Trojan Vundo

Discussion in 'ESET Smart Security' started by newbie2247, Jan 24, 2008.

Thread Status:
Not open for further replies.
  1. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    Yesterday I used a free spyware scanner just on a lark to see if this ESET Smart Security version 3.0.621 that I have is all that it's been trumped up to be. Since I've had it, it has yet to find one single thing, not even a tracking cookie which I get every day, all day long.

    Lo and behold, the scanner found trojan.vundo. I didn't know what to do (never thought of submitting it to ESET nor do I know how to do that - using another product on top of that) so I went to Google and they had a removal tool for it and that worked out well. ESET claims that they detect and destroy trojans among many other things. Boy am I ticked off at them.

    Now, I don't know where I stand with this expensive suite. I don't know how I'm going to keep on top of trojans and how I'm going to get rid of the 5 million tracking cookies I must have by now as I am a heavy surfer of the 'Net.

    Right now, I am using Windows Defender and the ESET suite. By right, that should be enough considering all the dollars involved here.

    I have an HP Pavilion with Vista Premium Home Ed. It came with a kabillion programs running so it's probably about to have a melt-down any minute.

    Open to any and all suggestions. Can post here or email me. No preference.

    How am I going to clean out all my tracking cookies? I had Trend Micro do it with my XP. I assumed that ESET was going to do it with this one. Silly me.

    Thank you and hope there's help out there for me. :doubt:
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please download and run ESET SysInspector, save the log as zip and send it to support[at]eset.com with this thread's url in the subject.
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    ...

    Have you tried clearing them from your browser options window?
     
  4. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    Thanks Marcos Re: Trojan Vundo

    Not sure what you mean. How do I do that please?

    I have gone to Internet Options, Browsing History and clicked on Delete Cookies and Temporary Internet Files. I do that ALL the time. Is that what you mean? If so, does that delete them as well as regular cookies? I sure hope so but am not getting my hopes up on that.

    I'd love to know if ESET (nod32) also deletes them. Does anyone know the answer to that please? :doubt:

    I also have my Advanced Privacy Settings set to block third party cookies - whatever those are. I read somewhere to do that.

    Well, I have more bad news about ESET Smart Security to report, those brats. :cautious:

    I used a freebie scanner again and guess what it picked up? "Heuristic.Dialer.RAS". Isn't that just peachy? Now what am I supposed to do with that? ESET has yet to find one single thing since I've been using it. Nothing. And I have it all set to the highest and tightest settings. Yet the freebies are finding Trojans and Dialers. Go figure. o_O

    I really don't know what to do now. Since these are freebies, is there a way you can submit this stuff to ESET along with a scathing letter, LOL? I can't imagine how to submit a file of a quarantined piece of malware from another program directly to ESET if it's not their scan that found it. o_O

    What a useless product and a huge wasted loss of big bucks. If I wasn't on a modest fixed income I probably would be a tad less enraged. I apologize for my anger. Going to take a deep breath and stop venting. :'(

    I sure have some conundrum on my hands here and don't know which way to turn. Not a good position to be in with a brand new computer. o_O
     
  5. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Re: Thanks Marcos Re: Trojan Vundo

    Is there any particular reason you think it won't?

    Just for good measure, use something like CCleaner (www.ccleaner.com) that removes index.dat files as well.
     
  6. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    Hi newbie2247,

    I was curious about these free spyware scanners that you ran
    what were the names of these programs ?

    Regards,

    Wake
     
  7. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Some of the new Vundo variants...as well as Smitfraud/SpyFalcon, are a real pain to clean up once they hit your system. It doesn't matter which antivirus you run....NOD32...or even Kaspersky...some of the latest variants stay ahead and can sneak into the system. I've dealt with a few Smitfraud and Vundo variants which have made it past NOD32....even just last week at a car wash client we have. There are some good removal instructions and tools at bleepingcomputers....if you Google them. SDFix.exe is what cleans up the latest Smitfraud variant I ran across last week quite well, as well as throwing a few other tools at it before I ran SDFix...such as a TCP/Winsock repair utility, CCleaner, AVG AS, SuperAntispyware, Spybot S&D, NOD scan, and manual inspection of the registry. It was still there after running all of those except SDFix...SDFix finally got rid of the remains and the system was clean.
     
  8. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    Interesting.

    How did you detect Vundo and how did you remove it?

    Very concerned as I wish to always stay on top of this matter. I want to stay on top of ALL trojans actually. Do tell, please. :)

    Regarding CCleaner, I have always used that; ever since it came out and I continually upgrade it. Thanks for the recommendation - a great one at that. :)

    To whoever it was (solcroft ?) earlier asking what freebies I used and then uninstalled, the first one that detected Trojan Vundo was called Spyhunter or Spywarehunter and the one that detected Heuristic.Dialer.RAS (what is that anyway?) was called a-squared by Emsi Software. I quarantined it and then removed that program too. Afraid to have too many programs confusing my useless ESET and brand new computer. Also afraid I probably let loose that quarantined dialer too. :gack:

    I have FIOS and a router (not sure what this stuff is - just hear the spouse talk about it) and hope that router does some protecting since the ESET is not. Lord knows what else I have on this machine. Scary to think about it. :doubt: What is a dialer and how much damage can it do? I ask because I probably let it loose (according to the spouse) when I removed the program that found and quarantined it. I installed it again and scanned twice and it did not show up again which I find remarkably surprising. How can that be? o_O

    Marcos, I downloaded and did that SysInspector thing (very concerned that I may have sent personal and sensitive data now that I think of it - eeks) but I could not find any addy anywhere at all in Tech Support, just "forms", so I sent it off to the only addy's I could find - Sales was one and Marketing was the other. They'll just probably toss it in the rubbish since it has that zipped attachment you recommended, the zipped SysInspector thing. Let's hope not. Never knew such a thing existed, much less what it is. Where did you learn about it? Just curious. o_O

    As regards the tracking cookies, I have no clue if CCleaner picks those up or not. I do know that they clean out temp. int. files for me and I don't accept third party cookies - whatever they are. In short, I don't know where I stand on tracking cookies. ESET sure as heck isn't finding them for me. :cautious:

    I hope I answered all the questions from yesterday and, natch, I added several of my own. Appreciate all the time and wisdom, experience and recommendations all of you share with me. I feel like a goldfish in an ocean full of barracudas and do need all the help you all care to give.


    Thanks all! :D
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's an official tool developed by ESET. If you suspect your computer being infected with a trojan, you can send the ESET Sysinspector log to support[at]eset.com as zip along with a short description of the problem.
     
  10. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    Thanks. That is if you are humanly able to find a proper email addy at ESET to send it to.

    I doubt if the Sales Dept and Marketing Dept that I sent mine to are going to be happy, LOL. I appreciate that tool and advice immensely Marcos. Hopefully, something positive will happen now.

    You sure know a lot of good stuff. Wish you were here so I could pick your brain. Lord knows I need the guidance.

    I haven't seen any other posts. I hope I get an email if one appears as that's what I selected. Thanks again.

    :p
     
  11. computer geek

    computer geek Registered Member

    Joined:
    Oct 6, 2007
    Posts:
    776
    Erm, you click tools on ie7 properties and delete all your cookies...
     
  12. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    Why do I get the feeling that after 11 posts I only see 2 unknown scanners, 1 good chance of a false positive and a lot of harmless cookies.
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Actually we have replied to one person who sent an email to support[at]eset.com with this thread's url. If it was you, couldn't it be that you have a spam filter installed that misclassified our email as spam?


    Marcos
     
  14. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    The PC that I stumbled upon...it bundled with another spysheriff variant...that takes over your computer's desktop with a big red ominous warning....and about once a minute you get a popup browser taking you to some website to purchase their removal software.

    Removed using the steps I labeled above.
     
  15. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    yeoldspysheriff,

    Thanks for your reply but could you translate that into English - layman's terms for an ignoramus such as myself please?

    Marcos,

    Yes I did send off a letter to ESET and I do not have these posts coming to me as SPAM (I check my spam folder all the time for errors like that), just haven't received any notifications of new posts. I am seeing them now for the first time. (My luck for you.)

    As far as tracking cookies go, I do have CCleaner but don't know if that picks them up or not - no clue if ESET does either.

    I have IE7 and when I hit tools, my dropdown menu does NOT have "properties" listed on it but thanks for that suggestion. Maybe your O/S does have that but mine does not. What it does have at the bottom of that menu is Internet Options which I select, then under the Browsing History heading I hit DELETE for temp. int. files & for cookies. Now, I don't know if that removes data miners or not either. I know it removes cookies, but does it remove ALL cookies. Some are pretty stubborn, correct? Hence my strong concern on this matter.

    I hope I didn't miss any questions. Looking forward to answers on mine, which reminds me, I do have one last serious and important one.

    I have tried several freebies as you all know and lots of them find nothing, like AVG & Superspyware for 2 examples - so highly touted.

    To enhance my Nod32, I am very much in the market for at least 2 very good free anti-spyware scanners/programs, not shareware and not one of those trial ones. Would very much appreciate any and all recommendations for such. :D

    Please feel free to post recommendations, send them to me privately or if my personal email addy is on here from registration, send them there. I truly do need some excellent and FREE programs/scanners to enhance my ESET Nod 32 Security Suite.

    Do other users here of this product know if it does remove the data miners/tracking cookies? :doubt:

    Thanks all for everything! Have a great day. :cool:
     
  16. Jenee

    Jenee Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    185
    I had a PC that was infected with Vundo. The correct name is Win32/Adware Virtumonde.CLI. It infects the system through the installation of Winfixer. It is the hardest thing to get rid of but fortunately, with perseverance, ESS will get rid of it. If ESS is installed on a system that already has this trojan then it modifies the egui.exe file. ESS then quarantines egui.exe so there is no ESS icon on startup.
    I ran the PC in safe mode, ran a scan which quarantined all the nasties, replaced egui.exe with a clean file, removed the trojan entries from the registry, restarted the pc again in safe mode and ran another scan. Finally fixed.

    This is the other thread I started re this problem:
    https://www.wilderssecurity.com/newreply.php?do=newreply&noquote=1&p=1171165
     
  17. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    Jenee,

    "it modifies the egui.exe file. ESS then quarantines egui.exe so there is no ESS icon on startup."

    That's exactly just one of the problems that I am having although my scans no longer are detecting Trojan Vundo. By "removing the nasties" in safe mode, could you please be more specific/clearer in what this means, step by step please because I plan to do it just as soon as you translate "remove the nasties". Boy, do I need that info.

    Also, you will need to tell me how you obtained and replaced the file, step by step. I apologize for being such an ignorant non-techie PC user. A total novice here in the forum so I don't know the nomenclature, if you will. :oops:

    I appreciate your reply and hope you feel up to what I need in order to help me out. If not, I understand. :blink:

    Never installed Winfixer. Do not even know what it is. Just so you know.
     
  18. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Spyhunter, from some research I have done (google is my friend :D), is nothing but a FP machine. Every single review of this product is appalling and it is repeatedly slammed for its FPs, probably used to separate users from their money ;).

    As for tracking cookies, they are not as "dangerous" or as much of a "privacy risk" as some AV and AS companies would have you believe. Just use CCleaner - http://www.ccleaner.com as suggested earlier in the thread, and they will be eradicated. A fantastic program for general housekeeping.

    If you are looking for a decent Anti-spyware app, then SuperAntiSpyware would be your best bet. Ignore the dodgy sounding name, this program is a gem - http://www.superantispyware.com.
     
  19. Jenee

    Jenee Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    185
    The PC that I fixed did not have ESS installed. It had other antivirus/firewall/spyware programs installed that did not stop or remove this trojan. It was a neighbour's PC and they had already spent several hundred dollars with a PC repairer trying to rid the problem and they asked me as a last resort. You may not recognise the name Winfixer but you may have seen a popup which said you had viruses on your PC and this would fix them. It then gives you Vundo.
    You need to start your PC in safe mode (most PCs will give you the option of safe mode if you keep pressing the F8 key after you turn the power on).
    Go to the ESS program folder and double click on egui.exe. ESS will then show a box that will give you the option to do a scan. Run the scan. When the scan is finished, do a search on your PC for any other files named "pmkjk". ESS will probably already have quarantined pmkjk.exe but there may still be a pmkjk.dll so delete it.
    Then go to the run command and type in regedit. This will open the registry editor. If you are not familiar with the registry editor you may need to get assistance from someone who is, as it is very critical that you are careful with the registry. You need to locate the subkey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    click once on The word Run and in the right hand pane you will see a list of programs that are started when Windows starts. Right click and delete any entry that has "pmkjk" or "WindowsUpd = (adware filename)"

    Then go to the subkey
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    and in the right pane delete any value that has "pmkjk" in it or "SysUpd = (adware filename)"

    Close the registry editor and restart the PC in safe mode again and run another ESS scan.

    Restart the PC in normal mode. Go to the program folder where ESS is installed and delete egui.exe. Reinstall ESS and take the Repair option. This should replace the egui.exe file (I copied one in from another clean PC that I had but the Repair should do this for you) and the Repair will also put an entry in the registry to run egui.exe on startup. After the Repair is done, restart your PC and ESS should now be running normally again.

    I am not sure of this but it would appear that Vundo is able to embed itself in some antivirus/firewall files without the user knowing and then becomes self generating.
    It was a nuisance that egui.exe appeared to become infected but it had no effect on the integrity of ESS.

    It serves no purpose denigrating any antivirus/firewall company over this one as it seems it gets into a PC by invite. However, I doubt it would get into a PC already properly protected by ESS and ESS seems to be one of the few that can get rid of it.
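    The registry and file checks in the post above, as an added PowerShell script that is not part of the thread and not an ESET tool. It audits the two Run keys Jenee names for the indicators she gives ("pmkjk" file names and the "WindowsUpd"/"SysUpd" value names), looks for leftover pmkjk* files under the Windows folder, and only removes Run values when you pass -Remove (run it with -WhatIf first to see what would go). The indicator list is taken from the post and is an assumption for your own machine; a different Vundo variant uses different random names, so extend it from your own scan results rather than trusting this list. Run it from an elevated PowerShell prompt in safe mode, after the ESS scan, as the post describes.

```powershell
# Added example: audit (and optionally remove) the Vundo persistence entries
# named in Jenee's post. Not from the thread and not an ESET tool.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Indicator substrings from the post. Assumed, not exhaustive: other
    # variants use other random names, so add whatever your own scan found.
    [string[]]$Indicators = @('pmkjk', 'WindowsUpd', 'SysUpd'),
    [switch]$Remove
)

# The two autostart keys the post tells you to inspect with regedit.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$hits = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping; skip those.
        if ($p.Name -like 'PS*') { continue }
        # Match on both the value name ("SysUpd") and its data (the adware path).
        $text = "$($p.Name) $($p.Value)"
        foreach ($ind in $Indicators) {
            if ($text -match [regex]::Escape($ind)) {
                $hits += [pscustomobject]@{
                    Key = $key; Name = $p.Name; Value = $p.Value; Indicator = $ind
                }
                break
            }
        }
    }
}

Write-Host "Run-key entries matching indicators: $($hits.Count)"
$hits | Format-Table -AutoSize

# Leftover components: the post says pmkjk.exe is usually quarantined by the
# scan but a pmkjk.dll may remain. Search under the Windows folder only; the
# DLL is normally locked while injected, which is why this runs in safe mode.
$leftovers = Get-ChildItem -Path $env:SystemRoot -Recurse -Force -Filter 'pmkjk*' `
    -ErrorAction SilentlyContinue
Write-Host "Files named pmkjk* under $($env:SystemRoot): $(@($leftovers).Count)"
$leftovers | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

if ($Remove) {
    foreach ($h in $hits) {
        # ShouldProcess honours -WhatIf / -Confirm, so nothing is deleted blind.
        if ($PSCmdlet.ShouldProcess("$($h.Key)\$($h.Name)", 'Remove Run value')) {
            Remove-ItemProperty -Path $h.Key -Name $h.Name
        }
    }
    foreach ($f in $leftovers) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}
```

Save it as, say, vundo-audit.ps1, then `.\vundo-audit.ps1` to report only, `.\vundo-audit.ps1 -Remove -WhatIf` to preview deletions, and `.\vundo-audit.ps1 -Remove` to apply them. It deliberately does not touch egui.exe: as the post says, reinstalling ESS with the Repair option is the way to get a clean copy back, and a scripted delete of an antivirus binary is not something to do on a hunch.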
     
  20. dave88

    dave88 Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    177
    Grrrr I Hates Vundo
     
  21. ASpace

    ASpace Guest

    You might have a different variant. There are many many ... many variants of Vundo/Virtumonde. Injected DLLs are easy to remove with ESET's UnDll but sometimes there is more to be done if you are on an already infected computer.

    If you still haven't contacted ESET (as per Marcos suggestion in post #2) , you may need to register in a forum providing malware cleaning services (such as Aumha) and ask experts for help. Such services are not provided here.

    WinFixer is a rogue application (adware application), ~ a kind of Zlob/Smitfraud infection.
     
  22. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    Thanks for all that advice everyone. Sounds complicated and daunting - not sure I can do it.

    I will go to that Malware site and nose around too.

    Now have the CCleaner and Superantispyware. The latter is a pain in the butt because it forces a restart. Don't care for that at all but what can one do? I know CCleaner gets rid of cookies and temp. inter. files but had no idea that it also removed data miners. That's good to know. I'd love to use the registry cleaner portion but am scared silly from all the stuff I've read about them removing things that they should not and so forth.

    I see the word Smitfraud a lot. What is it? Could I have it? If I did, would ESET have removed it?

    Besides viruses, what else does ESET block and remove? What I love about it is how fast it scans. I had Trend Micro for years on my old XP and the scans were not this fast and I often wonder if it let something in that caused my puter to crash and burn. I loved XP and miss it so much. I HATE Vista. Maybe I just have to get used to it.

    Again, thank you for your advice. I shall print it out and see if I can summon up the courage to do it. Scared silly I might mess up and wreak havoc. :doubt:
     
  23. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    One last thing I forgot to mention which is important I think. :doubt:

    Every time I do a restart, I get a balloon message in the icon tray next to the ESET icon that says: Windows has blocked some programs from running. Click here to run the programs. I always do and it is ALWAYS the gui.exe thing, whatever that is. Does anyone know what's up with that? Should I put up with it or is there a resolution that a scared dummy like myself can handle? :blink:

    Thank you all again. I am very grateful for your assistance. Only wish I was a bit more savvy and confident. :oops:
     
  24. Jenee

    Jenee Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    185
    It sounds like you have the Windows firewall turned on. You should turn Windows firewall off as there can be conflicts and problems having two firewalls running.
     
  25. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    Jenee,

    Thanks for your reply but that absolutely is not the case. I checked and double checked.

    Drats! If only the resolution was that.

    Sure is one heck of a puzzle, isn't it? :(
     