Author Topic: Win 32:Goldun-CE (Tri)  (Read 4086 times)


John B

  • Guest
Win 32:Goldun-CE (Tri)
« on: May 27, 2006, 09:17:59 AM »
Hi,
Can anyone give me help in getting rid of the above worm? Does anyone have info about it? Avast picked it up and moved it to the chest. Thanks
John

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34049
  • malware fighter
Re: Win 32:Goldun-CE (Tri)
« Reply #1 on: May 27, 2006, 12:40:53 PM »
Hi John B,

Here is the description of this trojan:
http://www.avira.com/en/threats/section/fulldetails/id_vir/1739/tr_spy.goldun.hw.html
If the trojan has been moved to the chest, it cannot do any harm there; after some time you can safely remove it from there.
With the description given you can check to see if there are no traces left. Before checking your registry, make sure you back it up, just check, make no alterations there. There is no need.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

John B

  • Guest
Re: Win 32:Goldun-CE (Tri)
« Reply #2 on: May 29, 2006, 02:30:14 PM »
Thanks Polonus, I have a much more severe problem now, my daughter went onto Brooke Frazer website and unfortunately downloaded some nasties. Avast identified the following trojans when she was online: Win32-small-TZ, Win32-LagerQ, Win32:cws-C. Now my PC can connect online but cannot access my email (Outlook Express) or access any websites (Internet Explorer).
I am using an old laptop at the moment.
Any ideas to get rid of the nasties???
Also on my tool bar I have got a red circle with white cross, and a prompt comes up and says Warning your computer is probably infected. Microsoft Corporation recommends you to check your computer in the spyware presents.Click here to download updates. Is this valid or part of a virus?
I have run AdAware and Spybot with the latest updates on Sunday, they showed some stuff and cleaned it but I still have the above problem.
Thanks for any help.
John

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win 32:Goldun-CE (Tri)
« Reply #3 on: May 29, 2006, 04:56:28 PM »
Hi John B,

The warnings you are getting are not from Windows - they are part of a rogue anti-spyware hoax scam.

You need to download this tool and use as instructed on the page:

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

I would also recommend CWShredder as I suspect Win32:cws-C may well be part of the CoolWebSearch infection.

http://www.intermute.com/spysubtract/cwshredder_download.html

Follow this with a scan with Ewido anti-malware scanner:

http://www.ewido.net/en/

Finally run both Ad-Aware and Spybot again in safe mode.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Spiritsongs

  • Guest
Re: Win 32:Goldun-CE (Tri)
« Reply #4 on: May 29, 2006, 07:12:58 PM »
 :)  Hi John B :

     IF you would like an Expert to personally guide you thru
     the removal "process", I recommend you post on the
    "unofficial" Ad-Aware forums at www.landzdown.com .

John B

  • Guest
Re: Win 32:Goldun-CE (Tri)
« Reply #5 on: June 03, 2006, 12:04:51 PM »
Thanks, it looks like I have got rid of the smitfraud stuff and the other stuff Avast picked up.
When I scanned with Ewido it came up with Proxy.Xorpixu in my C:\documents and settings. Should I be worried about this???

I have also been getting messages on the bottom tool bar like the following: "Network shield blocked Lsass Dcom exploit (sxp) attack from 203109.176..."
Should I be worried about this???

Thanks John

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win 32:Goldun-CE (Tri)
« Reply #6 on: June 03, 2006, 12:27:26 PM »
Trojan-Proxy.Win32.Xorpix.u is certainly a nasty and you should allow Ewido to delete it:

http://www.sophos.com/virusinfo/analyses/trojxorpixe.html

Quote
I have also been getting messages on the bottom tool bar like the following: "Network shield blocked Lsass Dcom exploit (sxp) attack from 203109.176..."
Should I be worried about this???

If you don't have a firewall running, yes. I suggest you install a free third-party firewall: Zone Alarm free is the most user-friendly, closely followed by Sunbelt/Kerio. A good firewall should block this sort of attack before network shield sees it, so after you install the firewall, you shouldn't get the warning any more.

You should also visit Microsoft Update and download all critical updates, so that your computer won't be vulnerable to this sort of exploit.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34049
  • malware fighter
Re: Win 32:Goldun-CE (Tri)
« Reply #7 on: June 03, 2006, 02:05:20 PM »
Hi John B,

Especially read the last line in FwF's reply. I did not see your hjt log, and I am no clairvoyant, but from the infection(s) I grasp that you haven't updated to SP2. Read this: http://forums.spybot.info/showthread.php?t=425
But mind you, you are only allowed to upgrade to XP SP2 when your comp is absolutely malware free. If you seek help in a forum, always mention your OS, and the browser you use. IE is so deeply embedded into the Windoze OS, that when you are keeping your OS patched fully, this also helps keep your browser secure. If you consider alternate browsing, or in-browser security, you can read about that topic also in our informative forum here.

Surf safe, and stay secure is the wish of,

polonus

