Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Trojan.goldun - Am I Still Infected?

  • Please log in to reply
2 replies to this topic

#1 Edutilos


  • Members
  • 2 posts
  • Local time:10:46 AM

Posted 21 March 2006 - 05:07 PM

So, yeah...This other day, I'm just strolling along, and BAM! Here comes this virus and hits me over the head. It was called Trojan.Goldun. :thumbsup: I run spysweeper full-time, and have my little linksys router firewalling me as well, and that was enough to tell that I was in trouble. I ran all the normals through spysweeper, it found quite a few, goldun included, allegedly removed them all, and there you have it, end of story.
THEN - Spysweeper kept popping up its www shield saying it was blocking access to url " " with no listing as to what url it was blocking, which is odd. Normally I almost never even see a message from SS, but when I do, it at least tells me WHAT its blocking, not this time. So I ran another sweep, just to double-check, and it comes up with troj.backdoor.goldun once again. Now recognizing that I need additional help beyond that of SS, I check google for methods of killing Goldun.
Enter X-Cleaner. <Insert ominous sounding theme music here>
X-Cleaner runs at startup, catches a few trojans that SS did not, such as Zlob, and never says a word about goldun, even though after that, SS no longer detects goldun either! So now I'm thinking that X-Cleaner did the job, but just to be sure, I scan with both SS and X, then reboot in safe mode after turning off system restore, and scan once again with both, and then restart windows to allow SS to scan memory, and then yet again load into windows normally and scan with both again. No evidence at ALL. Everything seems to be fine!

Now to the root of my concern. Ever since this incident, I notice that there is a lot of Internet/computer activity going on on my router lights. I have a server and 2 gaming rigs set up, and the possibly infected rig is constantly flashing on the router as if I'm in the middle of a game of World of Warcraft, even when sitting idle, while the other 2 machines are just doing their normal random hits. I log my url activity through my router, and it shows 20-30 different outgoing ip address hits every couple seconds, most of them smtp, and ALL from my infected rig.
I'm pretty sure there is still something going on, and Goldun has me worried because I do some of my banking online and I know that is one of its target goals. I'm not sure what else to do, this could all be my imagination, I'm sure...but I would really love it if anyone could give me any good methods to be more confident that I am no longer infected or clean any remaining infections.

Now then, I am your clay o wise masters of bleeping computer.com! Mold me into a virus eating machine! Teach me the ways of light so I may fight back against the evils or vir...you get the idea. ;)


BC AdBot (Login to Remove)


#2 Edutilos

  • Topic Starter

  • Members
  • 2 posts
  • Local time:10:46 AM

Posted 21 March 2006 - 05:18 PM

I'm also having some regular blockage with my internet suddenly, where it will say This page cannot be displayed, click here to detect your network settings and blah blah blah...I hate that screen almost as much as the blue one.

This does not go away until I unplug my router for a few seconds. Also a new development upon getting Goldun that did not go away like it shoulda...:thumbsup:

Oh yeah, some background information might help ya'll out a bit...

Windows XP Professional
Latest version of Spysweeper
Athlon 2600+
512 RAM
GForce 6200
Pretty blue lights
Cup of coffee
Partridge in a pear tree

Thats all my stuff!

#3 -David-


  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:03:46 PM

Posted 22 March 2006 - 10:12 AM

Heya Edutilos

Let's start by running one more scanner to make sure that the goldun infection is all gone. I see that Ewido does a good job of removing the infection in safe mode:

C:\WINDOWS\system32\vxvgfv.sys Infected: Trojan-Spy.Win32.Goldun.hu Cleaned with Backup

Please download Ewido anti-malware ; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

* Open Ewido anti-malware
Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido
Please reboot back to normal mode and post the log that was created.
We can move on from there.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users