TrojanSpy.Goldun --- Format=Cure?

1234

Hello,

I have XP SP2 on an HP machine. I've been wanting to wipe it clean and
restore to original configuration, just haven't gotten to it. Yesterday
Ad-Aware found a list of items associated with WIN32.TrojanSpy.Goldun
(Folder, Regkeys, RegValues, File C:\info.exe).

My first instinct had me gathering removal information. My next thought
was -- maybe this was a perfect time to format and restore.

My question is this: Will Formatting and performing a Restore or Recovery to
factory settings wipe the Trojan as well? If not, what else would be
needed? Seems like a waste of time to attack and remove the intruder if it
will die in the formatting process anyway.

I've been using a different machine to change any passwords used on the
infected one so none of them will be vulnerable. Is there anything else I
should be thinking of?

Thanks for any thoughts. I'm out of my area here.
Ellen
 
David H. Lipman

From: "1234" <1234@calm.com>

| Hello,
|
| I have XP SP2 on an HP machine. I've been wanting to wipe it clean and
| restore to original configuration, just haven't gotten to it. Yesterday
| Ad-Aware found a list of items associated with WIN32.TrojanSpy.Goldun
| (Folder, Regkeys, RegValues, File C:\info.exe).
|
| My first instinct had me gathering removal information. My next thought
| was -- maybe this was a perfect time to format and restore.
|
| My question is this: Will Formatting and performing a Restore or Recovery to
| factory settings wipe the Trojan as well? If not, what else would be
| needed? Seems like a waste of time to attack and remove the intruder if it
| will die in the formatting process anyway.
|
| I've been using a different machine to change any passwords used on the
| infected one so none of them will be vulnerable. Is there anything else I
| should be thinking of?
|
| Thanks for any thoughts. I'm out of my area here.
| Ellen
|

If you were prepared to wipe the PC, go for it.
Wiping the PC (format & restore) will definitely remove this Trojan.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
1234

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:eKj6x9YVIHA.3400@TK2MSFTNGP03.phx.gbl...
> If you were prepared to wipe the PC, go for it.
> Wiping the PC (format & restore) will definitely remove this Trojan.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>


That is good news!

A couple of the registry lines contain ACRORD32INFO.EXE. Does the ACRORD
say that it came with Adobe Reader, or that it's just imposed itself on that
Adobe entry? Others "flashcft" but I could not find the term anywhere in
English.

Lavasoft's Ad-Aware detected this Trojan. Is Ad-Aware a thorough remover?

Thanks very much for your help.
Ellen
 
Kayman

On Sun, 13 Jan 2008 00:13:45 -0800, 1234 wrote:

>
> That is good news!
>
> A couple of the registry lines contain ACRORD32INFO.EXE. Does the ACRORD
> say that it came with Adobe Reader, or that it's just imposed itself on that
> Adobe entry? Others "flashcft" but I could not find the term anywhere in
> English.


http://www.google.com/search?client=opera&rls=en&q=ACRORD&sourceid=opera&ie=utf-8&oe=utf-8

> Lavasoft's Ad-Aware detected this Trojan. Is Ad-Aware a thorough remover?


No, it is not. Multi-AV is a superior tool. But 'wiping' HDD is a
preferred course of action.
 
1234

"Kayman" <kayman@operamail.com> wrote in message
news:sxiwe0bs78z5$.vqu1kagir9pb.dlg@40tude.net...
> On Sun, 13 Jan 2008 00:13:45 -0800, 1234 wrote:
>
>>
>> That is good news!
>>
>> A couple of the registry lines contain ACRORD32INFO.EXE. Does the ACRORD
>> say that it came with Adobe Reader, or that it's just imposed itself on that
>> Adobe entry? Others "flashcft" but I could not find the term anywhere in
>> English.

>
> http://www.google.com/search?client=opera&rls=en&q=ACRORD&sourceid=opera&ie=utf-8&oe=utf-8
>
>> Lavasoft's Ad-Aware detected this Trojan. Is Ad-Aware a thorough remover?

>
> No, it is not. Multi-AV is a superior tool. But 'wiping' HDD is a
> preferred course of action.


Thanks for the link. I had looked it up earlier, seems like a legitimate
part of a troublesome program. I'm still not sure if Adobe is the source of
the Trojan, or the way the Trojan is expressing itself (did I say that
right?). Just a curiosity.

More important to me: If I save Favorites, Mail Settings, Mail, Address
Books, etc., from the infected machine to a CD, in order to use them in the
"new" install, could they in any way "carry" the Trojan information and
reinfect? Seems like it's advised to save important data before killing the
Trojan -- I just want to know if any of the saved treasures (including
documents, spreadsheets, registry settings....) could be potentially
harmful.

Thanks so much for your help!
Ellen
 
David H. Lipman

From: "1234" <1234@calm.com>


|
| Thanks for the link. I had looked it up earlier, seems like a legitimate
| part of a troublesome program. I'm still not sure if Adobe is the source of
| the Trojan, or the way the Trojan is expressing itself (did I say that
| right?). Just a curiosity.
|
| More important to me: If I save Favorites, Mail Settings, Mail, Address
| Books, etc., from the infected machine to a CD, in order to use them in the
| "new" install, could they in any way "carry" the Trojan information and
| reinfect? Seems like it's advised to save important data before killing the
| Trojan -- I just want to know if any of the saved treasures (including
| documents, spreadsheets, registry settings....) could be potentially
| harmful.
|
| Thanks so much for your help!
| Ellen
|

Ellen:

Adobe is NOT the source of any Trojan. Names of malware files often use names similar to or
the actual names of legitimate files to obfuscate their malicious intent.

If you copy data specific locations, the Trojan will not be carried over. If you copy parts
of the OS, TEMP, IE TIF, etc., then your action may increase the chance of transferring the
Trojan.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
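
Added example, not part of the original thread or any poster's code: a pre-wipe backup planner that applies the two points in the reply above, skipping OS/TEMP/IE-cache folders and refusing files that are executable by extension or by content behind a document-like name. The folder names, extension list, and sample tree are assumptions constructed for illustration.

```python
from pathlib import Path
import tempfile

# Folder names the reply warns against copying (assumed XP-style names).
RISKY_DIRS = {"windows", "temp", "temporary internet files"}
# Assumed, non-exhaustive list of extensions Windows will execute or load.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".sys"}

def classify(root, path):
    """Return (verdict, reason) for one file under the backup source root."""
    rel = path.relative_to(root)
    if any(part.lower() in RISKY_DIRS for part in rel.parts[:-1]):
        return "skip", "inside OS/TEMP/cache folder"
    if rel.suffix.lower() in EXECUTABLE_EXTS:
        return "skip", "executable file type"
    with path.open("rb") as fh:
        if fh.read(2) == b"MZ":  # DOS/PE header hiding behind a data-looking name
            return "skip", "executable content under a data extension"
    return "copy", "user data"

def plan_backup(root):
    """Map every file's relative path to its (verdict, reason)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): classify(root, p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def build_sample_profile(root):
    """Write a constructed sample tree standing in for a user profile."""
    samples = {
        "Favorites/bank.url": b"[InternetShortcut]\nURL=https://example.com/\n",
        "My Documents/budget.xls": b"\xd0\xcf\x11\xe0constructed",
        "My Documents/invoice.doc": b"MZ\x90\x00constructed",
        "Local Settings/Temp/setup.tmp": b"constructed",
        "Local Settings/Temporary Internet Files/a.htm": b"<html></html>",
        "info.exe": b"MZ\x90\x00constructed",
    }
    for rel, data in samples.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        for rel, (verdict, reason) in plan_backup(tmp).items():
            print(f"{verdict:4}  {rel}  ({reason})")
```

A "copy" verdict only means the file passed these three checks; scanning the saved CD from the clean install remains a sensible second step.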
 
1234

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23BZmXxgVIHA.4140@TK2MSFTNGP04.phx.gbl...
> Ellen:
>
> Adobe is NOT the source of any Trojan. Names of malware files often use names similar to or
> the actual names of legitimate files to obfuscate their malicious intent.
>
> If you copy data specific locations, the Trojan will not be carried over. If you copy parts
> of the OS, TEMP, IE TIF, etc., then your action may increase the chance of transferring the
> Trojan.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>


Thank you, Dave. I can rest now.

Another moment of being eternally grateful for newsgroup folks.

Ellen
 
