
W32.Tidserv.G and Gaopdxserv: Can't connect to internet (hardwire or wifi)


7 replies to this topic

#1 KentJr (Members, 4 posts)

Posted 04 April 2009 - 03:41 PM

Hello, and thank you for your time. This is very kind of you and your group. My wife's computer's problems began when we downloaded Mu Torrent and downloaded CloneDVD2 and some 700MB WMV file that carried the signature of aXXo. It would not play, rather, when we tried using Windows Media Player, version 11.0.5721.5230, it connected to the internet and asked us to download " media usage rights." That is when PlayMYDVD downloaded to the computer. The first problem we recognized was that clicking on links no longer worked whether on Google or Yahoo via Firefox or Explorer. Instead, the links redirected to some fake ad-like websites. However, if we cut and pasted the links they would usually work. Also, even without a browser running, pop-up ads would come and visit us.

I noticed that when I cleared my cookies, the problem was fixed -- for a minute -- and it would start right back up again.

Our Symantec virus software didn't see anything. We weren't aware of other programs and did not have any. Not knowing about your group or your suggestions, I followed some threads about how to fix it. The first thing I did was try and download Spybot. Strangely, I could not even connect to the websites that offered Spybot downloads. Luckily (or not), the Ad-Aware website was accessible and I downloaded it. It found some things but the problem wasn't gone. I then downloaded Spybot, Malwarebytes, and GMER. Spybot wouldn't load, nor would Malwarebytes. GMER found some rootkits (C:\WINDOWS\system32\drivers\gaopdxqevpeycgyrjklypuoapxexyyridwkmxe.sys and C:\WINDOWS\system32\gaopdxxmmexmtyxjqtthveqxhsdulkiqlrmmaf.dll). It also found a module that could not be deleted; rather, it had to be "dumped" into some kind of .bin file.

This didn't fix the problem, but it let me navigate to and run Malwarebytes. No luck. I then found a thread recommending ComboFix. It found all sorts of things and after it fixed them, the internet links worked. But after I reset the computer, I can't connect to the web anymore.

Then I found your site (I hope not too late). I wish I had read it first...

Thanks for your help.



#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 04 April 2009 - 08:03 PM

Hello.

This is a nasty infection.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 KentJr (Topic Starter, Members, 4 posts)

Posted 05 April 2009 - 09:34 AM

Extremeboy,

Thanks for your quick response. Two questions. What information informed you that we had a backdoor trojan? Since my wife's computer had all sorts of passwords and bank account info on it, is there a way to tell if anyone has viewed it? Meanwhile, I am trying to find my installers for the software that we'd like to reload so we can prepare for the reformatting process.

#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 05 April 2009 - 10:58 AM

Hello.

> What information informed you that we had a backdoor trojan?

Actually, a few things:

1) "Gmer found some Rootkits" - a rootkit has backdoor functions.
2) C:\WINDOWS\system32\drivers\gaopdxqevpeycgyrjklypuoapxexyyridwkmxe.sys
3) C:\WINDOWS\system32\gaopdxxmmexmtyxjqtthveqxhsdulkiqlrmmaf.dll

> Since my wife's computer had all sorts of passwords and bank account info on it, is there a way to tell if anyone has viewed it?

Not exactly, but the best thing would be to change them so they can't view any information anymore. If anything seems to have changed and YOU did not do it personally, then you should contact your bank or any other financial companies ASAP.

With Regards,
Extremeboy
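The two paths quoted in the reply above are what gave the infection away: a driver and a DLL in the Windows system directories whose names are long, letters-only strings sharing the gaopdx prefix from the thread title. As an added example (not code from this thread or from any of the tools named in it), the following Python triage check applies that same reasoning to a file listing: it flags names carrying the quoted prefix, and names whose stem is a long, letters-only, high-entropy string. The listing is constructed for the example; only the two gaopdx paths come from the thread, and the length and entropy thresholds are assumptions, not published indicators.

```python
import math
import ntpath
from collections import Counter

# Constructed sample listing: the two gaopdx paths are the ones quoted in the
# thread; the remaining entries are ordinary Windows file names added here to
# show that the heuristic leaves them alone.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\drivers\gaopdxqevpeycgyrjklypuoapxexyyridwkmxe.sys",
    r"C:\WINDOWS\system32\gaopdxxmmexmtyxjqtthveqxhsdulkiqlrmmaf.dll",
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\usbhub.sys",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\drivers\mountmgr.sys",
]

KNOWN_PREFIXES = ("gaopdx",)   # prefix quoted in the thread
MIN_RANDOM_LEN = 16            # assumed: legitimate driver stems are rarely this long
MIN_ENTROPY_BITS = 3.5         # assumed: random lowercase strings score about 4 bits/char


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_name(path: str) -> list[str]:
    """Return the reasons a .sys/.dll name looks like a randomly named rootkit component."""
    stem, ext = ntpath.splitext(ntpath.basename(path).lower())
    reasons = []
    if ext not in (".sys", ".dll"):
        return reasons
    for prefix in KNOWN_PREFIXES:
        if stem.startswith(prefix):
            reasons.append(f"known prefix '{prefix}'")
    if (stem.isalpha() and len(stem) >= MIN_RANDOM_LEN
            and shannon_entropy(stem) >= MIN_ENTROPY_BITS):
        reasons.append(
            f"long letters-only stem ({len(stem)} chars, "
            f"{shannon_entropy(stem):.2f} bits/char)"
        )
    return reasons


def suspicious_files(listing):
    """Map each flagged path to the list of reasons it was flagged."""
    return {p: r for p in listing if (r := classify_name(p))}


if __name__ == "__main__":
    for path, reasons in suspicious_files(SAMPLE_LISTING).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against a real directory listing (for example the output of `dir /b` redirected to a file and read into `suspicious_files`), the check is a first pass only: a rootkit that hides its files from the file system API will not appear in such a listing at all, which is why the thread relied on GMER rather than Explorer to find them.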

#5 KentJr (Topic Starter, Members, 4 posts)

Posted 05 April 2009 - 10:12 PM

You are great, Extremeboy. Thanks for the prompt responses. Is there a way to clean my wife's machine and get back on the internet without formatting? Or is this backdoor going to let anyone past - despite a good firewall and whatever other stuff you recommend? If I have to format the drive, I will...but I am just hoping there is another way.

Do you think Dial-a-fix would help?

Thanks again.

#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 06 April 2009 - 03:11 PM

Hello.

> Is there a way to clean my wife's machine and get back on the internet without formatting?

Well, yes, but your computer was compromised, so I'm not sure if it's trustworthy for you anymore, especially if you do any banking or financial dealings.

> Or is this backdoor going to let anyone past - despite a good firewall and whatever other stuff you recommend?

Backdoors basically allow the remote person to have "root" access to your computer. As long as the rootkit is active and you are connected to the internet, then you are at "risk" and potentially the person can do almost anything, from stealing passwords to executing files. We can still remove the infection, but then you will need to decide for yourself whether you feel comfortable with an infection like this. Getting a good firewall and other protection can help, but right now it's a bit too late since your computer is compromised already.

Installing one if you don't have one already, however, is still a wise idea. Changing passwords etc. is also a good idea.

> If I have to format the drive, I will...but I am just hoping there is another way.

As explained above.

> Do you think Dial-a-fix would help?

No. Dial-a-fix is not a malware removal tool. It's more a tool that helps fix common Windows problems, so running Dial-a-fix will not help you.

With Regards,
Extremeboy

#7 KentJr (Topic Starter, Members, 4 posts)

Posted 07 April 2009 - 12:01 AM

Ok. I took your advice. I wiped my computer using the "restore to factory settings" format thing powered by Symantec. So I am now on the web w/ her computer. Passwords are changed, and we're watching our accounts.

Now that I have wiped it clean...I have Symantec Norton AntiVirus. What spyware preventer should I download? CNET rated HijackThis the highest. Do you agree? Would you be able to check the latest HJT log on my new clean system for me? Thanks again!

Kent

#8 extremeboy (Malware Response Team, 12,975 posts)

Posted 07 April 2009 - 04:35 PM

Hello.

HijackThis logs are not allowed to be posted or analyzed in this forum. They belong in the HJT-Malware Removal forum. If you want to post a log you can over here. However, please note there are many logs we have and we TRY to respond on a first come, first served basis. There will be some delay before you get a response from one of the HJT members.

Note on Hijackthis.

HijackThis is an advanced tool, and therefore requires advanced knowledge about Windows and operating systems in general. If you delete items that it shows, without knowing what they are, it can lead to other problems such as your Internet no longer working or problems with running Windows itself.

If you do not have advanced knowledge about computers you should NOT fix entries using HijackThis without consulting an expert on using this program.

Here are some anti-spyware programs. (I personally like Malwarebytes Anti-Malware and SUPERAntiSpyware. Spyware Terminator is another good anti-spyware program that also has free real-time protection.)

With Regards,
Extremeboy



