I lost this thread, somehow. I think I didn't get any email notification.
DANKK, if you're still there, please, update me on your computer status.
I want you to run one more program (if it'll run)...
Download SDFix (http://downloads.andymanchesta.com/removaltools/sdfix.exe) and save it to your Desktop.
* Run the SDFix.exe by double clicking on it.
* Allow it to install into the default location which is c:\SDFix
* Now please reboot your computer into Safe Mode:
# After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
# Instead of Windows loading as normal, the Advanced Options Menu should appear;
# Select the first option, to run Windows in Safe Mode, then press Enter.
* When you have booted into safe mode, open the C:\SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services or Registry entries found and then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
* Attach the Report.txt file to your next message.
SDFix: Version 1.186
Run by DAN on Thu 05/29/2008 at 06:40 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\000060.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\hosts - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\system32\drivers\hosts - Deleted
C:\WINDOWS\system32\hljwugsf.bin - Deleted
C:\WINDOWS\xxxvideo.hta - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 21:48:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmdesched.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vmdesched.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\vmdesched.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\vmdesched.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\vmdesched.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\vmdesched.sys"
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
"affid"="7"
"subid"="run04"
"control"=hex:1a,00,15,13,07,11,18,1f,14,0a,49,09,4b,1a,09,50,11,e5,f5
"prov"="10010"
"googleadserver"="pagead2.googlesyndication.com"
"flagged"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{443EA021-5049-9583-E2C5-EC68521FB889}]
"famgilbokocb"=hex:68,61,6f,62,6b,61,69,6d,68,61,64,62,6f,6c,62,6b,00,02
"famgilbokopa"=hex:68,61,6f,62,6b,61,69,6d,68,61,64,62,6f,6c,62,6b,00,02
"faaghhcjldie"=hex:61,61,00,00
scanning hidden files ...
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\drivers\vmdesched.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\cdosys.dll 31560 bytes executable
C:\WINDOWS\system32\clbinit.dll 1695 bytes
C:\WINDOWS\system32\dllcache\clb.dll 10752 bytes executable
C:\WINDOWS\system32\dllcache\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\dllcache\clbcatq.dll 498688 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll 501248 bytes executable
scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 13
hidden processes: 0
hidden services: 1
hidden files: 13
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE:*:Disabled:pcAnywhere Host Service"
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Disabled:pcAnywhere Remote Service"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\APC\\PowerChute Business Edition\\server\\pbeserver.exe"="C:\\Program Files\\APC\\PowerChute Business Edition\\server\\pbeserver.exe:*:Disabled:PowerChute Business Edition Server"
"C:\\Program Files\\Common Files\\AOL\\1170644168\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1170644168\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE:*:Disabled:pcAnywhere Main Program"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Disabled:Skype"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Tue 20 May 2008 377 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti705.tmp"
Tue 20 May 2008 114 A..H. --- "C:\Program Files\InterActual\InterActual Player\itiAF.tmp"
Wed 19 Apr 2006 95,892 A..H. --- "C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Walgreens PhotoShow Express.exe"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT5.tmp"
Wed 25 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 25 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Fri 10 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Fri 10 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Finished!
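The Report.txt that the SDFix procedure above produces ends with a catchme registry dump, and that dump is the part of this report worth reading closely: the hidden service clbdriver is a kernel driver (type 1) with system start (start 1), its image path uses the \??\globalroot prefix rather than a plain system32\drivers path, and vmdesched.sys is whitelisted under both SafeBoot\Minimal and SafeBoot\Network, which is exactly what lets a driver keep loading in the Safe Mode the instructions rely on. The following Python script is an added example for this thread, not code from SDFix, catchme or anyone in the thread: it parses the "[key]" / "name"=value lines in catchme's format and flags any service with those traits. The sample input is a subset of the lines from the report above; the start/type names are the standard Windows SERVICE_* constants, and the treatment of the str(2): prefix as registry type 2 (REG_EXPAND_SZ) is an assumption about catchme's output format. Note that the real report repeats the same keys under ControlSet003, so on the full text the script reports clbdriver twice.

```python
r"""Flag rootkit-style service registrations in a catchme/SDFix registry dump.

Added example for this thread, not part of SDFix or catchme. It parses the
'[key]' / '"name"=value' lines that catchme prints for hidden registry entries,
then reports every service whose image path uses the \??\globalroot prefix or
whose driver is whitelisted under SafeBoot\Minimal or SafeBoot\Network (the
whitelist that lets a driver load in Safe Mode).
"""
import re
from typing import Dict, List

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)
SAFEBOOT_RE = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)$", re.IGNORECASE)

# Standard Windows service constants (SERVICE_*_START and SERVICE_* type values).
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
TYPE_NAMES = {1: "kernel driver", 2: "file system driver", 16: "own process", 32: "shared process"}

# Constructed sample input: a subset of the catchme lines from the report above.
SAMPLE = r"""
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmdesched.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vmdesched.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\vmdesched.sys"
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
"affid"="7"
"flagged"=dword:00000001
scanning hidden files ...
"""


def parse_registry_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Map each '[key]' to its raw '"name"=value' pairs; '@' is the default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name.lower()] = m.group(2)
    return keys


def dword(value: str) -> int:
    """'dword:00000001' -> 1 (the hex digits after the colon)."""
    return int(value.split(":", 1)[1], 16)


def unquote(value: str) -> str:
    """Strip the 'str(2):' prefix (assumed to mark REG_EXPAND_SZ) and the quotes."""
    head, _, rest = value.partition(":")
    if head.startswith("str("):
        value = rest
    return value.strip('"')


def analyze(text: str) -> List[dict]:
    """Return one finding per service key that has an image path, with reasons."""
    keys = parse_registry_dump(text)

    # driver file name -> set of SafeBoot lists it is whitelisted in
    safeboot: Dict[str, set] = {}
    for key in keys:
        m = SAFEBOOT_RE.search(key)
        if m:
            safeboot.setdefault(m.group(2).lower(), set()).add(m.group(1))

    findings = []
    for key, values in keys.items():
        m = SERVICE_RE.search(key)
        if not m or "imagepath" not in values:
            continue
        image = unquote(values["imagepath"])
        driver = image.rsplit("\\", 1)[-1].lower()
        reasons = []
        if image.lower().startswith("\\??\\globalroot"):
            reasons.append("image path uses the \\??\\globalroot prefix instead of a plain system32\\drivers path")
        if driver in safeboot:
            reasons.append("driver whitelisted in SafeBoot " + "+".join(sorted(safeboot[driver]))
                           + ", so it loads in Safe Mode too")
        findings.append({
            "service": m.group(1),
            "image": image,
            "start": START_NAMES.get(dword(values.get("start", "dword:3")), "unknown"),
            "type": TYPE_NAMES.get(dword(values.get("type", "dword:0")), "unknown"),
            "safeboot": sorted(safeboot.get(driver, ())),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f['service']}: {f['image']} ({f['type']}, start={f['start']})")
        for r in f["reasons"]:
            print("  -", r)
```

Run it as-is to see the clbdriver finding, or read a saved Report.txt into analyze() instead of SAMPLE. The check is deliberately independent of the file name: any hidden service that is whitelisted in SafeBoot is worth a second look, whether or not SDFix already deleted the loader files it listed under "Trojan Files Found".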