anuneznyc (United States of America) asked:
Help Me Verify That This PC is Clean

Had a pretty nasty spyware infection on a PC the other day. Ran Malwarebytes and thought it was clean, but then my ISP blocked my outgoing mail because they said there was still a trojan sending out spam from my domain.

I went back and ran ComboFix and it found more infections and said it cleaned them. However, I'd like other people to look at the ComboFix log below to verify that all infections have been removed.

I'm concerned about the line that says, "c:\windows\system32\gotomon.log . . . . failed to delete"
Should I try to manually remove this file?
ws XP Professional  5.1.2600.3.1252.1.1033.18.502.236 [GMT -4:00]
Running from: c:\z\Toolkit\ComboFix\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\larryw\Local Settings\Application Data\ave.exe
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\26B8M0.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\bNA0m.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\C4GJJ.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\J3Snrdq2T.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\K8aL3.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\Qq86GdGvK.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\v48gTD.jpg
c:\documents and settings\larryw\Local Settings\Temporary Internet Files\xlOxa87o.jpg
c:\windows\system32\lgou.rlo
c:\windows\system32\NTVBSvcW.tlb
c:\windows\system32\gotomon.log . . . . failed to delete

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected 
Restored copy from - c:\windows\ServicePackFiles\i386\ndis.sys
.
(((((((((((((((((((((((((   Files Created from 2010-03-12 to 2010-04-12  )))))))))))))))))))))))))))))))
.

2010-04-09 16:44 . 2010-04-09 16:44	--------	d-sh--w-	c:\documents and settings\Administrator\IETldCache
2010-04-08 19:04 . 2010-04-08 19:04	503808	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56696b8a-n\msvcp71.dll
2010-04-08 19:04 . 2010-04-08 19:04	499712	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56696b8a-n\jmc.dll
2010-04-08 19:04 . 2010-04-08 19:04	348160	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56696b8a-n\msvcr71.dll
2010-04-08 19:04 . 2010-04-08 19:04	61440	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-59945501-n\decora-sse.dll
2010-04-08 19:04 . 2010-04-08 19:04	12800	----a-w-	c:\documents and settings\larryw\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-59945501-n\decora-d3d.dll
2010-03-31 14:22 . 2010-03-31 14:22	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-03-23 14:44 . 2010-03-23 14:44	--------	d-----w-	c:\documents and settings\larryw\Local Settings\Application Data\ICS

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 13:47 . 2007-01-31 21:15	--------	d-----w-	c:\program files\ReQReader Pro Client
2010-04-08 19:04 . 2007-01-24 14:17	--------	d-----w-	c:\program files\Common Files\Java
2010-04-08 19:04 . 2007-01-24 14:17	--------	d-----w-	c:\program files\Java
2010-03-09 08:28 . 2009-04-15 16:51	411368	----a-w-	c:\windows\system32\deploytk.dll
2010-02-25 15:56 . 2010-02-24 17:12	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-02-25 06:24 . 2006-03-04 03:33	916480	----a-w-	c:\windows\system32\wininet.dll
2010-02-24 17:13 . 2010-02-24 17:13	5115824	----a-w-	c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-24 17:12 . 2010-02-24 17:12	--------	d-----w-	c:\documents and settings\larryw\Application Data\Malwarebytes
2010-02-24 17:12 . 2010-02-24 17:12	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-18 18:23 . 2007-02-13 16:29	88	--sha-r-	c:\windows\system32\4F6454EC72.sys
2009-05-19 14:45 . 2007-02-13 16:29	2516	--sha-w-	c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-24 98304]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-24 169984]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-12 185896]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2007-1-24 156784]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\tools\binn\sqlmangr.exe [2002-12-17 74308]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2006-11-30 6366792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2010-03-05 18:57	147832	----a-w-	c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2008-09-30 20:04	10536	----a-w-	c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_service.exe [3/5/2010 2:57 PM 161144]
R2 MSSQL$RESUMEFILTERPRO;MSSQL$RESUMEFILTERPRO;c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlservr.exe -sRESUMEFILTERPRO --> c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlservr.exe -sRESUMEFILTERPRO [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 2:17 PM 135664]
S3 SQLAgent$RESUMEFILTERPRO;SQLAgent$RESUMEFILTERPRO;c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlagent.EXE -i RESUMEFILTERPRO --> c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlagent.EXE -i RESUMEFILTERPRO [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 18:17]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 18:17]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070124
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070124
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} - hxxp://www.reqms.com/updates/reqmspro/client/setup.exe
FF - ProfilePath - c:\documents and settings\larryw\Application Data\Mozilla\Firefox\Profiles\b4ewvrcm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 18:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(4084)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\CA\eTrust Antivirus\InoRpc.exe
c:\program files\CA\eTrust Antivirus\InoRT.exe
c:\program files\CA\eTrust Antivirus\InoTask.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\WDP\ResumeFilterPro\data\MSSQL$RESUMEFILTERPRO\Binn\sqlservr.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_comm_customer.exe
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_system_customer.exe
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_user_customer.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\windows\stsystra.exe
c:\program files\TechSmith\SnagIt 8\TSCHelp.exe
c:\program files\TechSmith\SnagIt 8\SnagPriv.exe
.
**************************************************************************
.
Completion time: 2010-04-12  18:14:44 - machine was rebooted
ComboFix-quarantined-files.txt  2010-04-12 22:14

Pre-Run: 57,767,751,680 bytes free
Post-Run: 58,199,687,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2CCA5BB0E4494F409426CB1BA56D6932
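A way to triage a log like the one above mechanically, as an added example that is not part of the original thread and not ComboFix's own tooling: the script below pulls out the lines a responder looks at first (files ComboFix failed to delete, infected system files it replaced, Security Center override values, a disabled firewall profile, globally open ports, and any hidden files reported by the rootkit scan). The sample input is constructed from excerpts of the posted log; the severity labels and the rules themselves are my own assumptions, not anything ComboFix defines.

```python
import re
from typing import Dict, List

# Constructed sample: excerpts copied from the ComboFix log posted in the
# question above, trimmed to the lines the triage rules look at.
SAMPLE_LOG = r"""
c:\windows\system32\lgou.rlo
c:\windows\system32\gotomon.log . . . . failed to delete

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ndis.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

scan completed successfully
hidden files: 0
"""

# Line shapes taken from the posted log (assumed stable enough to match on).
FAILED_DELETE = re.compile(r"^(?P<path>\S.*?)\s+(?:\.\s+)+failed to delete\s*$")
INFECTED = re.compile(r"^Infected copy of (?P<path>.+?) was found and (?P<action>\w+)")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
HIDDEN = re.compile(r"^hidden files:\s*(?P<count>\d+)")

# Security Center values that, when set to 1, silence the "no AV / no firewall"
# warnings; they are worth re-checking after a cleanup.
OVERRIDES = {"AntiVirusOverride", "FirewallOverride"}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return findings ({'severity', 'item', 'why'}) from a ComboFix-style log."""
    findings: List[Dict[str, str]] = []
    current_key = ""  # registry key whose values we are currently reading
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FAILED_DELETE.match(line)
        if m:
            findings.append({"severity": "high", "item": m["path"],
                             "why": "ComboFix could not delete this file; it is still on disk"})
            continue
        m = INFECTED.match(line)
        if m:
            findings.append({"severity": "high", "item": m["path"],
                             "why": f"system file was infected and {m['action']}; "
                                    "confirm the restored copy is intact"})
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m["key"].lower()
            continue
        m = REG_VALUE.match(line)
        if m:
            name, value = m["name"], m["value"].strip()
            if "security center" in current_key and name in OVERRIDES and value.endswith("1"):
                findings.append({"severity": "medium", "item": f"{name}={value}",
                                 "why": "Security Center warnings suppressed"})
            elif (current_key.endswith(r"firewallpolicy\standardprofile")
                  and name == "EnableFirewall" and value.startswith("0")):
                findings.append({"severity": "medium", "item": f"{name}={value}",
                                 "why": "Windows Firewall disabled for the standard profile"})
            elif "globallyopenports" in current_key:
                findings.append({"severity": "low", "item": f"{name}={value}",
                                 "why": "port opened to all in the firewall policy; confirm it is intended"})
            continue
        m = HIDDEN.match(line)
        if m and int(m["count"]) > 0:
            findings.append({"severity": "high", "item": f"hidden files: {m['count']}",
                             "why": "rootkit scan found hidden files"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['item']}: {f['why']}")
```

Run against the posted excerpt it reports six findings: the undeleted gotomon.log and the replaced ndis.sys as high, the two Security Center overrides and the disabled firewall profile as medium, and the globally open 3389/TCP entry as low; the rootkit scan's "hidden files: 0" produces nothing. The point of a pass like this is to make sure the items that need a follow-up (a file still on disk after cleaning, a restored system file, defences switched off) are not lost in several hundred lines of benign startup entries.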


SOLUTION by optoma (content only available to Experts Exchange members)

SOLUTION by johnb6767 (content only available to Experts Exchange members)

SOLUTION (content only available to Experts Exchange members)

SOLUTION (content only available to Experts Exchange members)

ASKER CERTIFIED SOLUTION (content only available to Experts Exchange members)
anuneznyc (asker): Thanks to everyone who helped out!
No prob. Glad that all is good again:)

@Rpg> "4F6454EC72.sys" > part of DivX?