11-13-2008, 05:43 PM   #4
†TYRANICK†™
Registered User
 
Join Date: Jan 2007
Posts: 196
OS: Windows XP SP3


Anti Virus Hanging, Possible Zlob.DNS Changer and other odd activity

My computer will hang upon log-on; my EKRN.EXE for my ESET SS Business edition will go up as far as 50% CPU usage of my 4 cores and mess everything up, and only ending the task will suffice to allow any other activity.

As well as that, Microsoft Update redirects to MSN, and all the links are in italics like this: www.microsoft.com, etc. And of course they lead to an odd blank page of sorts each time, in each case.

Scanning with software revealed a Zlob.DNSChanger in the registry, but now it's not being picked up, though the symptoms are still there.

I have NoScript (Firefox), ESET, WOT (Firefox), SpywareGuard, SpywareBlaster, Spybot, Malwarebytes (full edition), and do tons of disk checks and defrags and full scans regularly, and can't figure out why this has happened...

As far as I can tell it MUST be an infection of some kind... here are all the desired logs etc., and yes, I have subscribed to this thread:

-------------------


DDS (Version 1.0) - NTFSx86
Run by Greg at 0:31:33.03 on 14/11/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1306 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
E:\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
E:\RivaTuner v2.11\RivaTuner.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kontiki\KHost.exe
E:\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
E:\SpywareGuard\sgmain.exe
E:\SpywareGuard\sgbhp.exe
E:\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\taskmgr.exe
E:\ESET\ESET Smart Security\ekrn.exe
E:\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Greg\Desktop\dds.scr
C:\DOCUME~1\Greg\LOCALS~1\Temp\RarSFX0\FI.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - e:\real\realplayer\rpbrowserrecordplugin.dll
BHO: {4A368E80-174F-4872-96B5-0B27DDD11DB2} - e:\spywareguard\dlprotect.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - e:\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7CC95A61-E194-4D9B-80D5-C6756513564E} - c:\windows\system32\hgGvTnOF.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools] "e:\daemon tools\daemon.exe" -lang 1033
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [RivaTuner] "e:\rivatuner v2.11\RivaTuner.exe" /T
mRun: [Adobe Reader Speed Launcher] "e:\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [RivaTunerStartupDaemon] "e:\rivatuner v2.11\RivaTuner.exe" /S
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [VolPanel] "e:\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Malwarebytes' Anti-Malware] "e:\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [egui] "e:\eset\eset smart security\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\greg\startm~1\programs\startup\spywar~1.lnk - e:\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: NoDispScrSavPage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: LMIinit -LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: DrvAlrt - {1f96baa4-a5e4-4a76-85a6-3fd8a732d3db} - c:\windows\resources\DrvAlrt.dll
SEH: {81559C35-8464-49F7-BB0E-07A383BEF910} - e:\spywareguard\spywareguard.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGvTnOF

============= SERVICES / DRIVERS ===============

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys
R2 CTAudSvcService;Creative Audio Service;c:\program files\creative\shared files\CTAudSvc.exe
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys
R2 MBAMService;MBAMService;"e:\malwarebytes' anti-malware\mbamservice.exe"
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;"e:\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe"
R3 ha20x2k;Creative 20X HAL Driver;c:\windows\system32\drivers\ha20x2k.sys
R3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;"c:\program files\common files\creative labs shared\service\CTAELicensing.exe"
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS
S4 hpt3xx;hpt3xx;
S4 LMIRfsClientNP;LMIRfsClientNP;

=============== Created Last 30 ================

2008-11-14 00:13 250 a------- c:\windows\gmer.ini
2008-11-13 14:42 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 14:42 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-12 21:14 <DIR> --d----- c:\docume~1\greg\applic~1\Malwarebytes
2008-11-12 21:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-12 21:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-12 21:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-11 22:27 <DIR> --d----- c:\program files\common files\Creative Labs Shared
2008-11-11 20:34 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2008-11-05 22:27 32 a------- c:\windows\0
2008-11-05 22:27 0 a------- c:\windows\system32\0
2008-11-04 17:07 <DIR> --d----- c:\docume~1\greg\applic~1\SecondLife
2008-11-03 19:29 <DIR> --d----- c:\docume~1\greg\applic~1\Red Alert 3
2008-11-01 13:54 <DIR> --d----- c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP
2008-11-01 13:54 202,208 a------- c:\windows\system32\nvapps.xml
2008-11-01 13:54 453,152 a------- c:\windows\system32\nvudisp.exe
2008-11-01 13:54 18,477 a------- c:\windows\system32\nvdisp.nvu
2008-11-01 13:54 <DIR> --d----- c:\windows\nview
2008-11-01 13:53 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-11-01 13:53 <DIR> --d----- C:\NVIDIA
2008-11-01 10:40 509,448 a------- c:\windows\system32\XAudio2_2.dll
2008-11-01 10:40 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2008-11-01 10:40 238,088 a------- c:\windows\system32\xactengine3_2.dll
2008-11-01 10:40 1,493,528 a------- c:\windows\system32\D3DCompiler_39.dll
2008-11-01 10:40 467,984 a------- c:\windows\system32\d3dx10_39.dll
2008-11-01 10:40 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2008-10-27 17:37 <DIR> --d----- c:\windows\95FC26FB19FD4A96BBB1B1062E8648F5.TMP
2008-10-27 09:18 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2008-10-15 19:10 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2008-10-15 19:10 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2008-10-15 19:10 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 19:10 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 19:10 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 19:10 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe

==================== Find3M ====================

2008-11-14 00:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kontiki
2008-11-14 00:01 <DIR> --d----- c:\program files\LogMeIn
2008-11-13 23:22 <DIR> --d----- c:\docume~1\greg\applic~1\Azureus
2008-11-11 22:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Creative
2008-11-02 02:20 <DIR> --d----- c:\docume~1\greg\applic~1\InstallShield Installation Information
2008-11-01 13:54 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-10-27 23:20 107,832 a------- c:\windows\system32\PnkBstrB.exe
2008-10-27 20:01 2,506,752 a------- c:\windows\system32\pbsvc.exe
2008-10-27 18:57 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-10-23 01:20 <DIR> --d----- c:\docume~1\greg\applic~1\uTorrent
2008-10-20 23:55 <DIR> --d----- c:\program files\common files\Autodesk Shared
2008-10-20 23:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Autodesk
2008-10-17 20:56 87,352 a------- c:\windows\system32\LMIinit.dll
2008-10-17 20:56 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2008-10-17 20:56 28,984 a------- c:\windows\system32\LMIport.dll
2008-10-17 20:56 23,736 a------- c:\windows\system32\lmimirr.dll
2008-10-17 20:56 10,040 a------- c:\windows\system32\lmimirr2.dll
2008-10-17 01:46 <DIR> --d----- c:\docume~1\greg\applic~1\SPORE
2008-10-14 16:12 <DIR> --d----- c:\docume~1\greg\applic~1\Autodesk
2008-10-14 15:42 <DIR> --d----- c:\program files\Autodesk
2008-10-14 10:24 7,342 a------- c:\windows\system32\ealregsnapshot1.reg
2008-10-13 09:56 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-10-11 22:38 <DIR> --d----- c:\docume~1\greg\applic~1\SPORE Creature Creator
2008-10-09 16:45 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}
2008-10-07 09:13 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2008-10-07 09:13 23,320 a------- c:\windows\system32\PhysXDevice.dll
2008-10-07 09:13 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelTraditionalChinese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSwedish.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSpanish.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelPortugese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelKorean.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelJapanese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelGerman.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelFrench.dll
2008-10-03 17:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-03 17:43 <DIR> --d----- c:\program files\iPod
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-24 14:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Codemasters
2008-09-24 13:42 444,952 a------- c:\windows\system32\wrap_oal.dll
2008-09-24 13:42 109,080 a------- c:\windows\system32\OpenAL32.dll
2008-09-15 12:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-13 08:39 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-09-10 01:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-09-01 14:06 21,504 a------- c:\windows\jestertb.dll
2008-08-31 21:33 <DIR> --d----- c:\docume~1\greg\applic~1\Download Manager
2008-08-29 09:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-08-29 08:53 61,440 a------- c:\windows\system32\dnssd.dll
2008-08-27 12:05 <DIR> --d----- c:\docume~1\greg\applic~1\SystemRequirementsLab
2008-08-26 07:24 826,368 a------- c:\windows\system32\wininet.dll
2008-08-25 09:41 <DIR> --ds---- c:\docume~1\greg\applic~1\My Videos
2008-08-21 00:19 499,712 a------- c:\windows\system32\msvcp71.dll
2008-08-21 00:19 348,160 a------- c:\windows\system32\msvcr71.dll
2008-08-19 16:08 <DIR> --d----- c:\docume~1\greg\applic~1\Xfire
2008-08-17 20:15 <DIR> --d----- c:\docume~1\greg\applic~1\Sahmon Games
2008-08-14 14:30 <DIR> --d----- c:\docume~1\greg\applic~1\Alawar
2008-08-01 21:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Creative Labs
2008-07-27 15:32 <DIR> --d----- c:\docume~1\greg\applic~1\Windows Search
2008-07-23 16:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Slam Games
2008-07-17 18:40 <DIR> --d----- c:\docume~1\greg\applic~1\Move Networks
2008-07-13 23:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sky
2008-07-13 10:16 <DIR> --d----- c:\docume~1\greg\applic~1\ESET
2008-07-08 18:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-07-08 18:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-06-25 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Age of Empires 3
2008-06-22 18:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2008-06-12 19:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hot Lava Games
2008-06-12 11:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Funcom
2008-06-10 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2008-06-10 12:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2008-06-08 13:42 <DIR> --d----- c:\docume~1\greg\applic~1\AVGTOOLBAR
2008-06-08 13:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LogMeIn

============= FINISH: 0:31:44.98 ===============
Attached Files
File Type: txt Gmer.txt (14.3 KB, 1 views)
File Type: txt Attach.txt (11.9 KB, 1 views)

Last edited by †TYRANICK†™; 11-13-2008 at 05:46 PM.
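The "Pseudo HJT Report" section of a DDS log like the one above is where a helper would start triage: the LSA "Authentication Packages" value and the BHO / SSODL / Notify / SEH load points name every module that gets loaded into lsass.exe, Explorer and Internet Explorer at logon. The script below is an added example (not part of the original post, not DDS code, and not the forum's cleanup procedure) that reads those lines and flags what a reviewer would look at first: any LSA authentication package other than msv1_0 (the only one present on a default Windows XP install), a module name that looks machine-generated, and a module that is registered both as an LSA package and as a load point. The sample input is constructed by copying the relevant lines from the log in the post; the generated-name heuristic (case flips and vowel count) and its thresholds are the author's assumption, tuned only so that the names in this log separate cleanly. A flag means "check this file", not a malware verdict.

```python
"""
Triage of the 'Pseudo HJT Report' section of a DDS log (added example; this is
not part of the original post and not DDS code).

It pulls out the LSA 'Authentication Packages' list and the BHO / SSODL /
Notify / SEH load points, then flags:
  * any LSA authentication package other than msv1_0 (the Windows XP default),
  * a module that is both an LSA package and a shell/browser load point,
  * module names that look machine-generated (many case flips, few vowels;
    thresholds are an assumption, not a published rule).
A flag means 'look at this file', not 'this is malware'.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: load-point lines copied from the DDS log in the post.
SAMPLE_REPORT = r"""
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {4A368E80-174F-4872-96B5-0B27DDD11DB2} - e:\spywareguard\dlprotect.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - e:\spybot~1\SDHelper.dll
BHO: {7CC95A61-E194-4D9B-80D5-C6756513564E} - c:\windows\system32\hgGvTnOF.dll
Notify: LMIinit -LMIinit.dll
SSODL: DrvAlrt - {1f96baa4-a5e4-4a76-85a6-3fd8a732d3db} - c:\windows\resources\DrvAlrt.dll
SEH: {81559C35-8464-49F7-BB0E-07A383BEF910} - e:\spywareguard\spywareguard.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGvTnOF
"""

LSA_RE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(.+)$", re.I)
LOADPOINT_RE = re.compile(r"^(BHO|SSODL|Notify|SEH):\s*(.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # 'lsa-package' | 'generated-name' | 'lsa-and-loadpoint'
    module: str  # module name without directory or extension
    entry: str   # the DDS line that produced the finding
    reason: str


def module_name(field: str) -> str:
    """Reduce a path or a 'Name -Name.dll' Notify field to a bare module name."""
    name = field.strip().replace("/", "\\").rsplit("\\", 1)[-1]
    name = re.sub(r"\.(dll|exe|sys)$", "", name, flags=re.I)
    if " " in name:                   # Notify entries look like 'LMIinit -LMIinit'
        name = name.split()[-1]
    return name.lstrip("-")


def looks_generated(name: str) -> bool:
    """Heuristic (assumed thresholds): alphabetic, >= 6 chars, >= 4 upper/lower
    flips and fewer than 20% vowels.  AcroIEHelper has 3 flips and 6 vowels;
    hgGvTnOF has 5 flips and 1 vowel."""
    if len(name) < 6 or not name.isalpha():
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    vowels = sum(c in "aeiou" for c in name.lower())
    return flips >= 4 and vowels / len(name) < 0.2


def triage(report: str) -> list[Finding]:
    """Return review prompts for the load-point lines of a DDS report."""
    findings: list[Finding] = []
    lsa_modules: dict[str, str] = {}   # module -> LSA line
    loadpoints: dict[str, str] = {}    # module -> load-point line
    for raw in report.splitlines():
        line = raw.strip()
        if m := LSA_RE.match(line):
            for pkg in m.group(1).split():
                mod = module_name(pkg)
                lsa_modules[mod] = line
                if mod.lower() != "msv1_0":
                    findings.append(Finding("lsa-package", mod, line,
                        f"extra LSA authentication package {pkg}; XP default is msv1_0 only"))
        elif m := LOADPOINT_RE.match(line):
            # The module path is the last ' - ' separated field of the entry.
            mod = module_name(m.group(2).split(" - ")[-1])
            loadpoints[mod] = line
            if looks_generated(mod):
                findings.append(Finding("generated-name", mod, line,
                    f"{m.group(1)} module name {mod} looks machine-generated"))
    for mod in lsa_modules.keys() & loadpoints.keys():
        findings.append(Finding("lsa-and-loadpoint", mod, loadpoints[mod],
            "same module registered as LSA package and as load point: "
            "it is loaded by lsass.exe at boot and again in the browser/shell"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.kind}] {f.module}: {f.reason}\n    {f.entry}")
```

Run against the sample, every finding points at the same module, c:\windows\system32\hgGvTnOF(.dll), which is why a helper reading this log would ask for that file before anything else; the LSA entry also explains why a plain on-demand scan can miss it, since the package is already mapped into lsass.exe before the user's security tools start. The script only reads the text the poster supplied and never touches the registry.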