Please help! Problem with Trojan.Goldun.

Discussion in 'malware problems & news' started by AWorriedPerson, Nov 16, 2007.

Thread Status:
Not open for further replies.
  1. AWorriedPerson

    AWorriedPerson Registered Member

    Joined:
    Dec 3, 2006
    Posts:
    30
    Hello! I am very sorry for troubling you here, but I have a serious problem. :'( My Spyware Doctor found Trojan.Goldun. But it wouldn't remove it, because it is the trial version. I searched for a solution, but unfortunately didn't find any. I downloaded Top-RegistryEditor5.3TrialVersion.exe (my regedit.exe was deleted because of a trojan), but I didn't find any registry entries. o_O

    Here is the report.

    Spyware Doctor Activity Report
    Generated on 11/16/2007 8:48:07 PM


    Scans (basic information only):

    Scan Results:
    scan start: 11/16/2007 8:54:21 PM
    scan stop: 11/16/2007 8:57:12 PM
    scanned items: 12122
    found items: 47
    found and ignored: 0
    tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner
    Infection Name Location Risk
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Alerter##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\AudioSrv##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\BITS##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Browser##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Dhcp##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\dmserver##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Dnscache##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\ERSvc##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\EventSystem##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\helpsvc##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\HidServ##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\HTTPFilter##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\LmHosts##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Messenger##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Netman##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Nla##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\NtmsSvc##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\RasAuto##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\RasMan##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Schedule##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\seclogon##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\SENS##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetection##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\srservice##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\stisvc##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\TapiSrv##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Themes##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\TrkWks##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\upnphost##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\W32Time##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\WebClient##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\winmgmt##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSN##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Wmi##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\wscsvc##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\wuauserv##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\WZCSVC##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\xmlprov##ImagePath High

    Scan Results:
    scan start: 11/16/2007 8:59:53 PM
    scan stop: 11/16/2007 9:03:45 PM
    scanned items: 18869
    found items: 47
    found and ignored: 0
    tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner
    Infection Name Location Risk
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Alerter##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\AudioSrv##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\BITS##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Browser##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Dhcp##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\dmserver##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Dnscache##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\ERSvc##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\EventSystem##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\helpsvc##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\HidServ##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\HTTPFilter##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\LmHosts##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Messenger##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Netman##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Nla##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\NtmsSvc##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\RasAuto##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\RasMan##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Schedule##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\seclogon##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\SENS##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetection##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\srservice##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\stisvc##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\TapiSrv##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Themes##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\TrkWks##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\upnphost##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\W32Time##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\WebClient##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\winmgmt##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSN##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Wmi##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\wscsvc##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\wuauserv##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\WZCSVC##ImagePath High
    Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\xmlprov##ImagePath High

    Other Sections:

    Copyright © 2003 PC Tools. All rights reserved. Legal Notice

    Here is the link that Spyware Doctor gave: http://www.pctools.com/en/mrc/infections/id/Trojan.Goldun/

    And here is the description.

    Trojan.Goldun (Haxdoor.CX [Sunbelt]
    Troj/Haxdoor-AG [Sophos]
    Trojan-Spy.Win32.Goldun.bf [Kaspersky]
    Trojan-Spy.Win32.Goldun.gj
    Trojan-Spy.Win32.Goldun.EP
    Trojan.Haxdoor-Rege.Process)

    Threat Level: High

    Description: Trojan.Goldun is a hidden process that steals personal information such as usernames and passwords for financial accounts. It then sends this data to a remote server located at sturfajtn.com.

    Advice: Toss


    If someone would be so kind as to help me, please! I don't know what to do now; all of my passwords are in danger.

    P.S. My deepest apologies if this topic is in the wrong thread.
     
  2. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    627
    Location:
    Terre Haute, IN
  3. AWorriedPerson

    AWorriedPerson Registered Member

    Joined:
    Dec 3, 2006
    Posts:
    30

    Thank you very much for your help! I tried the link. Unfortunately the web scanner didn't work (JavaScript), but it said to download a-squared Free. I am using it and it hasn't found anything. So a false positive, maybe?
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I recommend downloading Avast free antivirus even if you have another one, because Avast will allow a boot scan before Windows startup programs can run. You may want to temporarily disable your other virus program so there are no conflicts.
     
  5. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Sorry, disagree.
    Not that Avast is bad, but pretty much any AV needs to be uninstalled, not just disabled, before attempting to install another.
    Avast is not high on detection/removal of rootkits, if this is indeed what you have.
    That certainly seems possible, given there are only reg entries in the scan results, no files or .exe's.
    Have a look here
    where there are many links to antirootkit (and other security) applications.
    I have pretty much beginner/intermediate knowledge, which is enough to know that the results can be difficult to interpret and action; some vendors offer help forums for this, Sophos and AVG seem to be the easiest to use.
    Consider downloading this standalone virus scanner, which can be run (it is standalone) without uninstalling your existing AV.
     
  6. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    And having had a think, I remember the application/forum involved that may help. RootkitRevealer and the forum
    These things are complex, read the help files/faq's before posting any topics.
    BTW, A2 free is a good scanner. So too are Superantispyware, AVG Antispyware, (Free demand scanners) and SpywareTerminator (free realtime scanner).
    If none of these detect anything untoward, I would suspect a FP from Spyware Doctor.
     
  7. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    I also had a Haxdoor infection in the past. I used the following tools to remove it:

    Haxfix
    Sophos Antirootkit
    SuperAntiSpyware Free

    *Caution, direct downloads

    To undo the restrictions made by the malware use this tool. To enable your Security Center see this thread.

    thanatos
     
    Last edited: Nov 17, 2007
  8. AWorriedPerson

    AWorriedPerson Registered Member

    Joined:
    Dec 3, 2006
    Posts:
    30
    Thank you very much for everyone who helped! :) I scanned with

    Ad-Aware Se Personal
    a-squared Anti-Dialer
    a-squared Free
    SpyBot Search & Destroy
    SUPERAntiSpyware Free Edition
    AVG Anti-Rootkit Free
    AVG Anti-Spyware
    Dr. Web
    Kaspersky Internet Security 6.0

    I used HaxFix, RRT, Spyware Terminator. The last one found

    Invalid Starup Item (Invalid Item)
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LDM=Program\

    CoolWebSearch (Remaining Items of Adware)
    C:\Documents and Settings\User\Favorites\o_Oo_Oo_O o_Oo_O - o_Oo_Oo_O.url

    (Here should be question marks.)

    They can't be removed, but it might be another false positive.
    It seems to be a false positive, because after uninstalling my old version of Spyware Doctor and installing a new version, everything is all right.


    Thank you again for your help!
     
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    They are definitely F/Ps reported in the original post.

    Active Goldun doesn't even drop those reg values in the first place. o_O
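    The triage that Tarq57 and fcukdat describe above (every "detection" in the first post is the ImagePath of a stock Windows XP service, with no file or process named) can be done mechanically. The following is an added example, not code from the thread or from PC Tools: it parses the report's "Infection Name Location Risk" lines and compares each flagged ImagePath against a registry snapshot, calling the value a likely false positive only when the executable is the real svchost.exe under %SystemRoot%\System32. The report excerpt is a constructed subset of the quoted lines, the registry snapshot is constructed (three stock XP values plus one deliberately altered RemoteRegistry entry to show what a hijacked value would look like), and the system root C:\WINDOWS is an assumption.

```python
import re

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: default XP install location
EXPECTED_SVCHOST = r"c:\windows\system32\svchost.exe"  # compared lower-cased

# Constructed excerpt: four of the 47 report lines quoted in the first post.
REPORT_EXCERPT = r"""Infection Name Location Risk
Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Alerter##ImagePath High
Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\BITS##ImagePath High
Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\Dnscache##ImagePath High
Trojan.Goldun HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry##ImagePath High
"""

# Constructed registry snapshot (not read from any real machine). The first three
# are the stock XP values for those services; RemoteRegistry is altered on purpose
# to show a hijacked ImagePath: right file name, wrong directory.
REGISTRY_SNAPSHOT = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Alerter": {
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalService"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\BITS": {
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache": {
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry": {
        "ImagePath": r"C:\Documents and Settings\User\Local Settings\Temp\svchost.exe -k netsvcs"},
}

# "<name> <hive\key>##<value> <risk>" is the layout the report uses.
FINDING_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<key>HK\w+\\[^#\s]+)##(?P<value>\S+)\s+(?P<risk>\S+)$")


def parse_report(text):
    """Return one dict per finding line; the header line does not match."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def executable_of(image_path):
    """Extract the executable from an ImagePath value, lower-cased and with
    %SystemRoot% expanded, so that it can be compared to EXPECTED_SVCHOST."""
    m = re.match(r'^\s*"?(.+?\.exe)"?(\s|$)', image_path, re.IGNORECASE)
    if not m:
        return None
    return m.group(1).lower().replace("%systemroot%", SYSTEM_ROOT.lower())


def triage(findings, snapshot):
    """Map each flagged registry value to a verdict a responder can act on."""
    verdicts = {}
    for f in findings:
        current = snapshot.get(f["key"], {}).get(f["value"])
        if current is None:
            verdicts[f["key"]] = "missing"          # value not present: nothing to judge
        elif executable_of(current) == EXPECTED_SVCHOST:
            verdicts[f["key"]] = "likely false positive"
        else:
            verdicts[f["key"]] = "review: " + current
    return verdicts


if __name__ == "__main__":
    for key, verdict in triage(parse_report(REPORT_EXCERPT), REGISTRY_SNAPSHOT).items():
        print(f"{key.rsplit(chr(92), 1)[-1]:16} {verdict}")
```

    On a live XP machine the snapshot would come from reading each service key with the winreg module (or from an exported .reg file) instead of the constructed dict; the comparison is the same. The point the check captures is the one fcukdat makes: a scanner that flags 47 service ImagePath values while every one of them still points at the genuine svchost.exe has produced signature noise, whereas a single value pointing somewhere else (the altered RemoteRegistry entry here) is the thing worth looking at.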
     
  10. AWorriedPerson

    AWorriedPerson Registered Member

    Joined:
    Dec 3, 2006
    Posts:
    30

    Really? Thank you very much! :)
     