Win32/Waledac.KA trojan

Discussion in 'NOD32 version 2 Forum' started by jamest, Jul 22, 2009.

Thread Status:
Not open for further replies.
  1. jamest

    jamest Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    4
    Hi there

    I'm a long-time user of NOD32 and have never been infected before (I think!). I have been infected today and would appreciate any advice on how to ensure my computer is now clean.

    Today at 12:05 I got a NOD32 warning message about the file:

    "http://u8r.in/se/1.exe"

    which was identified as "a variant of the Win32/Waledac.KA trojan"

    I first opted to block this. But the message appeared twice again over the next 25 minutes and on both these occasions I chose the Terminate option.

    After the 3rd warning, I looked in my task manager and saw the process:

    wpv121248215369.exe

    I killed this process. Reading about something called trojan.bredolab, I discovered this exe file in the folder windows\temp and deleted it from there (the file was created at 12:05).

    I also found the file rncsys32.exe in my programs\startup group, although I am not sure if this has any connection. I deleted that too.

    I have rescanned my computer a couple of times and nothing was found.

    However, as NOD32 did not remove the infection, I am concerned it may reappear.

    How can I be sure this is gone?
    Also, if anyone knows how I got this, please let me know.

    Any advice greatly appreciated

    James
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Download an application such as MalwareBytes or SuperAntiSpyware and do a scan.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Maybe nothing was found because v2 detects fewer threats than v3/v4. Unless you use Windows 9x or have NOD32 for Exchange installed, I'd strongly suggest that you upgrade to v4.
     
  4. jjavierv17

    jjavierv17 Registered Member

    Joined:
    Jul 17, 2009
    Posts:
    7
    Location:
    Monagas, Venezuela
    Hi there! You can also use "Trojan Remover". It's not freeware, but it helps a lot when talking about Trojans. The current version is 6.7.9, I think. Bye ;-)
     
  5. jamest

    jamest Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    4
    Thanks for these suggestions.

    I have installed NOD32 v4 and rescanned but no threats were found.

    Prior to that, I installed SuperAntiSpyware and scanned - no threats.

    I also scanned with MalwareBytes. This found one infected file, also created at 12:05:
    c:\documents and settings\****\Application Data\wiaserva.log

    What bothers me is that, apart from this file found by Malwarebytes, all of the files/processes to be removed have been identified by me. This does not give me much confidence I am in the clear.

    Does anyone know what these threats are (rncsys32.exe, wpv[numbers].exe), how they got on my computer, and how I can be sure I'm rid of them?

    I have searched on the ESET website and cannot find any information.

    Kind regards

    James
     