios/).

I did this and unfortunately no success. I got an error message:
File \i386\system32\ntkrnlmp.exe could not be loaded. The error code is 4096.
Setup cannot continue. Press any key to continue.

Thank you for your help but unfortunately it hasn't worked. Do you have any other ideas?
 