Help to remove Backdoor,Trojan virus

 I am currently using Windows XP Home Edition as my operating system. My current virus protection is NIS 2009. I need help and advice to remove a virus that NIS 2009 detects and identifies as Backdoor,Trojan. The problem is NIS only detects this virus on computer start-up and intermittently during computer use, with the results stating that the removal failed. I click the OK button to rescan but I get the same results, removal failed. When I run a scan the scan results always state that I have no viruses and no attention required, or it detects tracking cookies that are automatically removed. Yet when NIS 2009 loads during startup there’s always the warning that the Backdoor,Trojan virus was detected. I have followed the Norton forum instructions on ‘How to troubleshoot a suspected Malware infection’ with no luck. I can’t find (or maybe recognize) a threat in any of the suggested locations. My computer’s behavior seems to be only slightly altered, meaning that it sometimes (rarely) freezes at the ‘welcome’ screen and sometimes will not completely shut down, freezing at the ‘windows is shutting down’ screen. What can I do to remove this virus?

NIS may be detecting something heuristically that it is unable to remove.

See if you are able to download, install and update Malwarebytes. If it will not, we will go to the next step.

Please run a SysProt log for us so we can check your system for rootkit activity. You will need to disable Norton auto-protect while you run the scan.

Choose report or log, check all the boxes and scan.

You will be able to post the log here using the "add attachments" link just below the orange post button.

http://homepages.slingshot.co.nz/~crutches/SysProt

Hi Jake, I had to leave my computer for a bit. Thanks so much for your suggestion (I had tried that once before) but unfortunately for me it did not work. I ran a full scan in safe mode and once I rebooted from the safe mode the same threat detection popped up: 'Norton Internet Security has detected a threat that requires your attention'. It had the same threat 'Backdoor,Trojan' with the same results 'Removal Failed'. I think I am going to follow your second suggestion and ask support for a bootable antivirus. So thank you and here's kudos to you for your response and suggestion to my plight.

Thanks!

Hi, At your suggestion I have downloaded, installed and updated Malwarebytes twice now but I can't get it to launch. I am a novice computer user and I am not sure how to create a SysProt log for you. Does NIS 2009 have a provision in it that will allow me to create such a log?

Thanks in advance.

Are you managing okay, now, redxcap?

Sorry Delephinium, I had to stop for dinner. Boy, are you guys smart!  But with your help I can say I’m not as dumb as even I thought. Here’s the SysProt log you requested. I hope you can help me with this thing.

Something has just come up and I will have to get back to you in just a bit. But let me say before I sign out that I can't express the feeling of confidence and thanks that this will be resolved now that I have you helping me with it.

Once again my wholehearted thanks.

RedXCap

Hi

If you have Spybot S&D installed, remove it.

Also, during the restarts with Avenger, if your PC has a startup repair center (like HP and Toshiba have), tell it to start normally if it kicks in.

1. Download Avenger to your desktop.

Unzipped version http://homepages.slingshot.co.nz/~crutches/Avenger/

Creator's website http://swandog46.geekstogo.com/avenger2/avenger2.html with the zipped version, to unzip to the desktop.

2. Click to run "Avenger.exe"  (right click "Run as Administrator" if using Vista)

3. In the "Input script here:" box, copy and paste the script between the lines:

Drivers to disable:
gxvxcserv.sys

Drivers to delete:
gxvxcserv.sys

Files to delete:
C:\Autorun.inf
D:\Autorun.inf
C:\WINDOWS\system32\drivers\gxvxcmrdyprqpkllrqakyfvkioevlhvivtvse.sys
C:\WINDOWS\system32\drivers\gxvxcctawwlqmmnnljmgxqkelklxveoiracck.sys
C:\WINDOWS\system32\gxvxcjwqwouepxijlkoikronoyindwjobcodv.dll
C:\WINDOWS\System32\gxvxccounter

Folders to delete:
C:\resycled
D:\resycled
E:\resycled
F:\resycled
G:\resycled
H:\resycled

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc
HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\gxvxcserv.sys

Here is a screenshot (script updated since shot)

Avenger.jpg

Make sure the "Automatically disable any rootkits found" option is NOT selected.

4. Click "Execute"

You will be asked to restart the PC; click "Yes". When the PC restarts the load screen will take slightly longer; then, when it looks as though Windows is loading, the PC will restart again.

Then, when Windows fully loads, the Avenger log will be loaded, showing the files it could or could not find.

5. Restart the PC again, then see if you can install, update and run Malwarebytes: http://www.filehippo.com/download_malwarebytes_anti_malware/

Quads 
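As a reviewer's sanity check added here (not from the thread, and not part of the Avenger tool), this Python snippet parses the script format shown above into per-section lists and flags any entry whose shape does not fit its section, so a pasted script can be read back before it deletes drivers, files or registry keys. The sample script is a constructed, shortened copy of the one posted above.

```python
import re

# Constructed sample: a shortened copy of the Avenger script posted above.
AVENGER_SCRIPT = r"""Drivers to delete:
gxvxcserv.sys

Files to delete:
C:\Autorun.inf
C:\WINDOWS\system32\drivers\gxvxcmrdyprqpkllrqakyfvkioevlhvivtvse.sys

Folders to delete:
C:\resycled

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+) to (disable|delete):$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
HIVES = ("HKEY_LOCAL_MACHINE\\", "HKEY_CURRENT_USER\\", "HKEY_USERS\\", "HKEY_CLASSES_ROOT\\")

def parse_avenger_script(text):
    """Turn Avenger's 'Section to action:' blocks into {section: [entries]}."""
    plan, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines only separate entries
        if SECTION_RE.match(line):
            current = line[:-1].lower()   # drop the trailing ':'
            plan.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            plan[current].append(line)
    return plan

def validate_plan(plan):
    """Check each entry against its section; returns a list of problems (empty = all fine)."""
    problems = []
    for section, entries in plan.items():
        kind = section.split(" to ")[0]   # drivers / files / folders / registry keys
        for entry in entries:
            if kind == "drivers" and not entry.lower().endswith(".sys"):
                problems.append(f"{section}: {entry!r} is not a .sys driver name")
            elif kind in ("files", "folders") and not DRIVE_RE.match(entry):
                problems.append(f"{section}: {entry!r} is not an absolute drive path")
            elif kind == "registry keys" and not entry.upper().startswith(HIVES):
                problems.append(f"{section}: {entry!r} does not start with a registry hive")
    return problems
```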

Hi Quads, Thanks for responding. I have never had SpyBot S&D on this computer. I will try all you suggest. But I do have a couple of questions.  

1. Should I download both the unzipped version and Creators website to the desktop?

2. What exactly do you mean by copy and paste the script between the lines in the "Input script here" area?

I'm a little slow by today's standards of instant communication. But also, you guys are just too smart for an old guy like me.

By the way, my OS is XP Home Edition.

Thanks wholeheartedly,

RedXCap

1. No, just the first, unzipped version should be accessible.

2. You copy the script that is between the lines and paste it into the Avenger box.

Quads 

Thanks Quads. I've run the Avenger and got the results in Notepad. I did have some issues on the computer restart when asked by Avenger. I clicked on the Yes button but during the shutdown/restart my computer froze up on the 'windows is shutting down' screen so I had to do a manual shutdown and restart. I hope that did not cause the issues I had during the actual restart. The issues were that the computer kept restarting over and over again. The computer would restart and go to the blue chkdsk screen but before it could complete the chkdsk the computer would restart again. On one restart (it was about seven total restarts) I pressed the F8 key for the help screen. Once there I selected Safe Mode restart and it did, but the restarts continued. On the next restart I again went to the help screen but this time I selected to start when the computer was starting better (I forget what it actually says) but I had no luck there either, the restarts continued. Finally I went to the help screen and this time I desperately chose the repair selection and the computer made a near normal start up after it made whatever repairs there were. Anyway, the startups and restarts seem to be back to normal.

I am now going to try and download, install and update Malwarebytes from the link you have supplied for me.

Wish me luck. Will let you know what results I get.

Thanks again,

RedXCap

Did you have any other real-time product other than Norton?

The Avenger.txt will show what it found and didn't find. If you can install and full-scan with Malwarebytes, then the rootkit is broken, as Malwarebytes is in the "disallowed" list.

Quads 

Hi Quads/Delphinium, First let me thank both of you for the help you've given me. Secondly, sorry this is the earliest I've gotten back to you but I've had a very long (and let me emphasize 'long') day on the job. Everything you guys helped me with seems to work.

To answer your question of whether I have any other real-time products on my computer: I have only NIS 2009 and now MBAM. I was so impressed with MBAM that I bought the full subscription version. I was also very impressed with the Avenger product. Now that I have the Avenger download on my PC, how often (if ever again) should I use this product?

Thanks,

RedXCap

Hi

Can you please post/attach the Avenger and MBAM logs?

Secondly, Avenger is not like Norton or Malwarebytes etc. It's a more advanced tool and thus dangerous to use.

Quads 

Hi Quads, I have one remaining issue. My NIS 2009 Auto-Protect finally detected and removed the Backdoor,Trojan virus, the issue I had from the beginning. My issue is, though NIS shows the virus detected and removed in the Quarantine of the History panel, it still shows as an Unresolved Security Risk as well. I still get the warning upon start up that NIS has detected a security risk, the Backdoor.Trojan. The status is still 'Remove Failed'. What's happening here?

Thanks,

RedXCap

As you have had other programs remove the infection(s), Norton has the threat in the "Unresolved" list (Security History). So when you restart the PC, Norton notifies you that you have a threat, even though you have used another program to remove it. The entry has to be removed from the Unresolved list in the Security History. Norton can still think the threat is there as you have not had Norton remove it (emptying the Unresolved list).

I found that out by testing with a CD/DVD that had malware on it. Norton detected it; I asked it to do nothing, so it was placed in the Unresolved list. After a restart Norton notified me that I had a threat on the F:\ drive (DVD) even though the CD/DVD was no longer in the drive, so there was nothing to detect. Empty drive; I had to remove it from the Norton history for it to no longer notify me.

Workaround

THE FIX:
It is not necessary to erase the complete QBackup folder, nor do you need to boot into safe mode. The QBackup folder (Quarantine Backup) is used by the Norton AntiVirus component to store backup recoveries of repaired and removed threats when you fix/remove threats during the scan. It may also contain information about threats detected and retains the remediated data on your computer itself. It will be automatically recreated by the Norton program when you run a scan next time.
So to FIX this problem: just open the NIS2009 History, go to "Unresolved Security Risk", press "Remove" on the item that failed to remove, and wait for the "failed to remove" status; this will update the "*.qbi" file which holds the history of the unresolved items. Then go to NIS2009 Settings, go to "Miscellaneous Settings" and disable the Norton Product Tamper Protection. Then open Windows Explorer and go to
  "C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup"
and erase your most recently updated (newest) "*.QBI" file. The asterisk is a long number such as "{DDAB4332-ED04-4898-9C20-D231FDC4B0C5}.qbi"; it will be a small file, 1-10 KB. Only delete this file. Close Windows Explorer, go to NIS2009 and reactivate the Norton Product Tamper Protection under Miscellaneous Settings, and you can enter the HISTORY and you will find it is empty (clear).
Hope this will help you not to erase the whole (complete) "QBackup folder".
BEST REGARDS (GREETINGS TO MY PEOPLE)
TUFE (aka JC.WILCOX or SABROSO)

Quads 

Redxcap:

I have a concern in that Malwarebytes purchased version has real time scanning capability.  You do not want two real time scanners running at the same time as the resulting conflicts will leave you more vulnerable than just having the on-demand free version.  Are you able to disable real time scanning in MBAM?

Quads, These are the Avenger and the most recent MBAM scan logs.

Hi Del,  I don't know but I will check. If I can't locate a way to disable the realtime scanning capabilities of MBAM I will contact their support. Will let you know.

Thanks for the heads-up and concern.

RedXCap