I have avast! Pro and avast! found a suspicious file. It's in C:\WINDOWS\System32\driver\gxvx <------ it has a very long name and I remember it was a .sys file. I don't know what to do. I ignored it, but avast! detected it again the next day. Also it seems that Windows Defragmenter could not start.
And when I search on Google and click on some results, the page keeps loading and loading and always stays blank. The only way to get to the site is by copying the link into the URL box. Some links opened the page normally when I clicked on them.
Hi there, I think what you have is a serious rootkit. (Not that there's a non-serious one ;D)
Are you sure it began with gxvx? Or could it have begun with one of these:
TDSS
Seneka
GAOPDX
UAC
ovfst
Check the avast! Log Viewer (right-click the avast! 'a' icon), Warning section; this contains information on all avast! detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
- Or check the source file using Notepad: C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log
In case, as you said in your first post, you are having difficulties accessing the web, have a look at the link. (That's a contradiction.) Basically, if your sys file begins with one of the names I mentioned, download RootRepeal and follow the instructions from the link. The download (I believe) contains a zip file and/or a rar file. If you need a program to open rar files, I have posted another link.
If you use the program, copy/paste the log here:
http://www.malwarebytes.org/forums/index.php?showtopic=12709
Rar extractor http://download.cnet.com/Free-RAR-Extract-Frog/3000-2250_4-10804840.html
The link for the RootRepeal download is in the 1st link or here http://rootrepeal.googlepages.com/
C:\WINDOWS\system32\Drivers\gxvxcgntunmwoiturbqraoendwjcxedvjxsp.sys
And C:\WINDOWS\system32\drivers\gxvxcgntunmwoiturbqraoendwjcxedvjxsp.sys
Uh, could someone explain why my Standard Shield has not scanned any of my folders/files?
Scanned count:0
And uh, the 1st one: Type: Rootkit: hidden file
2nd one: Type: hidden services
Available actions: delete now and ignore
Well, you seem to have a possible new variant. I would try RootRepeal, or, as another person alleges, UnHackMe; I have no knowledge of the latter.
Obviously all rootkit scanners have their risks, but it looks like you have a serious problem.
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t218947.html
RootRepeal found it. Do I just delete it?
Then do you know why the avast! Standard Shield has not scanned anything yet?
Post the RootRepeal log, like I asked earlier.
The signature is composed of banner ads which lead to sites promoting the reading of ads with the prospect of supposedly being paid to do so.
Isn’t this against forum policy?
I never noticed them, Charley. Weird, coming on a forum for the first time with ads in your sig.
Drivers
--------> Name: gxvxcgntumnmwoiturbqraoendwjcxedvjxsp.sys <--------
--------> Image Path: C:\WINDOWS\system32\drivers\gxvxcgntumnmwoiturbqraoendwjcxedvjxsp.sys <------------
Ad banners have been removed by the poster.
So, lesson learned.
Well, if you run another scan, highlight C:\WINDOWS\system32\drivers\gxvxcgntumnmwoiturbqraoendwjcxedvjxsp.sys, right-click, and select the wipe file option only, then immediately reboot the computer.
can you help me on this one is file
ROOTREPEAL (c) AD, 2007-2008
Scan Time: 2009/05/08 17:25
Program Version: Version 1.1.2.0
Windows Version: Windows XP SP2
Hidden/Locked Files
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\gxvxcaiejargykecfrvterndesvigwydjfujd.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\gxvxccounter
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\Owner\Local Settings\Temp\etilqs_S5zlh66sjWBZ4YNIk73n
Status: Allocation size mismatch (API: 65536, Raw: 32768)
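As an added example (not from the thread or from RootRepeal itself), here is a small Python triage of the Hidden/Locked Files section in the format RootRepeal prints above: it pairs each Path with its Status and flags entries that are invisible to the Windows API, whose name starts with one of the driver prefixes listed earlier in the thread, or whose API and raw allocation sizes disagree. The sample log and the KNOWN_PREFIXES tuple are constructed from the thread's own values.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the RootRepeal log posted above.
SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2008
Scan Time: 2009/05/08 17:25
Hidden/Locked Files
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\\WINDOWS\\system32\\gxvxcaiejargykecfrvterndesvigwydjfujd.dll
Status: Invisible to the Windows API!
Path: C:\\WINDOWS\\system32\\gxvxccounter
Status: Invisible to the Windows API!
Path: C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\etilqs_S5zlh66sjWBZ4YNIk73n
Status: Allocation size mismatch (API: 65536, Raw: 32768)
"""

# Driver-name prefixes the thread lists for this rootkit family (assumed list, from the posts above).
KNOWN_PREFIXES = ("gxvx", "tdss", "seneka", "gaopdx", "uac", "ovfst")

@dataclass
class Finding:
    path: str
    status: str
    reasons: list

def parse_hidden_files(log: str):
    """Pair each 'Path:' line with the 'Status:' line that follows it."""
    entries, path = [], None
    for line in log.splitlines():
        if line.startswith("Path: "):
            path = line[len("Path: "):].strip()
        elif line.startswith("Status: ") and path is not None:
            entries.append((path, line[len("Status: "):].strip()))
            path = None
    return entries

def triage(entries):
    """Return only the entries that show a cross-view mismatch or a suspicious name."""
    findings = []
    for path, status in entries:
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if status.startswith("Invisible to the Windows API"):
            reasons.append("hidden from the Windows API (cross-view mismatch)")
        if name.startswith(KNOWN_PREFIXES):
            reasons.append("name matches a known rootkit driver prefix")
        m = re.search(r"API: (\d+), Raw: (\d+)", status)
        if m and m.group(1) != m.group(2):
            reasons.append("allocation size differs between API and raw disk view")
        if reasons:  # 'Locked to the Windows API!' alone (e.g. hiberfil.sys) is not flagged
            findings.append(Finding(path, status, reasons))
    return findings
```

A locked-but-visible file such as hiberfil.sys is expected and produces no finding; the two gxvx entries are flagged on both the invisibility and the name prefix.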
Only wipe the file I highlighted.
It's important, when you have run RootRepeal, to run another program like Malwarebytes Anti-Malware
http://filehippo.com/download_malwarebytes_anti_malware/
Reading another link, what you have may be related to this
http://www.myantispyware.com/2009/04/22/how-to-remove-gxvxcservsys-trojan-redirect-virus/
If this is the case and there is an autorun.inf file involved, you will need to run Flash_Disinfector or Autorun Eater http://download.cnet.com/Autorun-Eater/3000-2239_4-10752777.html
Thx, I really appreciate your help ;D