Ah yes sorry about that ><! I wanted to delete the other thread lol but umm yeah thanks for not shouting at me hehe.
Here's the log:
ComboFix 08-11-12.02 - Greg 2008-11-14 11:42:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1432 [GMT 0:00]
Running from: c:\documents and settings\Greg\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\jestertb.dll
c:\windows\system32\FOnTvGgh.ini
c:\windows\system32\Memman.vxd
c:\windows\system32\MSINET.oca
c:\windows\system32\skinboxer43.dll
.
((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))
.
2008-11-14 00:13 . 2008-11-14 00:13 250 --a------ c:\windows\gmer.ini
2008-11-13 14:42 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 14:42 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 21:14 . 2008-11-12 21:14 <DIR> d-------- c:\documents and settings\Greg\Application Data\Malwarebytes
2008-11-12 21:14 . 2008-11-12 21:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-12 21:14 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-12 21:14 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-11 22:27 . 2008-11-11 22:27 <DIR> d-------- c:\program files\Common Files\Creative Labs Shared
2008-11-11 20:34 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-05 22:30 . 2008-11-05 22:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Bluetooth
2008-11-05 22:27 . 2008-11-05 22:29 32 --a------ c:\windows\
0
2008-11-05 22:27 . 2008-11-05 22:27 0 --a------ c:\windows\system32\
0
2008-11-04 17:07 . 2008-11-04 17:08 <DIR> d-------- c:\documents and settings\Greg\Application Data\SecondLife
2008-11-03 19:29 . 2008-11-04 11:32 <DIR> d-------- c:\documents and settings\Greg\Application Data\Red Alert 3
2008-11-01 13:54 . 2008-11-01 13:54 <DIR> d-------- c:\windows\nview
2008-11-01 13:54 . 2008-11-01 13:54 <DIR> d-------- c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP
2008-11-01 13:54 . 2008-10-07 13:33 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-11-01 13:54 . 2008-11-14 11:32 202,208 --a------ c:\windows\system32\nvapps.xml
2008-11-01 13:54 . 2008-10-07 13:33 18,477 --a------ c:\windows\system32\nvdisp.nvu
2008-11-01 13:53 . 2008-11-01 13:53 <DIR> d-------- C:\NVIDIA
2008-11-01 13:53 . 2008-10-02 10:07 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-11-01 10:40 . 2008-07-12 08:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2008-11-01 10:40 . 2008-07-12 08:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2008-11-01 10:40 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2008-11-01 10:40 . 2008-07-12 08:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2008-11-01 10:40 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2008-11-01 10:40 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2008-10-27 17:37 . 2008-10-27 17:37 <DIR> d-------- c:\windows\95FC26FB19FD4A96BBB1B1062E8648F5.TMP
2008-10-27 09:18 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 19:10 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 19:10 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 19:10 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 19:10 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 19:10 . 2008-09-15 12:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-15 19:10 . 2008-09-08 10:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-14 16:11 . 2008-10-14 16:12 <DIR> d-------- c:\documents and settings\Greg\Application Data\Autodesk
2008-10-14 15:42 . 2008-10-14 15:42 <DIR> d-------- c:\program files\Autodesk
2008-10-14 15:41 . 2008-10-20 23:55 <DIR> d-------- c:\program files\Common Files\Autodesk Shared
2008-10-14 15:41 . 2008-10-20 23:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Autodesk
2008-10-14 15:40 . 2008-10-14 15:40 <DIR> d-------- c:\program files\MSBuild
2008-10-14 15:38 . 2008-10-27 09:22 <DIR> d-------- c:\windows\system32\XPSViewer
2008-10-14 15:37 . 2008-10-14 15:37 <DIR> d-------- c:\program files\Reference Assemblies
2008-10-14 15:37 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-10-14 15:03 . 2008-11-04 23:51 26,864 --a------ c:\documents and settings\Greg\Application Data\GDIPFONTCACHEV1.DAT
2008-10-14 10:25 . 2008-10-17 01:46 <DIR> d-------- c:\documents and settings\Greg\Application Data\SPORE
2008-10-14 10:24 . 2008-10-14 10:24 <DIR> d-------- c:\program files\Electronic Arts
2008-10-14 10:24 . 2008-10-14 10:24 7,342 --a------ c:\windows\system32\ealregsnapshot1.reg
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 11:50 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-11-14 00:01 --------- d-----w c:\program files\LogMeIn
2008-11-13 23:22 --------- d-----w c:\documents and settings\Greg\Application Data\Azureus
2008-11-13 22:27 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-11 22:27 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 22:27 --------- d-----w c:\documents and settings\All Users\Application Data\Creative
