Trojan Vundo

Discussion in 'ESET Smart Security' started by newbie2247, Jan 24, 2008.

Thread Status:
Not open for further replies.
  1. stevenz

    stevenz Registered Member

    Joined:
    Jan 24, 2008
    Posts:
    74
    Hello,
    this could be caused by the data protection settings.
    Right-click My Computer, Properties, Advanced,
    Performance Settings, Data Execution Protection.
     
  2. Jenee

    Jenee Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    185
    Is the program gui.exe or egui.exe, as the ESS tray icon is run from egui.exe? Normally, if egui.exe is blocked then you wouldn't see the ESS tray icon.
     
  3. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    Jenee,

    The first one. The icon is in the tray with that prompt from windows saying "windows has blocked some programs from running". Then I just click on it. Don't know what the heck is going on. I hate this Vista, really. I am new to Vista and ESET. The computer store loaded the ESET on the puter when we bought it. They highly recommended it so we bought it right then and there and they loaded it onto the puter for us. So, I am trying to familiarize myself with both. :eek:

    I had XP and Trend Micro PCcillin for years and got used to them. When I finally mastered them, the puter crashed and the hard drive was beyond repair. :'(

    This new setup cost a fortune and I want to tread carefully and do everything within my power to do so correctly. That is why I am here picking your brains and begging for your wisdom and experiences. Truly appreciate all your help.

    Is there a Vista Premium Home forum here? I am having a big problem with installing the free MS stationery into my Windows Mail program that comes with it. Had no problem with the Outlook Express that came with the XP. o_O

    Again, thanks all. :) As you can see, I need lots of good advice. In over my head here learning about both ESET NOD32 & Vista Premium Home. :(

    "hello
    this could be caused by the data protection settings .
    right click my computer,properties,advanced,
    performance settings,data execution protection."

    Thank you, but I don't understand what you just wrote. Could you break it down and then tell me what to do when I get to "data execution protection", if I manage to get there, that is, please?
     
  4. flimbag

    flimbag Registered Member

    Joined:
    Mar 23, 2005
    Posts:
    48
    I had a recent Vundo variant infection. Nod32 didn't see it at all. BOClean stopped a part of it from running, and AVG Antispyware correctly identified it, claimed to be fixing it, but after I did a reboot, it was always there again. VundoFix, the recommended repair at that time, didn't even see the thing.

    Presumably what happens is that these are a collection of small programs, and in any variant, they might only change one or two or three. Your antimalware app might delete most of it, but the new bit just redownloads or reinstalls the stuff you've just deleted and you're back to square one.

    I eventually got rid of it by using a combination of Process Explorer and the video, Advanced Malware Cleaning, here: http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359. This was probably the most important part of the whole process, as it enabled me to understand what was going on, and to check with some high degree of reliability that the software actually was doing what it should have been doing.

    Alongside that, there were two other apps that played their part: the 30-day demo of Trojan Hunter, and the wonderful free version of SuperAntiSpyware. Both of these would detect a part of the malware, but not the whole lot; in combination, though, the two of them managed to clean the whole lot out. That said, it took about two days before I was completely clean, during which time the malware was being prevented from running, but it was still present on the machine. And there were a couple of updates during that period, so it may well be that one or other app had an update that detected my particular variant. Since then, I've noticed that SuperAntiSpyware adds a couple of new Vundo variants with every single update, so there has to be a lot of the things out there.

    Most important in all this, though, was learning how to use Process Explorer properly through the Sysinternals video. I can't recommend that highly enough. Also, BOClean always stopped the payload from actually executing, so props to that as well.
     
  5. Jenee

    Jenee Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    185
    I am surprised that you say NOD32 did not recognise Vundo, as ESS certainly recognised and quarantined some of the files in the system I had which was infected. The problem with Vundo is that it seems to be able to infect files that run at startup, and these are the ones that need to be removed.
    The best thing to do first is run a full scan with ESS and check the log files to see the names of the files that are infected and what they are infected with.
     
  6. Tonto

    Tonto Registered Member

    Joined:
    Dec 16, 2007
    Posts:
    21
    Location:
    Canada
    Hi newbie2247

    I read your thread with great interest. Was just wondering how you got along with your problem... situation. Would like to just throw it out there: my brother had a couple of versions of Vundo he picked up. The new version of Spybot S&D took care of them, no prob. The new version looks much improved, there seem to be a lot more updates lately, it is more visually pleasing, and it is freeware. Do you have SpywareBlaster installed also? It is freeware.

    I sympathize with your Vista situation...they are gonna have to tear my XP from my cold dead body.

    So how did you make out??
     
  7. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    Thanks for asking.

    I used the Symantec removal tool and as far as I know it removed it. But now I am reading here that it comes back and that it has variants and all sorts of scary stuff. What are the symptoms, and how do all these people know this stuff? I used a freebie on a lark and found it. Googled up a remover and, to the best of my knowledge, got rid of it.

    Recently I sent ESET a couple of those SYSINTERNAL thingamajigs they send you and want you to run and send back to them, and they said all is well.

    The other thing I did at the same time was use another freebie, which found a dialer. I used a freebie dialer remover but am not sure what the status is. ESET said I was clean, so I believe them. I just wish this stuff didn't slip through their protective walls, you know? Major bummer. :(

    Do I have to keep scanning with freebies? I know a lot of them give false positives to force you to buy their products and a lot of the honest freebies do not detect many things.

    Open to any and all recommendations, suggestions, ideas and so forth. Will be most appreciated. :)
     
  8. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,131
    You have to keep running different antivirus to get it. My wife's machine got it & it took me scans of NOD32, SuperAntiSpyware, Dr. Web's CureIt, F-Secure & Kaspersky. The best 2 that I feel finally got it were F-Secure & Kaspersky. It had buried itself in 2 cab temp files deep in the user folder of Windows & I had to manually delete it, then it was gone...
     