Unable to Clean Win32/Spy.Goldun.GU


mark.eleven
October 27th, 2006, 02:22 PM
When I do an In-Depth scan, NOD32 finds my PC's operating memory infected with a trojan horse, Win32/Spy.Goldun.GU. NOD32 prompted for action, but the only option is "leave", so I am unable to clean it.

The log shows "a variant of Win32/Spy.Goldun.GU trojan found in operating memory. System memory infection originated from file C:\WINDOWS\system32\uservmem.dll."

I have also tried using several other AVs but didn't manage to clean this virus/trojan. Every time the file uservmem.dll is deleted, it is back when the PC is rebooted. And Kaspersky 6 could not even detect this trojan.

I'm at a loss now. Hope NOD32 can help; I really appreciate your assistance.

Thanks.

pc-support
October 27th, 2006, 02:26 PM
Download and run SuperAntiSpyware and HijackThis.

If you don't know what to do with HijackThis, then read its FAQs.

ASpace
October 27th, 2006, 02:27 PM
Hello! Welcome to Wilders!

It would be an easy task :)

Download UnDll, the DLL removal utility (an excellent ESET tool created by Paolo Monti).
Extract it and use it. Point it to the infected file
C:\WINDOWS\system32\uservmem.dll

and follow the instructions to kill it ;)

Compare your settings to Blackspear's tutorial here (http://www.wilderssecurity.com/showthread.php?t=37509)

From Control Center, make sure NOD32 is updated and perform a full scan
from Control Center -> NOD32 -> Run NOD32 -> Scan & Clean

Post back with results ;) :thumb:

mark.eleven
October 27th, 2006, 02:40 PM
UnDLL could not find the file. But if I use another program like IceSword, I can see it. Could it be hidden?

ASpace
October 27th, 2006, 02:41 PM
> UnDLL could not find the file. But if I use another program like IceSword, I can see it. Could it be hidden?

You should point it to that file, just type it as I have. Hidden or not, when you type it, it will be undlled :)

If again this doesn't help, post again and I'll provide you with instructions for another tool.

mark.eleven
October 27th, 2006, 02:44 PM
I just did that, UnDLL gave a message "The selected file does not exist".
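An added triage step for the situation above (example code, not from this thread or from any of the tools named in it): before deleting anything, a defender would want to know whether the reported file is visible to the normal file system API, whether it carries hidden/system attributes, and which running processes have it mapped, since a mapped DLL is what NOD32 reports as an "operating memory" infection. It assumes a modern Windows PowerShell run from an elevated prompt; the path is the one from the NOD32 log in the first post.

```powershell
# Added triage example, not part of the original thread.
# Assumes Windows PowerShell 5.1 or later, run elevated.
$Path = 'C:\WINDOWS\system32\uservmem.dll'   # path reported in the NOD32 log above
$Name = [System.IO.Path]::GetFileName($Path)

# -Force also returns files flagged Hidden/System that a plain listing skips.
$item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Host "Not visible through the file system API: $Path"
    Write-Host "If an anti-rootkit viewer (e.g. IceSword) still lists it, the view is being filtered; use a boot-time deletion tool."
} else {
    Write-Host ("Found {0}  size={1}  attributes={2}" -f $item.FullName, $item.Length, $item.Attributes)
    # Record a hash before removal so the sample can be identified later.
    Write-Host ("SHA256: {0}" -f (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash)
}

# A DLL mapped into a running process holds the file open, which blocks an
# in-place delete; knowing the loaders tells you what to stop, or that a
# delete-at-reboot tool is needed. Protected processes may refuse module
# enumeration, hence the try/catch.
$loaders = Get-Process | Where-Object {
    try { $_.Modules | Where-Object { $_.ModuleName -ieq $Name } } catch { $false }
}
if ($loaders) {
    Write-Host "Processes with $Name loaded:"
    $loaders | Select-Object Id, ProcessName, Path | Format-Table -AutoSize
} else {
    Write-Host "No running process has $Name loaded."
}
```

If the file reappears after a reboot, as the first post describes, whatever recreates it also needs to be found and removed; this script only shows the current state.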

mark.eleven
October 27th, 2006, 02:50 PM
This is my HijackThis log.

~Log Removed - Ron~ Please see this post. (http://www.wilderssecurity.com/showthread.php?t=42148)

ASpace
October 27th, 2006, 02:58 PM
Download Avenger from http://swandog46.geekstogo.com/avenger.zip
Extract it into a new folder.

Then download this file:
http://pandaman.my.contact.bg/file.txt

Start Avenger. Choose Load script from file. Choose the file file.txt.
Click on the button with the lights and choose restart when prompted.

After the restart the malware's file should be gone.

Then perform a full Scan&Clean with NOD32 as suggested in my first post in this thread. Good luck :thumb:

P.S. You are not allowed to post HJT log files on the Wilders forums.

mark.eleven
October 27th, 2006, 03:14 PM
Thanks. I'm doing an in-depth scanning now, and the operating memory is OK. Looks like the trojan is killed!

Thanks again.

ASpace
October 27th, 2006, 03:16 PM
> Thanks. I'm doing an in-depth scanning now, and the operating memory is OK. Looks like the trojan is killed!
>
> Thanks again.

Did you do the Avenger part?

I recommend you read my first post and set up NOD per Blackspear's instructions.

mark.eleven
October 27th, 2006, 03:39 PM
Yes, I did the Avenger part and the trojan dll file has been deleted.

I'm deep scanning with NOD now with the recommended extra configuration. Things look OK.

Thanks again.

ASpace
October 28th, 2006, 08:07 AM
> Yes, I did the Avenger part and the trojan dll file has been deleted.
>
> I'm deep scanning with NOD now with the recommended extra configuration. Things look OK.
>
> Thanks again.

You are welcome! :thumb:

k.janos
November 24th, 2006, 12:10 PM
Hi HiTech_boy!

I have the same problem with Win32/Spy.Goldun.GU!!!

Please send me the script file (http://pandaman.my.contact.bg/file.txt) because I can't reach it!

My e-mail: keresztes.j @ digiplaza.hu

It's very important for me!

Thank you!

> Download Avenger from http://swandog46.geekstogo.com/avenger.zip
> Extract it into a new folder.
>
> Then download this file:
> http://pandaman.my.contact.bg/file.txt
>
> Start Avenger. Choose Load script from file. Choose the file file.txt.
> Click on the button with the lights and choose restart when prompted.
>
> After the restart the malware's file should be gone.
>
> Then perform a full Scan&Clean with NOD32 as suggested in my first post in this thread. Good luck :thumb:
>
> P.S. You are not allowed to post HJT log files on the Wilders forums.

k.janos
November 24th, 2006, 12:47 PM
I wrote the script file myself, and it worked correctly, so the problem is no longer current.

I cleaned Win32/Spy.Goldun.GU from my computer.

THX for the description! :)

> Hi HiTech_boy!
>
> I have the same problem with Win32/Spy.Goldun.GU!!!
>
> Please send me the script file (http://pandaman.my.contact.bg/file.txt) because I can't reach it!
>
> My e-mail: keresztes.j @ digiplaza.hu
>
> It's very important for me!
>
> Thank you!

ASpace
November 24th, 2006, 02:08 PM
Hi k.janos!

Thanks for letting us know! :thumb:

By the way, welcome to Wilders! Don't hesitate to post back again if you have any problems ;)

Bubba
December 4th, 2006, 01:19 PM
Member bfriendly,

I have split your post concerning Symantec and Trojan.Goldun into a thread of its own. Please follow the link below for further assistance in an appropriate forum.

Bubba

This thread ---> Trojan.Goldun and Symantec (http://www.wilderssecurity.com/showthread.php?t=156740)