
Got rid of DNS changer on Vista but not on XP


6 replies to this topic

#1 davidmgray

davidmgray

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:11 PM

Posted 07 February 2009 - 01:05 PM

Hi all,

About two weeks ago I got some malware on my home network which infected both Vista and XP Pro.

I'm a subscriber to Norton Internet Security but that didn't have a clue about it. After downloading every bit of malware removal software I could find, the program Malware Bytes found a single rogue registry key and deleted it.

Registry Keys Infected:
HKEY_CLASSES_ROOT\aquaplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.



This was on Vista and that PC seems ok now (fingers & toes crossed)


My laptop runs XP Pro and I can't for the life of me get rid of the blasted infection on that machine. I manually deleted the key (above) from the registry and even hard coded two DNS servers from OpenDNS in the network connection settings; nothing works.... Argh!!!!

Malware Bytes can't update its definitions and therefore only reports a few low-risk tracking cookies.
Spybot won't run at all.
Ad-Aware won't update.
SuperAntiSpyware won't update.

There are others I have tried but all pretty much the same.

I've downloaded HJT but can't see anything obvious in the log, shall I post that on here?

Hope someone can help..

Thanks in advance

Dave
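As an added example (not part of this thread or of any tool named in it), the script below does the check the poster describes by hand: it reads the output of `ipconfig /all`, pulls the resolver addresses each adapter is actually using, whether typed in manually or handed out by the router's DHCP, and flags any that fall outside the set the owner intended. The expected set here is the two published OpenDNS resolvers, since the thread mentions OpenDNS; the `ipconfig` text is a constructed sample, not output from the poster's laptop.

```python
import re

# Resolvers the owner says they configured by hand: the thread mentions OpenDNS,
# and these are OpenDNS's published resolver addresses, used here as the
# expected set. Adjust to whatever your network is supposed to use.
EXPECTED_DNS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample of `ipconfig /all` output (not taken from the thread).
# The wireless adapter points at two resolvers outside the expected set,
# which is the symptom a DNS changer produces.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : laptop
        Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        Description . . . . . . . . . . . : Example Ethernet Adapter
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 208.67.222.222
                                            208.67.220.220

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : home
        Description . . . . . . . . . . . : Example Wireless Adapter
        IP Address. . . . . . . . . . . . : 192.168.1.11
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.7
                                            198.51.100.9
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):$")          # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")            # "  Name . . . : value"
IP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")   # bare continuation address


def parse_dns_servers(ipconfig_text):
    """Return {adapter name: [resolver addresses]} from `ipconfig /all` output.

    The first resolver sits on the "DNS Servers" line; further resolvers are
    listed on following lines that contain only an address, so the parser
    stays in "collecting DNS" mode until the next "Name : value" field.
    """
    servers = {}
    adapter = None
    in_dns = False
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            servers[adapter] = []
            in_dns = False
            continue
        if adapter is None:          # global header before the first adapter
            continue
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1).strip(), m.group(2).strip()
            in_dns = name.lower().startswith("dns servers")
            if in_dns and value:
                servers[adapter].append(value)
            continue
        m = IP_RE.match(line)
        if in_dns and m:
            servers[adapter].append(m.group(1))
    return servers


def audit_dns(servers, expected=EXPECTED_DNS):
    """Return {adapter: [resolvers outside the expected set]}.

    An empty dict means every adapter resolves only through expected servers.
    """
    findings = {}
    for adapter, addrs in servers.items():
        unexpected = [a for a in addrs if a not in expected]
        if unexpected:
            findings[adapter] = unexpected
    return findings


if __name__ == "__main__":
    # Real use: run `ipconfig /all > ipconfig.txt` on the suspect machine and
    # pass that file's contents instead of SAMPLE_IPCONFIG.
    for adapter, bad in audit_dns(parse_dns_servers(SAMPLE_IPCONFIG)).items():
        print(f"{adapter}: unexpected resolver(s) {', '.join(bad)}")
```

Run `ipconfig /all > ipconfig.txt` on the machine in question and feed that file to `parse_dns_servers`; an adapter that comes back with resolvers you never chose is worth checking on both the PC and the router, since the router's DHCP can hand out resolvers that override nothing you typed in by hand.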



#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:11 AM

Posted 07 February 2009 - 01:42 PM

Have you reset your router with a strong password?

Vista is more immune to driver/rootkit based infections than XP; you may have to delve a little deeper on the XP computer.

Post the latest MBAM log for the XP computer.

http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Updates can be downloaded and installed manually.
Chewy

No. Try not. Do... or do not. There is no try.

#3 davidmgray

davidmgray
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:11 PM

Posted 07 February 2009 - 02:10 PM

Hi,
I've not touched the router as yet but I was considering a full factory reset.
The password was stringish I thought but next time it will be bullet proof.

I will post the log shortly.

Thanks
Dave

#4 davidmgray

davidmgray
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:11 PM

Posted 08 February 2009 - 06:04 AM

Have you reset your router with a strong password?

Vista is more immune to driver/rootkit based infections than XP; you may have to delve a little deeper on the XP computer.

Post the latest MBAM log for the XP computer.

http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Updates can be downloaded and installed manually.


Hi,
I left Malware Bytes running overnight and it found four infected files. This is the extract from the log which details the files...


Files Infected:
C:\WINDOWS\system32\gaopdxxbnmpxxn.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-241187.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-241671.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxosvdltfq.sys (Trojan.Agent) -> Quarantined and deleted successfully.


Ok so I've removed all these and rebooted. I can now download Spybot S&D, which is an improvement from earlier, but the computer is still in a bad way. Everything is running incredibly slowly; Firefox takes approx 5 minutes to open.

Norton IS 2009 still does not find anything wrong.
Ad-aware finds a few tracking cookies and Spybot is still running.

What's the solution? Do I keep running various removal programs until it eventually gets cleaned?

Oh one more thing, Spyware Doctor found a load of errors but does not fix them as it was only the free scan.
After this I'm going to invest in a couple more programs to defend against this happening again, but which ones?
I think MB has to be a definite favourite.

Thanks
Dave


Spyware Doctor logfile


Infection - C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MPK\
07/02/2009 23:13:42:156
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gaopdxvx, gaopdxrun
07/02/2009 23:13:42:156
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gaopdxvx, gaopdxaff
07/02/2009 23:13:42:156
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gaopdxvx, gaopdxff
07/02/2009 23:13:42:156
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gaopdxvx, gaopdxpos
07/02/2009 23:13:42:156
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gaopdxvx
07/02/2009 23:13:48:234
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\GAOPDXSERV.SYS
07/02/2009 23:13:48:234
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\GAOPDXSERV.SYS
07/02/2009 23:13:48:234
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\GAOPDXSERV.SYS
07/02/2009 23:13:49:859
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_CLASSES_ROOT\gaopdxvx, gaopdxrun
07/02/2009 23:13:49:859
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_CLASSES_ROOT\gaopdxvx, gaopdxaff
07/02/2009 23:13:49:859
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_CLASSES_ROOT\gaopdxvx, gaopdxff
07/02/2009 23:13:49:859
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_CLASSES_ROOT\gaopdxvx, gaopdxpos
07/02/2009 23:13:49:859
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Key
Risk Level - High
Infection - HKEY_CLASSES_ROOT\gaopdxvx
07/02/2009 23:15:52:109
Infection was detected on this computer
Threat Name - Trojan.Generic
Type - Registry Value
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-4054792171-1207732412-3270523532-1243\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
07/02/2009 23:17:39:875
Infection was detected on this computer
Threat Name - Trojan.Generic
Type - File
Risk Level - Medium
Infection - C:\autorun.inf
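Added example, not part of the thread or of Spyware Doctor: a parser for the log format posted above. Each detection is a timestamp line, a fixed "Infection was detected" line, and four "Key - value" fields, the last of which is the "Infection -" path. The excerpt embedded below is taken from the log in this post, including the orphaned first "Infection -" line whose header was cut off; the parser keeps that entry instead of crashing on it. The summary then tallies detections by threat name and type and lists which driver services were flagged under more than one control set, which is useful when a cleanup does not stick.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the Spyware Doctor log posted in this thread, embedded inline so
# the parser runs offline. The first line is an orphaned "Infection -" entry
# whose header fields were cut off in the post; the parser keeps it rather
# than crashing or silently dropping it.
SAMPLE_LOG = r"""
Infection - C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MPK\
07/02/2009 23:13:42:156
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gaopdxvx, gaopdxrun
07/02/2009 23:13:48:234
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\GAOPDXSERV.SYS
07/02/2009 23:13:48:234
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\GAOPDXSERV.SYS
07/02/2009 23:15:52:109
Infection was detected on this computer
Threat Name - Trojan.Generic
Type - Registry Value
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-4054792171-1207732412-3270523532-1243\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
07/02/2009 23:17:39:875
Infection was detected on this computer
Threat Name - Trojan.Generic
Type - File
Risk Level - Medium
Infection - C:\autorun.inf
"""

TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3}$")
FIELD_RE = re.compile(r"^(Threat Name|Type|Risk Level|Infection) - (.*)$")
SERVICE_RE = re.compile(
    r"\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\SERVICES\\([^\\]+)$",
    re.IGNORECASE,
)


def parse_spyware_doctor_log(text):
    """Split the log into one dict per detection.

    A record starts at a timestamp line; "Key - value" lines attach to the
    current record, and "Infection -" closes it. An "Infection -" line seen
    with no open record (a truncated entry, as in the posted log) becomes a
    record with timestamp=None rather than being discarded.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line):
            current = {"timestamp": line}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                      # e.g. "Infection was detected on this computer"
        if current is None:
            current = {"timestamp": None}
            records.append(current)
        key = m.group(1).lower().replace(" ", "_")
        current[key] = m.group(2)
        if key == "infection":
            current = None                # last field of a record
    return records


def count_by_threat(records):
    """Counter keyed by (threat name, type); missing fields count as 'unknown'."""
    return Counter(
        (r.get("threat_name", "unknown"), r.get("type", "unknown")) for r in records
    )


def service_control_sets(records):
    """Map each flagged driver service name to the control sets it was found in."""
    found = defaultdict(set)
    for r in records:
        m = SERVICE_RE.search(r.get("infection", ""))
        if m:
            found[m.group(2).upper()].add(m.group(1))
    return dict(found)


if __name__ == "__main__":
    recs = parse_spyware_doctor_log(SAMPLE_LOG)
    for (threat, kind), n in sorted(count_by_threat(recs).items()):
        print(f"{threat:16} {kind:15} {n}")
    for svc, sets in service_control_sets(recs).items():
        print(f"{svc}: present in {', '.join(sorted(sets))}")
```

Because the scanner reports the same service key under ControlSet001 and CurrentControlSet, the summary makes it obvious that the entry exists in more than one place, which matches DaChew's warning that the XP machine needs a deeper look than a single key deletion.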

#5 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:11 AM

Posted 08 February 2009 - 08:29 AM

http://www.bleepingcomputer.com/forums/ind...t&p=1120792

Download ATFCleaner, update MBAM

they are up to 1738

physically disconnect from the internet and any other computer

Make sure teatimer is not loading at bootup

Temporarily disable norton's

Run ATFCleaner and MBAM and I need to see the full log

TDSS is a very nasty infection
Chewy

No. Try not. Do... or do not. There is no try.

#6 davidmgray

davidmgray
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:11 PM

Posted 10 February 2009 - 01:45 PM

http://www.bleepingcomputer.com/forums/ind...t&p=1120792

Download ATFCleaner, update MBAM

they are up to 1738

physically disconnect from the internet and any other computer

Make sure teatimer is not loading at bootup

Temporarily disable norton's

Run ATFCleaner and MBAM and I need to see the full log

TDSS is a very nasty infection


Do you want to see the full log from Malware bytes?

Dave

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:11 AM

Posted 10 February 2009 - 04:28 PM

Yes, the whole log gives us your OS and a few clues

Edited by DaChew, 10 February 2009 - 04:29 PM.

Chewy

No. Try not. Do... or do not. There is no try.



