Trojan Vundo


newbie2247
January 24th, 2008, 09:39 PM
Yesterday I used a free spyware scanner just on a lark to see if this ESET Smart Security version 3.0.621 that I have is all that it's been trumped up to be. Since I've had it, it has yet to find one single thing, not even a tracking cookie which I get every day, all day long.

Lo and behold, the scanner found trojan.vundo. I didn't know what to do (never thought of submitting it to ESET nor do I know how to do that - using another product on top of that) so I went to Google and they had a removal tool for it and that worked out well. ESET claims that they detect and destroy trojans among many other things. Boy am I ticked off at them.

Now, I don't know where I stand with this expensive suite. I don't know how I'm going to keep on top of trojans and how I'm going to get rid of the 5 million tracking cookies I must have by now as I am a heavy surfer of the 'Net.

Right now, I am using Windows Defender and the ESET suite. By right, that should be enough considering all the dollars involved here.

I have an HP Pavilion with Vista Premium Home Ed. It came with a kabillion programs running so it's probably about to have a melt-down any minute.

Open to any and all suggestions. Can post here or email me. No preference.

How am I going to clean out all my tracking cookies? I had Trend Micro do it with my XP. I assumed that ESET was going to do it with this one. Silly me.

Thank you and hope there's help out there for me. :-\

Marcos
January 25th, 2008, 01:13 AM
Please download and run ESET SysInspector (http://download.eset.com/download/sysinspector/32/ENU/SysInspector.exe), save the log as zip and send it to support[at]eset.com with this thread's url in the subject.

solcroft
January 25th, 2008, 01:23 AM
-{ Quote: "How am I going to clean out all my tracking cookies?" }-
...

Have you tried clearing them from your browser options window?

newbie2247
January 25th, 2008, 11:31 AM
Not sure what you mean. How do I do that please?

I have gone to Internet Options, Browsing History and clicked on Delete Cookies and Temporary Internet Files. I do that ALL the time. Is that what you mean? If so, does that delete them as well as regular cookies? I sure hope so but am not getting my hopes up on that.

I'd love to know if ESET (nod32) also deletes them. Does anyone know the answer to that please? :-\

I also have my Advanced Privacy Settings set to block third party cookies - whatever those are. I read somewhere to do that.

Well, I have more bad news about ESET Smart Security to report, those brats. :dry:

I used a freebie scanner again and guess what it picked up? "Heuristic.Dialer.RAS". Isn't that just peachy? Now what am I supposed to do with that? ESET has yet to find one single thing since I've been using it. Nothing. And I have it all set to the highest and tightest settings. Yet the freebies are finding Trojans and Dialers. Go figure. ???

I really don't know what to do now. Since these are freebies, is there a way you can submit this stuff to ESET along with a scathing letter, LOL? I can't imagine how to submit a file of a quarantined piece of malware from another program directly to ESET if it's not their scan that found it. ???

What a useless product and a huge wasted loss of big bucks. If I wasn't on a modest fixed income I probably would be a tad less enraged. I apologize for my anger. Going to take a deep breath and stop venting. :'(

I sure have some conundrum on my hands here and don't know which way to turn. Not a good position to be in with a brand new computer. :wacko:

solcroft
January 25th, 2008, 11:37 AM
-{ Quote: "I have gone to Internet Options, Browsing History and clicked on Delete Cookies and Temporary Internet Files. I do that ALL the time. Is that what you mean? If so, does that delete them as well as regular cookies? I sure hope so but am not getting my hopes up on that." }-
Is there any particular reason you think it won't?

Just for good measure, use something like CCleaner (www.ccleaner.com) that removes index.dat files as well.

Wake2
January 25th, 2008, 12:23 PM
Hi newbie2247,

I was curious about these free spyware scanners that you ran
what were the names of these programs ?

Regards,

Wake

YeOldeStonecat
January 25th, 2008, 01:37 PM
Some of the new Vundo variants...as well as Smitfraud/SpyFalcon, are a real pain to clean up once they hit your system. It doesn't matter which antivirus you run....NOD32...or even Kaspersky...some of the latest variants stay ahead and can sneak into the system. I've dealt with a few Smitfraud and Vundo variants which have made it past NOD32....even just last week at a car wash client we have. There are some good removal instructions and tools at bleepingcomputers....if you Google them. SDFix.exe is what cleans up the latest Smitfraud variant I ran across last week quite well, as well as throwing a few other tools at it before I ran SDFix...such as a TCP/Winsock repair utility, CCleaner, AVG AS, SuperAntispyware, Spybot S&D, NOD scan, and manual inspection of the registry. It was still there after running all of those except SDFix...SDFix finally got rid of the remains and the system was clean.

newbie2247
January 26th, 2008, 12:45 PM
Interesting.

How did you detect Vundo and how did you remove it?

Very concerned as I wish to always stay on top of this matter. I want to stay on top of ALL trojans actually. Do tell, please. :)

Regarding CCleaner, I have always used that; ever since it came out and I continually upgrade it. Thanks for the recommendation - a great one at that. :)

To whoever it was (solcroft ?) earlier asking what freebies I used and then uninstalled, the first one that detected Trojan Vundo was called Spyhunter or Spywarehunter and the one that detected Heuristic.Dialer.RAS (what is that anyway?) was called a-squared by Emsi Software. I quarantined it and then removed that program too. Afraid to have too many programs confusing my useless ESET and brand new computer. Also afraid I probably let loose that quarantined dialer too. :gack:

I have FIOS and a router (not sure what this stuff is - just hear the spouse talk about it) and hope that router does some protecting since the ESET is not. Lord knows what else I have on this machine. Scary to think about it. :-\ What is a dialer and how much damage can it do? I ask because I probably let it loose (according to the spouse) when I removed the program that found and quarantined it. I installed it again and scanned twice and it did not show up again which I find remarkably surprising. How can that be? :wacko:

Marcos, I downloaded and did that SysInspector thing (very concerned that I may have sent personal and sensitive data now that I think of it - eeks) but I could not find any addy anywhere at all in Tech Support, just "forms", so I sent it off to the only addy's I could find - Sales was one and Marketing was the other. They'll just probably toss it in the rubbish since it has that zipped attachment you recommended, the zipped SysInspector thing. Let's hope not. Never knew such a thing existed, much less what it is. Where did you learn about it? Just curious. ???

As regards the tracking cookies, I have no clue if CCleaner picks those up or not. I do know that they clean out temp. int. files for me and I don't accept third party cookies - whatever they are. In short, I don't know where I stand on tracking cookies. ESET sure as heck isn't finding them for me. :dry:

I hope I answered all the questions from yesterday and, natch, I added several of my own. Appreciate all the time and wisdom, experience and recommendations all of you share with me. I feel like a goldfish in an ocean full of barracudas and do need all the help you all care to give.


Thanks all! ;D

Marcos
January 26th, 2008, 12:54 PM
-{ Quote: "Never knew such a thing existed, much less what it is. Where did you learn about it? Just curious. ???" }-

It's an official tool developed by ESET. If you suspect your computer being infected with a trojan, you can send the ESET Sysinspector log to support[at]eset.com as zip along with a short description of the problem.

newbie2247
January 26th, 2008, 01:39 PM
Thanks. That is if you are humanly able to find a proper email addy at ESET to send it to.

I doubt if the Sales Dept and Marketing Dept that I sent mine to are going to be happy, LOL. I appreciate that tool and advice immensely Marcos. Hopefully, something positive will happen now.

You sure know a lot of good stuff. Wish you were here so I could pick your brain. Lord knows I need the guidance.

I haven't seen any other posts. I hope I get an email if one appears as that's what I selected. Thanks again.

:P

computer geek
January 26th, 2008, 04:57 PM
-{ Quote: "and how I'm going to get rid of the 5 million tracking cookies I must have by now as I am a heavy surfer of the 'Net." }-
Erm, you click tools on ie7 properties and delete all your cookies...

De Hollander
January 26th, 2008, 06:08 PM
Why do I get the feeling that after 11 posts I only see 2 unknown scanners, 1 good chance of a false positive and a lot of harmless cookies.

Marcos
January 26th, 2008, 07:04 PM
-{ Quote: "I haven't seen any other posts. I hope I get an email if one appears as that's what I selected. Thanks again. :P" }-

Actually we have replied to one person who sent an email to support[at]eset.com with this thread's url. If it was you, couldn't it be that you have a spam filter installed that misclassified our email as spam?


Marcos

YeOldeStonecat
January 28th, 2008, 01:16 PM
-{ Quote: "Interesting. How did you detect Vundo and how did you remove it?" }-

The PC that I stumbled upon...it bundled with another spysheriff variant...that takes over your computers desktop with a big red ominous warning....and about once a minute you get a popup browser taking you to some website to purchase their removal software.

Removed using the steps I labeled above.

newbie2247
January 29th, 2008, 12:08 PM
yeoldspysheriff,

Thanks for your reply but could you translate that into English - layman's terms for an ignoramus such as myself please?

Marcos,

Yes I did send off a letter to ESET and I do not have these posts coming to me as SPAM (I check my spam folder all the time for errors like that), just haven't received any notifications of new posts. I am seeing them now for the first time. (My luck for you.)

As far as tracking cookies go, I do have CCleaner but don't know if that picks them up or not - no clue if ESET does either.

I have IE7 and when I hit tools, my dropdown menu does NOT have "properties" listed on it but thanks for that suggestion. Maybe your O/S does have that but mine does not. What it does have at the bottom of that menu is Internet Options which I select, then under the Browsing History heading I hit DELETE for temp. int. files & for cookies. Now, I don't know if that removes data miners or not either. I know it removes cookies, but does it remove ALL cookies. Some are pretty stubborn, correct? Hence my strong concern on this matter.

I hope I didn't miss any questions. Looking forward to answers on mine, which reminds me, I do have one last serious and important one.

I have tried several freebies as you all know and lots of them find nothing, like AVG & Superspyware for 2 examples - so highly touted.

To enhance my Nod32, I am very much in the market for at least 2 very good free anti-spyware scanners/programs, not shareware and not one of those trial ones. Would very much appreciate any and all recommendations for such. ;D

Please feel free to post recommendations, send them to me privately or if my personal email addy is on here from registration, send them there. I truly do need some excellent and FREE programs/scanners to enhance my ESET Nod 32 Security Suite.

Do other users here of this product know if it does remove the data miners/tracking cookies? :-\

Thanks all for everything! Have a great day. 8)

Jenee
January 29th, 2008, 08:42 PM
I had a PC that was infected with Vundo. The correct name is Win32/Adware Virtumonde.CLI. It infects the system through the installation of Winfixer. It is the hardest thing to get rid of but fortunately, with perseverance, ESS will get rid of it. If ESS is installed on a system that already has this trojan then it modifies the egui.exe file. ESS then quarantines egui.exe so there is no ESS icon on startup.
I ran the PC in safe mode, ran a scan which quarantined all the nasties, replaced egui.exe with a clean file, removed the trojan entries from the registry, restarted the pc again in safe mode and ran another scan. Finally fixed.

This is the other thread I started re this problem:
http://www.wilderssecurity.com/newreply.php?do=newreply&noquote=1&p=1171165

newbie2247
January 30th, 2008, 02:37 PM
Jenee,

"it modifies the egui.exe file. ESS then quarantines egui.exe so there is no ESS icon on startup."

That's exactly just one of the problems that I am having although my scans no longer are detecting Trojan Vundo. By "removing the nasties" in safe mode, could you please be more specific/clearer in what this means, step by step please because I plan to do it just as soon as you translate "remove the nasties". Boy, do I need that info.

Also, you will need to tell me how you obtained and replaced the file, step by step. I apologize for being such an ignorant non-techie PC user. A total novice here in the forum so I don't know the nomenclature, if you will. :-[

I appreciate your reply and hope you feel up to what I need in order to help me out. If not, I understand. :blink:

Never installed Winfixer. Do not even know what it is. Just so you know.

The_Duality
January 30th, 2008, 03:40 PM
Spyhunter, from some research I have done (google is my friend ;D), is nothing but a FP machine. Every single review of this product is appalling and it is repeatedly slammed for its FP's, probably used to separate users from their money ;).

As for tracking cookies, they are not as "dangerous" or as much of a "privacy risk" as some AV and AS companies would have you believe. Just use CCleaner - http://www.ccleaner.com as suggested earlier in the thread, and they will be eradicated. A fantastic program for general housekeeping.

If you are looking for a decent Anti-spyware app, then SuperAntiSpyware would be your best bet. Ignore the dodgy sounding name, this program is a gem - http://www.superantispyware.com.

Jenee
January 30th, 2008, 07:34 PM
-{ Quote: "Jenee,

"it modifies the egui.exe file. ESS then quarantines egui.exe so there is no ESS icon on startup."

That's exactly just one of the problems that I am having although my scans no longer are detecting Trojan Vundo. By "removing the nasties" in safe mode, could you please be more specific/clearer in what this means, step by step please because I plan to do it just as soon as you translate "remove the nasties". Boy, do I need that info.

Also, you will need to tell me how you obtained and replaced the file, step by step. I apologize for being such an ignorant non-techie PC user. A total novice here in the forum so I don't know the nomenclature, if you will. :-[

I appreciate your reply and hope you feel up to what I need in order to help me out. If not, I understand. :blink:

Never installed Winfixer. Do not even know what it is. Just so you know." }-

The PC that I fixed did not have ESS installed. It had other antivirus/firewall/spyware programs installed that did not stop or remove this trojan. It was a neighbour's PC and they had already spent several hundred dollars with a PC repairer trying to rid the problem and they asked me as a last resort. You may not recognise the name Winfixer but you may have seen a popup which said you had viruses on your PC and this would fix them. It then gives you Vundo.
You need to start your PC in safe mode (most PCs will give you the option of safe mode if you keep pressing the F8 key after you turn the power on).
Go to the ESS program folder and double click on egui.exe. ESS will then show a box that will give you the option to do a scan. Run the scan. When the scan is finished, do a search on your PC for any other files named "pmkjk". ESS will probably already have quarantined pmkjk.exe but there may still be a pmkjk.dll so delete it.
Then go to the run command and type in regedit. This will open the registry editor. If you are not familiar with the registry editor you may need to get assistance from someone who is, as it is very critical that you are careful with the registry. You need to locate the subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

click once on The word Run and in the right hand pane you will see a list of programs that are started when Windows starts. Right click and delete any entry that has "pmkjk" or "WindowsUpd = (adware filename)"

Then go to the subkey
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

and in the right pane delete any value that has "pmkjk" in it or "SysUpd = (adware filename)"

Close the registry editor and restart the PC in safe mode again and run another ESS scan.

Restart the PC in normal mode. Go to the program folder where ESS is installed and delete egui.exe. Reinstall ESS and take the Repair option. This should replace the egui.exe file (I copied one in from another clean PC that I had but the Repair should do this for you) and the Repair will also put an entry in the registry to run egui.exe on startup. After the Repair is done, restart your PC and ESS should now be running normally again.

I am not sure of this but it would appear that Vundo is able to embed itself in some antivirus/firewall files without the user knowing and then becomes self generating.
It was a nuisance that egui.exe appeared to become infected but it had no effect on the integrity of ESS.

It serves no purpose denigrating any antivirus/firewall company over this one as it seems it gets into a PC by invite. However, I doubt it would get into a PC already properly protected by ESS and ESS seems to be one of the few that can get rid of it.
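A read-only way to look at the two Run keys the post above walks through. This is an added PowerShell example, not a tool from the thread or from ESET: it lists every autostart value under the HKLM and HKCU Run keys and flags the ones whose name or data contains the strings the post mentions (pmkjk, WindowsUpd, SysUpd), plus any entry whose target executable no longer exists, which is what a leftover Run value typically looks like after a scanner has quarantined the file. The pattern list and the "missing target" check are assumptions for illustration; nothing is deleted, so the registry edits in the post remain a manual decision.

```powershell
# Added example, not from the thread: audit the two autostart (Run) keys the
# post walks through without changing anything. Each value is printed with a
# Flags column that is non-empty when (a) its name or data matches one of the
# patterns below or (b) the executable it points at is missing on disk.
# The pattern list is an assumption taken from the names in the post.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Fragments the post associates with this infection; extend as needed.
$suspectPatterns = @('*pmkjk*', '*WindowsUpd*', '*SysUpd*')

function Get-RunKeyAudit {
    param([string[]]$Keys, [string[]]$Patterns)

    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) {
            Write-Warning "$key not present"
            continue
        }
        # Get-ItemProperty exposes each registry value as a property;
        # the PS* properties are PowerShell metadata, not registry values.
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }

            $name    = $prop.Name
            $data    = [string]$prop.Value
            $reasons = @()

            foreach ($pat in $Patterns) {
                if ($name -like $pat -or $data -like $pat) {
                    $reasons += "matches $pat"
                    break
                }
            }

            # Pull the executable out of the command line: either the quoted
            # first token or the first unquoted token ending in .exe. Only
            # absolute paths are checked, so "rundll32.exe ..." is not
            # misreported as missing.
            $exe = $null
            if ($data -match '^"([^"]+)"')       { $exe = $Matches[1] }
            elseif ($data -match '^(\S+\.exe)')  { $exe = $Matches[1] }
            if ($exe -and [IO.Path]::IsPathRooted($exe) -and -not (Test-Path $exe)) {
                $reasons += 'target file missing'
            }

            New-Object PSObject -Property @{
                Key   = $key
                Name  = $name
                Data  = $data
                Flags = ($reasons -join '; ')
            }
        }
    }
}

# Print the audit; rows with a non-empty Flags column sort to the top.
Get-RunKeyAudit -Keys $runKeys -Patterns $suspectPatterns |
    Select-Object Key, Name, Data, Flags |
    Sort-Object Flags -Descending |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt if you want the HKLM key read reliably; a flagged row is a lead to investigate (compare against the scanner's quarantine log), not proof of infection on its own.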

dave88
January 30th, 2008, 09:09 PM
-{ Quote: "Some of the new Vundu variants...as well as Smitfraud/SpyFalcon, are a real pain to clean up once they hit your system." }-

Grrrr I Hates Vundo

ASpace
January 31st, 2008, 02:35 AM
-{ Quote: "By "removing the nasties" in safe mode, could you please be more specific/clearer in what this means, step by step please because I plan to do it just as soon as you translate "remove the nasties". Boy, do I need that info." }-

You might have a different variant. There are many, many ... many variants of Vundo/Virtumonde. Injected DLLs are easy to remove with ESET's UnDll but sometimes there is more to be done if you are on an already infected computer.

If you still haven't contacted ESET (as per Marcos' suggestion in post #2), you may need to register in a forum providing malware cleaning services (such as Aumha (http://forum.aumha.org)) and ask experts for help. Such services are not provided here.

-{ Quote: "Never installed Winfixer. Do not even know what it is." }-

WinFixer is a rogue application (adware application), ~ a kind of Zlob/Smitfraud infection.

newbie2247
February 15th, 2008, 11:36 AM
Thanks for all that advice everyone. Sounds complicated and daunting - not sure I can do it.

I will go to that Malware site and nose around too.

Now have the CCleaner and Superantispyware. The latter is a pain in the butt because it forces a restart. Don't care for that at all but what can one do? I know CCleaner gets rid of cookies and temp. inter. files but had no idea that it also removed data miners. That's good to know. I'd love to use the registry cleaner portion but am scared silly from all the stuff I've read about them removing things that they should not and so forth.

I see the words Smitfraud a lot. What is it? Could I have it? If I did, would ESET have removed it?

Besides viruses, what else does ESET block and remove? What I love about it is how fast it scans. I had Trend Micro for years on my old XP and the scans were not this fast and I often wonder if it let something in that caused my puter to crash and burn. I loved XP and miss it so much. I HATE Vista. Maybe I just have to get used to it.

Again, thank you for your advice. I shall print it out and see if I can summon up the courage to do it. Scared silly I might mess up and wreak havoc. :doubt:

newbie2247
February 15th, 2008, 11:46 AM
One last thing I forgot to mention which is important I think. :-\

Every time I do a restart, I get a balloon message in the icon tray next to the ESET icon that says: Windows has blocked some programs from running. Click here to run the programs. I always do and it is ALWAYS the gui.exe thing, whatever that is. Does anyone know what's up with that? Should I put up with it or is there a resolution that a scared dummy like myself can handle? :blink:

Thank you all again. I am very grateful for your assistance. Only wish I was a bit more savvy and confident. :-[

Jenee
February 15th, 2008, 09:51 PM
It sounds like you have the Windows firewall turned on. You should turn Windows firewall off as there can be conflicts and problems having two firewalls running.

newbie2247
February 15th, 2008, 10:08 PM
Jenee,

Thanks for your reply but that absolutely is not the case. I checked and double checked.

Drats! If only the resolution was that.

Sure is one heck of a puzzle, isn't it? :(

stevenz
February 16th, 2008, 01:18 AM
Hello,
this could be caused by the data protection settings:
right click My Computer, Properties, Advanced,
Performance Settings, Data Execution Protection.

Jenee
February 16th, 2008, 02:01 AM
Is the program gui.exe or egui.exe as the ESS tray icon is run from egui.exe. Normally, if egui.exe is blocked then you wouldn't see the ESS tray icon.

newbie2247
February 16th, 2008, 12:10 PM
Jenee,

The first one. The icon is in the tray with that prompt from windows saying "windows has blocked some programs from running". Then I just click on it. Don't know what the heck is going on. I hate this Vista, really. I am new to Vista and ESET. The computer store loaded the ESET on the puter when we bought it. They highly recommended it so we bought it right then and there and they loaded it onto the puter for us. So, I am trying to familiarize myself with both. :o

I had XP and Trend Micro PCcillin for years and got used to them. When I finally mastered them, the puter crashed and the hard drive was beyond repair. :'(

This new setup cost a fortune and I want to tread carefully and do everything within my power to do so correctly. That is why I am here picking your brains and begging for your wisdom and experiences. Truly appreciate all your help.

Is there a Vista Premium Home forum here? I am having a big problem with installing the free MS stationery into my Windows Mail program that comes with it. Had no problem with the Outlook Express that came with the XP. ???

Again, thanks all. :) As you can see, I need lots of good advice. In over my head here learning about both ESET nod32 & Vista Premium Home. :(

"hello
this could be caused by the data protection settings .
right click my computer,properties,advanced,
performance settings,data execution protection."

Thank you but I don't understand what you just wrote. Could you break it down and then tell me what to do when I get to "data execution protection" if I manage to get there, that is please?

flimbag
February 16th, 2008, 12:58 PM
I had a recent Vundo variant infection. Nod32 didn't see it at all. BOClean stopped a part of it from running, and AVG Antispyware correctly identified it, claimed to be fixing it, but after I did a reboot, it was always there again. VundoFix, the recommended repair at that time, didn't even see the thing.

Presumably what happens is that these are a collection of small programs, and in any variant, they might only change one or two or three. Your antimalware app might delete most of it, but the new bit just redownloads or reinstalls the stuff you've just deleted and you're back to square one.

I eventually got rid of it by using a combination of Process Explorer and the video, Advanced Malware Cleaning here: http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359. This was probably the most important part of the whole process, as it enabled me to understand what was going on, and to check with some high degree of reliability that the software actually was doing what it should have been doing.

Alongside that, there were two other apps that played their part. The 30 day demo of Trojan Hunter, and the wonderful free version of SuperAntiSpyware. Both of these would detect a part of the malware, but not the whole lot, but in combination, the two of them managed to clean the whole lot out. That said, it took about two days before I was completely clean, during which time the malware was being prevented from running, but it was still present on the machine. And there were a couple of updates during that period, so it may well be that one or other app. had an update that detected my particular variant. Since then, I've noticed that SuperAntiSpyware adds a couple of new Vundo Variants with every single update, so there has to be a lot of the things out there.

Most important in all this though, was learning how to use Process Explorer properly through the Sysinternals video. I can't recommend that highly enough. Also, BOClean always stopped the payload from actually executing, so props to that as well.

Jenee
February 16th, 2008, 09:09 PM
I am surprised that you say Nod32 did not recognise Vundo as ESS certainly recognised and quarantined some of the files in the system I had which was infected. The problem with Vundo is that it seems to be able to infect files that run at startup and these are the ones that need to be removed.
The best thing to do first is run a full scan with ESS and check the log files to see the names of the files that are infected and what they are infected with.

Tonto
February 21st, 2008, 02:53 AM
Hi newbie 2247

I read your thread with great interest. Was just wondering how you got along with your problem...situation. Would like to just throw it out there my brother had a couple of versions of Vundo he picked up. The new version of Spybot S+D took care of them no prob. The new version looks much improved and seems to be a lot more updates lately and more visually pleasing it is freeware. Do you have Spyware blaster installed also...it is freeware.

I sympathize with your Vista situation...they are gonna have to tear my XP from my cold dead body.

So how did you make out??

newbie2247
February 21st, 2008, 01:08 PM
Thanks for asking.

I used the Symantec removal tool and as far as I know it removed it. But now I am reading here that it comes back and that it has variants and all sorts of scary stuff. What are the symptoms and how do all these people know this stuff. I used a freebie on a lark and found it. Googled up a remover and to the best of my knowledge, got rid of it.

Recently I sent ESET a couple of those SYSINTERNAL thingamajigs they send you and want you to run and send back to them and they said all is well.

The other thing I did at the same time was used another freebie which found a dialer. I used a freebie dialer remover but not sure what the status is. ESET said I was clean, so I believe them. I just wish this stuff didn't slip through their protective walls, you know? Major bummer. :(

Do I have to keep scanning with freebies? I know a lot of them give false positives to force you to buy their products and a lot of the honest freebies do not detect many things.

Open to any and all recommendations, suggestions, ideas and so forth. Will be most appreciated. :)

larryb52
February 21st, 2008, 03:03 PM
you have to keep running different antivirus to get it. My wife's machine got it & it took me scans of Nod32, Superantispyware, Dr Web's Cureit, F-Secure & Kaspersky. The best 2 that I feel finally got it was F-secure & Kaspersky. It has buried itself in 2 cabs temp files deep in the user file of windows & I had to manually delete it, then it was gone...