Unable to Clean Win32/Spy.Goldun.GU

Discussion in 'NOD32 version 2 Forum' started by mark.eleven, Oct 27, 2006.

Thread Status:
Not open for further replies.
  1. mark.eleven

    mark.eleven Registered Member

    Joined:
    Oct 27, 2006
    Posts:
    81
    Location:
    Island of Sodor
    When I do an In-Depth scan, NOD32 found my PC's operating memory infected with a trojan horse, Win32/Spy.Goldun.GU . NOD32 prompted for action but the only option is to "leave", thus I am unable to clean it.

    The log shows " a variant of Win32/Spy.Goldun.GU trojan found in operating memory. System memory infection originated from file C:\WINDOWS\system32\uservmem.dll . "

    I have also tried using several other AV but didn't manage to clean this virus/trojan. Every time the file uservmem.dll is deleted, it will be back when the PC is rebooted again. And Kaspersky 6 could not even detect this trojan.

    I'm at a loss now. Hope NOD32 can help and really appreciate your assistance.

    Thanks.
     
  2. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    Download and run SUPERAntiSpyware and HijackThis.

    If you don't know what to do with HijackThis then read its FAQs.
     
  3. ASpace

    ASpace Guest

    Hello ! Welcome to Wilders !

    It would be an easy task :)


    Download UnDll - the DLL removal utility (excellent ESET tool created by Paolo Monti)
    Extract it and use it . Point to the infected file
    C:\WINDOWS\system32\uservmem.dll

    and follow the instructions to kill it ;)

    Compare your settings to Blackspear's tutorial here

    From Control Center , make sure NOD32 is updated and perform full scan
    from Control Center -> NOD32 -> Run NOD32 -> Scan & Clean

    Post back with results ;) :thumb:
     
  4. mark.eleven

    mark.eleven Registered Member

    UnDLL could not find the file. But if I use another program like IceSword, I can see it. Could it be hidden?
     
  5. ASpace

    ASpace Guest

    You should point it to that file , just type it as I have . Hidden or not , when you type it , it will be undlled :)

    If again this doesn't help , post again and I'll provide you instructions for another tool
     
  6. mark.eleven

    mark.eleven Registered Member

    I just did that, UnDLL gave a message "The selected file does not exist".
     
  7. mark.eleven

    mark.eleven Registered Member

    This is my HijackThis log.

    ~Log Removed - Ron~ Please see this post.
     
    Last edited by a moderator: Oct 27, 2006
  8. ASpace

    ASpace Guest

    Download Avenger from http://swandog46.geekstogo.com/avenger.zip
    Extract it into a new folder

    Download this file then
    http://pandaman.my.contact.bg/file.txt


    Start Avenger . Choose Load script from file . Choose the file file.txt
    Click on the button with the lights and choose restart when prompted

    After restart the malware's file should be gone .

    Then perform full Scan&Clean with NOD32 as suggested in my first post in this thread . Good luck :thumb:


    P.S. You are not allowed to post HJT log files at Wilders forums
     
  9. mark.eleven

    mark.eleven Registered Member

    Thanks. I'm doing an in-depth scanning now, and the operating memory is OK. Looks like the trojan is killed!

    Thanks again.
     
  10. ASpace

    ASpace Guest


    Did you do the Avenger part ?


    I recommend you read my first post and set up NOD per Blackspear's instructions
     
  11. mark.eleven

    mark.eleven Registered Member

    Yes, I did the Avenger part and the trojan dll file has been deleted.

    I'm deep scanning with NOD now with the recommended extra configuration. Things look OK.

    Thanks again.
     
  12. ASpace

    ASpace Guest

    You are welcome ! :thumb:
     
  13. k.janos

    k.janos Registered Member

    Joined:
    Nov 24, 2006
    Posts:
    2
    Location:
    hungary
    Hi HiTech_boy!

    I have the same problem with Win32/Spy.Goldun.GU!!!

    Please send me the script file (http://pandaman.my.contact.bg/file.txt) because I can't reach it!

    my e-mail : keresztes.j @ digiplaza.hu

    it's very important for me!

    Thank You!

     
    Last edited by a moderator: Nov 24, 2006
  14. k.janos

    k.janos Registered Member

    I wrote the script file, and it worked correctly, so the problem is no longer an issue.

    I cleaned Win32/Spy.Goldun.GU from my computer.

    THX for the description! :)


     
    Last edited by a moderator: Nov 24, 2006
  15. ASpace

    ASpace Guest

    Hi k.janos !

    Thanks for letting us know ! :thumb:

    By the way , welcome to Wilders ! Don't hesitate to post back again if you have some problems ;)
     
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    member bfriendly,

    I have split your post concerning Symantec and Trojan.Goldun into a thread of its own. Please follow the link below for further assistance in an appropriate forum.

    Bubba

    This thread---> Trojan.Goldun and Symantec
     