
Can't remove win32/GaelicumA


Name: bccamper
Date: September 15, 2006 at 17:37:49 Pacific
OS: Win98SE
CPU/Ram: P-III 350/64
Product: Daiwa/DW-992K
Comment:

I have a machine that I am using AVG with and it is reporting a lot of files with the GaelicumA virus but AVG does not seem to remove it. I have also tried SQUARED-A with no success. I wanted to try Trend Micro's online scan but I am unable to load Java as it fails every time I try to install it.




Response Number 1
Name: jabuck
Date: September 15, 2006 at 19:14:30 Pacific
Reply:

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified.

Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "Next" in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.


0

Response Number 2
Name: Johnw
Date: September 15, 2006 at 19:15:18 Pacific
Reply:


Are you trying to install this Java (I use it)?
http://java.com/en/index.jsp
Plenty of other online sites.
Here are a range of free online sites to cleanup your comp. Use at least 2 from each group.
http://kaspersky.com/kos/english/kavwebscan.html
http://www3.ca.com/virusinfo/virusscan.aspx
http://housecall.antivirus.com/
http://www.coledata.com/virusalert.htm
http://www.cybertechhelp.com/html/misc/av.php
http://www.pandasoftware.com/products/spyxposer/com/spyxposer_principal?NRMODE=Published&NRORIGINALURL=%2fproducts%2fspyxposer%2f&NRNODEGUID=%7bAD6F1F54-25E0-4160-81ED-7F8C6F9C77ED%7d&NRCACHEHINT=Guest/
http://www.pandasoftware.es/activescan/activescan-com.asp
http://www.bitdefender.com/
http://www.pcpitstop.com/antivirus/default.asp
http://virusscan.jotti.dhs.org/
http://virusscan.jotti.org/
http://www.virustotal.com/flash/index_en.html
DrWeb CureIT
http://www.klitetools.com/comments.php?id=2088&catid=46&highlight=Dr.Web+CureIT%21
http://www.klitetools.com/comments.php?catid=46&shownews=2088
http://download.drweb.com/win/



Free online trojan scan
http://www.trojanscan.com/
http://www.pcflank.com/
http://www.spywareinfo.com/xscan.php
http://www.windowsecurity.com/trojanscan/



Free online Spyware detector
http://www.pestscan.com/
http://home.ca.com/dr/v2/ec_main.entry25?page=freePestPatrolScan&client=ComputerAssociates&sid=35715&CID=188513
http://www.spywareguide.com/txt_onlinescan.html
http://www.webroot.com/services/spyaudit_03.htm
http://download.zonelabs.com/bin/promotions/spywaredetector/index_za.html
Or,
http://www.spywareinfo.com/xscan.php
Screen for Adware, Spyware, Scumware, Diallers, ’Jackers and other unsolicited commercial software.
This scanner is an ActiveX applet. After a short delay in which your browser downloads the control file, you will receive a "Warning Dialogue" requesting permission for the scanner to run. Click "Yes" and the applet will pop up and scan. You will be alerted if any spyware is found. When a spyware or malware is found, you will be alerted and asked if you want to remove it. If no spyware is found, the scanner will disappear on its own.
If nothing happens, or if you are using a browser other than Internet Explorer, click here and choose either "Open" or "Run this program from its current location". Do not choose "Download". http://www.xblock.com/download/xclean_micro.exe


0

Response Number 3
Name: bccamper
Date: September 15, 2006 at 19:53:41 Pacific
Reply:

Here is the log from hijackthis;

Logfile of HijackThis v1.99.1
Scan saved at 7:52:33 PM, on 15/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\STARTER.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\A2GUARD.exe
C:\WINDOWS\EXPLORER.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
F1 - win.ini: run=c:\windows\speedy.pif
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Spees1] C:\WINDOWS\Speedy.scr
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.exe
O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - WWW. Prefix: http://



0

Response Number 4
Name: jabuck
Date: September 15, 2006 at 20:32:40 Pacific
Reply:

Please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually, when it boots follow any prompts.

Or follow these directions to boot into safe mode. How to boot into safe mode

Once in safe mode run Hijack This, close all windows except Hijack This, then place a check to the left of the following items and press "fix checked":

F1 - win.ini: run=c:\windows\speedy.pif

O4 - HKLM\..\Run: [Spees1] C:\WINDOWS\Speedy.scr

Exit Hijack This but remain in safe mode

Navigate to and delete these files if found:

c:\windows\speedy.pif

C:\WINDOWS\Speedy.scr

Reboot to normal mode.

Go start> settings> control panel> Internet Options > General tab. Delete temporary internet files - choose 'delete all Offline content'. Clear out all Cookies other than those needed for logon.
Empty the C:\Windows\temp folder and C:\temp folder, if you have one. Empty Recycle Bin (make sure there is nothing in there you need).

Run this free online scan from Panda

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it.


0

Response Number 5
Name: bccamper
Date: September 16, 2006 at 15:39:31 Pacific
Reply:

I ran the hijack in safe mode, fixed the two entries, rebooted to normal mode, deleted cookies, and temporary files including offline content. I then deleted everything from the windows temp directory except for the directories temporary internet files, history and cookies. I then went to pandasoftware to run the scan. I clicked on scan free and another window comes up asking me for my country, province and email and another scan button. I filled out the 3 fields and click the scan button but nothing happens.

I should also mention that even before I did the stuff you asked me to do, I am getting a message when I go to web sites that seem to need to download something. The message is 'To display this page correctly you need to download and install the following component.

loading.....please wait

It never gives me a component name. Instead I get another window that says;

Installation of the component failed. Please try again later or choose windows update under the internet explorer tools menu to install this component.

I tried to go to windows update and I get the same two dialogue boxes. I continued and tried to scan for updates but the page never goes above 0%.


0




Response Number 6
Name: bccamper
Date: September 16, 2006 at 15:45:04 Pacific
Reply:

I searched the registry and found another entry to speedy.scr so I deleted it.


0

Response Number 7
Name: jabuck
Date: September 16, 2006 at 17:45:14 Pacific
Reply:

Sounds like your java needs to be updated so that active x will work. This could be an all night download for dial-up. Should an interruption occur just go back and restart the download, it should pick back up at the point of interruption and continue to download.

Go to the following link http://www.java.com/en/download/index.jsp and download Java Runtime Environment Version 5.0 Update 6 then try to run Panda again.


0

Response Number 8
Name: bccamper
Date: September 16, 2006 at 17:53:27 Pacific
Reply:

I tried installing java before but every time I try I get the following message;

To restart the Java(TM) installer, please refresh the web page.

Is it time for me to just bite the bullet and format and reinstall?


0

Response Number 9
Name: jabuck
Date: September 16, 2006 at 18:03:40 Pacific
Reply:

Please try to download it from the link provided. It sounds as though you may have been on old version 1.4 web start page although I can't be sure.

I wouldn't format just yet. Before you try the download post a new Hijack This log please.


0

Response Number 10
Name: bccamper
Date: September 16, 2006 at 18:10:57 Pacific
Reply:

Hi Jabuck,

I did try to download it from exactly the link you gave me. Would it be worth it to try to download it on another machine and then copy it to this machine and try to install?

Here is the latest hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 6:07:11 PM, on 16/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\STARTER.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.exe
C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\A2GUARD.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
F1 - win.ini: run=c:\windows\natal!.pif
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.exe
O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - WWW. Prefix: http://



0

Response Number 11
Name: bccamper
Date: September 16, 2006 at 18:30:05 Pacific
Reply:

Jabuck,

I tried a different approach. I went to the java link you gave me and did a manual download. I downloaded and saved the offline install (16MB). When I try to run this it starts to install but gets to a point where it says configuring windows installer. After about 15 seconds the install quits.


0

Response Number 12
Name: jabuck
Date: September 16, 2006 at 18:47:29 Pacific
Reply:

The virus is mutating as shown on your Hijack this log here:

F1 - win.ini: run=c:\windows\natal!.pif

This program, DR. Web. CureIT (as Johnw mentioned above), should run on 98 so run it.

Doubleclick the drweb-cureit.exe file and Allow to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives.
A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable.
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log on your desktop.


0
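An added example, not part of any post in this thread: a small Python triage script that diffs the autostart entries of two HijackThis logs, which surfaces the F1 `win.ini` rename from `speedy.pif` to `natal!.pif` pointed out above. The sample lines are excerpted from the first two logs posted in this thread; the function names and the list of extensions treated as risky are assumptions of this example.

```python
import re

# Autostart lines excerpted from the logs posted on 15/09/06 and 16/09/06
# (6:07 PM) in this thread; unrelated lines are omitted.
LOG_SEP15 = r"""
F1 - win.ini: run=c:\windows\speedy.pif
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [Spees1] C:\WINDOWS\Speedy.scr
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP
O13 - WWW. Prefix: http://
"""
LOG_SEP16 = r"""
F1 - win.ini: run=c:\windows\natal!.pif
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP
O13 - WWW. Prefix: http://
"""

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
O4_RE = re.compile(r"^(.*?: \[[^\]]*\])\s*(.*)$")
# Assumption of this example: .pif and .scr are executable formats that
# rarely have a legitimate reason to appear in an autostart entry.
RISKY_RE = re.compile(r"\.(pif|scr)(?=$|[\s\"])", re.IGNORECASE)


def parse_autostarts(log_text):
    """Return {(section, location): target} for F0-F3 and O4 lines."""
    entries = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        if section in ("F0", "F1", "F2", "F3"):
            # e.g. "win.ini: run=c:\windows\speedy.pif"
            location, _, target = body.partition("=")
        elif section == "O4":
            # e.g. "HKLM\..\Run: [Name] command line"
            m4 = O4_RE.match(body)
            if m4:
                location, target = m4.groups()
            else:
                # Startup-folder style: "Startup: name = path"
                location, _, target = body.partition(" = ")
        else:
            continue
        # Win9x paths are case-insensitive, so compare in lower case.
        key = (section, location.strip().lower())
        entries[key] = target.strip().lower()
    return entries


def risky(target):
    """True when the launched command references a .pif or .scr file."""
    return bool(RISKY_RE.search(target))


def diff_autostarts(old_log, new_log):
    """Compare two logs and report added, removed and retargeted entries."""
    old, new = parse_autostarts(old_log), parse_autostarts(new_log)
    added = sorted(k + (new[k],) for k in new.keys() - old.keys())
    removed = sorted(k + (old[k],) for k in old.keys() - new.keys())
    changed = sorted(
        k + (old[k], new[k])
        for k in old.keys() & new.keys()
        if old[k] != new[k]
    )
    return {"added": added, "removed": removed, "changed": changed}


def report(old_log, new_log):
    """Render the diff as text lines, marking risky targets."""
    d = diff_autostarts(old_log, new_log)
    lines = []
    for sec, loc, was, now in d["changed"]:
        mark = " [RISKY]" if risky(now) else ""
        lines.append(f"CHANGED {sec} {loc}: {was} -> {now}{mark}")
    for sec, loc, tgt in d["added"]:
        mark = " [RISKY]" if risky(tgt) else ""
        lines.append(f"ADDED   {sec} {loc}: {tgt}{mark}")
    for sec, loc, tgt in d["removed"]:
        lines.append(f"REMOVED {sec} {loc}: {tgt}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOG_SEP15, LOG_SEP16)))
```

A retargeted entry at the same autostart location, as opposed to a removed one, means something rewrote the entry after the fix, so the component doing the rewriting is still active.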

Response Number 13
Name: bccamper
Date: September 16, 2006 at 20:30:31 Pacific
Reply:

I downloaded and ran CureIT. It did not find any viruses in memory. It is scanning all the drives now but it is taking quite a while. Interesting enough it hasn't found anything yet. Could it be that AVG is wrongly reporting viruses. For the most part the machine is running fine other than AVG keeps reporting files with viruses.


0

Response Number 14
Name: bccamper
Date: September 16, 2006 at 20:55:16 Pacific
Reply:

CureIT finished with no viruses found.


0

Response Number 15
Name: jabuck
Date: September 16, 2006 at 21:32:34 Pacific
Reply:

No, it's definitely a worm.

After the Dr.Web CureIT program is through go to start> settings> control panel> folder options> Select the View Tab> In the Hidden files section select Show all files> Click OK.

Reboot to safe mode and run hijack this and remove this item:

F1 - win.ini: run=c:\windows\natal!.pif

Exit Hijack This.

Navigate to and delete these files if found:

c:\windows\natal!.pif

c:\windows\natsin.gay

c:\windows\natsout.gay

c:\windows\newton.gay

c:\windows\natlog

c:\windows\natlog2

Next open notepad (Start Menu > Run > Type "notepad" without the quotes and press "ok").

Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"4wd!!!"=-
"ScrSvrOld"=-


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Goto File on the top bar and choose Save As, Change the Save As Type to All Files, Name it Fix.reg then save it to your desktop.

Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes and the reg entry should be removed.

Post a new Hijack This log please



0

Response Number 16
Name: bccamper
Date: September 16, 2006 at 21:56:04 Pacific
Reply:

I had already removed the natal!.pif using hijack this when I found it before. I hope this was okay. There are no files in the windows directory that begin with nat* or new*.

Sorry, is the last character in the reg entries a dash or an underscore?


0

Response Number 17
Name: jabuck
Date: September 16, 2006 at 22:34:39 Pacific
Reply:

A dash. Did you remove the .pif file?


0

Response Number 18
Name: bccamper
Date: September 16, 2006 at 22:43:22 Pacific
Reply:

Yes I did.

Here is the new hijack log

Logfile of HijackThis v1.99.1
Scan saved at 10:41:12 PM, on 16/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\STARTER.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - WWW. Prefix: http://



0

Response Number 19
Name: jabuck
Date: September 16, 2006 at 22:54:12 Pacific
Reply:

Well the log looks clean. Could you restart the computer and post a new Hijack This log.

Then try downloading java from this link http://www.java.com/en/download/windows_ie.jsp


0

Response Number 20
Name: bccamper
Date: September 16, 2006 at 23:07:42 Pacific
Reply:

I tried downloading java again. This is the url I ended up at;

http://www.java.com/en/download/win...

Again I got the same message about refreshing the web page to restart the java installer.

Here is a new hijack log;

Logfile of HijackThis v1.99.1
Scan saved at 11:07:19 PM, on 16/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\STARTER.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - WWW. Prefix: http://



0

Response Number 21
Name: Johnw
Date: September 16, 2006 at 23:20:20 Pacific
Reply:

jabuck, I would fix this.
O13 - WWW. Prefix: http://

What do you think?


0

Response Number 22
Name: jabuck
Date: September 16, 2006 at 23:25:50 Pacific
Reply:

Yes, technically all 013's should be removed.


0

Response Number 23
Name: bccamper
Date: September 16, 2006 at 23:39:27 Pacific
Reply:

I removed the 013 but I am still unable to install java.

Here is the latest hijack log file.

Logfile of HijackThis v1.99.1
Scan saved at 11:38:54 PM, on 16/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\STARTER.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm



0

Response Number 24
Name: Johnw
Date: September 16, 2006 at 23:55:59 Pacific
Reply:


Put the exact Java error message into a search engine such as Google.
You may be able to get more info from the Event viewer.
HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308427



0

Response Number 25
Name: Johnw
Date: September 17, 2006 at 00:05:17 Pacific
Reply:


bccamper said > I tried downloading java again. This is the url I ended up at;
http://www.java.com/en/download/win...
Did you follow the instructions on that page.
If you encounter an error, check the top of the browser (see image above) for a yellow bar that reads "This site might require the following ActiveX control: J2SE Runtime Environment 5.0 Update 6 from 'Sun Microsystems, Inc.'. Click here to install..." Click the yellow bar and choose "Install ActiveX Control..." to allow installation to proceed.


0

Response Number 26
Name: nick (by nick_1211)
Date: September 17, 2006 at 08:02:20 Pacific
Reply:

JohnW said:

"Put the exact Java error message into a search engine such as Google.
You may be able to get more info from the Event viewer.
HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/defaul...

Johnw, in the HJT log he has Windows 98SE, not Windows XP. If 98SE had an Event Viewer, I actually would be amazed.

Im like curious george, but my names nick


0

Response Number 27
Name: jabuck
Date: September 17, 2006 at 09:04:28 Pacific
Reply:

Repair the internet explorer by following the directions at this link http://support.microsoft.com/kb/194177/

Maybe the defaults for active x need to be reset and this should do it.

Try running the panda scan in response #4 after doing the above.


0

Response Number 28
Name: bccamper
Date: September 17, 2006 at 12:07:44 Pacific
Reply:

Hi guys,

I have some things to do today so I won't be able to get back to this until later tonight or tomorrow. I will try fixing the internet explorer and see what happens.


0

Response Number 29
Name: Johnw
Date: September 17, 2006 at 15:36:44 Pacific
Reply:

bccamper said > I will try fixing the internet explorer and see what happens.

As you are using IE6, to me it appears a simple matter of clicking on the yellow bar & giving your popup blocker permission.


0

Response Number 30
Name: bccamper
Date: September 18, 2006 at 12:21:14 Pacific
Reply:

I am not at the machine right now but no, that isn't the problem. On the java download page they referred to that as a possibility and I am familiar with the yellow bar that wants to download an active x control. However I have only ever seen that in WinXP.


0

Response Number 31
Name: bccamper
Date: September 18, 2006 at 15:54:23 Pacific
Reply:

Repair the internet explorer by following the directions at this link http://support.microsoft.com/kb/194...

This article refers to IE 5. I am running ie 6. Is the article still valid to use?


0

Response Number 32
Name: jabuck
Date: September 18, 2006 at 18:47:44 Pacific
Reply:

The repair works the same way for IE 5.0, 5.5 and 6.0.


0

Response Number 33
Name: bccamper
Date: September 18, 2006 at 19:04:48 Pacific
Reply:

It tells me that IE cannot be repaired. Please run setup again to reinstall all components. Should I download IE 6 again and reinstall?


0

Response Number 34
Name: jabuck
Date: September 18, 2006 at 19:28:56 Pacific
Reply:

Yes, I would reinstall IE6.0.

Read the link below in the paragraph headed "INTERNET EXPLORER IE6 SP1" at the following link http://www.annoyances.org/exec/forum/win98/1084434913 compliments of "MAC".

You may want to post on the 98 forum to see if there may be a better updated method but this was the most reliable for me while running ME or 98.


0

Response Number 35
Name: bccamper
Date: September 18, 2006 at 19:55:15 Pacific
Reply:

Jabuck,

I reinstalled IE 6 and now I am able to run the scan from panda. I'll let you know what happens.


0

Response Number 36
Name: jabuck
Date: September 18, 2006 at 20:07:20 Pacific
Reply:

Ok, that is good to hear.

I am calling it a night so just post the results and I'll review them in the morning.


0

Response Number 37
Name: bccamper
Date: September 18, 2006 at 20:36:35 Pacific
Reply:

Here is the panda log;


Incident Status Location

Spyware:spyware/harnig Not disinfected c:\windows\LOAD.exe
Spyware:Cookie/Tribalfusion Not disinfected C:\Windows\TEMP\Cookies\anyuser@tribalfusion[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Windows\TEMP\Cookies\anyuser@ads.pointroll[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Windows\TEMP\Cookies\anyuser@com[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Windows\TEMP\Cookies\steve@tribalfusion[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Windows\TEMP\Cookies\steve@2o7[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Windows\TEMP\Cookies\anyuser@2o7[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Windows\TEMP\Cookies\anyuser@microsofteup.112.2o7[1].txt


0

Response Number 38
Name: jabuck
Date: September 19, 2006 at 04:11:48 Pacific
Reply:

Reboot into safe mode.

Navigate to and delete this file if found:

c:\windows\LOAD.exe

Set up the computer to view hidden files.


0

Response Number 39
Name: bccamper
Date: September 19, 2006 at 07:28:09 Pacific
Reply:

morning Jabuck,

I wanted to add that I was also able to get the windows update to come up and install every update that was available other than the language updates. I will remove the load.exe. Any idea why Panda did not report the files as having viruses when AVG does? I should add too, the number of times AVG pops up showing a file having a virus seems to be decreasing.


0

Response Number 40
Name: jabuck
Date: September 19, 2006 at 15:15:48 Pacific
Reply:

Load.exe is the virus (Nimda-A Worm most likely). Needs to be removed right away.

Once you remove it run the panda scan again and post the results please.


0

Response Number 41
Name: bccamper
Date: September 19, 2006 at 16:28:43 Pacific
Reply:

Hi jabuck,

I deleted the load.exe and now I am trying to run the panda scan again. I am getting the following error;

An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again

Possible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,...

I am going to try and reboot but I doubt that is going to help.

I am including another HJT log for you to view;

Logfile of HijackThis v1.99.1
Scan saved at 4:28:17 PM, on 19/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\KB918547\KB918547.exe
C:\WINDOWS\SYSTEM\KB891711\KB891711.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\STARTER.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/active...



0

Response Number 42
Name: jabuck
Date: September 19, 2006 at 16:33:29 Pacific
Reply:

Try repairing IE 6.0 again, the virus may have been corrupting it. I don't see anything in the Hijack This log that looks like a problem.


0

Response Number 43
Name: bccamper
Date: September 19, 2006 at 16:54:30 Pacific
Reply:

Damn I repaired IE, rebooted and Panda still won't run. What now?


0

Response Number 44
Name: bccamper
Date: September 19, 2006 at 17:20:08 Pacific
Reply:

Jabuck,

Sorry I have to go for a family emergency. I will be back later.


0

Response Number 45
Name: bccamper
Date: October 3, 2006 at 09:20:16 Pacific
Reply:

Hi Jabuck,

Sorry I ended up with two family members in the hospital, one seriously. I hope to get back to this machine tonight. I hope you are still around to help me.


0

Response Number 46
Name: bccamper
Date: October 5, 2006 at 21:29:15 Pacific
Reply:

Jabuck,

I finally got back to looking at this machine tonight. I tried to run Panda and was unsuccessful with the same issue as before. I tried downloading and installing Java, again with the same problem as before. So I then tried to reinstall IE 6.0. Now when I restart the computer it gets to a point where it just seems to hang. If I go to task manager the only process is explorer and it does not say it is not responding. I hope you are still around to try and help me. Sorry I had to abandon this forum for a while.


0

Response Number 47
Name: jabuck
Date: October 6, 2006 at 10:46:38 Pacific
Reply:

What has happened is that when you "updated" after reinstalling IE6.0 a file was overwritten causing the same problem. Are you using the computer now to post the last message?


0

Response Number 48
Name: bccamper
Date: October 6, 2006 at 19:33:25 Pacific
Reply:

No I am using a different computer.


0

Response Number 49
Name: bccamper
Date: October 6, 2006 at 20:39:17 Pacific
Reply:

Am I now at the point that I have to bite the bullet and rebuild the machine from scratch?


0

Response Number 50
Name: bccamper
Date: October 7, 2006 at 11:11:29 Pacific
Reply:

Jabuck,

I did an over the top install of Win98 and I can now get windows started again. So I am now back to the point where I had to leave for the family emergency.


0

Response Number 51
Name: bccamper
Date: October 7, 2006 at 13:53:10 Pacific
Reply:

Here is a new Hijack log

Logfile of HijackThis v1.99.1
Scan saved at 1:52:22 PM, on 07/10/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\KB918547\KB918547.exe
C:\WINDOWS\SYSTEM\KB891711\KB891711.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\STARTER.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.exe
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.exe
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: winupdate.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...


0

Response Number 52
Name: jabuck
Date: October 8, 2006 at 12:19:56 Pacific
Reply:

You still have a worm.

Reboot into safe mode. Run Hijack This and remove this entry:

O4 - Startup: winupdate.exe


Then navigate to and delete this file if found:

C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.exe

C:\WINDOWS\System\winupdate.exe

C:\Windows\winupdate.exe

Reboot to normal mode.

Let me know what you find.


0
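The comparison behind Response 52, spotting an autostart entry that was not in the earlier log, can be done mechanically. The following is an added example, not part of the original thread: it parses two HijackThis logs and reports O4 autostart entries and running processes that differ. The log text is excerpted and shortened from the Sep 19 and Oct 7 logs above; the function names are this example's own.

```python
import re
from collections import Counter

# Excerpts (shortened) of the two HijackThis logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:28:17 PM, on 19/09/06

Running processes:
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:52:22 PM, on 07/10/06

Running processes:
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: winupdate.exe
"""

# "O4 - ...", "R1 - ...", "O16 - ..." style section lines.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 detail: "<location>: [<value name>] <command>" or "<location>: <file>".
O4_RE = re.compile(r"^(?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into its process list and coded entries."""
    processes, entries, in_procs = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.setdefault(m.group(1), []).append(m.group(2))
        elif in_procs and line:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def autostarts(text):
    """Map (location, value name) -> command for every O4 line.

    Startup-folder entries have no value name, so the file name is the key.
    Keys are lower-cased because Win9x paths and names are case-insensitive.
    """
    out = {}
    for detail in parse_hjt(text)["entries"].get("O4", []):
        m = O4_RE.match(detail)
        if m:
            name = m.group("name") or m.group("cmd")
            out[(m.group("where").lower(), name.lower())] = m.group("cmd")
    return out


def diff_autostarts(before, after):
    """Return (added, removed, changed) O4 entries between two logs."""
    a, b = autostarts(before), autostarts(after)
    added = {k: b[k] for k in b.keys() - a.keys()}
    removed = {k: a[k] for k in a.keys() - b.keys()}
    changed = {k: (a[k], b[k]) for k in a.keys() & b.keys()
               if a[k].lower() != b[k].lower()}
    return added, removed, changed


def new_processes(before, after):
    """Processes present only in the later log, with instance counts."""
    seen = {p.lower() for p in parse_hjt(before)["processes"]}
    later = parse_hjt(after)["processes"]
    return dict(Counter(p for p in later if p.lower() not in seen))


if __name__ == "__main__":
    added, removed, changed = diff_autostarts(LOG_BEFORE, LOG_AFTER)
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
    print("new processes:", new_processes(LOG_BEFORE, LOG_AFTER))
```

A difference only says what changed between snapshots; whether a new entry is malicious still needs the kind of review given in the reply above.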

Response Number 53
Name: bccamper
Date: October 8, 2006 at 16:24:21 Pacific
Reply:

I started the computer in safe mode and ran hijackthis and tried to delete the O4 entry you mentioned. It complained that it was unable to delete it but when I ran the scan again it was gone. I did a search for the winupdate.exe file on all my hard drives and could not find it anywhere. I checked the win.ini as well just to make sure it was okay. I then rebooted to normal mode. I received a message 'Windows cannot find start.exe'. I had the Win98 directory on one of my hard drives so I browsed there and it seemed to find it. I tried rebooting the machine and it wouldn't restart or shutdown. I forced it by hitting the reset button. It started up okay this time but when it did it started a bunch of DOS windows for a few seconds (about 5 of them). I am now sitting in Windows. Should I post a new hijack log?


0

Response Number 54
Name: bccamper
Date: October 8, 2006 at 16:26:05 Pacific
Reply:

Now when I try to run anything like msconfig, wordpad, etc. a DOS window appears for a second and then disappears.


0

Response Number 55
Name: bccamper
Date: October 9, 2006 at 23:36:50 Pacific
Reply:

I got the problem fixed with not being able to start programs. I am still getting a lot of files being reported as containing a virus according to AVG. Here is the latest hijack log I ran.

Logfile of HijackThis v1.99.1
Scan saved at 11:34:01 PM, on 09/10/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\KB918547\KB918547.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\STARTER.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...


0

Response Number 56
Name: jabuck
Date: October 11, 2006 at 20:28:01 Pacific
Reply:

Try one of the online scans.


0

Response Number 57
Name: bccamper
Date: October 11, 2006 at 21:27:09 Pacific
Reply:

I tried running Panda and it never completes. It sits at 3 items remaining to be loaded. I will try it again and see if it ever completely loads.


0

Response Number 58
Name: bccamper
Date: October 11, 2006 at 22:05:43 Pacific
Reply:

The scan seems to be running now. I will let you know the results when it finishes.


0

Response Number 59
Name: bccamper
Date: October 11, 2006 at 23:31:44 Pacific
Reply:

Jabuck,

The scan finished. It found 7 viruses and disinfected all of them. It also found 2 spyware that it didn't disinfect. I rebooted the machine and I was still getting AVG reporting viruses in files so I reran Panda. This time it still reports the 2 spyware but does not report any viruses.


0

Response Number 60
Name: jabuck
Date: October 12, 2006 at 20:31:48 Pacific
Reply:

Post the scan result from both the Panda scan and the AVG scan please.


0

Response Number 61
Name: bccamper
Date: October 12, 2006 at 23:33:12 Pacific
Reply:

Panda log:


Incident Status Location

Spyware:Cookie/Tribalfusion Not disinfected C:\Windows\TEMP\Cookies\anyuser@tribalfusion[2].txt

AVG log

"Partition table (MBR)","Change","Changed"
"Boot sector of disk C:","- OK -","Quick checked"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load","","Scanned"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit","","Scanned"
"System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","","Scanned"
"System registry exefile\shell\open\command","","Scanned"
"System registry scrfile\shell\open\command","","Scanned"
"System registry scrfile\shell\config\command","","Scanned"
"System registry batfile\shell\open\command","","Scanned"
"System registry cmdfile\shell\open\command","","Scanned"
"System registry comfile\shell\open\command","","Scanned"
"System registry piffile\shell\open\command","","Scanned"
"System registry giffile\shell\open\command","","Scanned"
"System registry htmlfile\shell\open\command","","Scanned"
"System registry htafile\shell\open\command","","Scanned"
"System registry jpegfile\shell\open\command","","Scanned"
"System registry txtfile\shell\open\command","","Scanned"
"System registry regfile\shell\open\command","","Scanned"
"System registry cplfile\shell\cplopen\command","","Scanned"
"System registry Word.Document.8\shell\open\command","","Scanned"
"System registry WordPad.Document.1\shell\open\command","","Scanned"
"System registry inffile\shell\open\command","","Scanned"
"System registry vbsfile\shell\open\command","","Scanned"
"System registry vbefile\shell\open\command","","Scanned"
"C:\PROGRA~1\ACCESS~1\WORDPAD.exe","- OK -","Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\avgamsvr.exe","- OK -","Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\avgcc.exe","- OK -","Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\avgemc.exe","- OK -","Quick checked"
"C:\PROGRA~1\INTERN~1\IEXPLORE.exe","- OK -","Quick checked"
"C:\WINDOWS\REGEDIT.exe","- OK -","Quick checked"
"C:\WINDOWS\RUNDLL32.exe","- OK -","Quick checked"
"C:\WINDOWS\SCANREGW.exe","- OK -","Quick checked"
"C:\WINDOWS\STARTER.exe","- OK -","Quick checked"
"C:\WINDOWS\SYSTEM\KB891711\KB891711.exe","- OK -","Quick checked"
"C:\WINDOWS\SYSTEM\KB918547\KB918547.exe","- OK -","Quick checked"
"C:\WINDOWS\SYSTEM\MSTASK.exe","- OK -","Quick checked"
"C:\WINDOWS\SYSTEM\SHELL32.DLL","- OK -","Quick checked"
"C:\WINDOWS\SYSTEM\SYSTRAY.exe","- OK -","Quick checked"
"C:\WINDOWS\TASKMON.exe","- OK -","Quick checked"
"C:\WINDOWS\WSCRIPT.exe","- OK -","Quick checked"
"C:\WINDOWS\SYSTEM\kernel32.dll","- OK -","Quick checked"
"C:\WINDOWS\SYSTEM\wsock32.dll","- OK -","Quick checked"
"C:\WINDOWS\SYSTEM\user32.dll","- OK -","Quick checked"
"C:\WINDOWS\SYSTEM\shell32.dll","- OK -","Quick checked"
"C:\WINDOWS\hosts","- OK -","Quick checked"
"C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Plus!\Microsoft Internet\INETWIZ.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\EUROTOOL\EUROCONV.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Common Files\Microsoft Shared\Wordart\WRDART32.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Grisoft\AVG Free\avginet.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Grisoft\AVG Free\avgscan.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Grisoft\AVG Free\avgupdln.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Grisoft\AVG Free\avgvv.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Grisoft\AVG Free\avgw.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Grisoft\AVG Free\setup.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\SYMANTEC\LiveUpdate\Uninst.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Norton Web Services\pcsetup.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Norton Web Services\LUPCPro.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Norton Web Services\UpdateMe.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Internet Explorer\DW15.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Internet Explorer\ie6setup.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Internet Explorer\Connection Wizard\icwrmind.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Internet Explorer\Connection Wizard\icwtutor.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Internet Explorer\Setup\SETUP.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Internet Explorer\Setup\IEBATCH.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Internet Explorer\W2K\expinst.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Outlook Express\wabmig.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Outlook Express\wab.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Windows Media Player\mplayer2.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Windows Media Player\logagent.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Windows Media Player\wmplayer.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Windows Media Player\migrate.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Windows Media Player\dw15.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Windows Media Player\setup_wm.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Windows Media Player\Roxio\wmburn.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Microsoft FrontPage\version3.0\bin\FP98SADM.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Microsoft FrontPage\version3.0\bin\FP98SWIN.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Microsoft FrontPage\version3.0\bin\FPSRVADM.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Microsoft FrontPage\version3.0\bin\FPSRVWIN.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\InstallShield Installation Information\{B5C268C0-A9A2-11D4-B8ED-0001031A61FE}\Setup.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\InstallShield Installation Information\{2E7229AE-BBDC-4B75-BA40-C05BA9A5E647}\Setup.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\ahead\InCD\InCD.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\ACG\PCLAW32\UNINSTAL.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Spybot - Search & Destroy\unins000.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Spybot - Search & Destroy\blindman.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Spybot - Search & Destroy\Update.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\a-squared Anti-Malware\a2cmd.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\MSOffice\Office\FINDFAST.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\EXTRAC32.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\CLSPACK.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\ieuninst.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SETDEBUG.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\JVIEW.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\WJVIEW.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\REGTLIB.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\oeuninst.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\QFECheck.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\ENSMIX32.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\uneng.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\uninst.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\scrsvr.exe","Virus identified Win32/Funlove","Infected"
"C:\Windows\puta!!.com","Virus identified Win32/Dupator","Infected"
"C:\Windows\marco!.scr","Virus identified Win32/Dupator","Infected"
"C:\Windows\Brasil.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\DDEsvr.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\INF\unregmp2.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\INF\INFBACK\UNREGMP2.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\LOADWC.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\MSHTA.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\50comupd.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\AWADPR32.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\NWLSCON.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\NWLSPROC.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\MAPISP32.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\MAPISRVR.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\DIALMON.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\VVEXE32.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\hhupd.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\ATIKEY32.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\ATIPR.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\ATI64HLP.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\QFEUPD.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\CNFNOT32.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\MDISP32.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\40comupd.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\msiexec.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\JDBGMGR.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\IE4UINIT.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\CKCNV.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\USERSTUB.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\PSTORES.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\npnsdad.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\DSSSIG.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\LOGAGENT.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\S3UNINST.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\MMC.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\updcrl.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\mobsync.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\unam4ie.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\WUCRTUPD.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\dxdllreg.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\dpnsvr.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\dpvsetup.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\oldole\rpcss.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\oldole\INSTALL.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\MACROMED\FLASH\UninstFl.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\MACROMED\FLASH\genuinst.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\URTTemp\regtlib.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\VCM\GRPCONV.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\VCM\MSTASK.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\VCM\MSTINIT.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\VCM\SAGE.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\VCM\CSCRIPT.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\VCM\DXDIAG.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\VCM\MSCONFIG.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\VCM\WSCRIPT.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Msagent\AGENTSVR.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\OPTIONS\CABS\hh.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Windows Update Setup Files\ie6setup.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\v1.1.4322\csc.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\v1.1.4322\cvtres.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\v1.1.4322\jsc.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\v1.1.4322\vbc.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\v1.1.4322\InstallUtil.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\v1.1.4322\IEExec.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\v1.1.4322\RegAsm.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\v1.1.4322\ilasm.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\v1.1.4322\CasPol.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\v1.1.4322\ngen.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\v1.1.4322\ConfigWizards.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\v1.1.4322\RegSvcs.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\v1.1.4322\MigPol.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\SBPCI\SBSETUP.exe","Virus identified Win32/Gaelicum.A","Infected"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load","","Scanned"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit","","Scanned"
"System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","","Scanned"
"System registry exefile\shell\open\command","","Scanned"
"System registry scrfile\shell\open\command","","Scanned"
"System registry scrfile\shell\config\command","","Scanned"
"System registry batfile\shell\open\command","","Scanned"
"System registry cmdfile\shell\open\command","","Scanned"
"System registry comfile\shell\open\command","","Scanned"
"System registry piffile\shell\open\command","","Scanned"
"System registry giffile\shell\open\command","","Scanned"
"System registry htmlfile\shell\open\command","","Scanned"
"System registry htafile\shell\open\command","","Scanned"
"System registry jpegfile\shell\open\command","","Scanned"
"System registry txtfile\shell\open\command","","Scanned"
"System registry regfile\shell\open\command","","Scanned"
"System registry cplfile\shell\cplopen\command","","Scanned"
"System registry Word.Document.8\shell\open\command","","Scanned"
"System registry WordPad.Document.1\shell\open\command","","Scanned"
"System registry inffile\shell\open\command","","Scanned"
"System registry vbsfile\shell\open\command","","Scanned"
"System registry vbefile\shell\open\command","","Scanned"
"C:\PROGRA~1\ACCESS~1\WORDPAD.exe","- OK -","Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\avgamsvr.exe","- OK -","Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\avgcc.exe","- OK -","Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\avgemc.exe","- OK -","Quick checked"
"C:\PROGRA~1\INTERN~1\IEXPLORE.exe","- OK -","Quick checked"
"C:\WINDOWS\REGEDIT.exe","- OK -","Quick checked"
"C:\WINDOWS\RUNDLL32.exe","- OK -","Quick checked"
"C:\WINDOWS\SCANREGW.exe","- OK -","Quick checked"
"C:\WINDOWS\STARTER.exe","- OK -","Quick checked"
"C:\WINDOWS\SYSTEM\KB891711\KB891711.exe","- OK -","Quick checked"
"C:\WINDOWS\SYSTEM\KB918547\KB918547.exe","- OK -","Quick checked"
"C:\WINDOWS\SYSTEM\MSTASK.exe","- OK -","Quick checked"
"C:\WINDOWS\SYSTEM\SHELL32.DLL","- OK -","Quick checked"
"C:\WINDOWS\SYSTEM\SYSTRAY.exe","- OK -","Quick checked"
"C:\WINDOWS\TASKMON.exe","- OK -","Quick checked"
"C:\WINDOWS\WSCRIPT.exe","- OK -","Quick checked"
"C:\SETUP.exe","","Deleted"
"C:\Windows\speedy.scr","","Deleted"
"C:\Windows\instit.bat","","Deleted"
"C:\Windows\speedy.bat","","Deleted"
"C:\Windows\natal!.pif","","Deleted"
"C:\Windows\speedy.pif","","Deleted"
"C:\Windows\natal.scr","","Deleted"


0

Response Number 62
Name: jabuck
Date: October 13, 2006 at 19:22:23 Pacific
Reply:

Reboot your computer into safe mode.

Make sure you can view hidden files.

Navigate to and delete these files if found:

C:\Windows\scrsvr.exe

C:\Windows\puta!!.com

C:\Windows\marco!.scr

C:\Windows\Brasil.exe

Then run the scan again and post the results.


0
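The AVG export in Response 61 is three-column CSV (object, result, status), so it can be summarized rather than read line by line. The following is an added example, not part of the original thread: it de-duplicates the repeated rows, tallies detections by name, lists files whose detection differs from the most common one, and counts infected files per directory. The rows are excerpted and shortened from the log above; the function names and the "minority" grouping are this example's own choices.

```python
import csv
import io
import ntpath
from collections import Counter

PREFIX = "Virus identified "

# Rows excerpted (shortened) from the AVG log posted in this thread.
AVG_LOG = r'''
"Boot sector of disk C:","- OK -","Quick checked"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"C:\WINDOWS\TASKMON.exe","- OK -","Quick checked"
"C:\Program Files\Grisoft\AVG Free\avgscan.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Program Files\Grisoft\AVG Free\avgw.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\SYSTEM\msiexec.exe","Virus identified Win32/Gaelicum.A","Infected"
"C:\Windows\scrsvr.exe","Virus identified Win32/Funlove","Infected"
"C:\Windows\puta!!.com","Virus identified Win32/Dupator","Infected"
"C:\Windows\marco!.scr","Virus identified Win32/Dupator","Infected"
"C:\Windows\Brasil.exe","Virus identified Win32/Gaelicum.A","Infected"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"C:\WINDOWS\TASKMON.exe","- OK -","Quick checked"
"C:\Windows\speedy.scr","","Deleted"
'''


def parse_avg(text):
    """Return unique (object, result, status) rows in first-seen order.

    The csv module's default dialect has no escape character, so the
    backslashes in Windows paths are kept literally.
    """
    rows = [tuple(r) for r in csv.reader(io.StringIO(text)) if len(r) == 3]
    return list(dict.fromkeys(rows))


def triage(text):
    """Summarize an AVG CSV log for review."""
    rows = parse_avg(text)
    infected = [(obj, res[len(PREFIX):]) for obj, res, status in rows
                if status == "Infected" and res.startswith(PREFIX)]
    families = Counter(fam for _, fam in infected)
    dominant = families.most_common(1)[0][0] if families else None
    return {
        "families": dict(families),
        "dominant": dominant,
        # Files whose detection name is not the most common one.
        "minority_files": sorted(o for o, fam in infected if fam != dominant),
        # Directory names are lower-cased: the log mixes C:\WINDOWS and C:\Windows.
        "by_dir": dict(Counter(ntpath.dirname(o).lower() for o, _ in infected)),
        "deleted": [o for o, _, status in rows if status == "Deleted"],
    }


if __name__ == "__main__":
    for key, value in triage(AVG_LOG).items():
        print(f"{key}: {value}")
```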

Response Number 63
Name: bccamper
Date: October 13, 2006 at 20:09:38 Pacific
Reply:

Jabuck, after cleaning up the files do I rerun the scan in safe mode or do I reboot again and then rerun the scan?

Also because I am running Win98 could I delete the files by booting to DOS mode?


0

Response Number 64
Name: bccamper
Date: October 14, 2006 at 11:51:58 Pacific
Reply:

Jabuck,

The latest scan showed a bunch of files with the same virus so I did a Google search for the virus and found a page where some guy had the same problem. He said it was the worst virus he had ever seen. Anyway his solution was to download vcleaner from Grisoft. I downloaded and ran this and it cleaned up all the files. I just completed a complete AVG scan and it reported no viruses. Thanks for all the time and help you put into this helping me resolve the problem.


0

Response Number 65
Name: jabuck
Date: October 14, 2006 at 21:15:33 Pacific
Reply:

Good to hear, I'll put that in my malware removal tool folder for removing viruses on 98.


0
