GXVXCSERV.SYS - ComboFix Finds but can't remove it


5 replies to this topic

#1 windbreaker

windbreaker

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:43 PM

Posted 12 April 2009 - 08:27 PM

I have a computer that has a rootkit.

The only reason I started this investigation was that Malwarebytes would not launch unless renamed.

Gmer did not find it because it is unable to enumerate hidden services at all. The services tab is blank. And yes I renamed gmer and did all the usual stealth routines.

RootkitRevealer found it:

HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys 4/12/2009 5:44 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys 4/12/2009 5:44 PM 0 bytes Hidden from Windows API.



I also ran ComboFix on it - it found it but did not remove it:

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-12 17:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxvxcserv.sys]
"imagepath"="\systemroot\system32\drivers\gxvxcrumlmkoltmxfqkenqrovnxubbpikihnd.sys"


I am unable to remove this rootkit!

Nothing shows in Autoruns, Process Explorer, Gmer, McAfee, SuperAntiSpyware.
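The two scanner reports above make the same point from two tools: a service key that the Windows API view cannot see, and an image path whose driver file name is a long machine-generated string. The following script is an added example, not code from the thread or from the tools mentioned in it. It parses the whitespace-separated RootkitRevealer discrepancy lines and the catchme "hidden files" section exactly as they were pasted in the post, cross-references the two by registry key, and flags service keys reported as "Hidden from Windows API" together with any image path whose file stem is a long run of lowercase letters. The sample input is constructed from the post (plus one constructed benign "Access is denied." discrepancy, a common harmless RootkitRevealer finding, to show it is filtered out), and the 20-letter threshold for a "random-looking" name is an assumed heuristic, not a documented rule.

```python
import re

# Constructed sample input: the RootkitRevealer lines quoted in the post, plus
# one constructed benign discrepancy on a non-service key to exercise the filter.
ROOTKITREVEALER_OUTPUT = r"""
HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys 4/12/2009 5:44 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys 4/12/2009 5:44 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4/10/2009 9:00 AM 0 bytes Access is denied.
"""

# Constructed sample input: the catchme "hidden files" section from the post.
CATCHME_OUTPUT = r"""
scanning hidden files ...

scan completed successfully
hidden files:

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxvxcserv.sys]
"imagepath"="\systemroot\system32\drivers\gxvxcrumlmkoltmxfqkenqrovnxubbpikihnd.sys"
"""

# One RootkitRevealer discrepancy line: <path> <date> <time> <size> bytes <reason>.
# Assumes the whitespace-separated layout as pasted in the forum post.
RR_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)"
    r"\s+(?P<size>\d+ bytes)\s+(?P<reason>.+?)\.?$"
)
CATCHME_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
CATCHME_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"$')
# Heuristic (assumption): a driver file stem that is 20+ lowercase letters with
# no digits, separators or vendor prefix looks machine-generated.
RANDOM_NAME = re.compile(r"[a-z]{20,}")


def parse_rootkitrevealer(text):
    """Return one dict per discrepancy line; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def parse_catchme(text):
    """Map each hidden registry key to its listed values (names lower-cased)."""
    hidden = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        k = CATCHME_KEY.match(line)
        if k:
            current = k.group("key")
            hidden[current] = {}
            continue
        v = CATCHME_VALUE.match(line)
        if v and current is not None:
            hidden[current][v.group("name").lower()] = v.group("value")
    return hidden


def normalize_key(key):
    """Make RootkitRevealer (HKLM\\...) and catchme (HKEY_LOCAL_MACHINE\\...) keys comparable."""
    return key.replace("HKEY_LOCAL_MACHINE", "HKLM").lower()


def driver_stem(image_path):
    """File name without directory or extension, e.g. '...\\foo.sys' -> 'foo'."""
    return image_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def analyze(rr_text, catchme_text):
    """Merge both reports into one finding per registry key with its indicators."""
    findings = []

    def finding_for(key):
        norm = normalize_key(key)
        for f in findings:
            if normalize_key(f["key"]) == norm:
                return f
        f = {"key": key, "indicators": []}
        findings.append(f)
        return f

    for e in parse_rootkitrevealer(rr_text):
        norm = normalize_key(e["path"])
        if "\\services\\" in norm and e["reason"].startswith("Hidden from Windows API"):
            finding_for(e["path"])["indicators"].append(
                "service key hidden from Windows API (RootkitRevealer)")

    for key, values in parse_catchme(catchme_text).items():
        f = finding_for(key)
        f["indicators"].append("registry key listed as hidden (catchme)")
        image = values.get("imagepath", "")
        if image and RANDOM_NAME.fullmatch(driver_stem(image)):
            f["indicators"].append(f"random-looking driver file name: {image}")
    return findings


if __name__ == "__main__":
    for f in analyze(ROOTKITREVEALER_OUTPUT, CATCHME_OUTPUT):
        print(f["key"])
        for indicator in f["indicators"]:
            print("  -", indicator)
```

Run stand-alone it prints two findings: the ControlSet001 key with three corroborating indicators and the ControlSet002 key with one; the benign "Access is denied." line on the Run key is dropped. The same parser can be pointed at a saved scan log from a machine under investigation, which is useful when, as here, the usual tools (Autoruns, Process Explorer) show nothing because the service is hidden from the API they rely on.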


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:43 PM

Posted 12 April 2009 - 09:22 PM

http://www.prevx.com/filenames/66334951451...XCSERV.SYS.html

Judging by the dates I would assume you have a multiple rootkit/backdoor trojan.

Your best option is to reload your computer.

If you want to continue to fight it, then RootRepeal and a file scan wipe, followed by a reboot and a scan with MBAM, might get the first layer disabled.

These infections are best handled by our HJT forum with their special tools and training.

I would be more helpful, but we'd probably be wasting both of our time.
Chewy

No. Try not. Do... or do not. There is no try.

#3 BobLurnerburn

BobLurnerburn

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 21 April 2009 - 12:47 AM

I have a computer that has a rootkit.

The only reason I started this investigation was that Malwarebytes would not launch unless renamed.

Gmer did not find it because it is unable to enumerate hidden services at all. The services tab is blank. And yes I renamed gmer and did all the usual stealth routines.

RootkitRevealer found it:

HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys 4/12/2009 5:44 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys 4/12/2009 5:44 PM 0 bytes Hidden from Windows API.



I also ran ComboFix on it - it found it but did not remove it:

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-12 17:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxvxcserv.sys]
"imagepath"="\systemroot\system32\drivers\gxvxcrumlmkoltmxfqkenqrovnxubbpikihnd.sys"


I am unable to remove this rootkit!

Nothing shows in Autoruns, Process Explorer, Gmer, McAfee, SuperAntiSpyware.



Hi -

I'm completely new to this forum.

Anyway, I had the same gxvxcserv.sys on my laptop a few days ago. It installed itself along with several other "trojan" components.

You may find "autorun.inf" as a hidden file in the root directory of every hard drive - delete these. You may also find a file called "QuickyPlaeyr.exe" - delete those too.

The rootkit components can be displayed using RootkitRevealer, as you already know. I was able to remove the rootkit on my laptop using the "UnHackMe" tool from Greatis Software.

Once the rootkit is removed you will no doubt find many other hidden files and components. Visit your drivers directory and delete the gxvxcserv.sys file and also the associated dll it injects.

In my case the infection totally disabled my Norton and screwed with my TCP nameserver settings.

If you are not "technical" it may be safer to reinstall Windows. I'm a software engineer and it took me two days to clean up the mess.

Also, nearly all of the components were either hidden by the rootkit or just "hidden" windows files. Keep this in mind when you are looking for the culprits.

Good luck!

Bob

BTW: Since the creators of this thing are also likely to see this post I have only one thing to say to you: GET A LIFE!

Edited by BobLurnerburn, 21 April 2009 - 01:00 AM.


#4 BobLurnerburn

BobLurnerburn

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 21 April 2009 - 01:05 AM

Three more things to delete:

HKLM\SOFTWARE\gxvxc 4/18/2009 7:12 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys 4/19/2009 1:04 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys 4/19/2009 1:04 PM 0 bytes Hidden from Windows API.

You'll see these in the registry once the rootkit is disabled.

I then found a directory full of trojan components in my "C:\Program Files" directory. Apparently the rootkit can also cloak TCP connections from the system so it is safest to work while disconnected from the Internet.

Again ... good luck. I was able to get my laptop back only after tons of cleaning.

Bob

#5 BobLurnerburn

BobLurnerburn

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 21 April 2009 - 01:14 AM

Also, from my notes, here are some other things that I found (using HijackThis):

Removed by moderator

The first one messes with your Internet; the second I'm not sure what they used it for.

And through sleuthing I found a component called ARPPRODUCTICON.exe --- it may also be hidden, I'm not sure, as I didn't note that down.

Bob

==>> Bob,
The use of HJT and other advanced tools is prohibited in this forum. Please refrain from asking for use of this tool when providing assistance. Please refer to the bottom of this topic.

Thanks,
rigel
BleepingComputer Forums Moderator

Edited by rigel, 27 April 2009 - 11:28 AM.


#6 rpswift

rpswift

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:43 PM

Posted 27 April 2009 - 09:19 AM

Don't forget to scrub any removable/writable media that may have been infected - the autorun.inf infection likely will be lurking there, too. Flush all caches and restore points.

I was disinfecting a coworker's computer, and since the infection was not allowing me to access security/AV sites, I planned to work from a USB drive. Brought the bugger back to my primary computer... Anyway, the instructions posted here worked great:

http://www.myantispyware.com/2009/04/22/how-to-remove-gxvxcservsys-trojan-redirect-virus/

I used an older USB drive that has a physical switch to prevent write access. I was a little disappointed that my AV program (Symantec, Corporate Edition, current updates with high heuristics) did not catch this.



