gaopdx and gaopdxserv.sys and penis pill extension ads - updated 05 Feb
I thought it odd that CNN was constantly displaying ads for Penile Enhancement, so I started doing some digging. Sure enough, my PC was owned by a malware application that was more than difficult to remove. I ran SuperAntiSpyware, a rootkit checker, you name it, I ran it. I ended up having to go through a number of steps to remove it, right down to editing the Registry Hive directly from a bootable CD with a Linux install and a specialized app. I will list the steps here shortly. Contact me if you can't wait.
Part 2
Step 1 - Download the rootkit checker (RootkitRevealer) from Microsoft's Sysinternals site. It will find both the hidden registry keys and the hidden service related to gaopdx. I am telling you now: DO NOT reinstall Windows. It will not work. You might also want to roll back to an earlier configuration using System Restore. Another good idea, but the virus writers thought of that too and disabled your ability to do so. WRITE DOWN THE LOCATION IN THE HIVE where the keys are contained; you will need the exact paths in Step 3.
Step 2 - Run a good virus removal program. Because the infection blocks updates on the infected machine, you will need to download both the application and its update files on another machine and carry them over (a USB drive works). I like Avast. It checks memory and individual files for the virus and can run a full scan during boot, before the rootkit's components are loaded. Once that has completed, boot the computer from a boot disk and create a folder in the windows\system directory with the exact same file name as the virus (for example a folder named gaopdxserv.sys). A file cannot be created where a directory of the same name already exists, so this prevents the file from being dropped again.
Step 3 - You need a registry editor that loads the hive files from disk (offline, with Windows not running) and makes them available for editing. Now grab that piece of paper with the key locations and use the utility to delete the keys. I wasn't able to delete the service key itself, but I was able to delete all the values within the service key. Once that is done, write the hive back to disk and reboot. Once Windows loads, the service can no longer start, so you can now run regedit and remove any remaining elements related to the virus.
Contact me if you need help
I have that virus and it is a HUGE pain..
I have been trying to get rid of it for 2 weeks now.
I figured out that you cannot download any antivirus updates because it won't let you.
(so I have been using other machines that are clean).
I deleted the file but it was put back, but hidden this time..
I know when it is gone, I am able to run antivirus update and it will actually update..
As I type this I am running AVG antivirus to get rid of it, it has found it but I don't know if it can get rid of it..
What do you mean by "Hive"?
Jon
The Windows registry is comprised of a number of files commonly referred to as "Hives". When you run the rootkit checker, it will list a number of hidden registry entries relating to or containing *gao*. One of them specifically is a Windows service, so when you restart the machine the service installs the virus again.
Use a Windows boot disk with registry editing capabilities and delete the keys in the registry that contain anything relating to GAO. I could probably create a boot disk image and post it on my site. If you wouldn't mind, leave comments like these on my site as they will help others.
Thanks
–
Robert Thorell
+1 305 600 0114
This is a variant of the TDSS rootkit infector. It can be removed by MBAM (MalwareBytes Anti-Malware):
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.htm
For raw beginners and others who are not familiar with the registry editor, please do not edit or make changes on your own.
Free guided help for malware removal may be obtained at several web-based forums.
SpywareHammer
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0
MalwareBytes
http://www.malwarebytes.org/forums/index.php?showforum=7
AumHa Malware Removal forum
http://aumha.net/viewforum.php?f=30
SpywareInfo
http://www.spywareinfoforum.com/index.php?showforum=18
BroadBand/DSL Reports
http://www.broadbandreports.com/forum/cleanup
Tech Support Forums
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/305963-new-instructions-read-before-posting-malware-removal-help.html
Spywarewarrior
http://www.spywarewarrior.com/viewforum.php?f=5
Subratam
http://forums.subratam.org/index.php?showforum=7
Spybot
http://forums.spybot.info/forumdisplay.php?f=22
On Wed, Mar 18, 2009 at 7:01 PM, Jed XXXX wrote:
Hi Rob,
I’m Jed and I think my computer is infected with gaopdx virus. I have been looking all over the internet for solutions and the closest I can find is the article you have written titled “gaopdx and gaopdxserv.sys and penis pill extension ads -updated.” However, I’m having trouble following it. So I was wondering if you could please explain the process to me a little more simpler if you can find the time.
Thanks, Jed.
1a) Sure, the first thing you need to do is download the rootkit program from Microsoft's site:
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
1b) Run it and you should see references containing GAO in the lines. If you do, then you definitely have the virus.
2a) You will need to download or install a virus removal program. Use one of the ad links on my website or download Avast: http://www.avast.com/eng/download-avast-home.html
2b) Now, the tricky thing here is that Avast will not be able to update itself since the virus is disabling that ability. You will need to use another computer to download the update and then transfer it to the infected machine. You can use a USB drive to transfer the updates.
2c) Run Avast and make sure you select the option where it reboots the machine and scans the computer on boot. This prevents memory-resident viruses from interfering.