2008-11-02 02:20 --------- d-----w c:\documents and settings\Greg\Application Data\InstallShield Installation Information
2008-11-01 13:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-27 23:20 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-10-27 23:20 107,832 ----a-w c:\windows\system32\PnkBstrB.exe
2008-10-27 20:01 22,328 ----a-w c:\documents and settings\Greg\Application Data\PnkBstrK.sys
2008-10-27 20:01 2,506,752 ----a-w c:\windows\system32\pbsvc.exe
2008-10-27 18:57 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-10-27 10:20 --------- d-----w c:\program files\AGEIA Technologies
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 01:20 --------- d-----w c:\documents and settings\Greg\Application Data\uTorrent
2008-10-21 09:23 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-17 20:56 87,352 ----a-w c:\windows\system32\LMIinit.dll
2008-10-17 20:56 83,288 ----a-w c:\windows\system32\LMIRfsClientNP.dll
2008-10-17 20:56 47,640 ----a-w c:\windows\system32\drivers\LMIRfsDriver.sys
2008-10-17 20:56 28,984 ----a-w c:\windows\system32\LMIport.dll
2008-10-17 20:56 23,736 ----a-w c:\windows\system32\lmimirr.dll
2008-10-17 20:56 10,040 ----a-w c:\windows\system32\lmimirr2.dll
2008-10-13 09:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-10-11 22:38 --------- d-----w c:\documents and settings\Greg\Application Data\SPORE Creature Creator
2008-10-09 16:45 --------- dc-h--w c:\documents and settings\All Users\Application Data\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelTraditionalChinese.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelSwedish.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelSpanish.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelSimplifiedChinese.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelPortugese.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelKorean.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelJapanese.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelGerman.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelFrench.dll
2008-10-07 09:13 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-10-07 09:13 288,024 ----a-w c:\windows\system32\PhysXCompatCplUI.exe
2008-10-07 09:13 23,320 ----a-w c:\windows\system32\PhysXDevice.dll
2008-10-03 17:43 --------- d-----w c:\program files\iPod
2008-10-03 17:43 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-01 10:22 --------- d-----w c:\documents and settings\Greg\Application Data\Creative
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-24 14:01 --------- d-----w c:\documents and settings\All Users\Application Data\Codemasters
2008-09-24 13:42 444,952 ----a-w c:\windows\system32\wrap_oal.dll
2008-09-24 13:42 109,080 ----a-w c:\windows\system32\OpenAL32.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-13 08:39 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-29 09:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-21 00:19 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-08-21 00:19 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-06-08 12:57 32,768 ------w c:\windows\inf\UpdateUSB.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools"="e:\daemon tools\daemon.exe" [2007-08-16 167368]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2008-06-08 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2008-06-08 1953792]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RivaTuner"="e:\rivatuner v2.11\RivaTuner.exe" [2008-09-16 2715648]
"Adobe Reader Speed Launcher"="e:\adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"RivaTunerStartupDaemon"="e:\rivatuner v2.11\RivaTuner.exe" [2008-09-16 2715648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"VolPanel"="e:\creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Malwarebytes' Anti-Malware"="e:\malwarebytes' anti-malware\mbamgui.exe" [2008-10-22 399504]
"egui"="e:\eset\ESET Smart Security\egui.exe" [2008-06-10 1447168]
"CTHelper"="CTHELPER.EXE" [2006-05-24 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-07-11 c:\windows\system32\Ctxfihlp.exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Greg\Start Menu\Programs\Startup\
SpywareGuard.lnk - e:\spywareguard\sgmain.exe [2003-08-29 360448]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 20:56 87352 c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Greg^Start Menu^Programs^Startup^Registration Driver Parallel Lines.LNK]
path=c:\documents and settings\Greg\Start Menu\Programs\Startup\Registration Driver Parallel Lines.LNK
backup=c:\windows\pss\Registration Driver Parallel Lines.LNKStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 e:\itunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--------- 2008-02-28 14:31 63048 c:\program files\LogMeIn\x86\LogMeInSystray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-08-21 00:19 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"g:\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"g:\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"g:\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"e:\\Azureus\\Azureus.exe"=
