My 2nd post here :D
I am operating a Dell laptop, running Windows 7 Premium 64-bit, 4GB DDR3 RAM, ATI Radeon Mobility 5470HD graphics adaptor. Anti-virus was avast, but is now Windows Security Essentials (explained below).
1> I was downloading Everest Ultimate Edition as my graphics card driver was crashing frequently. When I selected install, I was asked for administrator approval (which I gave). The installation never began (there was a pause in the computer's performance for about 3 seconds; it froze), and my avast (free edition) detected a virus "win32:vundo-ju" and immediately quarantined it (obviously, the download was a total scam). That looked good, so I began a full system scan. Soon there was an avast prompt about blocking a "malicious site". This prompt came every 10 mins or so, so I knew the virus had done its job. I deleted the installation file.
2> I let the avast scan run. Meanwhile, I disconnected from the internet and began to fish around my disks. All seemed normal, other than C:\Windows\
The reason why I went to this drive was that when the malicious site prompt came, it was originating from an executable in that directory. Obviously, that executable was nowhere to be found. But there were a lot of folders that were definitely not supposed to be there. It just so happens that my hard disk was changed on the 4th of May due to hardware issues. But in the directory, there were files and folders supposedly created in 2009 (this laptop wasn't even in production at the time; it was purchased from Dell in May '10). The folders have the oddest names, like "Globalization" and "SysWOW64". There are many more such files. I tried to delete them, but most of them requested the permission of "TrustedInstaller" (a few did get deleted; important point: the malicious site attempts stopped soon after I deleted the few folders of 2009 that did get deleted). I went into folder properties > Security; here under "Group or user names", two new entries were there, "TrustedInstaller" and "CREATOR OWNER" (!!). This is the same place where other users like "System", "Everyone" and "Administrators" are present; these are the old ones. I know they (TrustedInstaller and CREATOR OWNER) are new, as when I got my laptop back from repair I had fiddled with permissions over here, and these entries were definitely not there. So, meanwhile avast finished with an all clear. So I know avast is not good enough.
3> I googled the virus and got some info on the Windows knowledge base. I also found 2 sites offering a clean-up, http://vundofix.atribune.org/ and Dr.Web. After thorough background checks, I opted to run Vundofix first. Scan finished, nothing detected. Then I decided to follow Dr.Web. They asked me to download a "Cure it" program from them which scans and removes malicious software. I went into safe mode and ran the scan (as was asked), but Vundo was not detected (it detected the FileCroc p2p installation as a trojan, which I think was incorrect, as that installation had installed FileCroc, which ran well until I deleted it; I let it remove it; it seemed a good scan and ran for 6 hrs). Then I got back into normal functioning and decided I had had enough of avast. Microsoft Security Essentials seemed promising, so I downloaded it (did I mention no more malicious threats, but the funny files/folders in the Windows folder are still there and still want that permission of "TrustedInstaller"). Downloaded MS Security Essentials, uninstalled avast, installed MS Security Essentials, updated it and ran its full scan. It is still going on; I am betting nothing will be detected (it is done with the C drive).
4> Now I am not sure whether the virus is still there. I am guessing that when it was there, it did the damage, changed a few things here and there, and is now gone, leaving its leftovers behind. Also, in Windows Credential Manager, under Generic Credentials, there was a username (something like sa23jaskJ, you know, just gibberish, and its password) for "virtualapp/didlogical". Google again tells me I must remove it, so I did so (the "Remove from vault" option just below the id/password).
Now I have been as thorough as possible and informed you regarding everything I have tried (read: experimented). I believe I am not supposed to run any scan yet, so I have not. This is my 2nd post (the first being an intro), so I apologise if I have made any mistake.
A last bit: my desktop-based Windows Live Mail is no longer able to connect to the email client (gmail). It says "Your IMAP command could not be sent to the server due to non-network issues. This could, for example, indicate a lack of memory on your system". There are plenty of GB free on all drives, and I even deleted a few mails, but to no avail. I am not sure if it is related, but I felt I should let you know.
Screenshot of c:\Windows http://www.flickr.com/photos/9630791@N03/5754391289/in/photostream
The malicious site warning by avast http://www.flickr.com/photos/9630791@N03/5754936858/in/photostream
Expectantly awaiting thy command
Thanks for taking the time out
Edited by DELTA33582, 24 May 2011 - 08:36 AM.
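Added example, not part of the post above and not code from avast, Dr.Web or Microsoft: a PowerShell triage of the top-level folders under C:\Windows that the poster describes. On 64-bit Windows 7, folders such as SysWOW64 and Globalization ship with the operating system and are owned by NT SERVICE\TrustedInstaller, and Windows setup keeps the timestamps of the installation media, so neither an unfamiliar name nor a 2009 creation date is evidence on its own. What does discriminate is the combination of an owner other than TrustedInstaller/SYSTEM/Administrators, writes after the incident date, and unsigned binaries. The script below lists those properties per folder and flags anything that fails the checks; the -Since date and the "elevated PowerShell 2.0 on the affected machine" setting are assumptions.

```powershell
# Added example (editor's code, not from the original post or from any product named in it).
# Assumptions: run in an elevated PowerShell 2.0+ session on the affected Windows 7 x64
# machine; -Since is a placeholder for the day of the incident.

function Get-WindowsFolderTriage {
    param(
        [string]$Root = 'C:\Windows',
        [datetime]$Since = (Get-Date '2011-05-20'),   # assumed incident date
        [switch]$CheckSignatures
    )
    # Owners that are normal for folders under C:\Windows on Windows 7.
    $expectedOwners = @('NT SERVICE\TrustedInstaller', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

    # -Directory is PowerShell 3.0+; filter on PSIsContainer so this also runs on 2.0.
    Get-ChildItem -Path $Root -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $dir = $_
        try   { $owner = (Get-Acl -Path $dir.FullName).Owner }
        catch { $owner = '<access denied>' }

        $flags = @()
        if ($expectedOwners -notcontains $owner) { $flags += 'unexpected-owner' }
        if ($dir.CreationTime  -ge $Since)       { $flags += 'created-since-incident' }
        if ($dir.LastWriteTime -ge $Since)       { $flags += 'written-since-incident' }

        if ($CheckSignatures) {
            # Top-level .exe/.dll only. Caveat: on Windows 7 with PowerShell 2.0 to 4.0,
            # catalog-signed system files report NotSigned (catalog support arrived in
            # PowerShell 5.1), so treat this count as a lead to inspect, not as proof.
            $unsigned = 0
            Get-ChildItem -Path $dir.FullName -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll)$' } |
                ForEach-Object {
                    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                    if ($sig.Status -ne 'Valid') { $unsigned++ }
                }
            if ($unsigned -gt 0) { $flags += "unsigned-binaries:$unsigned" }
        }

        New-Object PSObject -Property @{
            Name      = $dir.Name
            Owner     = $owner
            Created   = $dir.CreationTime
            LastWrite = $dir.LastWriteTime
            Flags     = ($flags -join ',')
        }
    }
}

# Usage: full listing sorted by most recent write, then only the flagged folders.
Get-WindowsFolderTriage -CheckSignatures |
    Sort-Object LastWrite -Descending |
    Format-Table Name, Owner, Created, LastWrite, Flags -AutoSize

Get-WindowsFolderTriage | Where-Object { $_.Flags } |
    Format-Table Name, Owner, Flags -AutoSize
```

A folder that shows TrustedInstaller as owner, an old creation date and no writes since the incident is behaving exactly like a Windows component; the ones worth opening in a file-level scan are those that carry any flag. Deleting folders that only fail the "unfamiliar name" test, as the post describes, removes operating-system files rather than the dropped executable the avast alert pointed at.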