Help Me Verify That This PC is Clean

Had a pretty nasty spyware infection on a PC the other day. Ran Malwarebytes and thought it was clean, but then my ISP blocked my outgoing mail because they said there was still a trojan sending out spam from my domain.

I went back and ran ComboFix and it found more infections and said it cleaned them. However, I'd like other people to look at the ComboFix log below to verify that all infections have been removed.

I'm concerned about the line that says, "c:\windows\system32\gotomon.log . . . . failed to delete"
Should I try to manually remove this file?
Windows XP Professional  5.1.2600.3.1252.1.1033.18.502.236 [GMT -4:00]
Running from: c:\z\Toolkit\ComboFix\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\larryw\Local Settings\Application Data\ave.exe
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\26B8M0.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\bNA0m.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\C4GJJ.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\J3Snrdq2T.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\K8aL3.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\Qq86GdGvK.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\v48gTD.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\xlOxa87o.jpg
c:\windows\system32\lgou.rlo
c:\windows\system32\NTVBSvcW.tlb
c:\windows\system32\gotomon.log . . . . failed to delete

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected 
Restored copy from - c:\windows\ServicePackFiles\i386\ndis.sys
.
(((((((((((((((((((((((((   Files Created from 2010-03-12 to 2010-04-12  )))))))))))))))))))))))))))))))
.

2010-04-09 16:44 . 2010-04-09 16:44	--------	d-sh--w-	c:\documents and settings\Administrator\IETldCache
2010-04-08 19:04 . 2010-04-08 19:04	503808	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56696b8a-n\msvcp71.dll
2010-04-08 19:04 . 2010-04-08 19:04	499712	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56696b8a-n\jmc.dll
2010-04-08 19:04 . 2010-04-08 19:04	348160	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56696b8a-n\msvcr71.dll
2010-04-08 19:04 . 2010-04-08 19:04	61440	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-59945501-n\decora-sse.dll
2010-04-08 19:04 . 2010-04-08 19:04	12800	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-59945501-n\decora-d3d.dll
2010-03-31 14:22 . 2010-03-31 14:22	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-03-23 14:44 . 2010-03-23 14:44	--------	d-----w-	c:\documents and settings\larryw\Local Settings\Application Data\ICS

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 13:47 . 2007-01-31 21:15	--------	d-----w-	c:\program files\ReQReader Pro Client
2010-04-08 19:04 . 2007-01-24 14:17	--------	d-----w-	c:\program files\Common Files\Java
2010-04-08 19:04 . 2007-01-24 14:17	--------	d-----w-	c:\program files\Java
2010-03-09 08:28 . 2009-04-15 16:51	411368	----a-w-	c:\windows\system32\deploytk.dll
2010-02-25 15:56 . 2010-02-24 17:12	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-02-25 06:24 . 2006-03-04 03:33	916480	----a-w-	c:\windows\system32\wininet.dll
2010-02-24 17:13 . 2010-02-24 17:13	5115824	----a-w-	c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-24 17:12 . 2010-02-24 17:12	--------	d-----w-	c:\documents and settings\larryw\Application Data\Malwarebytes
2010-02-24 17:12 . 2010-02-24 17:12	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-18 18:23 . 2007-02-13 16:29	88	--sha-r-	c:\windows\system32\4F6454EC72.sys
2009-05-19 14:45 . 2007-02-13 16:29	2516	--sha-w-	c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-24 98304]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-24 169984]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-12 185896]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2007-1-24 156784]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\tools\binn\sqlmangr.exe [2002-12-17 74308]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2006-11-30 6366792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2010-03-05 18:57	147832	----a-w-	c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2008-09-30 20:04	10536	----a-w-	c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_service.exe [3/5/2010 2:57 PM 161144]
R2 MSSQL$RESUMEFILTERPRO;MSSQL$RESUMEFILTERPRO;c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlservr.exe -sRESUMEFILTERPRO --> c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlservr.exe -sRESUMEFILTERPRO [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 2:17 PM 135664]
S3 SQLAgent$RESUMEFILTERPRO;SQLAgent$RESUMEFILTERPRO;c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlagent.EXE -i RESUMEFILTERPRO --> c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlagent.EXE -i RESUMEFILTERPRO [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 18:17]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 18:17]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070124
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070124
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} - hxxp://www.reqms.com/updates/reqmspro/client/setup.exe
FF - ProfilePath - c:\documents and settings\larryw\Application Data\Mozilla\Firefox\Profiles\b4ewvrcm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 18:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(4084)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\CA\eTrust Antivirus\InoRpc.exe
c:\program files\CA\eTrust Antivirus\InoRT.exe
c:\program files\CA\eTrust Antivirus\InoTask.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlservr.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_comm_customer.exe
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_system_customer.exe
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_user_customer.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\windows\stsystra.exe
c:\program files\TechSmith\SnagIt 8\TSCHelp.exe
c:\program files\TechSmith\SnagIt 8\SnagPriv.exe
.
**************************************************************************
.
Completion time: 2010-04-12  18:14:44 - machine was rebooted
ComboFix-quarantined-files.txt  2010-04-12 22:14

Pre-Run: 57,767,751,680 bytes free
Post-Run: 58,199,687,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2CCA5BB0E4494F409426CB1BA56D6932


anuneznycAsked:
optomaCommented:
Upload these to virustotal and post back results if getting hits
>Show hidden files first
http://www.bleepingcomputer.com/tutorials/tutorial62.html

c:\windows\system32\4F6454EC72.sys
c:\windows\system32\gotomon.log
http://www.virustotal.com


Also run a scan with Hitmanpro
http://www.surfright.nl/en/hitmanpro
johnb6767Commented:
Did you intentionally set your Security Center to disable Notifications?

"DisableNotifications"= 1 (0x1)

Verify these files are legitimate.....

c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_comm_customer.exe
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_system_customer.exe
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_user_customer.exe

ave.exe is a nasty infection that creates .exe files based on the location they get dropped to, and you need to make sure that they are signed by the manufacturer, Citrix in this case, and that they have a date modified of around the time that the app was installed......

And clean your Temp files as well...

Also, you need to check in the registry under "HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet", and verify that the filenames match the key they are under, and not a path to Ave.exe, or another nasty file.... That's how you reinfect yourself, by launching IE, and it really launches the infected file, instead of iexplore.exe.....

Export it and attach here if needed....
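As an added example (not part of this thread and not ComboFix's own code), the script below triages a ComboFix log for the items raised above: lines that "failed to delete", the disabled firewall product line, the Security Center override values, "DisableNotifications", the firewall policy with "EnableFirewall"= 0 and a globally open port, and hidden+system files sitting in system32. It runs on a constructed excerpt in the same layout and reports findings for a person to judge, not verdicts.

```python
import re

# Constructed excerpt in ComboFix's log layout (separators may be tabs or
# spaces in real logs); sample input, not the poster's complete log.
SAMPLE_LOG = r"""
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((   Other Deletions   ))))))))))
c:\windows\system32\gotomon.log . . . . failed to delete

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
((((((((((   Find3M Report   ))))))))))
2009-05-18 18:23 . 2007-02-13 16:29   88   --sha-r-   c:\windows\system32\4F6454EC72.sys
2010-03-09 08:28 . 2009-04-15 16:51   411368   ----a-w-   c:\windows\system32\deploytk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# Find3M / Files Created rows: "<mtime> . <ctime> <size> <attrs> <path>"
FILE_ROW = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(\S+)\s+([-\w]{8})\s+(.+)$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=\s*(.*)$')
PATCHED = re.compile(r"^Infected copy of (.+?) was found")
# Registry values whose non-zero state weakens the host's own defences.
WEAK_VALUES = {"AntiVirusOverride", "FirewallOverride", "DisableNotifications"}


def _nonzero(raw):
    """True for ComboFix renderings such as 'dword:00000001' or '1 (0x1)'."""
    tokens = raw.split()
    token = tokens[0] if tokens else ""
    if token.startswith("dword:"):
        return int(token[6:], 16) != 0
    return token.isdigit() and int(token) != 0


def triage(log):
    """Walk a ComboFix log and return (severity, message) findings in log order."""
    findings, key = [], ""
    for line in log.splitlines():
        line = line.rstrip()
        if line[:3] in ("FW:", "AV:") and "*disabled*" in line:
            findings.append(("high", "protection disabled: " + line.split("*")[0][3:].strip()))
        elif line.endswith("failed to delete"):
            findings.append(("review", "not removed, confirm owner before deleting: " + line.split(" . ", 1)[0].strip()))
        elif m := PATCHED.match(line):
            findings.append(("high", "system file was patched and restored, rescan after reboot: " + m.group(1)))
        elif (m := FILE_ROW.match(line)) and {"s", "h"} <= set(m.group(2)) and "\\system32\\" in m.group(3).lower():
            findings.append(("review", "hidden+system file in system32: " + m.group(3)))
        elif m := REG_KEY.match(line):
            key = m.group(1).lower()  # remember which key the following values belong to
        elif m := REG_VALUE.match(line):
            name, value = m.groups()
            if "globallyopenports" in key:
                findings.append(("high", "port opened in firewall policy: " + name))
            elif name in WEAK_VALUES and _nonzero(value):
                findings.append(("high", f"{name} is set under [{key}]"))
            elif name == "EnableFirewall" and not _nonzero(value):
                findings.append(("high", "Windows Firewall disabled: " + key))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```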
c_a_n_o_nCommented:
If your system is/was infected with a pest, malware, trojan, or virus, it will behave unexpectedly.  The best method to attempt resolution is to completely rule out the operating system by bypassing it.  To do so, you will need a rescue CD.  There are several that are out there; you might be able to create one, and there are instructions and sites that can assist with that.  But the easiest way is to use a product that is FREE, and that I have used successfully for several of my clients and on many workstations.

BitDefender (FREE Downloadable Rescue CD).  Available Here.
http://download.bitdefender.com/rescue_cd/

Instructions on the product.
http://www.bitdefender.com/KB417-en--Using-the-BitDefender-Rescue-CD.html

Hope this helps.

PS.  This may sound like a "canned" response, it just might be.  However, it is the easiest and most effective method to resolve a situation like this.
rpggamergirlCommented:
A log is bad if it belongs to a keylogger .... but that gotomon.log likely belongs to your program "Citrix".

If you really want to delete it then run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\gotomon.log
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

c:\windows\system32\4F6454EC72.sys <--optoma this one is definitely legit.

sb7785Commented:
In addition to the other great suggestions posted, if they all fail, try creating a bootable antivirus CD. If that doesn't fix it, then you've got some serious problems. It's always good to keep one on hand at any time:
http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/Q_25347695.html 
http://www.experts-exchange.com/articles/Storage/Misc/Creating-a-bootable-CD-USB.html 
What I like is that there are just some pesky items that can't be removed while in Windows. I run from a bootable source first, then go into Windows and see what's left over and then deal with it after. The bootable CD sometimes will take care of 80-100% of the infected items; making it that much easier. Best of luck to you.
anuneznycAuthor Commented:
Thanks to everyone who helped out!
optomaCommented:
No prob. Glad that all is good again:)

@Rpg> "4F6454EC72.sys" >part of Divx?