Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Goldun.ik Trojan?


  • Please log in to reply
8 replies to this topic

#1 SirSpewkusGoodGrains

SirSpewkusGoodGrains

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 08 November 2007 - 09:39 PM

Hi everyone, I just downloaded and ran Spyware Doctor and it says that I am infected with the Goldun.ik trojan. I have Ad-Aware and it didn't find it, but I dont want to buy Spyware Doctor so how can i get rid of it? Thanks

BC AdBot (Login to Remove)

 


#2 buddy215

buddy215

  • Moderator
  • 13,102 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:07:08 PM

Posted 08 November 2007 - 10:09 PM

Are you having any symptoms such as your computer emailing out massive amounts of spam? Are you getting a lot of popups?
Use the two programs below to confirm Spyware Doctor's finding. They are free and will remove what they find.

Install Super Antispyware free. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

Please let us know the results.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 SirSpewkusGoodGrains

SirSpewkusGoodGrains
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 08 November 2007 - 10:30 PM

I don't know what it email's out but I dont think so, and no I don't have any popups. I tried Bit Defender and it wouldn't load because I have service pack 2, so I installed the active x control and it still wouldn't work. Firefox is my default browser not IE maybe thats why? The other one, Super Antispyware free is still downloading.....I have dial-up. I also have hijackthis and it shows two startup entries for winlogon.exe. Thanks for helping me and I'll post again as soon as I run that program.

SirSpewkusGoodGrainsFreshChiquities

#4 buddy215

buddy215

  • Moderator
  • 13,102 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:07:08 PM

Posted 09 November 2007 - 05:40 AM

The winlogon.exe file is located in the C:\Windows\System32 folder. In other cases, winlogon.exe is a virus, spyware, trojan or worm!
You should be able to use Internet Explorer Browser to allow ActiveX needed to run the Bit Defender Online Scan. I think that would be the quickest since you have dialup.

If you have a problem with IE and can't get the activeX, you can use Trend Micro's Housecall in Firefox if you have the Java plugin.
http://housecall.trendmicro.com/
Important Notes about HouseCall 6.5
HouseCall 6.5 has two independent Core Engines to choose from:

The ActiveX Core Engine: to use this engine, please adjust here the IE browser’s Security level to Medium at least and be sure that signed ActiveX objects are enabled.

The Java VM Core Engine- to use this engine, please install the Java VM from www.java.com.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,287 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:08 PM

Posted 09 November 2007 - 11:38 AM

What is the specific file name associated with Goldun.ik trojan and where is it located?

You may have a Goldun/Haxdoor backdoor trojan infection. It uses an advanced kernel-mode rootkit that injects its hooks to the user-mode from the kernel and allows a remote attacker to gain access to and control a computer. Haxdoor compromises system integrity by making changes to the system that allow it to steal usernames and passwords.

I suggest you post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 SirSpewkusGoodGrains

SirSpewkusGoodGrains
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 10 November 2007 - 12:33 AM

I ran the super anti spyware and it didn't find anything. When I ran the task manager two winlogon.exe's were running so I ended the one and then went and deleted the file then I used regedit to delete the nvchost folder. I dont see it running anymore do you think I got it?

#7 SirSpewkusGoodGrains

SirSpewkusGoodGrains
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 10 November 2007 - 12:35 AM

Do you still want the hijack this log?

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,287 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:08 PM

Posted 10 November 2007 - 07:37 AM

If you were successfully able to remove the offending file and registry entry and are not having any more problems, then you don't need to post a log.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recent Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 SirSpewkusGoodGrains

SirSpewkusGoodGrains
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 12 November 2007 - 02:45 AM

I don't think I got rid of it. I used find in the registry and searched for "nvchost" and it moved to
HKEY_USERS\s-1-5-21-1659004503-167712843-1957994488-1003\Software\Microsoft\SearchAssistant\ACMru\5603

the data was nvchost and A0011095.exe. The A0011095.exe file was found as a keylogger by Spyware Doctor.

Then I ran Registry Repair Pro and it found the file winlogon.exe in the folder C:\WINDOWS\$NtServicePackUninstall$. I tried to delete winlogon.exe by sending it to the recycle bin. Windows Registry Repair Pro wanted to correct it but I didn't let it. Then I ran it again then it said the file winlogon.exe was in C:\WINDOWS\ServicePackFiles\i386\winlogon.exe. So I didn't delete it from the recycle bin I just restored it. I than ran Windows Registry Pro again, and winlogon.exe went back to C:\WINDOWS\$NtServicePackUninstall$. This is what it wanted to do but I didn't let it.

Key: "SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nvchost"
File not found(C:\WINDOWS\winlogon.exe)
Correction : [1]C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
Correction : [2]Remove invalid substring "C:\WINDOWS\winlogon.exe"
Correction : [3]C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
Correction : [4]C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
Correction : [5]C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\winlogon.exe is where the file originally was when I deleted it, and the nvchost folder in the registry. I dont see two winlogon.exe's running in the task manager anymore, could I have broke it? What does this virus do? can you tell me more about it? Thank you guys soo much for helping :thumbsup:


btw, winlogon.exe is 504kb (372kb size on disk) if that helps.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users