Spyware, viruses, & security : Trojan - Win32/Gael.d
Post 1 of 9

Trojan - Win32/Gael.d

by pomes27 - 5/15/08 3:06 AM

I have a Trojan that Windows Malicious Software Removal Tool has defined as "Win32/Gael.d". Does anybody have any clues about how to get rid of it?
It has made my computer slower and I can't open some applications. I saw on the internet that it infected the files inside 'C:/WINDOWS'.
Can anyone help?

Post 2 of 9

W32/Gael.worm.a

by Marianna Schmudlach Moderator - 5/15/08 9:00 AM In reply to: Trojan - Win32/Gael.d by pomes27

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

http://vil.nai.com/vil/content/v_134857.htm

Try an on-line scan:

Please run the Housecall online virus scan located at:
http://housecall.trendmicro.com/
Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system.
When the scan is finished, please restart your computer.

Then please run the Panda scan here:
http://www.pandasoftware.com/
Panda ActiveScan on the left .
Choose to "Disinfect automatically," and follow the prompts. Delete any viruses found, and restart your computer.

Finally, please run the WindowSecurity trojan scan here:
http://www.windowsecurity.com/trojanscan/
Remove any trojans found, and restart your computer.

Post 3 of 9

RE: W32/Gael.worm.a

by pomes27 - 5/17/08 5:39 PM In reply to: W32/Gael.worm.a by Marianna Schmudlach Moderator

Thanks for your input, but I am unable to access the internet on the infected computer, so are there some fully updated downloadable scans that I can download and run offline on the computer with the virus?
Thank you for your help.

Post 4 of 9

You could download......

by Marianna Schmudlach Moderator - 5/17/08 6:17 PM In reply to: W32/Gael.worm.a by Marianna Schmudlach Moderator

Operating Systems: Microsoft ® Windows 2000, XP,

Please download Malwarebytes Anti-Malware or alternate download link

* Make sure you are connected to the Internet.
* Double-click on Download_mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
* - Update Malwarebytes' Anti-Malware
* - Launch Malwarebytes' Anti-Malware
* Then click Finish.
* MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

* On the Scanner tab:
* - Make sure the "Perform Quick Scan" option is selected.
* - Then click on the Scan button.
* The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.
* Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

* -- Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".

..

Trend Micro calls it: PE_TENGA.A

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_TENGA.A

Post 5 of 9

Win32/Gaelicum.A

by pomes27 - 6/12/08 3:19 AM In reply to: You could download...... by Marianna Schmudlach Moderator

I have discovered that it has infected .exe files. I am unable to run many of my programs from the .exe files and my stored setup .exe files are corrupted, with the error message: "The setup files are corrupted. Please obtain a new copy of the setup files". I have researched this online and it says that error message happens when the file isn't completely downloaded. I know this isn't right, as the same copy worked fine minutes earlier on my other machine.

I have tried many virus scanners to remove the infection, such as Spybot Search and Destroy, SUPERAntiSpyware & Ad-Aware. SUPERAntiSpyware found one or two infected files on two different occasions: one belonging to realplayer, but I can't remember which program the other belonged to. I did a scan with AVG 8.01 and it found around 2000 infected files. It called the infection Win32/Gaelicum.A. When I tried to open Task Manager, AVG popped up and said that taskmgr.exe was infected. So I moved the file to the vault, hoping to fix the problem. The same happened when I right-clicked the desktop and clicked Properties to try and change my wallpaper. Again, I moved rundll.exe (or something similar) to the vault. I now know from research online that this was a bad idea and wish to undo this. After the scan, AVG said that to complete the scan it must reboot the computer, with options "Yes" and "No". I clicked yes and the system restarted. When it booted up, I heard the bootup sound, and then the screen changed from the usual popup bootup window to "Logging You Off". This now happens whenever I try to boot up my computer, even when I start in safe mode. Please help!


I have logs for HijackThis and ComboFix, about a fortnight old:

Logfile of HijackThis v1.99.1
Scan saved at 8:53:14 AM, on 25/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [Hide Windows 2.0] C:\Program Files\Hide Windows\Hide Windows 2.0.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Startup: Favourites -- 4 and 5 Star Rated.lnk = C:\Documents and Settings\James\My Documents\My Music\My Playlists\My Favourites.wpl
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Windows Media Player.lnk = C:\Program Files\Windows Media Player\wmplayer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Favourites -- 4 and 5 Star Rated.lnk = C:\Documents and Settings\James\My Documents\My Music\My Playlists\My Favourites.wpl
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: Windows Media Player.lnk = C:\Program Files\Windows Media Player\wmplayer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1192611096484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1192910693875
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.....;/en/crlocx.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


ComboFix:

ComboFix 08-05-21.3 - James 2008-05-25 8:55:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.242 [GMT 10:00]
Running from: G:\virus stuff\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\James\Application Data\ezpinst.log
C:\Documents and Settings\James\Application Data\inst.exe
C:\WINDOWS\clofghls.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-22 20:04 . 2008-05-22 20:05 <DIR> d-------- C:\Program Files\DebugMode
2008-05-22 19:21 . 2008-05-22 19:21 <DIR> d-------- C:\Program Files\Free Audio Pack
2008-05-22 19:21 . 2003-08-07 15:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-05-11 21:09 . 2008-05-11 21:09 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-11 18:17 . 2008-05-11 21:07 234 --a------ C:\Documents and Settings\James\dl.exe
2008-04-30 19:52 . 2008-05-11 19:30 <DIR> d-------- C:\WINDOWS\speech
2008-04-30 19:52 . 2008-04-30 19:52 <DIR> d-------- C:\DVDVideoSoft
2008-04-30 19:48 . 2008-05-11 19:36 <DIR> d-------- C:\Program Files\Convert
2008-04-30 19:48 . 2008-04-30 19:48 <DIR> d-------- C:\Program Files\Blaiz Enterprises
2008-04-30 19:45 . 2008-04-30 19:51 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-04-30 17:22 . 2008-04-11 11:51 <DIR> d-------- C:\Documents and Settings\James\.gimp-2.4
2008-04-30 17:21 . 2008-04-30 19:48 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-04-27 17:19 . 2008-05-11 19:35 <DIR> d-------- C:\Program Files\ReadPlease 2003
2008-04-27 14:46 . 2005-02-24 14:10 2,084,864 --a------ C:\WINDOWS\system32\AudDesign.dll
2008-04-27 14:46 . 2005-03-11 19:37 1,986,560 --a------ C:\WINDOWS\system32\AudFile.dll
2008-04-27 14:46 . 2005-02-24 14:11 1,212,416 --a------ C:\WINDOWS\system32\AudioInfos.dll
2008-04-27 14:46 . 2005-02-24 14:11 479,232 --a------ C:\WINDOWS\system32\AudioVisu.dll
2008-04-27 14:46 . 2005-02-24 17:21 458,752 --a------ C:\WINDOWS\system32\AudPlayer.dll
2008-04-27 14:46 . 2005-03-10 18:00 454,656 --a------ C:\WINDOWS\system32\AudioRecord.dll
2008-04-27 14:46 . 2005-02-24 14:10 417,792 --a------ C:\WINDOWS\system32\AudDisplay.dll
2008-04-27 14:46 . 2005-02-24 13:51 348,160 --a------ C:\WINDOWS\system32\WMAFile.dll
2008-04-27 14:46 . 2005-01-10 12:54 116,296 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-04-27 11:26 . 2008-04-27 18:01 263,168 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-04-27 11:26 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-04-26 16:12 . 2008-04-30 19:51 <DIR> d-------- C:\Documents and Settings\James\Application Data\Nvu
2008-04-25 13:18 . 2008-04-30 19:48 <DIR> d-------- C:\Program Files\Hide Windows
2008-04-25 13:16 . 2008-05-11 19:36 <DIR> d-------- C:\Program Files\Nvu
2008-04-25 13:10 . 2008-05-11 19:36 <DIR> d-------- C:\Program Files\7-Zip
2008-04-25 13:07 . 2008-05-25 07:25 <DIR> d-------- C:\Program Files\Taskbar Shuffle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 09:03 --------- d-----w C:\Documents and Settings\James\Application Data\Any Video Converter
2008-05-11 09:35 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-11 09:35 --------- d-----w C:\Program Files\VIDEOzilla
2008-05-11 09:35 --------- d-----w C:\Program Files\VectorWorks 12.5.1
2008-05-11 09:35 --------- d-----w C:\Program Files\Turret Wars
2008-05-11 09:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-11 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-10 09:54 196,608 ----a-w C:\WINDOWS\system32\TubeFinder.exe
2008-04-30 10:36 --------- d-----w C:\Program Files\Macromedia
2008-04-30 10:35 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-04-27 08:00 94,208 -c--a-w C:\WINDOWS\system32\igfxext.exe
2008-04-27 07:59 9,728 -c--a-w C:\WINDOWS\system32\cisvc.exe
2008-04-27 07:58 772,096 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe
2008-04-27 07:58 747,520 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2008-04-27 07:58 741,376 -c--a-w C:\WINDOWS\iun6002.exe
2008-04-27 07:58 72,704 ----a-w C:\WINDOWS\notepad.exe
2008-04-27 07:58 38,912 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\notiflag.exe
2008-04-27 07:58 310,272 ----a-w C:\WINDOWS\IsUninst.exe
2008-04-27 07:58 22,528 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\hscupd.exe
2008-04-27 07:58 162,304 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe
2008-04-27 07:58 154,624 -c--a-w C:\WINDOWS\PCHEALTH\UploadLB\Binaries\uploadm.exe
2008-04-27 07:58 150,016 -c--a-w C:\WINDOWS\regedit.exe
2008-04-27 07:58 103,424 -c--a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpHost.exe
2008-04-27 07:57 9,728 ----a-w C:\WINDOWS\delttsul.exe
2008-04-27 07:57 380,928 -c--a-w C:\WINDOWS\Help\Tours\mmTour\tour.exe
2008-04-27 07:57 14,336 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:47 --------- d-----w C:\Program Files\Infogrames
2008-04-13 01:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 00:57 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-04-13 00:47 --------- d-----w C:\Documents and Settings\James\Application Data\AVS4YOU
2008-04-13 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-04-13 00:32 --------- d-----w C:\Program Files\Ashampoo
2008-04-13 00:32 --------- d-----w C:\Documents and Settings\James\Application Data\Ashampoo
2008-04-11 05:26 --------- d-----w C:\Program Files\Google
2008-03-30 08:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle VideoSpin
2008-03-30 03:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 02:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\VideoSpin
2008-03-30 02:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-25 09:28 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-25 09:28 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-10-20 23:40 47,360 -c--a-w C:\Documents and Settings\James\Application Data\pcouffin.sys
2007-05-19 07:26 16 -csha-w C:\WINDOWS\emjlhgdm.dat
.

------- Sigcheck -------

2008-04-27 17:55 2060544 86f88c7e4f9baeaeee6f6ce0c0ca962d C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2008-04-27 17:56 2063104 21ed0d422ad9c6e476afec47dd9e8b87 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2008-04-27 17:56 1873408 3d8cb7ea3ee8c1f33f9d858256f75246 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2008-04-27 17:56 2018816 f610be5d7da1ce9dfda6b9a708c700ab C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2008-04-27 17:57 2018816 e49eeb20d18d7ed4402eaac167b82c58 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-27 17:57 2061312 aa4dea75ac68120641664c6205bfd561 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2008-04-27 17:59 2060544 f8408d01888b6b670983a2a0059a4ae2 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2008-04-27 18:01 2019328 07364e9c91bd375af1486d8b53baff54 C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-27 18:00 2061312 aa4dea75ac68120641664c6205bfd561 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2008-04-27 17:47 1961984]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-05-25 07:28 167936]
"Taskbar Shuffle"="C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe" [2008-05-25 07:29 822272]
"Hide Windows 2.0"="C:\Program Files\Hide Windows\Hide Windows 2.0.exe" [2008-05-25 07:28 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 10:24 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 10:11 114688]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-11 10:45 774144]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-04-27 18:01 155648]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [2008-04-27 17:53 30720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-25 19:28 185896]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30 45632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-25 07:29 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-04-27 17:50 33280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-27 18:01 57856 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 37888]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 733184]
Favourites -- 4 and 5 Star Rated.lnk - C:\Documents and Settings\James\My Documents\My Music\My Playlists\My Favourites.wpl [2007-11-01 18:55:18 118907]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2007-11-08 16:40:11 58880]
Windows Media Player.lnk - C:\Program Files\Windows Media Player\wmplayer.exe [2005-01-28 13:44:28 67584]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 ScFBPNT2;CanoScan FBP2 Port Driver;C:\WINDOWS\system32\drivers\ScFBPNT2.SYS [1999-05-21 01:00]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 08:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c086a790-ecdd-11dc-9eb9-000cf17faae0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6571ac8-6cf4-11dc-90a9-000cf17faae0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-24 21:45:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 08:59:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-05-25 9:02:33
ComboFix-quarantined-files.txt 2008-05-24 23:01:31

Pre-Run: 6,692,642,816 bytes free
Post-Run: 6,734,999,552 bytes free

166 --- E O F --- 2008-04-27 06:29:54
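
The post above describes a file infector that rewrote thousands of .exe files (taskmgr.exe and others in C:\WINDOWS included), and the ComboFix "Sigcheck" section shows the MD5-against-known-copies approach used to spot that. As an added example, not code from this thread or from any vendor tool, the script below does two things on sample data constructed in memory: it compares file hashes with a known-good baseline, and it parses the PE header to flag executables whose entry point has been redirected into the last section or into a section that is both writable and executable. That entry-point heuristic is a generic indicator for appending infectors; it is an assumption for illustration, not documented Gaelicum/Tenga behaviour, and the section names, paths and images below are all constructed.

```python
"""Triage heuristics for a PE file infector.

Added example for this thread, not code from the original posts or from any
vendor tool. Assumption: an appending infector typically places the new
entry point in the last section and makes that section executable and
writable; that is a generic heuristic, not documented Gaelicum/Tenga
behaviour. All PE images and paths below are constructed test data.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    characteristics: int

    def contains(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + self.virtual_size


def parse_pe(data: bytes) -> tuple[int, list[Section]]:
    """Return (AddressOfEntryPoint, section headers) of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in PE32 and PE32+
    table = opt + size_opt                                # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name, vaddr, vsize, chars))
    return entry, sections


def entry_point_findings(data: bytes) -> list[str]:
    """Red flags suggesting an infector has redirected the entry point."""
    entry, sections = parse_pe(data)
    holder = next((s for s in sections if s.contains(entry)), None)
    if holder is None:
        return ["entry point lies outside every section"]
    findings = []
    if len(sections) > 1 and holder is sections[-1]:
        findings.append(f"entry point in last section '{holder.name}'")
    if holder.characteristics & IMAGE_SCN_MEM_WRITE and holder.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section '{holder.name}' is writable and executable")
    if not holder.characteristics & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry section '{holder.name}' is not marked as code")
    return findings


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def changed_files(files: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """Paths whose MD5 differs from a known-good baseline (the Sigcheck idea)."""
    return sorted(p for p, blob in files.items() if md5_hex(blob) != baseline.get(p))


def build_pe(entry_rva: int, sections: list[tuple[str, int, int, int]]) -> bytes:
    """Construct a minimal PE32 header plus section table (test data only)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    size_opt = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, vs, 0, 0, 0, 0, 0, ch)
        for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed: a normal binary, entry point inside .text.
CLEAN_IMAGE = build_pe(0x1010, [(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA)])
# Constructed: the same layout after an appending infector added an RWX last
# section and pointed the entry point into it.
INFECTED_IMAGE = build_pe(0x4020, [(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA),
                                   (".rsrc", 0x4000, 0x800, CODE | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(label, md5_hex(image), entry_point_findings(image) or "no findings")
```

Run it against real files by reading each .exe into `entry_point_findings` and feeding the MD5s of a clean reference install (the dllcache or ServicePackFiles copies, as ComboFix does) into `changed_files`; a hash mismatch plus an entry point in a trailing RWX section is the combination worth quarantining, while a mismatch alone may just be a hotfix.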

Post 6 of 9

Sorry but we do not

by roddy32 Moderator - 6/12/08 7:43 AM In reply to: Win32/Gaelicum.A by pomes27

do HJT logs here at CNET plus Marianna is going to be offline for a few days. I would recommend that you post your log at ONE of the forums listed in this thread here.
http://forums.cnet.com/5208-6132_102-0.html?forumID=32&threadID=255339&messageID=2533167

Post 7 of 9

Sorry.. I failed to go back to see if there's reply

by Donna Buenaventura Moderator - 6/12/08 7:49 AM In reply to: Sorry but we do not by roddy32 Moderator

before I hit submit button :D

Post 9 of 9

Hi pomes27

by Donna Buenaventura Moderator - 6/12/08 7:47 AM In reply to: Win32/Gaelicum.A by pomes27

Sorry but we do not attend on HijackThis log here. You can try to post the said logs at HijackThis forums listed in this topic below:
http://forums.cnet.com/5208-6132_102-0.html?forumID=32&threadID=255339&messageID=2533167

or post the logs at:
http://temerc.com/forums/viewforum.php?f=12
http://forum.securitycadets.com/index.php?showforum=2

You can also try to use command line scanners (in case you have trouble running .exe files due to infection).
Download the "a-squared Command Line Scanner 3.5" from
http://www.emsisoft.com/en/software/download/
If you have USB/Flash drive, you can save it there also then plug-it in then scan the system.
