Trojan.Vundo.H NOT being detected

Discussion in 'ESET Smart Security' started by gslabbert5119, Mar 23, 2009.

Thread Status:
Not open for further replies.
  1. gslabbert5119

    gslabbert5119 Registered Member

    Joined:
    Jul 15, 2008
    Posts:
    6
    I have been fighting the following virus and it seems that ESET security plus is not finding them.

    Files Infected:
    c:\Windows\System32\wejureke.dll (Trojan.Vundo.H)
    c:\Windows\SysWOW64\wejureke.dll (Trojan.BHO)

I continually get these pop-ups and had to resort to using Malwarebytes' Anti-Malware 1.34 to find them, but this does not remove them either. I bought ESET Security 3.0.350.0 and everything is up to date. Below is the list of my updates.
    I have had ESET running for some months now without any problems or issues and this problem popped up (excuse the pun) this weekend. I have checked the knowledgebase and have found nothing.


    ******** ESET Configuration ************
    Virus signature database: 3954 (20090323)
    Update module: 1028 (20090302)
    Antivirus and antispyware scanner module: 1199 (20090321)
    Advanced heuristics module: 1092 (20090309)
    Archive support module: 1091 (20090213)
    Cleaner module: 1039 (20090320)
    Anti-Stealth support module: 1010 (20090302)
    Personal firewall module: 1040 (20080924)
    Antispam module: 1011 (20090114)

    ***** Malwarebytes log file **********
    Malwarebytes' Anti-Malware 1.34
    Database version: 1883
    Windows 6.0.6001 Service Pack 1

    3/23/2009 8:56:04 AM
    mbam-log-2009-03-23 (08-56-00).txt

    Scan type: Quick Scan
    Objects scanned: 15409
    Time elapsed: 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 1
    Registry Values Infected: 4
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\Windows\System32\wejureke.dll (Trojan.Vundo.H) -> No action taken.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm73fffa3f (Trojan.Vundo.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zogababala (Trojan.Vundo.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wejureke.dll -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wejureke.dll -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Windows\System32\wejureke.dll (Trojan.Vundo.H) -> No action taken.
    c:\Windows\SysWOW64\wejureke.dll (Trojan.BHO) -> No action taken.
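The Malwarebytes log above lists the autostart locations this Vundo variant used: two Run values, the AppInit_DLLs value (which loads the DLL into every process that maps user32.dll), a ShellServiceObjectDelayLoad entry, a SharedTaskScheduler entry and a BHO CLSID. The script below is an added example, not code from this thread, from ESET or from Malwarebytes. It enumerates those same locations on a live machine, in both the native and the Wow6432Node registry views, resolves each entry to a file on disk and reports the file's Authenticode status so that an unsigned, randomly named DLL in System32 or SysWOW64 stands out. It assumes an elevated PowerShell 2.0 or later prompt on the affected machine; the registry paths are the standard ones, the resolution logic and function names are this example's own.

```powershell
# Added example; not code from this thread, from ESET or from Malwarebytes.
# Walks the autostart locations the Malwarebytes log above shows Vundo using
# (Run/RunOnce, AppInit_DLLs, ShellServiceObjectDelayLoad, SharedTaskScheduler,
# Browser Helper Objects) in both the native and the Wow6432Node registry views,
# resolves each entry to a file on disk and reports its Authenticode status.
# Read-only. Assumes an elevated PowerShell 2.0 or later prompt on the affected
# machine; the registry paths are the standard ones, the lookup logic is this
# example's own.

function Resolve-StartupFile {
    param([string]$Data)
    if (-not $Data) { return $null }
    $text = [Environment]::ExpandEnvironmentVariables($Data.Trim())
    # Try a quoted path first, then the whole string, then the first token.
    $candidates = @()
    if ($text -match '^"([^"]+)"') { $candidates += $Matches[1] }
    $candidates += $text
    $candidates += ($text -split '\s+')[0]
    # A relative name such as "system32\wejureke.dll" (as in the AppInit_DLLs
    # data above) is resolved the way the loader would: under the Windows
    # directory, System32 and SysWOW64.
    $roots = @($env:windir, (Join-Path $env:windir 'System32'), (Join-Path $env:windir 'SysWOW64'))
    foreach ($c in $candidates) {
        if (-not $c) { continue }
        if ([IO.Path]::IsPathRooted($c)) { $paths = @($c) }
        else { $paths = $roots | ForEach-Object { Join-Path $_ $c } }
        foreach ($p in $paths) {
            if (Test-Path -LiteralPath $p -PathType Leaf) {
                return (Get-Item -LiteralPath $p).FullName
            }
        }
    }
    return $null
}

function Get-ClsidServer {
    param([string]$Clsid)
    # An in-process COM server records its DLL in InprocServer32's default value.
    foreach ($classes in 'HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes\Wow6432Node') {
        $k = "$classes\CLSID\$Clsid\InprocServer32"
        if (Test-Path $k) { return [string](Get-ItemProperty -Path $k).'(default)' }
    }
    return $null
}

function New-Entry([string]$Source, [string]$Data) {
    New-Object PSObject -Property @{ Source = $Source; Data = $Data }
}

function Get-AutostartEntries {
    foreach ($sw in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $cv = "$sw\Microsoft\Windows\CurrentVersion"
        # Run/RunOnce: each value is a command line.
        foreach ($k in "$cv\Run", "$cv\RunOnce") {
            if (-not (Test-Path $k)) { continue }
            $item = Get-Item $k
            foreach ($n in $item.GetValueNames()) { New-Entry "$k\$n" ([string]$item.GetValue($n)) }
        }
        # AppInit_DLLs: space/comma separated DLLs loaded into every process that
        # maps user32.dll, so the DLL is in use by explorer.exe from logon onward.
        $win = "$sw\Microsoft\Windows NT\CurrentVersion\Windows"
        if (Test-Path $win) {
            $list = [string](Get-ItemProperty -Path $win).AppInit_DLLs
            foreach ($d in ($list -split '[,\s]+' | Where-Object { $_ })) { New-Entry "$win\AppInit_DLLs" $d }
        }
        # CLSID-keyed loaders. SSODL: value data is a CLSID. SharedTaskScheduler:
        # value name is the CLSID. BHO: subkey name is the CLSID.
        $ssodl = "$cv\ShellServiceObjectDelayLoad"
        if (Test-Path $ssodl) {
            $item = Get-Item $ssodl
            foreach ($n in $item.GetValueNames()) { New-Entry "$ssodl\$n" (Get-ClsidServer ([string]$item.GetValue($n))) }
        }
        $sts = "$cv\Explorer\SharedTaskScheduler"
        if (Test-Path $sts) {
            foreach ($n in (Get-Item $sts).GetValueNames()) { New-Entry "$sts\$n" (Get-ClsidServer $n) }
        }
        $bho = "$cv\Explorer\Browser Helper Objects"
        if (Test-Path $bho) {
            foreach ($sub in Get-ChildItem $bho) { New-Entry "$bho\$($sub.PSChildName)" (Get-ClsidServer $sub.PSChildName) }
        }
    }
}

function Get-AutostartReport {
    foreach ($e in Get-AutostartEntries) {
        $file = Resolve-StartupFile $e.Data
        $status = 'MISSING'
        if ($file) { $status = [string](Get-AuthenticodeSignature -FilePath $file).Status }
        New-Object PSObject -Property @{ Signature = $status; File = $file; Source = $e.Source }
    }
}

# Anything other than 'Valid' deserves a look; NotSigned in System32/SysWOW64
# with a random-looking name (wejureke.dll) is the pattern in the log above.
Get-AutostartReport | Sort-Object Signature | Format-Table Signature, File, Source -AutoSize
```

Two caveats when reading the output. Older PowerShell releases do not check catalog signatures, so some genuine Windows binaries can show as NotSigned; compare against a clean machine of the same build before acting on a name you recognise. A MISSING result for a CLSID entry only means there is no InprocServer32 DLL for it, which also covers legitimate out-of-process servers. The script changes nothing; clearing the registry values it reports and deleting the files are separate steps, and because AppInit_DLLs loads the DLL into running processes, the registry value has to go before the reboot on which the file is removed.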
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
ESET SysInspector should be able to reveal these malicious DLLs. Unfortunately, Virtumonde is about nothing but business and thus they are continually being modified by a group of guys to avoid detection by AVs. MB uses a different approach to detection than typical signatures or heuristics, hence it's able to detect threats on infected systems better. I wouldn't chance my arm that it would protect you against all other threats like other AVs before threats are executed, however.
     
  3. miki69

    miki69 Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    133
    Location:
    Vienna, Austria
You should delete this file, wejureke.dll (anyhow it's quarantined now), and then you should try right-clicking on the C: drive; below "Scan with ESET" you have "Advanced action" and then "Clean files". Click on this and you should be able to delete the rest of the infections.

    Cheers,
    Miki
     
  4. gslabbert5119

    gslabbert5119 Registered Member

    Joined:
    Jul 15, 2008
    Posts:
    6
I have deleted the file, but after each reboot it and other files return, so this is of no help. I have opened a case with ESET but no response as of yet.

I have no intention to replace ESET with Malware; I just need ESET to perform as advertised and remove the Trojans. After all, that is what I paid for.
     
  5. wrathchild

    wrathchild Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    170
    Location:
    Neoplantesis
    Try with a free SUPERAntiSpyware.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
If you're unable to analyse ESET SysInspector logs yourself, did you create one and convey it to customer care for perusal?
     
  7. gslabbert5119

    gslabbert5119 Registered Member

    Joined:
    Jul 15, 2008
    Posts:
    6
SysInspector's detected threats log is empty; nothing in the quarantine either. Quite a few Incorrect IP packet length and DNS cache poisoning attacks, but they were blocked by the firewall.

I think that I have got rid of the files after running Malware, then Wise Registry Cleaner, then Malware again, then SUPERAntiSpyware, then Wise Registry Cleaner again. Each time a new set of files was found. I had to run Malware 4 times, booting each time in safe mode, to clean everything out. Still, this should not have gotten past my ESET; well, I did not expect it to. I have opened a ticket but still no response. Any idea on how long before a "Threat not detected" case is handled?

Thanks to those who helped so far. I hope that it is gone permanently.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Again, sending a SysInspector from the infected computer is crucial when contacting customer care. A customer care representative would check the log and ask you to send the suspicious files to the viruslab for analysis so that detection could be added.

I have no clue which customer care you contacted. It's already evening here in Slovakia, but morning in the US. If you are from the US, it may take up to 24 hours to get a response (during work days). However, all they can do is recommend you send an ESI log the next time you run into a suspicious file.
     
  9. silverfox55

    silverfox55 Registered Member

    Joined:
    Apr 28, 2008
    Posts:
    97
    Location:
    The Original Washington