#1
Hi there
I'm a long-time user of NOD32 and never been infected before (I think!). I have been infected today and would appreciate any advice on how to ensure my computer is now clean.

Today at 12:05 I got a NOD32 warning message about the file "http://u8r.in/se/1.exe", which was identified as "a variant of the Win32/Waledac.KA trojan". I first opted to block this. But the message appeared twice again over the next 25 minutes and on both these occasions I chose the Terminate option.

After the 3rd warning, I looked in my task manager and saw the process wpv121248215369.exe. I killed this process. Reading about something called trojan.bredolab, I discovered this exe file in the folder windows\temp and deleted it from there (the file was created at 12:05). I also found the file rncsys32.exe in my programs\startup group, although I am not sure if this has any connection. I deleted that too.

I have rescanned my computer a couple of times and nothing was found. However, as NOD32 did not remove the infection, I am concerned it may reappear. How can I be sure this is gone? Also, if anyone knows how I got this, please let me know.

Any advice greatly appreciated.

James
#2
Download an application such as MalwareBytes or SuperAntiSpyware and do a scan.
__________________
OpenDNS with DNSCrypt
SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP (Fanboy's list) & HTTPS Everywhere
#3
Maybe nothing was found because v2 detects fewer threats than v3/v4. Unless you use Windows 9x or have NOD32 for Exchange installed, I'd strongly suggest that you upgrade to v4.
#4
Hi there! You can also use "Trojan Remover". It's not freeware, but it helps a lot when talking about Trojans. The current version is 6.7.9, I think. Bye ;-)
__________________
Viruses, don't bother my PC or you'll face eset antivirus.
#5
Thanks for these suggestions. I have installed NOD32 v4 and rescanned but no threats were found. Prior to that, I installed SuperAntiSpyware and scanned - no threats. I also scanned with MalwareBytes. This found one infected file, also created at 12:05: c:\documents and settings\****\Application Data\wiaserva.log

What bothers me is that, apart from this file found by Malwarebytes, all of the files/processes to be removed have been identified by me. This does not give me much confidence I am in the clear.

Does anyone know what these threats are (rncsys32.exe, wpv[numbers].exe), how they got on my computer, and how I can be sure I'm rid of them? I have searched on the eset website and cannot find any information.

Kind regards

James