GAOPD Rootkit gaopdxserv.sys
- By Book Worm
- Published 02/12/2009
OK, probably serves me right, but one of my PCs got infected with a rootkit (thanks, Trend Micro) and all Google ads and search results were getting redirected, mainly to Adult Friend Finder, although there were a lot more.
Steps I took to remove gaopdxserv.sys (all the software I've linked to is free to use; donations are welcomed by most of them. I must admit to using the www.prevx.com scanner: it is free to scan and will give you the file names to look out for, but it costs money if you want it to remove the stuff for you. The steps below effectively do the same, if not better.)
Downloaded Sysinternals RootkitRevealer here.
This showed a suspicious gaopdxserv.sys was running but was hidden from the API (basically hiding itself).
Booted the computer from a Windows XP disk, selecting the Recovery Console to get to a clean command prompt.
Deleted all files matching gaopd*.* in c:\windows, c:\windows\system32, c:\windows\system32\drivers and c:\windows\system32\drivers\etc. There were 4 or 5 entries in total, and not in all of the directories listed (sorry, I didn't keep a list of them).
Rebooted the computer, and all was well again. Cleaned the registry manually using regedit to remove all references to gaopd, and also to recycler, which was trying to autorun something on the C: drive, resulting in not being able to open the C: drive in Explorer.
Used http://www.malwarebytes.org/ to get rid of the multitude of things that had come in while the rootkit was there.
And finally CCleaner to tidy up the registry.
Oh, and ditched Trend Micro and went back to McAfee, although that may change as it's a little slow!
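As a read-only checklist for the indicators this post and its comments describe (gaopd* files in the listed directories, registry references, the RECYCLER autorun on C:, and hosts-file edits), here is an added PowerShell example that is not part of the original post; it assumes PowerShell is installed on the affected machine and that a driver like gaopdxserv.sys registers under the standard Services and Run keys.

```powershell
# Read-only indicator check for the gaopd* cleanup described above. Added example,
# not the post's own tooling. Assumes PowerShell on the affected machine; the
# registry paths are standard driver/autostart locations (an assumption about
# where a driver like gaopdxserv.sys registers). It reports and deletes nothing.
# Caveat from the post: the rootkit hides from the API, so a clean result on the
# live system is not conclusive; the offline Recovery Console check is stronger.
$pattern  = 'gaopd*'
$findings = @()

# 1. Files in the directories the post lists.
$dirs = @("$env:SystemRoot", "$env:SystemRoot\System32",
          "$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32\drivers\etc")
foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Filter $pattern -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "file: $($_.FullName)" }
}

# 2. Registry: service/driver keys named gaopd*, and autostart values mentioning it.
$regPaths = @('HKLM:\SYSTEM\CurrentControlSet\Services',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($p in $regPaths) {
    Get-ChildItem -Path $p -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $pattern } |
        ForEach-Object { $findings += "registry key: $($_.Name)" }
    $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { "$($_.Value)" -like '*gaopd*' } |
            ForEach-Object { $findings += "registry value: $p\$($_.Name) = $($_.Value)" }
    }
}

# 3. autorun.inf on the system drive (the post's RECYCLER symptom) and hosts-file
#    edits (the later variants noted in the comments): flag any address line that
#    does not map to 127.0.0.1 or ::1.
$autorun = Join-Path $env:SystemDrive 'autorun.inf'
if (Test-Path $autorun) { $findings += "autorun.inf present: $autorun" }
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' } |
    ForEach-Object { $findings += "hosts entry: $_" }

if ($findings.Count -eq 0) { 'No gaopd* indicators found.' } else { $findings }
```

Run it from an elevated prompt so the Services key and the drivers directory are readable; anything it lists is a lead to confirm from the offline Recovery Console, not proof by itself.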
4 Responses to "GAOPD Rootkit gaopdxserv.sys" 
said this on 25 Feb 2009 6:36:53 AM UTC
A HUGE help, thanks! One thing to mention or add here is one of the symptoms I was getting. A popup window comes up with a title bar, Microsoft Windows. Then, after a yellow exclamation sign, the misspelled phrase: It can happend because this computer is infected by viruses...
said this on 06 Mar 2009 4:45:19 PM UTC
Any ideas what this little beasty does? I got caught with it and removed it, but I'm a bit worried about what it was doing. Was it just creating revenue by altering DNS links, or was it capturing data, thus needing to change passwords everywhere?
said this on 06 Mar 2009 10:46:15 PM UTC
The version I had didn't do anything sinister to gather information, although session information was passed through its server, so if the web site used ?user=xx&password=xx in its URL then it has been compromised, but SSL would not have been (unless you were warned the SSL cert was not for the domain!)
I've also now seen some versions change the Hosts file and DNS entries; in addition to the above, it would be worth checking these.
said this on 05 Apr 2009 1:43:31 AM UTC
I have been plagued by this Pr&^K of a thing for a week now. I seem to have it on a number of machines and used Trend, Malwarebytes, RemoveIT Pro and a number of other so-called 'Anti-Virus' removers and NOTHING even saw it, let alone removed it. I used 'Unhackme'... this worked perfectly on some machines and not others, but at least it found it first go!
It was so well lodged in. Symptoms are: mainly poor performance; you can hear the CPU is high for no reason (but nothing appears abnormal in the Task List!), long boot times and shutdowns, or not (while the thing goes and hides itself in your restore, recycle, root and anywhere else it can find). These things are evil and so are the a1&*$#holes that write these things. I use my PCs for work and finding contracts; I can't afford to have some nob frang with my machine! Thanks for the post. I would suggest this to be a good starting point. Thanks again. Master_number