# Trojan - Win32/Gael.d



## pomes

I have a Trojan that Windows Malicious Software Removal Tool has defined as "Win32/Gael.d". Does anybody have any clues about how to get rid of it?
It has made my computer slower and I can't open some applications. I saw on the internet that it infected the files inside 'C:/WINDOWS'.
Can anyone help?


----------



## Punk

Let's see what's going on with your computer:


*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.



*Click here* to download *HJTsetup.exe*
Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


In your next reply I will need:

The Combofix log
The Hijackthis log


----------



## pomes

*HijackThis Log*

Logfile of HijackThis v1.99.1
Scan saved at 8:53:14 AM, on 25/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [Hide Windows 2.0] C:\Program Files\Hide Windows\Hide Windows 2.0.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Startup: Favourites -- 4 and 5 Star Rated.lnk = C:\Documents and Settings\James\My Documents\My Music\My Playlists\My Favourites.wpl
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Windows Media Player.lnk = C:\Program Files\Windows Media Player\wmplayer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Favourites -- 4 and 5 Star Rated.lnk = C:\Documents and Settings\James\My Documents\My Music\My Playlists\My Favourites.wpl
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: Windows Media Player.lnk = C:\Program Files\Windows Media Player\wmplayer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192611096484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1192910693875
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


----------



## pomes

*ComboFix Log*

ComboFix 08-05-21.3 - James 2008-05-25  8:55:36.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.242 [GMT 10:00]
Running from: G:\virus stuff\ComboFix.exe
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\James\Application Data\ezpinst.log
C:\Documents and Settings\James\Application Data\inst.exe
C:\WINDOWS\clofghls.dll

.
(((((((((((((((((((((((((   Files Created from 2008-04-24 to 2008-05-24  )))))))))))))))))))))))))))))))
.

2008-05-22 20:04 . 2008-05-22 20:05	<DIR>	d--------	C:\Program Files\DebugMode
2008-05-22 19:21 . 2008-05-22 19:21	<DIR>	d--------	C:\Program Files\Free Audio Pack
2008-05-22 19:21 . 2003-08-07 15:01	237,568	--a------	C:\WINDOWS\system32\lame_enc.dll
2008-05-11 21:09 . 2008-05-11 21:09	<DIR>	d--------	C:\Program Files\Windows Defender
2008-05-11 18:17 . 2008-05-11 21:07	234	--a------	C:\Documents and Settings\James\dl.exe
2008-04-30 19:52 . 2008-05-11 19:30	<DIR>	d--------	C:\WINDOWS\speech
2008-04-30 19:52 . 2008-04-30 19:52	<DIR>	d--------	C:\DVDVideoSoft
2008-04-30 19:48 . 2008-05-11 19:36	<DIR>	d--------	C:\Program Files\Convert
2008-04-30 19:48 . 2008-04-30 19:48	<DIR>	d--------	C:\Program Files\Blaiz Enterprises
2008-04-30 19:45 . 2008-04-30 19:51	<DIR>	d--------	C:\Program Files\DVDVideoSoft
2008-04-30 17:22 . 2008-04-11 11:51	<DIR>	d--------	C:\Documents and Settings\James\.gimp-2.4
2008-04-30 17:21 . 2008-04-30 19:48	<DIR>	d--------	C:\Program Files\GIMP-2.0
2008-04-27 17:19 . 2008-05-11 19:35	<DIR>	d--------	C:\Program Files\ReadPlease 2003
2008-04-27 14:46 . 2005-02-24 14:10	2,084,864	--a------	C:\WINDOWS\system32\AudDesign.dll
2008-04-27 14:46 . 2005-03-11 19:37	1,986,560	--a------	C:\WINDOWS\system32\AudFile.dll
2008-04-27 14:46 . 2005-02-24 14:11	1,212,416	--a------	C:\WINDOWS\system32\AudioInfos.dll
2008-04-27 14:46 . 2005-02-24 14:11	479,232	--a------	C:\WINDOWS\system32\AudioVisu.dll
2008-04-27 14:46 . 2005-02-24 17:21	458,752	--a------	C:\WINDOWS\system32\AudPlayer.dll
2008-04-27 14:46 . 2005-03-10 18:00	454,656	--a------	C:\WINDOWS\system32\AudioRecord.dll
2008-04-27 14:46 . 2005-02-24 14:10	417,792	--a------	C:\WINDOWS\system32\AudDisplay.dll
2008-04-27 14:46 . 2005-02-24 13:51	348,160	--a------	C:\WINDOWS\system32\WMAFile.dll
2008-04-27 14:46 . 2005-01-10 12:54	116,296	--a------	C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-04-27 11:26 . 2008-04-27 18:01	263,168	--a------	C:\WINDOWS\system32\TweakUI.exe
2008-04-27 11:26 . 2002-06-21 15:09	160,217	--a------	C:\WINDOWS\system32\PowerToysLicense.rtf
2008-04-26 16:12 . 2008-04-30 19:51	<DIR>	d--------	C:\Documents and Settings\James\Application Data\Nvu
2008-04-25 13:18 . 2008-04-30 19:48	<DIR>	d--------	C:\Program Files\Hide Windows
2008-04-25 13:16 . 2008-05-11 19:36	<DIR>	d--------	C:\Program Files\Nvu
2008-04-25 13:10 . 2008-05-11 19:36	<DIR>	d--------	C:\Program Files\7-Zip
2008-04-25 13:07 . 2008-05-25 07:25	<DIR>	d--------	C:\Program Files\Taskbar Shuffle

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 09:03	---------	d-----w	C:\Documents and Settings\James\Application Data\Any Video Converter
2008-05-11 09:35	---------	d-----w	C:\Program Files\Windows Media Connect 2
2008-05-11 09:35	---------	d-----w	C:\Program Files\VIDEOzilla
2008-05-11 09:35	---------	d-----w	C:\Program Files\VectorWorks 12.5.1
2008-05-11 09:35	---------	d-----w	C:\Program Files\Turret Wars
2008-05-11 09:35	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2008-05-11 05:00	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-10 09:54	196,608	----a-w	C:\WINDOWS\system32\TubeFinder.exe
2008-04-30 10:36	---------	d-----w	C:\Program Files\Macromedia
2008-04-30 10:35	---------	d-----w	C:\Program Files\Common Files\Macromedia
2008-04-27 08:00	94,208	-c--a-w	C:\WINDOWS\system32\igfxext.exe
2008-04-27 07:59	9,728	-c--a-w	C:\WINDOWS\system32\cisvc.exe
2008-04-27 07:58	772,096	-c--a-w	C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe
2008-04-27 07:58	747,520	----a-w	C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2008-04-27 07:58	741,376	-c--a-w	C:\WINDOWS\iun6002.exe
2008-04-27 07:58	72,704	----a-w	C:\WINDOWS\notepad.exe
2008-04-27 07:58	38,912	-c--a-w	C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\notiflag.exe
2008-04-27 07:58	310,272	----a-w	C:\WINDOWS\IsUninst.exe
2008-04-27 07:58	22,528	-c--a-w	C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\hscupd.exe
2008-04-27 07:58	162,304	-c--a-w	C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe
2008-04-27 07:58	154,624	-c--a-w	C:\WINDOWS\PCHEALTH\UploadLB\Binaries\uploadm.exe
2008-04-27 07:58	150,016	-c--a-w	C:\WINDOWS\regedit.exe
2008-04-27 07:58	103,424	-c--a-w	C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpHost.exe
2008-04-27 07:57	9,728	----a-w	C:\WINDOWS\delttsul.exe
2008-04-27 07:57	380,928	-c--a-w	C:\WINDOWS\Help\Tours\mmTour\tour.exe
2008-04-27 07:57	14,336	----a-w	C:\WINDOWS\hh.exe
2008-04-14 00:47	---------	d-----w	C:\Program Files\Infogrames
2008-04-13 01:26	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-04-13 00:57	---------	d-----w	C:\Program Files\Common Files\AVSMedia
2008-04-13 00:47	---------	d-----w	C:\Documents and Settings\James\Application Data\AVS4YOU
2008-04-13 00:46	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-04-13 00:32	---------	d-----w	C:\Program Files\Ashampoo
2008-04-13 00:32	---------	d-----w	C:\Documents and Settings\James\Application Data\Ashampoo
2008-04-11 05:26	---------	d-----w	C:\Program Files\Google
2008-03-30 08:46	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 03:11	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Pinnacle VideoSpin
2008-03-30 03:03	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 02:55	---------	d-----w	C:\Documents and Settings\All Users\Application Data\VideoSpin
2008-03-30 02:50	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-03-19 09:47	1,845,248	----a-w	C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06	826,368	----a-w	C:\WINDOWS\system32\wininet.dll
2008-02-25 09:28	499,712	----a-w	C:\WINDOWS\system32\msvcp71.dll
2008-02-25 09:28	348,160	----a-w	C:\WINDOWS\system32\msvcr71.dll
2007-10-20 23:40	47,360	-c--a-w	C:\Documents and Settings\James\Application Data\pcouffin.sys
2007-05-19 07:26	16	-csha-w	C:\WINDOWS\emjlhgdm.dat
.

------- Sigcheck -------

2008-04-27 17:55  2060544  86f88c7e4f9baeaeee6f6ce0c0ca962d	C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2008-04-27 17:56  2063104  21ed0d422ad9c6e476afec47dd9e8b87	C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2008-04-27 17:56  1873408  3d8cb7ea3ee8c1f33f9d858256f75246	C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2008-04-27 17:56  2018816  f610be5d7da1ce9dfda6b9a708c700ab	C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2008-04-27 17:57  2018816  e49eeb20d18d7ed4402eaac167b82c58	C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-27 17:57  2061312  aa4dea75ac68120641664c6205bfd561	C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2008-04-27 17:59  2060544  f8408d01888b6b670983a2a0059a4ae2	C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2008-04-27 18:01  2019328  07364e9c91bd375af1486d8b53baff54	C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-27 18:00  2061312  aa4dea75ac68120641664c6205bfd561	C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2008-04-27 17:47 1961984]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-05-25 07:28 167936]
"Taskbar Shuffle"="C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe" [2008-05-25 07:29 822272]
"Hide Windows 2.0"="C:\Program Files\Hide Windows\Hide Windows 2.0.exe" [2008-05-25 07:28 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 10:24 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 10:11 114688]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-11 10:45 774144]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-04-27 18:01 155648]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [2008-04-27 17:53 30720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-25 19:28 185896]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30 45632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-25 07:29 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-04-27 17:50 33280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-27 18:01 57856 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 37888]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 733184]
Favourites -- 4 and 5 Star Rated.lnk - C:\Documents and Settings\James\My Documents\My Music\My Playlists\My Favourites.wpl [2007-11-01 18:55:18 118907]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2007-11-08 16:40:11 58880]
Windows Media Player.lnk - C:\Program Files\Windows Media Player\wmplayer.exe [2005-01-28 13:44:28 67584]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 ScFBPNT2;CanoScan FBP2 Port Driver;C:\WINDOWS\system32\drivers\ScFBPNT2.SYS [1999-05-21 01:00]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 08:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c086a790-ecdd-11dc-9eb9-000cf17faae0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6571ac8-6cf4-11dc-90a9-000cf17faae0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-24 21:45:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 08:59:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


**************************************************************************
.
Completion time: 2008-05-25  9:02:33
ComboFix-quarantined-files.txt  2008-05-24 23:01:31

Pre-Run: 6,692,642,816 bytes free
Post-Run: 6,734,999,552 bytes free

166	--- E O F ---	2008-04-27 06:29:54
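The Sigcheck section of the ComboFix log above lists every copy of ntkrnlpa.exe it found, with size and MD5. Windows File Protection keeps its reference copy under system32\dllcache, so a live system32 copy whose hash differs from the dllcache copy is the first thing a helper checks on a box with a suspected file infector. The parser below is an added example (not part of ComboFix or of this thread's tools); the line layout it assumes is the one shown in the log, and the four sample lines are copied from it.

```python
"""Triage helper for the "Sigcheck" section of a ComboFix log.

Added example: parses Sigcheck lines (date, time, size, MD5, path) and
compares the live system32 copy of each file with the system32\\dllcache
copy.  A mismatch is a lead to verify against the vendor's known hashes,
not proof of infection: hotfix uninstall folders legitimately hold older
builds with different hashes.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Four Sigcheck lines taken from the ComboFix log in this thread.  In the
# log the path is separated from the MD5 by a tab.
SAMPLE_SIGCHECK = (
    "2008-04-27 17:56  1873408  3d8cb7ea3ee8c1f33f9d858256f75246\t"
    "C:\\WINDOWS\\$NtServicePackUninstall$\\ntkrnlpa.exe\n"
    "2008-04-27 17:57  2061312  aa4dea75ac68120641664c6205bfd561\t"
    "C:\\WINDOWS\\Driver Cache\\i386\\ntkrnlpa.exe\n"
    "2008-04-27 18:01  2019328  07364e9c91bd375af1486d8b53baff54\t"
    "C:\\WINDOWS\\system32\\ntkrnlpa.exe\n"
    "2008-04-27 18:00  2061312  aa4dea75ac68120641664c6205bfd561\t"
    "C:\\WINDOWS\\system32\\dllcache\\ntkrnlpa.exe\n"
)

# Assumed layout: "YYYY-MM-DD HH:MM  <size>  <md5>\t<path>"; the path may
# contain spaces, so it is matched non-greedily up to end of line.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9a-fA-F]{32})\s+(?P<path>\S.*?)\s*$"
)


class SigEntry(NamedTuple):
    timestamp: str
    size: int
    md5: str
    path: str

    @property
    def name(self) -> str:
        """Bare file name, lower-cased (Windows paths are case-insensitive)."""
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_sigcheck(text: str) -> List[SigEntry]:
    """Parse Sigcheck lines; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(SigEntry(f"{m['date']} {m['time']}",
                                    int(m["size"]), m["md5"].lower(), m["path"]))
    return entries


def _pick(entries: List[SigEntry], name: str, suffix: str) -> Optional[SigEntry]:
    """Return the entry for `name` whose lower-cased path ends with `suffix`."""
    for e in entries:
        if e.name == name and e.path.lower().endswith(suffix):
            return e
    return None


def live_vs_dllcache(entries: List[SigEntry]) -> Dict[str, dict]:
    """For each file name present in both system32 and system32\\dllcache,
    report both hashes, both sizes and whether they agree."""
    report: Dict[str, dict] = {}
    for name in sorted({e.name for e in entries}):
        live = _pick(entries, name, "\\system32\\" + name)
        cache = _pick(entries, name, "\\system32\\dllcache\\" + name)
        if live is None or cache is None:
            continue  # nothing to compare for this file
        report[name] = {
            "live_md5": live.md5, "cache_md5": cache.md5,
            "live_size": live.size, "cache_size": cache.size,
            "match": live.md5 == cache.md5,
            # other copies seen (hotfix/uninstall folders, driver cache)
            "other_copies": sum(1 for e in entries if e.name == name) - 2,
        }
    return report


def summarize(report: Dict[str, dict]) -> List[str]:
    """Human-readable lines for a reply in the thread."""
    out = []
    for name, r in report.items():
        state = "matches dllcache" if r["match"] else "DIFFERS from dllcache"
        out.append(f"{name}: {state} (live {r['live_size']} B {r['live_md5']}, "
                   f"cache {r['cache_size']} B {r['cache_md5']}, "
                   f"{r['other_copies']} other copies listed)")
    return out


if __name__ == "__main__":
    for line in summarize(live_vs_dllcache(parse_sigcheck(SAMPLE_SIGCHECK))):
        print(line)
```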


----------



## pomes

*Win32/Gaelicum.A*

I have discovered that it has infected .exe files. I am unable to run many of my programs from the .exe files and my stored setup .exe files are corrupted, with the error message: "The setup files are corrupted. Please obtain a new copy of the setup files". I have researched this online and it says that error message happens when the file isn't completely downloaded. I know this isn't right, as the same copy worked fine minutes earlier on my other machine.

I have tried many virus scanners to remove the infection, such as Spybot Search and Destroy, SUPERAntiSpyware & Ad-Aware. SUPERAntiSpyware found one or two infected files on two different occasions: one belonging to realplayer, but I can't remember which program the other belonged to. I did a scan with AVG 8.01 and it found around 2000 infected files. It called the infection Win32/Gaelicum.A. When I tried to open Task Manager, AVG popped up and said that taskmgr.exe was infected. So I moved the file to the vault, hoping to fix the problem. The same happened when I right-clicked the desktop and clicked Properties to try and change my wallpaper. Again, I moved rundll.exe (or something similar) to the vault. I now know from research online that this was a bad idea and wish to undo this. After the scan, AVG said that to complete the scan it must reboot the computer, with options "Yes" and "No". I clicked yes and the system restarted. When it booted up, I heard the bootup sound, and then the screen changed from the usual popup bootup window to "Logging You Off". This now happens whenever I try to bootup my computer, even when I start in safe mode. Please help!


----------



## Punk

Ok, it has been a long time since your post, I'm sorry I didn't reply sooner.

Please post a new combofix log; download a new version of combofix by following the instructions I gave you earlier in this thread.


----------



## pomes

*Unable to bootup*

I'm sorry, but I am unable to boot up my computer, even in safe mode. Is there any chance of fixing this?


----------



## Punk

You can't turn it on?

If not, I don't know how we can fix this. I'll ask other experts to have a look at your infection.


----------



## pomes

*Bootup*



pomes said:


> After the scan, AVG said that to complete the scan it must reboot the computer, with options "Yes" and "No". I clicked yes and the system restarted. When it booted up, I heard the bootup sound, and then the screen changed from the usual popup bootup window to "Logging You Off". This now happens whenever I try to bootup my computer, even when I start in safe mode.



Thank you for your help and quick reply. I will take it to my local PC shop and ask them to have a look at it if we are unable to fix it.


----------



## cohen

You can't turn it on??? Does it power up?? It should be able to do a restore before the combo fix log......


----------



## ceewi1

I'm afraid I have some bad news.

As you already know, Win32/Gaelicum.A is a nasty file infector which infects all of your executable files. It is also network aware and can spread to other machines on the network.  For that reason, I suggest you run a scan of any other machines you have on the same network as the infected one.

With a file infector such as this the only way I would trust the system is to do a full format/reinstall of your operating system and all your programs.  There is really no other way to be confident of your system being stable, as even if your files are disinfected they may be damaged beyond repair by the disinfection process.

You can see a guide on how to reinstall Windows XP at http://www.theeldergeek.com/xp_home_install_-_graphic.htm.  Make sure you select the option to format the drive when prompted.  *Please note that this will destroy all data on the drive.*  If there is anything important on the drive that has not been backed up we can do so *BEFORE* the system is reformatted if you have an external drive that we can back up to, but since your system will not boot it will take time and effort.  Also, you will not be able to back up any executable files as they will be infected as well.  Please let me know if you'd like to attempt to do so.


----------



## cohen

ceewi1 said:


> I'm afraid I have some bad news.
> 
> As you already know, Win32/Gaelicum.A is a nasty file infector which infects all of your executable files. It is also network aware and can spread to other machines on the network.  For that reason, I suggest you run a scan of any other machines you have on the same network as the infected one.
> 
> With a file infector such as this the only way I would trust the system is to do a full format/reinstall of your operating system and all your programs.  There is really no other way to be confident of your system being stable, as even if your files are disinfected they may be damaged beyond repair by the disinfection process.
> 
> You can see a guide on how to reinstall Windows XP at http://www.theeldergeek.com/xp_home_install_-_graphic.htm.  Make sure you select the option to format the drive when prompted.  *Please note that this will destroy all data on the drive.*  If there is anything important on the drive that has not been backed up we can do so *BEFORE* the system is reformatted if you have an external drive that we can back up to, but since your system will not boot it will take time and effort.  Also, you will not be able to back up any executable files as they will be infected as well.  Please let me know if you'd like to attempt to do so.



WOW!!! That must be bad!


----------



## pomes

*My bootup*

The computer does power on, but when it shows my wallpaper and "Loading Your Personal Settings", it changes to "Logging Off". It then returns to "Loading Your Personal Settings", then back to "Logging Off".


----------



## pomes

*Backup*



ceewi1 said:


> I'm afraid I have some bad news.
> If there is anything important on the drive that has not been backed up we can do so *BEFORE* the system is reformatted if you have an external drive that we can back up to, but since your system will not boot it will take time and effort.



How do you think I should go about backing up my files? All my important files are inside My Documents and I think it is about 10GB.


----------



## cohen

pomes said:


> How do you think I should go about backing up my files? All my important files are inside My Documents and I think it is about 10GB.



Have you got another drive you're able to install the OS on?


----------



## ceewi1

See the guide at http://www.nu2.nu/pebuilder/#start to create a BartPE CD using your good PC.  Set your infected PC to boot from CD (see http://www.windowsreinstall.com/articles/bios/).

Insert the BartPE CD you created and boot from it.  This should take you into a Windows like environment which you can use to copy your My Documents folder (which should be located at C:\Documents and Settings\<User Name>\My Documents) to a portable drive or separate drive/partition if your computer has one.

If you don't have a portable drive and want to burn to CD or DVD instead you will need to install a plugin as at http://www.nu2.nu/pebuilder/pluginhelp/deepburner.htm

If this is confusing, the steps to follow are:
1.  Download and install the PE Builder from http://www.nu2.nu/pebuilder/#download
2.  *Only if you need CD/DVD Burning*: Follow the instructions at http://www.nu2.nu/pebuilder/pluginhelp/deepburner.htm to add the DeepBurner plugin.
3.  Run the PE Builder.  If you need the DeepBurner plugin, click the Plugins button and add it.  Click *Build*
4.  Boot from the PE CD you created and use it to back up your files.


----------



## pomes

*Another drive*



cohen said:


> Have you got another drive you're able to install the OS on?



Well, I don't have a blank hard drive. Are you also thinking that I could hook up that one as the master drive and install windows on it and then put my original drive as the slave and copy my files over?

Thank you very much!


----------



## pomes

*Bart PE Builder*



ceewi1 said:


> See the guide at http://www.nu2.nu/pebuilder/#start to create a BartPE CD using your good PC.  Set your infected PC to boot from CD (see http://www.windowsreinstall.com/articles/bios/).



I did this and unfortunately no success. I got an error message:
File \i386\system32\ntkrnlmp.exe could not be loaded. The error code is 4096.
Setup cannot continue. Press any key to continue.

Thank you for your help but unfortunately it hasn't worked. Do you have any other ideas?


----------



## ceewi1

Yes, there are certainly other options.

Take a look at http://lifehacker.com/software/disk-recovery/geek-to-live--rescue-files-with-a-boot-cd-192982.php - it has a guide on recovering your data with a Knoppix LiveCD (which is a free, albeit reasonably large, download).


----------



## cohen

I also say use Recover My Files as well.

I can give you a link, if you want it.


----------



## ceewi1

Recover My Files is designed to retrieve deleted files from a working operating system. We are trying to retrieve existing files from a trashed operating system.


----------



## cohen

ceewi1 said:


> Recover My Files is designed to retrieve deleted files from a working operating system. We are trying to retrieve existing files from a trashed operating system.



Well, I have used it before, reformatted the hard drive and got "most" of my files back.


----------



## pomes

*Fix*

I fixed the problem by booting up using my Windows XP Professional disc and installing Windows to a different location than "C:/WINDOWS". When I booted up, I was able to choose which operating system to boot with. I was able to create a new account and access my files from the infected operating system. I backed these up to DVDs using a new installation of Nero and they are all fine. Now all that remains is to format the drive and reinstall Windows XP Home.


----------



## cohen

Well at least you have the files, good luck.

If you have any more problems in the future, please return to this forum and start a new thread.

Cheers for now.


----------