"g:\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"g:\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"g:\\Codemasters\\GRID\\GRID.exe"=
"e:\\uTorrent\\uTorrent.exe"=
"e:\\iTunes\\iTunes.exe"=
"e:\\Autodesk\\Backburner\\monitor.exe"=
"e:\\Autodesk\\Backburner\\manager.exe"=
"e:\\Autodesk\\Backburner\\server.exe"=
"e:\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"e:\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55665:TCP"= 55665:TCP:vuze
"55665:UDP"= 55665:UDP:vuze
"40178:TCP"= 40178:TCP:utorernt
"40178:UDP"= 40178:UDP:utorren
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-03-03 39472]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
R2 CTAudSvcService;Creative Audio Service;c:\program files\Creative\Shared Files\CTAudSvc.exe [2008-04-30 417792]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-17 47640]
R2 MBAMService;MBAMService;e:\malwarebytes' anti-malware\mbamservice.exe [2008-10-22 170640]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;e:\autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-09 65536]
R3 ha20x2k;Creative 20X HAL Driver;c:\windows\system32\drivers\ha20x2k.sys [2008-07-15 1173016]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-10-22 15504]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-11-11 79360]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 332928]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\DRIVERS\RTL8150.SYS [2006-05-10 22842]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\FalloutLauncher.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\CDCheck.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\CDCheck.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\autorun.exe
\Shell\setup\command - L:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-10-09 c:\windows\Tasks\Crysis Wars(R) Updates.job
- c:\windows\Installer\Crysis Wars(R) Updates for All Users.lnk [2008-10-09 16:42]
2008-11-14 c:\windows\Tasks\Malwarebytes' Scheduled Update for Greg.job
- e:\malwarebytes' anti-malware\mbam.exe [2008-10-22 16:10]
.
- - - - ORPHANS REMOVED - - - -
BHO-{7CC95A61-E194-4D9B-80D5-C6756513564E} - c:\windows\system32\hgGvTnOF.dll
HKLM-Run-SoundMAXPnP - c:\program files\Analog Devices\Core\smax4pnp.exe
SSODL-DrvAlrt-{1f96baa4-a5e4-4a76-85a6-3fd8a732d3db} - c:\windows\Resources\DrvAlrt.dll
MSConfigStartUp-lphcjh3j0el0e - c:\windows\system32\lphcjh3j0el0e.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Greg\Application Data\Mozilla\Firefox\Profiles\4741yiyq.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - e:\adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF -: plugin - e:\divx\DivX Web Player\npdivx32.dll
FF -: plugin - e:\itunes\Mozilla Plugins\npitunes.dll
FF -: plugin - e:\mozilla firefox\plugins\np32dsw.dll
FF -: plugin - e:\mozilla firefox\plugins\npnul32.dll
FF -: plugin - e:\mozilla firefox\plugins\nppl3260.dll
FF -: plugin - e:\mozilla firefox\plugins\npqtplugin.dll
FF -: plugin - e:\mozilla firefox\plugins\npqtplugin2.dll
FF -: plugin - e:\mozilla firefox\plugins\npqtplugin3.dll
FF -: plugin - e:\mozilla firefox\plugins\npqtplugin4.dll
FF -: plugin - e:\mozilla firefox\plugins\npqtplugin5.dll
FF -: plugin - e:\mozilla firefox\plugins\npqtplugin6.dll
FF -: plugin - e:\mozilla firefox\plugins\npqtplugin7.dll
FF -: plugin - e:\mozilla firefox\plugins\nprjplug.dll
FF -: plugin - e:\mozilla firefox\plugins\nprpjplug.dll
FF -: plugin - e:\real\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - e:\real\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - e:\real\RealPlayer\Netscape6\nprpjplug.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-14 11:46:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Kontiki\KService.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\CTxfispi.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\taskmgr.exe
e:\spywareguard\sgbhp.exe
e:\eset\ESET Smart Security\ekrn.exe
.
**************************************************************************
.
Completion time: 2008-11-14 11:52:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-14 11:52:06
Pre-Run: 15,342,346,240 bytes free
Post-Run: 15,358,984,192 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
314 --- E O F --- 2008-11-13 14:53:58
Well as far as boot up is concerned, again it took absolutely AGES to produce the log once again because of EKRN.EXE (From my AV) constantly causing my machine to hang because it's using up to 25-50% CPU usage each time I do anything...
As for the Zlob... hmm, not sure, I think that may have gone again for now, but can't figure out how/why it keeps slipping through.
So webpages = OK for now. Boot = still hangs due to AV.