
Service system32\drivers\gxvxcavykdlskmxecxlaewtdoyqeujtqpkrgr.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!


  • This topic is locked
2 replies to this topic

#1 ms211

  • Members
  • 14 posts

Posted 05 July 2009 - 05:51 PM

I don't see problems anymore, although System Restore may not be making restore points. I was finally able to go to Windows Update to install updates and update spyware software; although I noticed that Spybot only had a shell of a program that would do anything, so I deleted it. I disabled my avast virus scanner to run this DDS program. Thank you for helping.


DDS (Ver_09-06-26.01) - NTFSx86
Run by me at 15:27:42.54 on Sun 07/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.991 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090705-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: {a057a204-bacc-4d26-9990-79a187e2698e} - AVG Security Toolbar
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: live.com\onecare
DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246580416546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\sewl1pbt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1269415&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - P2P_Energy Customized Web Search
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1269415&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\me\application data\mozilla\firefox\profiles\sewl1pbt.default\extensions\{2bae58c2-79f9-45d1-a286-81f911301c3a}\components\FFAlert.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-30 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-30 114768]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-2-28 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-30 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-30 138680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-30 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-30 352920]

=============== Created Last 30 ================

2009-07-02 23:49 --d----- c:\docume~1\me\applic~1\Windows Search
2009-07-02 20:45 268,648 a------- c:\windows\system32\mucltui.dll
2009-07-02 20:45 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-07-02 17:16 --d----- c:\docume~1\me\applic~1\Windows Desktop Search
2009-07-02 17:15 --d----- c:\windows\system32\GroupPolicy
2009-07-02 17:15 --d----- c:\program files\Windows Desktop Search
2009-07-02 17:14 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-07-02 17:14 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-07-02 17:14 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-07-02 16:59 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-02 16:59 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-02 16:57 -cd-h--- c:\windows\ie8
2009-07-02 15:36 --d----- c:\docume~1\me\applic~1\Malwarebytes
2009-07-02 15:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 15:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-02 15:36 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-02 15:36 --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-07-01 18:26 2,920 a------- c:\windows\system32\tmp.reg
2009-07-01 16:41 --d----- c:\program files\trend micro
2009-06-30 20:28 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-30 19:25 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-30 19:24 -cd-h--- c:\docume~1\alluse~1.win\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-30 19:24 --d----- c:\program files\Lavasoft
2009-06-30 01:51 --d----- c:\program files\VS Revo Group
2009-06-30 01:37 --d----- c:\docume~1\alluse~1.win\applic~1\Viewpoint
2009-06-30 01:37 --d----- c:\program files\Viewpoint
2009-06-30 01:37 --d----- c:\program files\AOD
2009-06-30 01:37 --d----- c:\program files\AIM
2009-06-29 10:45 0 a------- c:\windows\system32\commonpriv.log.lock
2009-06-29 04:28 74,427,032 a------- c:\program files\avg_avwt_stf_all_85_287a1479.exe
2009-06-29 02:57 --d----- c:\docume~1\me\applic~1\AVGTOOLBAR
2009-06-26 04:06 --d----- c:\docume~1\me\applic~1\cYo
2009-06-26 04:06 --d----- c:\program files\ComicRack
2009-06-23 23:21 --d----- c:\program files\iPod
2009-06-23 23:21 --d----- c:\program files\iTunes
2009-06-18 11:44 870 a------- c:\windows\Mpcwty00.ini
2009-06-17 00:20 --d----- c:\program files\AskBarDis
2009-06-17 00:20 344,064 a------- c:\windows\system32\msvcr70.dll
2009-06-17 00:20 --d----- c:\program files\DVDVideoSoft
2009-06-17 00:20 --d----- c:\program files\common files\DVDVideoSoft

==================== Find3M ====================

2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-04 03:40 5,155,600 a------- c:\program files\emusic_setup_standalone.exe
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:28 15,068 a---h--- c:\windows\system32\mlfcache.dat
2009-04-28 21:46 81,920 -------- c:\windows\system32\ieencode.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-30 13:42 1,734,304 a------- c:\program files\BitTorrent-6.1.2.exe
2009-03-17 03:02 9,634,304 a------- c:\program files\iaplayer_2.71.14.0211-esd.exe
2009-03-13 13:52 24,697,856 a------- c:\program files\cjb1200EN.exe
2009-02-06 14:52 7,521,112 a------- c:\program files\Firefox Setup 3.0.6.exe
2009-02-05 18:29 7,499,766 a------- c:\program files\videora-ipod-404-setup.exe
2009-01-29 05:14 6,529,156 a------- c:\program files\HandBrake-0.9.3-Win_GUI.exe
2009-01-26 02:57 49,022 a------- c:\program files\swu-download.pl.html
2009-01-22 10:00 939,698 a------- c:\program files\7z464.exe
2009-01-22 09:09 1,285,788 a------- c:\program files\InstallRarZilla.exe

============= FINISH: 15:28:13.06 ===============

btw, he also mentioned I should post the topic I was in with him (rigel) when he was helping me.

http://www.bleepingcomputer.com/forums/t/239092/service-system32driversgxvxcavykdlskmxecxlaewtdoyqeujtqpkrgrsys-hidden-system-gxvxcservsys-rootkit/

added last comment

Edited by rigel, 05 July 2009 - 07:05 PM.
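A small triage script added here (not from the thread, the DDS tool, or its author) that parses the SERVICES / DRIVERS lines in a log like the one above and flags driver files whose names look machine-generated, the pattern shown by the hidden gxvxc driver in the thread title. The sample input is constructed: three lines copied from the log plus one hypothetical line for the hidden driver (which DDS did not list); the entropy and length thresholds and the hypothetical date and size are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample: three DDS "SERVICES / DRIVERS" lines copied from the log in
# this thread, plus one hypothetical line (absent from the posted log, as a hidden
# driver would be) built from the file name in the thread title; date/size made up.
SAMPLE_LOG = """\
R0 Lbd;Lbd;c:\\windows\\system32\\drivers\\Lbd.sys [2009-6-30 64160]
R1 aswSP;avast! Self Protection;c:\\windows\\system32\\drivers\\aswSP.sys [2009-6-30 114768]
R2 aswFsBlk;aswFsBlk;c:\\windows\\system32\\drivers\\aswFsBlk.sys [2009-6-30 20560]
R1 gxvxcserv;gxvxcserv;c:\\windows\\system32\\drivers\\gxvxcavykdlskmxecxlaewtdoyqeujtqpkrgr.sys [2009-6-28 29184]
"""
# One DDS driver line: "<R|S><n> <service>;<display name>;<path> [<date> <size>]"
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<service>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$"
)

def parse_drivers(text):
    """Parse DDS driver lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["file"] = d["path"].rsplit("\\", 1)[-1]        # e.g. Lbd.sys
        d["stem"] = d["file"].rsplit(".", 1)[0].lower()  # e.g. lbd
        entries.append(d)
    return entries

def shannon_entropy(s):
    """Bits per character of s; random-looking strings score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def suspicious_reasons(entry, min_len=16, min_entropy=3.5):
    """Heuristic reasons (maybe none) to look at a driver; thresholds are assumptions."""
    reasons = []
    stem = entry["stem"]
    if len(stem) >= min_len and shannon_entropy(stem) >= min_entropy:
        reasons.append("long, high-entropy file name (looks generated)")
    if stem != entry["service"].lower():
        reasons.append("service name differs from driver file name")
    return reasons

def triage(text):
    """Map each flagged driver file name to the reasons it was flagged."""
    return {e["file"]: r for e in parse_drivers(text) if (r := suspicious_reasons(e))}
```

A hit is only a prompt to check the file's signature, path and creation time, not a verdict; legitimate drivers can trip the name mismatch rule.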



#2 fenzodahl512

  • Members
  • 6,738 posts

Posted 09 July 2009 - 01:00 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:



It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 fenzodahl512

  • Members
  • 6,738 posts

Posted 20 July 2009 - 04:02 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
