questions about gdiwxp.dll

Posted by sean on December 23, 2005, 2:24 am
recently I've been getting involved in investment programs online using
e-gold. I haven't started anything nor have I had any funds in my
e-gold acct.

not long after opening my accts with e-gold, sending a few emails to
some investment program admins, I have experienced a strange thing. I
noticed a few odd connections to my computer from MIT computer lab then
not long after that another connection from Stanford computer lab. I
made a mistake in not writing down the IPs. (I used netmon 1.55 by
Johan Samuelson on Windows ME 800 MHz eMachine)

From then onward, I would notice a small window pop up whenever I start
my e-gold webpage. then it would immediately disappear. I didn't think
much of it, until I couldn't get back into my e-gold acct.

then I got paranoid and in my panic I did some research, and
discovered I had a dll named gdiwxp.dll as well as gdiw2k.sys. I did
manage to get rid of it. My guess is that I may have irritated a
scammer admin of a fake investment program through email due
diligence. then he may have uploaded the trojans... I'm not sure.

http://www.talkgold.com/forum/r48299-.html has more information.

it is apparently a trojan specifically designed to steal e-gold acct
information and it's been spreading from autosurf programs.
(presumably)

now my question is what type of information is it supposed to gather?
keystrokes? or all information entered into the password box regardless of
how it is entered (typing it in, copying and pasting, using a virtual
keyboard or using the srk keyboard which is e-gold's implementation of a
virtual keyboard)

do you guys have access to this trojan? if so can you perhaps go over
what it's supposed to do?

lastly, is there a specialized Microsoft security related issues forum?

thanks all for any information.

sean




Posted by Malke on December 23, 2005, 7:55 am
sean wrote:

> recently I've been getting involved in investment programs online using
> e-gold. I haven't started anything nor have I had any funds in my
> e-gold acct.
>
> not long after opening my accts with e-gold, sending a few emails to
> some investment program admins, I have experienced a strange thing.
> I noticed a few odd connections to my computer from MIT computer lab
> then not long after that another connection from Stanford computer
> lab. I made a mistake in not writing down the IPs. (I used netmon
> 1.55 by Johan Samuelson on Windows ME 800 MHz eMachine). From then
> onward, I would notice a small window pop up whenever I start my
> e-gold webpage. then it would immediately disappear. I didn't think
> much of it, until I couldn't get back into my e-gold acct.
>
> then I got paranoid and in my panic I did some research, and
> discovered I had a dll named gdiwxp.dll as well as gdiw2k.sys. I did
> manage to get rid of it. My guess is that I may have irritated a
> scammer admin of a fake investment program through email due
> diligence. then he may have uploaded the trojans... I'm not sure.
>
> http://www.talkgold.com/forum/r48299-.html has more information.
>
> it is apparently a trojan specifically designed to steal e-gold acct
> information and it's been spreading from autosurf programs.
> (presumably)
>
> now my question is what type of information is it supposed to gather?
> keystrokes? or all information entered into the password box regardless of
> how it is entered (typing it in, copying and pasting, using a virtual
> keyboard or using the srk keyboard which is e-gold's implementation of a
> virtual keyboard)

> lastly, is there a specialized Microsoft security related issues
> forum?

What name did your antivirus program give the trojan? What antivirus are
you running - please include its version and whether your subscription
is active and virus definitions are current. If you kept copies of the
files, you could send them to VirusTotal to find out more.

http://www.virustotal.com/flash/index_en.html

If you don't have a full-featured av installed, you need to get one
immediately. First scan with either Sysclean or Dave Lipman's Multi-AV.
Then install your new av, update it, and do a thorough scan in Safe
Mode. Finish up your housecleaning by scanning for non-viral malware.
Since you are running WinME, you should also have a third-party
firewall installed.

http://www.elephantboycomputers.com/page2.html#TrendMicros_Sysclean
http://www.ik-cs.com/multi-av.htm - how to use Dave Lipman's Multi-AV
http://www.ik-cs.com/programs/virtools/Multi_AV.exe - Multi-AV download
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Without knowing the name of the trojan, we can't answer your question
about what information it collects. However, you should definitely
assume the worst and change all your passwords. As for an MS security
newsgroup, here is a list of all the MS newsgroups so you can find what
you need: http://aumha.org/nntp.htm

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
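One way to do what Malke suggests with any copies you kept: record each file's hashes and size so it can be looked up on VirusTotal (or any scanner's database) without guessing from the name. This is an added example, not code from the thread; the file names are the two sean reports, the file contents are constructed, and the `triage` helper is hypothetical.

```python
"""Hash kept copies of suspect files for an antivirus/VirusTotal lookup."""
import hashlib
import os
from typing import Dict, List

# The two file names reported in the thread (constructed list for this example).
SUSPECT_NAMES = {"gdiwxp.dll", "gdiw2k.sys"}


def hash_file(path: str) -> Dict[str, str]:
    """Return MD5 and SHA-256 of a file, read in chunks so large files are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def triage(paths: List[str]) -> List[dict]:
    """Build one record per path: hashes, size and whether the name is a known suspect.

    A file that is already gone (sean deleted his copies) is recorded as
    'missing' instead of aborting, so the remaining hashes can still be reported.
    """
    report = []
    for path in paths:
        name = os.path.basename(path).lower()
        record = {"path": path, "suspect_name": name in SUSPECT_NAMES}
        if not os.path.isfile(path):
            record["status"] = "missing"
        else:
            record.update(hash_file(path))
            record["size"] = os.path.getsize(path)
            record["status"] = "hashed"
        report.append(record)
    return report


if __name__ == "__main__":
    import tempfile
    tmp = tempfile.mkdtemp()
    sample = os.path.join(tmp, "gdiwxp.dll")          # constructed sample, not the real file
    with open(sample, "wb") as fh:
        fh.write(b"constructed sample, not the real file")
    for rec in triage([sample, os.path.join(tmp, "gdiw2k.sys")]):
        print(rec)
```

The hashes in the report are what you paste into a scanner's lookup form; no file has to leave the machine for that.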

Posted by sean on December 24, 2005, 12:42 am

"Malke" wrote:

> What name did your antivirus program give the trojan? What antivirus are
> you running - please include its version and whether your subscription
> is active and virus definitions are current. If you kept copies of the
> files, you could send them to VirusTotal to find out more.
>

I did a file search using find file in Windows. I didn't use any antivirus
program at the time. now I have adware, spybot search and destroy, avast
antiviral, and the new freeware version of zonealarm 6.1737.

http://www.talkgold.com/forum/r50332-.html

said the file name is Trojan-Spy.Win32.Goldun.fu

I'm not sure if it's correct


> http://www.virustotal.com/flash/index_en.html
>
> If you don't have a full-featured av installed, you need to get one
> immediately. First scan with either Sysclean or Dave Lipman's Multi-AV.
> Then install your new av, update it, and do a thorough scan in Safe
> Mode. Finish up your housecleaning by scanning for non-viral malware.
> Since you are running WinME, you should also have a third-party
> firewall installed.
>

is Lipman's Multi-AV better than the avast antiviral program?


> http://www.elephantboycomputers.com/page2.html#TrendMicros_Sysclean
> http://www.ik-cs.com/multi-av.htm - how to use Dave Lipman's Multi-AV
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe - Multi-AV download
> http://www.elephantboycomputers.com/page2.html#Removing_Malware


I'll check these out.

> Without knowing the name of the trojan, we can't answer your question
> about what information it collects. However, you should definitely
> assume the worst and change all your passwords. As for an MS security
> newsgroup, here is a list of all the MS newsgroups so you can find what
> you need: http://aumha.org/nntp.htm

Trojan-Spy.Win32.Goldun.fu may be the name... but the files that it deposits
are gdiwxp.dll and gdiw2k.sys

thanks for any further information.

>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
>

Posted by David H. Lipman on December 24, 2005, 9:33 am

| I did a file search using find file in Windows. I didn't use any antivirus
| program at the time. now I have adware, spybot search and destroy, avast
| antiviral, and the new freeware version of zonealarm 6.1737.
|
| http://www.talkgold.com/forum/r50332-.html
|
| said the file name is Trojan-Spy.Win32.Goldun.fu
|
| I'm not sure if it's correct
|

Did you submit the DLL to Virus Total as requested? If you had done so, you
would know if it is a Trojan or not and what AV software recognizes it.

As for my Multi AV Scanning Tool, it has the scanners of McAfee, Sophos, Trend
Micro and Kaspersky and is only an "On Demand" scanner unlike Avast which is
both an "On Demand" and "On Access" scanner. One needs to have a full time AV
application running in "On Access" scanning to prevent infections. However, if
one slips by them one may have to use alternate AV scanners to remove it. Ergo,
the use of my tool.

Lastly if you do have Avast and you use the Multi AV Scanning Tool, disable
Avast prior to running the Trend Micro module. There is a known False Positive
declaration by Avast of VBS/RedLof on the Trend Micro Sysclean utility.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Malke on December 24, 2005, 9:34 am
sean wrote:

See my answers inline.

>
> I did a file search using find file in Windows. I didn't use any
> antivirus program at the time. now I have adware, spybot search and
> destroy, avast antiviral, and the new freeware version of zonealarm
> 6.1737.
>
> http://www.talkgold.com/forum/r50332-.html said the file name is
> Trojan-Spy.Win32.Goldun.fu

Googling for Trojan-Spy.Win32.Goldun.fu brings me some pages in Korean
which sadly I can't read. It also is listed on Kaspersky AV's French
page as one of the trojans Kaspersky detects. There are no details
about what it does, but honestly it really doesn't matter. You should
assume that your passwords are compromised and make sure the rest of
your machine is clean. Many trojans collect passwords and any other
information that looks juicy like Social Security Numbers, strings of
numbers that might be bank accounts, etc. Many trojans also download
more malware onto your computer.

> is Lipman's Multi-AV better than the avast antiviral program?

Multi-AV and TrendMicro's Sysclean are *first-line* antivirus tools, not
full-featured antivirus programs. They are used to first get your
computer into a cleanish state because a lot of viruses and non-viral
malware will disable/break your installed av (which you didn't have
anyway) and/or make it impossible to install a full-featured av. You
clean up the computer with one of those tools first in order to install
the full-featured av, update it, and then scan with it in Safe Mode.
Avast is better than nothing, but I do think you get better results
with a paid-for av. Some good ones are Kaspersky, NOD32, and I use
F-Prot on my Windows machines. However, I have put the free Avast on
clients' machines when they didn't want to buy an antivirus program.

> Trojan-Spy.Win32.Goldun.fu maybe the name... but the files that it
> deposits are gdiwxp.dll and gdiw2k.sys

Googling for gdiwxp.dll and gdiw2k.sys doesn't bring any links, but that
isn't surprising. Many virus/malware programs create randomized names
for their files. In fact, when you *don't* get any Google links for a
filename there is a high possibility of the file being malware - not 100%
certain of course, but a good chance.

You need to ensure your machine is 100% virus/malware-free and then it
would be very smart to change your passwords for email, online banking,
and any other websites where you must log in.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
