BleepingComputer.com: Expected win32:vundo-ju

Hi,

My 2nd post here :D

I am operating a Dell laptop, running Windows 7 Premium 64bit, 4GB DDR3 RAM, ATI Radeon Mobility 5470HD graphics adaptor. Anti-virus was avast, but is now Windows Security Essentials (explained below).

1> I was downloading Everest Ultimate Edition as my graphics card driver was crashing frequently. When selected to install, I was asked for administrator approval (which I gave). The installation never began (there was a pause in computers performance for about 3 seconds, it froze), and my avast (free edition) detected a virus "win32:vundo-ju", and immediately quarantined it (obviously, the download was a total scam). Looked good, I began a full system scan. Soon there was a avast prompt of blocking a "malicious site". This prompt came every 10 mins or so, so I knew the virus had done its job. I deleted the installation file.

2> I let the avast scan run. Meanwhile, I disconnected from the internet and began to fish around my disks. All seemed normal, other than C:\Windows\
The resown why I went to this drive was that when the malicious site prompt came, it was originating from an executable from that directory. Obviously, that executable was nowhere to be found. But there were a lot of folders that were definitely not supposed to be there. It just so happens, my hard-disk was changed on the 4th of May due to hardware issues. But in the directory, there were files and folders supposedly formed in 2009 (this laptop wasn't even in production at the time, it was purchased from Dell May'10). The folders have the oddest names like "Globalization" and "SysWOW64". There are many more such files. I tried to delete them, but most of them requested the permission of "TrustedInstaller" (a few did get deleted, important point-> the malicious site attempts stopped soon after I deleted the few folders of 2009 that did get deleted). I went into folder properties>Security, here under "Group or user names", two new entries were there, "TrustedInstaller", and "CREATOR OWNER" (!!). This is the same place where other users like "System", "Everyone" "Administrators" are present, these are the old ones. I know they (TrustedInstaller and CREATOR OWNER) are new, as when I got my laptop from repair I had fiddled with permissions over here, and these entries were definitely not there. So, meanwhile avast finished with an all clear. So I know avast is not good enough.


3> I googled for the virus, got some info on windows knowledge base. I also found 2 sites offering a clean-up http://vundofix.atribune.org/ and Dr.Web. After thorough background checks, I opted to run Vundofix first. Scan finish, nothing detected. Then I decided to follow Dr.Web. They asked me to download a "Cure it" program from them which scans and removes malicious software. I went into safe mode and ran the scan (as was asked), but Vundo was not detected (it detected FileCroc p2p installation as a trojan which I think was incorrect as that installation had installed filecroc which ran well until I deleted it, and I let it remove it, it seemed a good scan, ran for 6 hrs). Then I got back into normal functioning and decided I had enough of avast. Microsoft Security Essentials seemed promising, so I downloaded it (did I mention no more malicious threats, but the Windows folders funny files/folder still are there and still want that permission of "TrustedInstaller"). Downloaded MS Security Essential, uninstalled avast, installed MS Sec. Essen., updated it and ran its full scan. It still is going on I am betting nothing will be detected (it is done with C drive).


4> Now I am not sure whether the virus is still there. I am guessing that when it was there, it did the damage, changed a few things here and there, and is now gone leaving its leftovers behind. Also, in Windows Credential Manager, under Generic Credentials, there was a username (something like sa23jaskJ, you know just gibberish and its password), for "virtualapp/didlogical". Google again tells me I must remove it, so I do so ("Remove from vault option" just below the id/password).


Now I have been as thorough as possible, informed you regarding everything I have tried (read experimented). I believe I am not supposed to run any scan yet, so I have not. This is my 2nd post (first being intro), so I apologise if I have made any mistake.

A last bit, my desktop based Windows Live Mail is no more being able to connect to the email client (gmail). It says "Your IMAP command could not be sent to the server due to non-network issues. This could, for example, indicate a lack of memory on your system". There is plenty a GB free on all drives, I even deleted a few mails, but to no avail. I am not sure if it is related, but I felt I should let you know.

Attached:
Screenshot of c:\Windows http://www.flickr.com/photos/9630791@N03/5754391289/in/photostream
The malicious site warning by avast http://www.flickr.com/photos/9630791@N03/5754936858/in/photostream
Expectantly awaiting thy command

Thanks for taking the time out

Cheers
D

This post has been edited by DELTA33582: 24 May 2011 - 08:36 AM

bump


Edit:
I forgot to mention, MS Essential gave the comp a clean chit. Downloaded and running Immunet 5.0 (its scan ran for a good 24 hrs, though I admit I had to pause it a few times, needed to get work done, and it was heavy on the resources). Immunet got a virus out (Mozilla Thunderbird installation, got to be a negative), but thats it.

So I am sure the virus is out, but the changes it did are yet to be undone.

This post has been edited by DELTA33582: 28 May 2011 - 08:29 PM

bump

Hello and to BleepingComputer.

Let's see what we're dealing with here.

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4

• Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running. This is because some anti-malware software mistakenly detects RKill as malicious. Please refer to this page if you are not sure how to disable your security software.
  
• Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  
• A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  
• If nothing happens or if the tool does not run, please let me know in your next reply

***************************************************

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link

IMPORTANT!!! - when you save the file, rename it to something random, such as bubbles.exe This must be done before beginning the download!

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

~Blade


In your next reply, please include the following:
Malwarebytes Log

Hey Blade,

Thanks for your help mate. It just so happens that my OS went out of control (the GUI turned all Windows-98'ish, lots of errors), so I went ahead with a clean installation after backing important stuff on another machine. So the delay in getting back to you.

Real sorry for the bother, much appreciated though

Thanks again,
Cheers
Devvrat

Not a problem.

~Blade