Help Me Verify That This PC is Clean

anuneznyc asked
Last Modified: 2013-11-08
Had a pretty nasty spyware infection on a PC the other day. Ran Malwarebytes and thought it was clean, but then my ISP blocked my outgoing mail because they said there was still a trojan sending out spam from my domain.

I went back and ran ComboFix and it found more infections and said it cleaned them. However, I'd like other people to look at the ComboFix log below to verify that all infections have been removed.

I'm concerned about the line that says, "c:\windows\system32\gotomon.log . . . . failed to delete"
Should I try to manually remove this file?
ws XP Professional  5.1.2600.3.1252.1.1033.18.502.236 [GMT -4:00]
Running from: c:\z\Toolkit\ComboFix\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\larryw\Local Settings\Application Data\ave.exe
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\26B8M0.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\bNA0m.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\C4GJJ.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\J3Snrdq2T.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\K8aL3.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\Qq86GdGvK.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\v48gTD.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\xlOxa87o.jpg
c:\windows\system32\lgou.rlo
c:\windows\system32\NTVBSvcW.tlb
c:\windows\system32\gotomon.log . . . . failed to delete

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected 
Restored copy from - c:\windows\ServicePackFiles\i386\ndis.sys
.
(((((((((((((((((((((((((   Files Created from 2010-03-12 to 2010-04-12  )))))))))))))))))))))))))))))))
.

2010-04-09 16:44 . 2010-04-09 16:44	--------	d-sh--w-	c:\documents and settings\Administrator\IETldCache
2010-04-08 19:04 . 2010-04-08 19:04	503808	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56696b8a-n\msvcp71.dll
2010-04-08 19:04 . 2010-04-08 19:04	499712	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56696b8a-n\jmc.dll
2010-04-08 19:04 . 2010-04-08 19:04	348160	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56696b8a-n\msvcr71.dll
2010-04-08 19:04 . 2010-04-08 19:04	61440	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-59945501-n\decora-sse.dll
2010-04-08 19:04 . 2010-04-08 19:04	12800	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-59945501-n\decora-d3d.dll
2010-03-31 14:22 . 2010-03-31 14:22	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-03-23 14:44 . 2010-03-23 14:44	--------	d-----w-	c:\documents and settings\larryw\Local Settings\Application Data\ICS

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 13:47 . 2007-01-31 21:15	--------	d-----w-	c:\program files\ReQReader Pro Client
2010-04-08 19:04 . 2007-01-24 14:17	--------	d-----w-	c:\program files\Common Files\Java
2010-04-08 19:04 . 2007-01-24 14:17	--------	d-----w-	c:\program files\Java
2010-03-09 08:28 . 2009-04-15 16:51	411368	----a-w-	c:\windows\system32\deploytk.dll
2010-02-25 15:56 . 2010-02-24 17:12	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-02-25 06:24 . 2006-03-04 03:33	916480	----a-w-	c:\windows\system32\wininet.dll
2010-02-24 17:13 . 2010-02-24 17:13	5115824	----a-w-	c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-24 17:12 . 2010-02-24 17:12	--------	d-----w-	c:\documents and settings\larryw\Application Data\Malwarebytes
2010-02-24 17:12 . 2010-02-24 17:12	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-18 18:23 . 2007-02-13 16:29	88	--sha-r-	c:\windows\system32\4F6454EC72.sys
2009-05-19 14:45 . 2007-02-13 16:29	2516	--sha-w-	c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-24 98304]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-24 169984]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-12 185896]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2007-1-24 156784]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\tools\binn\sqlmangr.exe [2002-12-17 74308]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2006-11-30 6366792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2010-03-05 18:57	147832	----a-w-	c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2008-09-30 20:04	10536	----a-w-	c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_service.exe [3/5/2010 2:57 PM 161144]
R2 MSSQL$RESUMEFILTERPRO;MSSQL$RESUMEFILTERPRO;c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlservr.exe -sRESUMEFILTERPRO --> c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlservr.exe -sRESUMEFILTERPRO [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 2:17 PM 135664]
S3 SQLAgent$RESUMEFILTERPRO;SQLAgent$RESUMEFILTERPRO;c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlagent.EXE -i RESUMEFILTERPRO --> c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlagent.EXE -i RESUMEFILTERPRO [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 18:17]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 18:17]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070124
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070124
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} - hxxp://www.reqms.com/updates/reqmspro/client/setup.exe
FF - ProfilePath - c:\documents and settings\larryw\Application Data\Mozilla\Firefox\Profiles\b4ewvrcm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 18:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(4084)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\CA\eTrust Antivirus\InoRpc.exe
c:\program files\CA\eTrust Antivirus\InoRT.exe
c:\program files\CA\eTrust Antivirus\InoTask.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlservr.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_comm_customer.exe
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_system_customer.exe
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_user_customer.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\windows\stsystra.exe
c:\program files\TechSmith\SnagIt 8\TSCHelp.exe
c:\program files\TechSmith\SnagIt 8\SnagPriv.exe
.
**************************************************************************
.
Completion time: 2010-04-12  18:14:44 - machine was rebooted
ComboFix-quarantined-files.txt  2010-04-12 22:14

Pre-Run: 57,767,751,680 bytes free
Post-Run: 58,199,687,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2CCA5BB0E4494F409426CB1BA56D6932
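Reviewers of a ComboFix log usually look for the same handful of things this one shows: a deletion that failed, a system file reported as patched, Security Center and firewall overrides, globally open ports, and the catchme hidden-file count. The following is an added example (not from the question, not ComboFix's own code) that runs those checks over a few constructed lines modelled on the log above; the rule set and severities are my own.

```python
import re

# Constructed sample: a few lines modelled on the ComboFix log in the
# question (not the full log). triage() works on a complete log as well.
SAMPLE_LOG = r"""
c:\windows\system32\lgou.rlo
c:\windows\system32\gotomon.log . . . . failed to delete
Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
hidden files: 0
"""

# Each rule: (regex matched against one stripped line, severity, message
# template filled from the regex groups). Severities are my own choice.
RULES = [
    (r"^(.*?)(?: \.)+ failed to delete\s*$", "high",
     "cleanup incomplete, {0} is still on disk (locked or in use)"),
    (r"^Infected copy of (\S+) was found", "high",
     "core system file {0} was found patched and restored; re-scan to confirm nothing rewrites it"),
    (r'^"(AntiVirusOverride|FirewallOverride)"=dword:00000001', "medium",
     "Security Center {0} set: AV/firewall warnings are suppressed"),
    (r'^"EnableFirewall"= 0\b', "medium",
     "Windows Firewall disabled in the standard profile"),
    (r'^"(\d+):(TCP|UDP)"= ', "medium",
     "port {0}/{1} globally opened in the firewall policy"),
    (r"^hidden files: (\d+)", "info",
     "catchme rootkit scan reports {0} hidden file(s)"),
]

def triage(log_text):
    """Return a list of (severity, message) findings for a ComboFix log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for pattern, severity, template in RULES:
            m = re.match(pattern, line, re.IGNORECASE)
            if m:
                findings.append((severity, template.format(*m.groups())))
    return findings

def highest_severity(findings):
    """Overall verdict: the worst severity seen, or 'clean' if no rule fired."""
    order = {"high": 3, "medium": 2, "info": 1}
    return max((s for s, _ in findings), key=order.get, default="clean")

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
    print("verdict:", highest_severity(triage(SAMPLE_LOG)))
```

A "high" verdict on the sample comes from the same two lines the question singles out: the locked gotomon.log and the patched ndis.sys.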
