gxvxcserv.sys trojan is a fresh version of the W32.Tidserv trojan, also known as Trojan-Downloader.Win32.Agent.brpo, that may represent a security risk for the infected computer. The trojan uses rootkit-specific techniques designed to hide the software's presence in the system.
Once the computer is infected, the trojan blocks user access to security websites, and search results in Google, Yahoo, MSN and others redirect you to other, unrelated sites. The gxvxcserv.sys trojan also changes the DNS server options to one of the following fixed IPs: 85.255.112.156, 85.255.112.129, 85.255.112.70, 85.255.112.127.
gxvxcserv.sys trojan spreads by copying itself to all removable drives as %DriveLetter%\resycled\
Symptoms in a HijackThis Log
O17 – HKLM\System\CCS\Services\Tcpip\..\{35E4C158-9B68-4DAC-961F-DC4362807ABE}: NameServer = 85.255.112.156,85.255.112.129
O17 – HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.156,85.255.112.129
O17 – HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.156,85.255.112.129
O17 – HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.156,85.255.112.129
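The check described above can be automated: the following added example (not part of the original article or of HijackThis) parses O17 lines from a saved log and reports every registry key whose NameServer value contains one of the four rogue resolver IPs listed on this page. The function name `find_rogue_dns` and the sample log are constructed for illustration, and the O17 line layout is assumed to match the entries shown above.

```python
import ipaddress
import re

# Rogue resolver addresses listed on this page.
ROGUE_DNS = {
    ipaddress.ip_address(a)
    for a in ("85.255.112.156", "85.255.112.129", "85.255.112.70", "85.255.112.127")
}

# O17 lines look like: "O17 - <registry key>: NameServer = ip[,ip...]".
# The separator may be a hyphen or a typographic dash, depending on how the log was pasted.
O17_RE = re.compile(
    r"^\s*O17\s*[-\u2013\u2014]\s*(?P<key>.+?):\s*NameServer\s*=\s*(?P<servers>.*)$"
)


def find_rogue_dns(log_text):
    """Return a list of (registry_key, [rogue_ips]) for O17 NameServer entries."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if not m:
            continue  # not an O17 NameServer line (e.g. O4, or O17 Domain)
        hits = []
        # Windows accepts comma- or space-separated resolver lists.
        for token in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # empty or malformed entry
            if addr in ROGUE_DNS:
                hits.append(str(addr))
        if hits:
            findings.append((m.group("key").strip(), hits))
    return findings


# Constructed sample log: one infected line as shown above, plus mixed and benign entries.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ExampleApp] C:\\Program Files\\Example\\app.exe
O17 – HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.156,85.255.112.129
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 192.168.1.1 85.255.112.70
O17 - HKLM\\System\\CS2\\Services\\Tcpip\\Parameters: NameServer = 192.168.1.1
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: Domain = example.local
"""

if __name__ == "__main__":
    for key, ips in find_rogue_dns(SAMPLE_LOG):
        print(f"{key}: rogue DNS {', '.join(ips)}")
```

Re-running the check on a fresh log after cleanup shows whether the NameServer values were actually reset, since removing the driver does not by itself restore the DNS settings.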
Use the following instructions to remove gxvxcserv.sys trojan
Step 1. Remove infected autorun.inf file
Download Flash Disinfector by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it. The utility will ask you to insert your flash drive and/or other removable drives, including your mobile phone.
Flash Disinfector prompt
Please do so and click YES to clean up those drives as well. Wait until it has finished scanning and then exit the program.
Reboot your computer when done.
Step 2. Delete gxvxcserv.sys trojan hidden driver.
Download Avenger from here and unzip to your desktop.
Run Avenger, then copy and paste the following text into the Input script box:
Drivers to delete:
gxvxcserv.sys
You will see a window similar to the one below.
Avenger
Click on ‘Execute’. You will be asked “Are you sure you want to execute the current script?”. Click Yes.
You will now be asked “First step completed — The Avenger has been successfully set up to run on next boot. Reboot now?”. Click Yes.
Your PC will now be rebooted.
Step 3. Remove gxvxcserv.sys trojan files and any associated malware
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and, when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select “Perform Quick Scan”, then click Scan. The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Thanks a lot for this article! I was going crazy with this stupid infection until I discovered your website. The instructions are really easy, the antimalware software you are proposing to download are amazing and I got rid of the infection in 20 minutes! Again thank you!
Thanks for this! was finding it difficult to remove this as I had tried many different programs to try and remove this infection.
After MalwareBytes AntiMalware was installed it still could not update and I had to download a manual update, but later figured out that the DNS settings were still pointing to those 2 pesky servers @85.255.112.156,85.255.112.129.
Still running a full scan as a precaution, but looks good so far 😀
Thanks a lot for this extremely useful information. It seems to have cleared it up, as I have not encountered any BSOD, my internet is stable and my C drive opens up properly. Just trying to figure out how to completely delete the recycler that it added into my C dir. Thanks again guys!
A couple of days after I did this my computer went crazy again… I don’t know what to do…
Marina, ask for help at our forum.
I had a really tough time getting rid of this virus and nothing seemed to be helping. With hidden files viewable, I still couldn’t find the files or keys I needed to get rid of.
So, what I did was fix the nameservers under TCP/IP in my internet connections properties. That helped me access the Internet again on that computer.
Then, I renamed my Malware Malbytes program file to something different (and it was able to run.) MB didn’t catch everything but it was a start.
I then installed Avast (free download) and it found everything I couldn’t find but knew was there, to include the hidden .sys files, the registry keys and some extra stuff I was unaware of.
If you try everything suggested on this page and have no luck, try what I tried. I hope it helps you — I spent 5 hours trying to remove this virus and the steps I’ve outlined here are what ended up helping me get rid of this nasty virus.
An addition to my comment above, I had to run Malwarebytes in safe mode to get rid of the last bits of this virus. The Mcafee freeware, Rootkit Detective, helped me determine whether the virus was gone (and when it was still there, where it was located.) Virus is completely gone now, absolutely no recurrences since using the Malwarebytes in safe mode.
Wonderful programs, thank you very much for sharing this information.
And it really worked.
The horse left my PC
Thank you once again.
I got the same issue but I was finally able to solve the case.
I am using Vista home basic, I downloaded an “exe” file from the website serials-keys.com/
the link :-http://serials-keys.com/serial_All_serials_keys_text_speech_pro_ultimate_2.2.html
Just after running the “exe” it asked to restart the system. Once I asked the system to restart, the system was not able to boot properly. So the steps that I took were:
1) start the system with “safe mode with networking”, it showed me the same message as you all had received
2) Installed a trojan remover software, you can download from http://www.simplysup.com/tremover/download.html
It’s the best.
3) Scanned my system, which showed me some virus “gxvxcserv.sys”; I asked to remove it from the registry.
4) Just before I restarted the system, I went to folder options, checked the option “show hidden files and folders” and deleted the hidden files that I found in “Startup” (found in Windows–> Start Menu–> Programs, or click on Start–> All Programs and you find the folder)
5) now restart the system, you might need to check for trojan virus, just scan with “Trojan remover”
This trojan remover software has saved my ass 3 times within the span of the 30-day trial.
You need to analyze what sort of problem you are facing: is it hardware or a virus? Go search on Google if you get some text message for the error. Next, if it is a virus, then you need to know what kind of virus it is and how it works; that helps to know how to fix it and even helps to take precautions so that it does not enter through the Windows loopholes.
Many viruses place themselves in the areas with those files which are accessed by Windows when it starts, like the StartUp files or your Windows registry etc.
My friend had trojan viruses that attacked the registry and wouldn’t allow any antivirus software to be installed, but this Trojan remover was successfully installed and removed all viruses.
So even if you have the finest and sharpest (best & updated Antivirus) if you don’t have the skills (the way to tackle) you would always face problems.
Best of luck. If this works, kindly spread this to all other websites and do buy the Trojan remover software.
Worked like a charm..Credit goes to Avenger at the end…No other search result from google helped as much. Thanks once again. 🙂
This solution solved my problem with Firefox, but I still have the problem in IE.
johnes, looks like your computer is also infected with other malware. Ask for help at our Spyware removal forum.
I tried to watch a television show that I had missed online and ended up getting four viruses. I thought my Avira took care of the problem as it originally is the one that detected it, but apparently not. Within fifteen minutes, I noticed any searches I did were redirecting me to various ads and search engines. I tried to find answers on how to get rid of it myself but every time I clicked on anything it would redirect me or tell me the page does not exist. I found your site and the only way to retrieve your info was to click on cache. It brought me to your page where I followed the three steps and voila. No problems. I even ran it twice to make sure. My computer is once again faster and I can search with no problems. Thank you so much for being a service to us all. 🙂 Now the only problem I’m facing is trying to determine the characters below! lol
Apparently I didn’t have this particular redirect trojan since the Avenger log file shows the gxvxcserv.sys does not exist on my computer. I still get the redirect though, so it must be a variant of the gxvxcserv.sys program. Any ideas of where to look next appreciated.
Benzman, probably your PC is infected with a new version of the TDSS trojan. Try the instruction.
I don’t know how to unzip the file, please help.
udy, right-click the zip file and select Extract all.
When I tried to extract all and saved to my desktop it still hasn’t worked, because when I put in the script it says it’s unable to perform and says the file wasn’t saved successfully.
It says error 5 and error 6, about not being able to open the file and not being able to read avenger.txt.
udy,
gxvxcserv.sys trojan is a variant of TDSS trojan. Also you can use the instructions to remove this malware.
Worked on my Vista Ultimate, removed using your instructions. My AVG antivirus couldn’t locate this virus, and Spyware Doctor couldn’t remove it either…. BRAVO! Give me your number, I will take you to a fancy restaurant…..
SusoebsuiHello. I have fought the redirect for about two weeks and had run every malware and virus software with no help. I found that if I loaded Internet Explorer from the icon under All Programs the problem did not exist, but loading Internet Explorer by the icon in the system tray, the problem was there. So I deleted the icon in the system tray, then dragged another one in from All Programs, and the problem does not exist.
I hope this will help those who are suffering the virus and it will do the same for you.
Good Luck to All
Don