Removing file infected with Trojan.Goldun

jamesashburton - Welcome to the Board

Download HijackThis through Quicklinks in my signature, save it to a folder on your hard drive, say C:\HJT - not to the Desktop or a temporary location. Boot into Safe Mode and run HJT and post the log here.

 

Trojan.Goldun is a backdoor trojan that steals passwords. After it has been cleaned out, change your passwords at these sites if you use them:
1. online banking
2. stock or investment sites
3. any other sites where you use a password

 

Aaaaaaaaaron - Welcome to the Board

Reboot into Safe Mode and scan again with HJT. Place a checkmark against these entries and hit 'Fix Selected' ....

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: directpt - C:\WINDOWS\SYSTEM32\directpt.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Stay in Safe mode and navigate to C:\WINDOWS\SYSTEM32 and delete directpt.dll

Reboot and post another HJT log which I will look at in the morning.

Take careful note of TonyT's comments about passwords in post #3

 

OK, reboot into Safe Mode ....

Click Start > Run and copy/paste this line into the run box and press Enter ....

regsvr32 /u C:\WINDOWS\SYSTEM32\directpt.dll

If you type it in note the space btween the 2 and the forward slash and again between the u and C.

Scan with HJT and check this line and Fix Selected.

Stay in Safe mode and navigate to C:\WINDOWS\SYSTEM32 and delete directpt.dll

Reboot into Normal Mode, scan again with HJT and post the log.

 

Time for brute force

Download and install MoveOnBoot. It will add a new menu item to the right click menu when you right click on a file.

Navigate to C:\WINDOWS\SYSTEM32 and right click on directpt.dll and select 'Delete file(s) at next boot'.

Reboot and see if it is gone.

 

Well, if you found it before you should be able to find it again, if it is there Safe mode is no different from normal mode in this respect. Presumably you had the view menu set as before - as a check go to the View menu and uncheck 'Hide protected operating system files' and look again.

Post another HJT log and we'll see if the critter is still there.

 

OK - you are getting there - the file has gone.

Scan again with HJT and put a checkmark against this entry ....

O20 - Winlogon Notify: directpt - directpt.dll (file missing)

Reboot, scan again, post the log and hopefully that will be the end of it

 

Your log looks clean to my eye - you're 'good to go'

Turn off System Restore to clear your restore points which may contain the infection, reboot and turn on System Restore.