Trojan.goldun

Discussion in 'malware problems & news' started by oldman367, Dec 4, 2006.

Thread Status:
Not open for further replies.
  1. oldman367 (Registered Member; joined Dec 4, 2006; 2 posts)

    Today one of my users came in and was notified by our antivirus that Trojan.Goldun has infected the computer. Upon researching it on Google, I came across a fix in this forum that seemed to work. One of the links is not working and I was wondering how to get rid of this virus. According to Symantec I should have had a file "wmedia16.exe" in the registry and "uservmem.dll" in the windows/system32 folder. I cannot find anything anywhere. Any help would be appreciated.
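The indicator check the first post describes (an autorun entry referencing wmedia16.exe and uservmem.dll in System32, as named by Symantec), as an added example that is not part of the thread and not a tool any poster used. The filenames come from the post; the list of autorun registry keys searched is an assumption, since the post only says "in the registry". Run it from an elevated PowerShell prompt on the suspect host.

```powershell
# Added example (not from the thread): look for the two Trojan.Goldun indicators
# named in the first post. Indicator filenames are from the post (via Symantec);
# the autorun key list below is an assumption about where such an entry would live.

$indicatorFile = 'wmedia16.exe'
$indicatorDll  = Join-Path $env:SystemRoot 'System32\uservmem.dll'

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

$findings = @()

# Walk each autorun key and flag any value whose data mentions the indicator file.
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own PS* metadata
        if ("$($p.Value)" -match [regex]::Escape($indicatorFile)) {
            $findings += [pscustomobject]@{
                Type  = 'Registry'
                Where = "$key\$($p.Name)"
                Value = $p.Value
            }
        }
    }
}

# Check for the DLL itself and record size, timestamp and hash for later comparison.
if (Test-Path -LiteralPath $indicatorDll) {
    $item = Get-Item -LiteralPath $indicatorDll -Force
    $hash = (Get-FileHash -LiteralPath $indicatorDll -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Type  = 'File'
        Where = $indicatorDll
        Value = "{0} bytes, modified {1}, SHA256 {2}" -f $item.Length, $item.LastWriteTime, $hash
    }
}

# A rootkit can hide files and registry keys from the running OS, so an empty
# result is not proof of a clean machine; confirm with an offline (boot-media) scan.
if ($findings.Count -eq 0) {
    Write-Output 'No Goldun indicators visible from inside the running OS (not conclusive if a rootkit is present).'
} else {
    $findings | Format-Table -AutoSize
}
```

The rootkit caveat in the last comment is the practical point: a user-mode query through the live registry and filesystem sees only what the kernel lets it see, which is why a negative result here should be confirmed from boot media rather than taken as a clean bill of health.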
     
  2. tobacco (Frequent Poster; joined Nov 7, 2005; 1,497 posts; British Columbia)

    This is not good, considering this type of infection contains a 'Rootkit'.
     
  3. ASpace (Guest)

    Hello. What is your antivirus? Is it NOD?

    Are we talking about this thread and this link not working ?

    If NOD32 is not your current antivirus, I would suggest you download a trial copy of ESET NOD32 2.7, fully uninstall your current AV, install the 30-day trial version of NOD32, update it, push full Scan & Clean and let it do its job, of course. If Normal mode doesn't work, you can perform a full scan in Safe Mode.

    The "broken" link with the file file.txt has been removed by me because it is no longer needed by the OP of that thread (user: mark.elevel). If the suggestion to install NOD32 and give it a try doesn't work, I can provide you with that file again.

    Regards!
     
  4. oldman367 (Registered Member; joined Dec 4, 2006; 2 posts)

    The antivirus is Symantec 10.0 and it is managed by the network. The thread I was referring to was from Jan., I believe. The post had to do with downloading avenger.zip and then using your Panda script.
     
  5. ASpace (Guest)

    The thread we are talking about is about the Spy.Goldun.GU version. Nowhere do you mention that version of that malware. What I suggested to the OP there was to download a particular application called The Avenger and to use it in order to delete an infected file, uservmem.dll, which NOD32 wasn't able to remove. This script has nothing to do with Panda / Panda Software; this file's aim was to point The Avenger to delete that particular infected DLL file on boot. I can easily give you that file, but there is no point, because such a file may not exist on your computer or it may not be infected.

    This is the official ESET NOD32 Anti-Virus system forum. I would suggest you read my previous advice and install a trial version of NOD32 to make sure your system is clean :)
     
  6. ASpace (Guest)

    The file file.txt is now back. You can download it and use it along with The Avenger. I also strongly suggest you perform post 3.

    Good luck!
     
  7. tobacco (Frequent Poster; joined Nov 7, 2005; 1,497 posts; British Columbia)

    oldman367

    There is something very important here that needs mentioning whenever dealing with 'Rootkit' infections. If the infected computer is used for anything important such as 'Online Banking/Purchases' etc., the recommendation is a 'Complete Format and Re-Install Job'. Period.

    It is very difficult to determine if the rootkit has been completely removed and too much is at stake not just privacy wise but 'Financially Wise'.
     
  8. podunk (Registered Member; joined Dec 13, 2006; 1 post; California)

    This is good advice. We recently had an issue with one of the Goldun variants (there are around 25 variations, if I remember correctly). Almost all of the newer variants have a rootkit involved (whereas the older ones did not, and were easier to remove), so if you're being paid to clean up this client and there is a rootkit involved, I would reformat (less time and a 100% guarantee of removal).

    As to how the system was infected, many of the recent strains of Goldun have been using a phishing email "from" either egold or paypal, whereby the victim clicks on a link in the email and goes to a malicious site which downloads the trojan. Then, after the rootkit is dropped, many of the Goldun variants delete the original trojan files to hide the infection.
     