3) The next steps I performed manually and they are potentially damaging to your computer if you make a mistake. I believe that as of now the virus removal tools should be able to get rid of the virus. If not, please let me know and I can walk you through using a manual registry editor to remove the virus.
Hi Rob
Yes I've got gaopdx… it's a prick. Your post has been the most helpful thus far.
The Avast virus checker on boot was great. It found it.
But I’m still trying to eliminate from my registry.
I’ve been learning on the go about Registries, Hives and Branches.
I need to get Boot CD and follow your latter instructions more carefully. Which I intend to do.
But here’s what I dont understand.
When I use RootkitRevealer it says gaopdx is hidden from the API.
So I thought to use RegistryBooster to do a backup.
Then using little old notepad I opened the backup file - and there was no gaopdx. “You bewdy” I said (I’m an Aussie). Hoping that if the registry entries were hidden, they wouldn’t be backed up. If they were there I would have cut and cut and cut those buggers out.
So then I restored my gaopdx-free backup, and ran RootkitRevealer again.
And hey-presto…… They’re still there. Why’s that?
There is one consolation. I clicked on an ad, bought some pills and now my old-fella is 3″ longer.
Another Comment and an interesting way to approach the issue.
____________________________________
Hi Rob,
I found your article only after I finished removing the Trojan today. In my case, even though Kaspersky detected the Trojan (last Friday) it could not Disinfect it, and on the subsequent Delete attempt the Trojan proved stronger than Kaspersky and prevented Kaspersky from loading altogether. The A2Free scanner from EmsiSoft could run but couldn’t update as all connections to anti-malware sites were redirected to adult sites. As you mentioned System Restore was not working.
I found another article saying the Trojan creates an autorun file in the root folder of the boot drive, so I used a Linux Live CD to delete that file. This didn't clean the system, but I was able to run the RootKitRevealer from Microsoft and the Registry Monitor as well. Registry Monitor showed that the gaopdx keys were continuously opened and closed and showed the .sys and .dll files and their locations. Jumping back into Linux, I could rename those files, which enabled Kaspersky again and removed the hidden status of the registry keys.
After that I could let Kaspersky delete the files, use RegEdit to delete the HKLM\SOFTWARE key and do a System Restore to clean up the mess. So other than the excursions into Linux to delete the hidden system files the cleaning took place in Windows.
Just to let you know in case you’re interested.
Best regards,
George
Oregon, USA
Boot Disk
http://www.robthorell.com/networking/registry-bootdisk-for-removal-of-gaopdx-registry-entries.html
Hello, I've been reading all of this, and none of the solutions work for me. The virus that keeps coming up is gaopdxcounter, and a few others that start with gao. But the problem I have is that it will not allow me to do ANY updates on any security software I presently use (Avira, Spybot, Malwarebytes); nor will it allow me to download any files or even go to any of the 20 or so security websites I have tried. It either redirects me or, if I can get to a download button, it won't let me download anything. So I can't update a thing, or install and try another program. I have tried all of this in safe mode and turned off system restore (btw, could not restore to any previous day either). Any ideas? Thank you.
Gunth, therein lies the problem. The virus disables the auto-removal tools from working, therefore you must download the virus updates and files I suggested on a different computer. The rootkit revealer is available on Microsoft's site and I have made the boot disk available at the link above. The trick is to edit the registry manually using the boot disk and remove the hidden keys referring to gao*. It's more of a power user maneuver but doable if you take your time.
Thanks for the quick reply. Unfortunately, I am on the West Coast, my customer is on the East Coast, and I was hoping to be able to do this remotely. I figured that I would need the physical computer because most everything I’ve tried just won’t sneak past this thing.
I was able to download a few packages using xB Browser, by XeroBank over Tor, and was able to get some software to install, but once installed, they still would not update.
Thanks very much.
Any chance your customer has access to an IP KVM? If they are in Florida they could bring it into the datacenter in Miami I work from. Even after updating the virus software I've only been successful at manually removing the keys before the OS loads. This was a nasty little virus that took me a few days to work through.
No chance for that, I just moved to Southern Cal from Upstate NY where otherwise the typical options for computer help is pretty much limited to the Geek Squad, so my old customers (extremely intimidated by technology) are bumming that I’m gone. I have set most of them up for remote maint., but things like this are obviously a problem. I am pretty dang good at taking care of problems without having to do complete re-installs, but sometimes, like this one, I need the physical machine as this post outlines.
I noticed that this virus was first detected by Avira, on her system, back in Nov '08. I was notified about a month ago, worked and researched it for about a week, then sat on it hoping that a solution might appear without requiring that I have the computer in my possession.
Thanks again.
You have to remove this using three programs, as follows:
1) Install "Autorun Eater": this stops the block from accessing c: (this virus jumps onto flash drives too, so be careful). Look for this using Google.
2) Use Malwarebytes to remove a portion of it. This is done by changing MBAM.exe on your "c" drive to another name and then running it.
3) Install "Combofix" (find this by searching on Google). This removes the rootkit.
Use Malwarebytes again just to be safe.
Sincerely,
-Anonymous