My computer has a file gipqhrl.sys in C:\windows\system32\drivers and Avast reports that this file may be a virus because it is a hidden process. When I activate the internet connection Avast says that the computer has a virus in memory. After that it scans at boot startup but does not find anything. I tried to copy, delete and rename that file without success, and I also used programs like delete on boot, also without success. I tried to find any information on Google about this file gipqhrl.sys but again without success. The file is 682Kb and the computer is running WinXP-SP2. Any suggestion?
Please locate the file in the System32/drivers folder and upload it to VirusTotal, the online multi-AV scanning site; wait for it to be processed and scanned, then post the URL of the results page when complete.
Be suspicious. The lack of Google hits for that file suggests it is extremely rare, therefore likely to be a new process, or a not-often-installed one.
Right-click the file and select Properties. Sometimes that can give insight as to the vendor etc. (It might possibly be a legitimate file, but I doubt it.)
Try downloading MBAM, install it, update it, and run a quick scan. Once the scan is complete have it “Remove Selected” (which will quarantine the selected items). Select anything it finds for removal.
If MBAM prompts for a reboot to finish removal, please do so promptly.
Welcome to the forum.
These are general malware removal tips; I am a little experienced at helping remove this sort of thing, but without in-depth knowledge. The steps I have suggested will do no harm.
I have a similar file located in the same folder. Mine is called xnqbzxdx.sys and is 697.856 bytes. One strange thing is that my file is changing every minute, like when you edit a file and can see when it was last edited. It follows the clock on my computer.
Hi Baltic and vlada.jerkovicm,
Your bug is a rootkit, and it is situated here:
C:\WINDOWS\System32\Drivers\xnqbzxdx.SYS,Hidden driver file
The filename changes when you remove it to something else that is random, with a SYS extension. I did notice that the first character is always the same, so “g” or “x”. The filename above is the current filename, since you haven’t deleted it using an anti-rootkit tool.
Re: http://vil.nai.com/vil/content/v_241386.htm
The problem here could be the following. Uninstall Alcohol and the detected rootkit will vanish. Live and learn. This was confirmed: after a reboot, the rootkit will be gone…
If you have an sptd.sys driver (the driver of a CD/DVD emulator, installed with Alcohol 120%, Daemon Tools and some others), then your randomly named hidden driver (“aa9ak670.sys”) is not malicious and is not a rootkit (it just uses rootkit technologies); it’s a part of sptd.sys. This behaviour (hiding a dropped driver and killing the body of the driver) was done by the authors of SPTD to defeat CD-copy protectors, which try to detect CD-emulator software and prevent it from working.
If you have Alcohol120 running, you can relax a little with that knowledge. Still curious why Gmer will come up with this SSDT entry:
SSDT - spxs.sys - ZwEnumerateKey [0xB9EC6CA2]
SSDT - spxs.sys - ZwEnumerateValueKey [0XB9EC7030]
Each time you run the Gmer anti-rootkit, the “spxs.sys” will be a different file name (i.e. spis.sys, spys.sys, spie.sys, etc.). We now know this is also related to Alcohol120? If you disable the virtual drives you still will get the apparent rootkit activity and the randomly named sp**.sys file.
It’s a have-your-cake-and-eat-it-too problem; just like rootkits, the design is to fool Windows:
the rootkit-like activity is by sptd.sys. Using Alcohol120 and Daemon Tools will eventually corrupt your drivers!
If it is not a rootkit, then here is an explanation for the randomly named system file:
http://www.greatis.com/security/A%23%23%23%23%23%23%23.sys%20is%20a%20rootkit.htm
polonus (malware fighter)
OK. I had Daemon Tools and MagicISO installed. I uninstalled both programs, but the strange sys file remains?
Hi Baltic,
Can you search for sptd.sys and upload it to virustotal.com for evaluation, along with the mysterious random file, and give us the results please?
polonus
Found the sptd.sys but got access denied when trying to copy, upload etc. Had to disable it using Autoruns for Windows (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx).
Uploaded the file to the website you told me to, got this back: http://www.virustotal.com/analisis/f77186dd0df8aff1607a21c59f8d2e7e8f71c2edd2ad2d3f2f810980b8be46fc-1260725171
The other file, however, I cannot copy and/or upload etc. Don’t know how to disable it? It doesn’t show in Autoruns?
It seems my problem has been solved.
Looked in avast.ini and found this at the end:
[AntiRootkit]
Exceptions=C:\Windows\System32\Drivers\xnqbzxdx.sys
Removed the exception, did a boot scan and now Avast was able to move that file to the chest.
;D
Thanks for the update.
So, given your above post, it would seem that you answered Ignore and checked the “Do not tell me about this file in the future” option.
That is possibly the only way it would get into the exclusions for the antirootkit module of the avast4.ini, unless of course you edited the avast4.ini and added it yourself?
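The avast.ini exclusion Baltic found and the random-named driver that polonus attributes to sptd.sys, as an added example (not code from the forum, from Avast, or from the SPTD authors): a small Python triage helper that lists the [AntiRootkit] Exceptions entries, flags those that point at a random-named System32\Drivers\*.sys file, and checks for the modified-time-follows-the-clock symptom vlada.jerkovicm reported. The 7-8 character name pattern, the ';' list separator and the sample ini are assumptions constructed from what the thread shows.

```python
# Triage helper for the random-named hidden .sys driver discussed in this
# thread. Example code added here, not from the forum, Avast or Alcohol.
import os
import re
import time

# Names in the thread: gipqhrl.sys, xnqbzxdx.sys, aa9ak670.sys, i.e. 7-8
# lowercase alphanumerics; the pattern is a heuristic derived from those.
RANDOM_DRIVER = re.compile(r"^[a-z0-9]{7,8}\.sys$")
DRIVER_DIR = re.compile(r"(?i)[\\/]system32[\\/]drivers$")

def antirootkit_exceptions(ini_text):
    """Paths under Exceptions= in [AntiRootkit]; ';'-separated lists assumed."""
    paths, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "antirootkit"
        elif in_section and line.lower().startswith("exceptions="):
            value = line.split("=", 1)[1]
            paths.extend(p.strip() for p in value.split(";") if p.strip())
    return paths

def looks_like_random_driver(path):
    """System32\\Drivers\\<7-8 random chars>.sys, as sptd.sys (or a rootkit) drops."""
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    return bool(RANDOM_DRIVER.match(name.lower()) and DRIVER_DIR.search(directory))

def suspicious_exceptions(ini_text):
    """Exclusions that silence the anti-rootkit module for a random-named
    driver: the entries to remove before re-running the boot-time scan."""
    return [p for p in antirootkit_exceptions(ini_text) if looks_like_random_driver(p)]

def mtime_tracks_clock(path, window_seconds=120, now=None):
    """vlada.jerkovicm saw the modified time follow the clock; a driver
    rewritten within the last two minutes shows that symptom."""
    now = time.time() if now is None else now
    return 0 <= now - os.path.getmtime(path) <= window_seconds

# Constructed sample mirroring the avast.ini tail quoted in the thread.
SAMPLE_INI = """[Common]
Version=4
[AntiRootkit]
Exceptions=C:\\Windows\\System32\\Drivers\\xnqbzxdx.sys
Exceptions=C:\\Windows\\System32\\Drivers\\sptd.sys
"""

if __name__ == "__main__":
    for p in suspicious_exceptions(SAMPLE_INI):
        print("remove this exclusion, then boot-scan:", p)
```

Only the random-named entry is reported; sptd.sys itself is left alone, since the thread treats it as the legitimate emulator driver.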