
IE/FF Browser Redirect, Can't open some exe's

3 replies to this topic

#1 Ravien Dave

Ravien Dave

  • Members
  • 3 posts
  • Local time:09:58 AM

Posted 27 May 2009 - 03:34 PM

My computer was functioning fine until yesterday. A couple trojans had popped up on Norton Antivirus scan but the problems were resolved. Yesterday something was downloaded to the computer and things have gone haywire since then.

When the file was downloaded, Norton detected a trojan. I was not the one at the computer at the time, but I believe it was tidserv or possibly Bloodhound. Norton seemed to block and remove the infected file, but required a restart. Before the computer was restarted, it locked up and had to be powered off. That's when the problems started.

First Norton (Internet Security 2009) stopped showing up when the computer started. It showed ccsvchost.exe running in the task manager, but when I double clicked on it, no screen would pop up, no icon showed in the taskbar, nothing. So I uninstalled and re-installed. When I re-installed, it functioned but it still was acting strangely...it would lock up, maybe every minute or so, and seemed to change some settings randomly on its own. It also didn't finish full system scans. It scanned 5k files or so and then said it was completed.

So I uninstalled and investigated further. I found that links from Google and Ask search engines redirected (to unwanted sites) in both Firefox and Internet Explorer. Typing in addresses does not redirect. The bigger problem is that some .exe's do not launch. Some do without a problem (like firefox and iexplore), but I had to rename the newly installed HijackThis and Anti-Malware as .com's (same goes for the Microsoft malware removal tool, which was from earlier this month). Spybotsd does not launch. It shows up in the task manager, but then it just stays at the same memory usage and doesn't do anything. EDIT: Renaming hijackthis/Anti-Malware simply to different filenames also worked...I'm guessing the malware is preventing those from loading up...

I did several scans. Ad-Aware was already installed so I ran that. It couldn't update its year-old definitions, but it found a couple of threats. Unfortunately I can't find a log file showing them. Anti-Malware found two trojans; log file attached (mbam_log_2009_05_26__22_20_04_.txt). MS MRT found nothing. Kaspersky found 2 trojans that were files previously picked up by Norton, which said it fixed them. I could only take a print screen of the report before Internet Explorer crashed for some reason. The infected files are in the recycling bin; here's the screenshot (attached: kapersky_report.JPG). EDIT: If you can't read that, it says I have 2 instances of "Trojan-Downloader.Win32.Agent.bpbg" and 1 instance of "Trojan.Win32.Tdss.pxn".

Sorry for the wordiness, I'm just not sure what to do, I've already spent a lot of time on it and I would hate to have to reformat. So any help short of that would be greatly appreciated. Thank you very much for taking your time to try to help me.

Here is the DDS file to attach (Attach.txt.zip), as well as the HijackThis log (hijackthis_5_27_09_16_30.txt), startup list (startuplist_5_27_09_16_30.txt), and process list (processlist_5_27_09_16_30.txt).

DDS (Ver_09-05-14.01) - NTFSx86
Run by Another Account at 15:45:31.38 on Wed 05/27/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.137 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live Safety Center\wlscUploader.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.com.exe
C:\Documents and Settings\Another Account\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [<NO NAME>] c:\program files\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...0000e6.0000026f
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188572410451
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188576236861
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anothe~1\applic~1\mozilla\firefox\profiles\rii7gbfn.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\rayv\rayv\plugins\nprayvplugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-11 24652]
R3 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2007-8-31 92550]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-5-26 40160]
S2 EraserSvc10910;Symantec Eraser Service;c:\program files\norton internet security\engine\\ccSvcHst.exe [2009-3-4 115560]
S3 cpuz130;cpuz130;\??\c:\docume~1\anothe~1\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\anothe~1\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-1-3 2560]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [2004-4-26 17280]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-4-23 1245064]

=============== Created Last 30 ================

2009-05-26 22:11 <DIR> --d----- c:\docume~1\anothe~1\applic~1\Malwarebytes
2009-05-26 22:04 <DIR> --d----- c:\program files\Trend Micro
2009-05-26 21:59 <DIR> --d----- c:\windows\pss
2009-05-26 21:53 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 21:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-26 21:53 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-26 21:53 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-26 16:16 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-05-26 12:35 921,600 a------- c:\windows\system32\vorbisenc.dll
2009-05-26 12:35 188,416 a------- c:\windows\system32\vorbis.dll
2009-05-26 12:35 237,568 a------- c:\windows\system32\OggDS.dll
2009-05-26 12:35 45,056 a------- c:\windows\system32\ogg.dll
2009-05-25 16:56 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-05-25 16:51 189,392 a------- c:\windows\system32\PnkBstrB.exe
2009-05-25 16:50 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-05-23 23:36 <DIR> --d----- c:\program files\USArmy
2009-05-23 15:04 <DIR> --d----- C:\ProgramData
2009-05-23 15:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AA2DeployClient
2009-05-20 15:06 0 a---h--- c:\windows\SwSys2.bmp
2009-05-20 15:06 0 a---h--- c:\windows\SwSys1.bmp
2009-05-20 14:44 <DIR> --d----- c:\program files\THQ
2009-05-20 10:22 552 a------- c:\windows\system32\d3d8caps.dat
2009-05-20 10:21 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-05-19 21:24 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-05-19 15:37 <DIR> --d----- c:\docume~1\anothe~1\applic~1\Auslogics
2009-05-19 15:37 <DIR> --d----- c:\program files\Auslogics
2009-05-19 14:43 27,672 a----r-- c:\windows\system32\drivers\Entech.sys
2009-05-19 14:43 <DIR> --d----- c:\windows\system32\Futuremark
2009-05-19 14:42 <DIR> --d----- c:\program files\common files\Futuremark Shared
2009-05-18 14:49 <DIR> --d----- C:\CovertAction
2009-05-17 10:11 <DIR> --d----- C:\whatthey
2009-05-13 10:55 0 a------- c:\windows\FE.INI
2009-05-05 22:45 <DIR> --d----- c:\documents and settings\another account\dwhelper
2009-05-05 20:49 <DIR> --d----- C:\LastSharp038
2009-05-05 14:52 3,500,808 a------- C:\Shockwave_Installer_Slim.exe
2009-05-05 14:28 <DIR> --d----- c:\program files\FLVCodec
2009-05-05 14:26 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-05-05 14:26 7,680 a------- c:\windows\system32\ff_vfw.dll
2009-05-05 14:25 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-05-05 14:25 <DIR> --d----- c:\program files\ffdshow
2009-05-05 14:22 <DIR> --d----- c:\program files\WinPcap
2009-05-05 14:20 <DIR> --d----- c:\program files\RipTiger
2009-05-05 12:35 <DIR> --d----- c:\program files\DownloadToolz
2009-05-05 12:12 <DIR> --d----- c:\docume~1\anothe~1\applic~1\Moyea
2009-05-05 12:04 1,839,694 a------- C:\hulu_d_setup.exe
2009-05-04 17:47 <DIR> --d----- c:\program files\common files\DVDVideoSoft
2009-05-04 17:47 <DIR> --d----- c:\program files\DVDVideoSoft
2009-05-04 17:30 <DIR> --d----- c:\program files\XMedia Recode
2009-05-04 14:44 <DIR> --d----- C:\LastFM
2009-05-04 12:04 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-05-04 12:04 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-04 12:02 <DIR> --d----- c:\program files\iPod
2009-05-04 12:01 <DIR> --d----- c:\program files\iTunes
2009-05-04 12:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-04 11:57 <DIR> --d----- c:\program files\Bonjour
2009-05-04 11:48 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-04-30 10:01 509,448 a------- c:\windows\system32\XAudio2_2.dll
2009-04-30 10:00 3,497,832 a------- c:\windows\system32\d3dx9_34.dll
2009-04-30 10:00 81,768 a------- c:\windows\system32\xinput1_3.dll
2009-04-30 10:00 261,480 a------- c:\windows\system32\xactengine2_7.dll
2009-04-30 10:00 1,123,696 a------- c:\windows\system32\D3DCompiler_33.dll
2009-04-30 10:00 443,752 a------- c:\windows\system32\d3dx10_33.dll
2009-04-30 09:53 <DIR> --d----- c:\windows\Logs
2009-04-30 09:53 301,384 a------- C:\dxwebsetup.exe
2009-04-30 09:52 897,920 a------- C:\WGAPluginInstall.exe
2009-04-29 20:53 <DIR> --d----- C:\CrimeAndPunishment
2009-04-28 17:01 <DIR> --d----- c:\program files\EA SPORTS
2009-04-28 16:08 <DIR> --d----- c:\windows\RegisteredPackages
2009-04-28 16:01 122,880 ac------ c:\windows\system32\dllcache\dmusic.dll
2009-04-28 16:00 230,400 ac------ c:\windows\system32\dllcache\dplayx.dll
2009-04-28 16:00 28,160 ac------ c:\windows\system32\dllcache\dplaysvr.exe
2009-04-28 16:00 648,704 ac------ c:\windows\system32\dllcache\dinput.dll
2009-04-28 16:00 24,064 ac------ c:\windows\system32\dllcache\ddrawex.dll
2009-04-28 16:00 292,864 ac------ c:\windows\system32\dllcache\ddraw.dll
2009-04-28 16:00 797,184 ac------ c:\windows\system32\dllcache\d3dim700.dll
2009-04-28 15:55 <DIR> --d----- c:\program files\common files\EasyInfo

==================== Find3M ====================

2009-05-07 00:16 24,699,336 a------- c:\windows\system32\MRT.bat.exe
2009-04-12 16:02 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2008-09-03 20:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 15:46:34.82 ===============

Edited by Ravien Dave, 28 May 2009 - 09:19 AM.
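The DDS log above has a regular layout: `=== title ===` section headers, `State Name;Display Name;path [date size]` lines under SERVICES / DRIVERS (with `[?]` where DDS could not read the file), and plain paths under Running Processes and the file listings. As an added example, not code from the thread, from DDS or from any tool named in it, the Python below parses that layout over a constructed sample and flags the things a log reader checks first; the three heuristics (driver loaded from a temp folder, no date/size recorded, double file extension such as a tool renamed to `.com.exe`) are this example's own assumptions, not DDS output fields.

```python
"""Triage pass over a DDS log (added example; not from the thread or from DDS).
Heuristics below are this example's assumptions, not DDS output fields."""
import re
from collections import defaultdict

# Constructed sample in the DDS layout shown in the post (a few lines only).
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Trend Micro\HijackThis\HijackThis.com.exe
C:\Documents and Settings\Another Account\Desktop\dds.scr
============= SERVICES / DRIVERS ===============
R3 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-5-26 40160]
S3 cpuz130;cpuz130;\??\c:\docume~1\anothe~1\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\anothe~1\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
==================== Find3M ====================
2009-05-07 00:16 24,699,336 a------- c:\windows\system32\MRT.bat.exe
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "R3 name;display name;path [YYYY-M-D size]"; the bracket holds "?" when DDS could not read the file.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]*);([^;]*);(.*?)\s*\[([^\]]*)\]$")
# tool.com.exe / MRT.bat.exe: a tool renamed to dodge the blocking described in the post, or a masquerade.
DOUBLE_EXT_RE = re.compile(r"\.(exe|com|bat|scr|pif|dll|sys)\.(exe|com|scr)$", re.I)


def parse_sections(text):
    """Split a DDS log into {section title: [non-empty lines]}."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        header = SECTION_RE.match(line.strip())
        if header:
            current = header.group(1)
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_service(line):
    """Parse one SERVICES / DRIVERS line; None if the line is not in that format."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, name, display, path, meta = m.groups()
    # "\??\device-path --> resolved path": keep only the resolved path.
    path = path.split("-->")[-1].strip()
    return {"state": state, "name": name, "display": display, "path": path, "meta": meta}


def triage(text):
    """Return (item, reason) pairs that deserve a closer look by whoever reads the log."""
    findings, sections = [], parse_sections(text)
    for line in sections.get("SERVICES / DRIVERS", []):
        svc = parse_service(line)
        if svc is None:
            continue
        if "\\temp\\" in svc["path"].lower():
            findings.append((svc["name"], "driver loaded from a temp directory"))
        if svc["meta"] == "?":
            findings.append((svc["name"], "DDS recorded no date/size for the file"))
    for title in ("Running Processes", "Created Last 30", "Find3M"):
        for line in sections.get(title, []):
            # Drop "-k <group>" from svchost lines, then keep just the file name.
            name = line.split(" -k ")[0].rsplit("\\", 1)[-1]
            if DOUBLE_EXT_RE.search(name):
                findings.append((name, "double extension; confirm it is a renamed tool"))
    return findings
```

Run `triage(open("dds.txt").read())` on a real log; a hit is only a pointer to look closer, as the renamed HijackThis and MRT in this very thread show.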




#2 Ravien Dave

Ravien Dave
  • Topic Starter

  • Members
  • 3 posts
  • Local time:09:58 AM

Posted 28 May 2009 - 02:33 PM

Okay, made some headway. I ran GMER and it found gxvscserv.sys and all sorts of seemingly related dlls and registry entries. Google tells me that this is part of the Tidserv trojan, which would make sense. It also found something called spnt.sys but I'm not sure that that's anything, because it's not in the registry or multiple places. So what I need help with is making sure that I totally get rid of this thing, without screwing up my computer. The gmer log is attached below.
Attached file: gmer_5_28_09_1500.log

As you will see, this gxvxc stuff is all over the place, including in one of the svchost.exe processes (which seemed suspicious from the start), and also in firefox when it was opened up. So the question is, how do I make sure it goes away and never comes back? I don't want to delete things and then still have this Tidserv trojan lurking. Thanks for any help.



While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is that doing so would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multi-post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 01 June 2009 - 10:00 AM.

#3 Ravien Dave

Ravien Dave
  • Topic Starter

  • Members
  • 3 posts
  • Local time:09:58 AM

Posted 06 June 2009 - 10:40 AM

The problem has been resolved. Basically, using avast and the avenger tool fixed the issue. A few registry entries were left over that GMER didn't catch, but they didn't seem active. http://www.myantispyware.com/2009/04/22/ho...redirect-virus/ explains the avenger thing. Here's some more info: http://remove-malware.net/how-to-remove-gxvxcservsys-trojan/.

So a big relief for me and hopefully no future headaches come up. To the fine volunteer helpers, you do not need to respond to my message unless there is something to add to the solution for the benefit of whoever has this problem in the future.

Edited by Orange Blossom, 06 June 2009 - 11:45 PM.
Remove unnecessary quote. ~ OB

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,713 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:58 AM

Posted 06 June 2009 - 11:46 PM

Thank you for letting us know. This topic shall now be closed. ~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
