Anybody heard of "rxvvspt" New Virus or Trojan? Bios Virus Maybe?

By f-3987749
Ran across this yesterday on an XP Home machine.

Original complaint was machine had gotten so slow in the last month it was unusable, also just got a new "previous fan failure! press f1 to continue or f2 to enter setup" during bios boot up. Fan is and was operating.

This is on a Dell Dimension 8200 with a 2.53 P4 & 512mb Ram.

The problem seems to stem from a program folder in windows\system32\prefetch tree that has a hidden program folder named "rxvvsptv" containing 2 20kb executables "wvovwwxu.exe" and "uxwwvovw.exe" and an unnamed .dll.

Both replicate themselves as operating processes using all available cpu and memory on startup.
Was able to track down over 6500 occurrences of "wvovwwxu.exe-15719cfb.pf" and 5000 occurrences of "uxwwvovw.exe" in the registry.

Did a reinstall; it reappeared after 3 boots. Have now done a low level format and clean install; it's back after about 10-12 boot cycles.
I am now doing a low level format after overwriting the drive with 0 data.

Original complaint was machine had gotten so slow in the last month also just got a new "previous fan failure! press f1 to continue or f2 to enter setup" Fan is and was operating.

Anybody else hit one like this or is this just a corrupt program?

Interesting

by gbrownlee In reply to Anybody heard of "rxv ...

I haven't heard of this particular problem, but I recently did some research regarding bios viruses. If this is the case, you can try flashing the bios; may or may not work, or replace the mobo.

Greg

Way more info please

by rojackson In reply to Anybody heard of "rxv ...

It doesn't have to be a "bios" virus; could be LSASS, could be "many things." First, I don't see any reference to a virus scanner... have you run one? I suggest AVG cuz that's what I use and I've seen them ID stuff very early.

These things can be VERY tricky anymore so you gotta lean on scanners and expert knowledge, not just finding a file in a hidden directory and removing it. They can tie themselves into the windows shell (what OS are you running BTW) and do all sorts of other nasties.

Hijackthis is useful as well to see what's going on where.

The fact that it comes back after x number of boot cycles makes me think you have an open port somewhere. You also don't tell us if those boot cycles include normal wear and tear or if you're just rebooting the system.

If you're talking about a reboot once a day then the fact that it comes back in 10-12 (or even 3 days) doesn't even mean that it's a bios virus, it just means that it's getting reinfected "somehow." Could be on a disk that the user uses, could be on a web site that they go to, could be anything... which is why you need the scanner going.

Next time I would make sure to get more diagnostics before going through all the effort you have, and I would ALWAYS make sure to get a scanner on and ports tightened etc. after you get a machine clean (an ounce of prevention is really worth a pound of cure).

Some More Info For You

by rojackson In reply to Anybody heard of "rxv ...

This is what I found on a search of your "fan" message. Seems it's a legitimate message and the bios will try to cleanly shut down the system because it is under the impression that the system will die from overheating.

From http://chris-linfoot.net/plinks/CWLT-5ZAKER:

User had reported sasser like symptoms (diagnosed the problem himself), though the behaviour sounded atypical for sasser to me. So it came as no great surprise when I powered up the machine that the first thing it did on completing its POST was to stop with "Previous fan failure. Press F1 to continue or F2 to enter setup."

"How long has it been saying this?" I ask user. There's no direct answer but his gaze is averted and there is much shuffling in an uncomfortable sort of way. So, safe to assume it has been going on for a while.

Actual symptom was simply that the system would power down unexpectedly, not shut down unexpectedly. BIOS log said all that needed to be said. It was killing power to the system as a last resort and as the lesser of two evils, specifically a) unsafe power down with possible negative consequences for unsaved work and integrity of open file systems and b) combustion. The machine in question had come perilously close to catching fire on more than one occasion.

Just to confuse matters further, there was some residue left by sasser too, but this had been rendered harmless by the installed AV software which had simply failed to complete the job of deleting some malware files.

So, deleted the last few sasser files, installed a new fan and that's all she wrote. Something of an anticlimax really.

I saw this

by jgeorges In reply to Anybody heard of "rxv ...

I had no idea what this thing was doing. It spiked the cpu. I deleted the folder and all seemed ok
