Problem with Trojan.DNSChanger removal


  • This topic is locked
2 replies to this topic

#1 Barry Tuber

Barry Tuber

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 06 February 2009 - 12:11 PM

I am remotely troubleshooting problems on a client's laptop. Symptoms are odd DNS redirection errors (browse to Windows Update sends you to Google, AVG anti-virus update downloads won't work, etc.). Machine is a Toshiba laptop running XP, connected to internet with Verizon broadband.

I ran Malwarebytes and it found and said it removed Trojan.DNSChanger (I'll attach the logs). Afterwards the DNS redirection problems continue though, and I am not sure what to do next. (The HijackThis log does not show anything obvious, the AVG scan came up negative, and additional MBAM scans (including a full scan) show nothing. I have also cleared the System Restore area, flushed the DNS cache, rebooted, etc.)

One issue is that because of the DNS redirection, mbam can't update itself, so we are stuck at the database version 1654 from 1/14 and can't get current. Is there any way to manually get the update (I can download files from my machine and upload them to the problem machine if I knew where to get it).

I am attaching attach.txt and DDS.txt and hope to hear back with some suggestions. By the way, the C:\Documents and Settings\Bill Russell\Desktop\Let Barry connect.exe and
C:\DOCUME~1\BILLRU~1\LOCALS~1\Temp\7zS6.tmp\winvnc.exe entries are legit; they are the UltraVNC SingleClick that I am using to have him connect me to the machine. Also, I think the g2mdlhlpx.exe is legit; he does have Citrix GoToMeeting installed.

Thanks for any help!

Barry
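The post describes the classic DNSChanger symptom (known sites resolving to the wrong place while the machine otherwise works) without showing which resolvers the laptop is actually using. The first check a responder wants is exactly that: which DNS servers each adapter is configured with, and whether any of them is an address that neither the home router nor the ISP would have handed out. The following is an added example, not code from the original post or from any of the tools it mentions. It parses the output of `ipconfig /all` as Windows XP prints it, classifies each DNS server as LAN (RFC 1918 or loopback), ISP (a hypothetical allowlist of the ISP's resolver range, which you would replace with the ranges your ISP publishes), or SUSPECT. The `ipconfig` text embedded in the block is constructed for illustration and uses documentation address ranges; the adapter names, host name and addresses are made up.

```python
import ipaddress
import re

# Hypothetical allowlist of the ISP's recursive resolvers. This is an
# assumption for the example (a documentation range); a real check would use
# the resolver addresses/ranges the ISP actually publishes.
ISP_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

# Addresses that a home router or DHCP server would legitimately hand out.
# Listed explicitly rather than via ip.is_private, which also treats the
# documentation ranges used in the sample below as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of `ipconfig /all` output in the shape Windows XP prints.
# Host name, MAC and all addresses are made up; the 203.0.113.x resolvers play
# the role of attacker-controlled DNS servers a DNSChanger trojan would set.
SAMPLE_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : toshiba-laptop
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54
        Lease Obtained. . . . . . . . . . : Friday, February 06, 2009 8:02:11 AM

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG
        Physical Address. . . . . . . . . : 00-AA-BB-CC-DD-EE
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.4
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 198.51.100.10
                                            192.168.1.1
"""

# "Ethernet adapter Local Area Connection:" -> adapter name
ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
# "        DNS Servers . . . . : 203.0.113.53" (first server on the same line)
DNS_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)?\s*$")
# Continuation lines carry nothing but an indented IPv4 address.
IP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dns_servers(text):
    """Return {adapter_name: [dns_server, ...]} from `ipconfig /all` output."""
    result = {}
    adapter = None
    collecting = False          # True while reading DNS continuation lines
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            result.setdefault(adapter, [])
            collecting = False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            collecting = True
            if m.group(1):
                result[adapter].append(m.group(1))
            continue
        if collecting:
            m = IP_RE.match(line)
            if m:
                result[adapter].append(m.group(1))
            else:
                collecting = False   # any other field ends the DNS list
    return result


def classify_server(ip_text, allowlist):
    """LAN resolver, known ISP resolver, or something nobody configured on purpose."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in LOCAL_NETS):
        return "ok-local"
    if any(ip in net for net in allowlist):
        return "ok-isp"
    return "SUSPECT"


def audit(text, allowlist=ISP_ALLOWLIST):
    """Return (adapter, server, verdict) for every DNS server in the output."""
    return [(adapter, server, classify_server(server, allowlist))
            for adapter, servers in parse_dns_servers(text).items()
            for server in servers]


def suspect_servers(text, allowlist=ISP_ALLOWLIST):
    """Sorted, de-duplicated list of resolvers that need explaining."""
    return sorted({s for _, s, v in audit(text, allowlist) if v == "SUSPECT"})


if __name__ == "__main__":
    for adapter, server, verdict in audit(SAMPLE_IPCONFIG):
        print(f"{verdict:8} {server:16} ({adapter})")
```

Run it against a saved `ipconfig /all > ipconfig.txt` from the affected machine (the text can be copied off over the VNC session the post describes). Any SUSPECT entry should be compared with what the DHCP server actually offered: on XP the DHCP-assigned resolvers are stored in `DhcpNameServer` and a static override in `NameServer` under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter GUID>`, and a populated `NameServer` that nobody set by hand is the usual DNSChanger footprint. Note that this only catches resolver substitution; a rootkit that intercepts name resolution in the TCP/IP stack, which is what the follow-up post found, can leave these settings looking clean.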


#2 Barry Tuber

Barry Tuber
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 06 February 2009 - 02:23 PM

Never mind. I ran RootkitRevealer and it found gaopdxserv.sys. I Googled that and was able to eliminate it using GMER and a combination of AVG and MBAM. I think we are clean now.

By the way, does anyone who has run into gaopdxserv.sys before have any idea how my client might have picked it up?

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:01:54 PM

Posted 17 February 2009 - 12:36 PM

No real way to know how they got it.

Thanks for informing us you all are fixed.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
