virtumondo adware - does this info help?

Steve

Hi, I appreciate the help I've been getting here from
Alan, Engel, and others who post solutions. Thank you.

Here are MSAS scan logs regarding what I think is
a "virtumondo" adware trojan thing. It apparently creates
pop-up ads. It's annoying.

Previously:

Winfixer Potentially Unwanted Software more information...
Details: Winfixer is known to be installed through
inappropriate bundling and without users consent. It is a
software that scans the users system for damaged files
and attempts to fix it if the user pays a fee.
Status: Removed
High threat - High-risk items have a large potential for
harm, such as loss of computer control, and should be
removed unless knowingly installed.

Infected files detected
c:\documents and settings\steve story\local settings\temp\winfixer2005setup.exe

c:\windows\system32\drivers\df_kmd.sys

c:\program files\winfixer 2005\lock.dat

c:\documents and settings\steve story\local settings\temp\icd1.tmp\uwas5lp_0001_0811netinstaller.exe

c:\documents and settings\steve story\local settings\temp\icd2.tmp\uwa5plp_0001_0721netinstaller.exe

c:\documents and settings\steve story\local settings\temp\ni.uwfx5\setup.exe

c:\program files\common files\winsoftware\pcheck.dll

c:\windows\downloaded program files\uwa5plp_0001_0721netinstaller.exe

c:\windows\downloaded program files\uwas5lp_0001_0811netinstaller.exe

c:\windows\downloaded program files\uwfx5netinstaller.exe

c:\windows\downloaded program files\conflict.1\uwas5lp_0001_0811netinstaller.exe

Infected folders detected
c:\program files\winfixer 2005


Detected Spyware Cookies
No spyware cookies were found during this scan.

****** Ok, I ran Ad-Aware, MSAS, EZVirus, Spybot S&D and
now winfixer seems to be gone. I also ran System Cleaner
to remove and clean old files.

My last scan during MNF. :)

Spyware Scan Details
Start Date: 9/26/2005 8:10:45 PM
End Date: 9/26/2005 8:16:03 PM
Total Time: 5 mins 18 secs

Detected Threats

Virtumondo Adware more information...
Status: Quarantined
High threat - High-risk items have a large potential for
harm, such as loss of computer control, and should be
removed unless knowingly installed.

Infected registry keys/values detected
HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 C:\WINDOWS\system32\ddccy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 ThreadingModel apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\ProgID MSEvents.MSEvents.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\TypeLib {BAD59A24-6891-417D-A041-C8FD495B77F1}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\VersionIndependentProgID MSEvents.MSEvents

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} MSEvents Object

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} AppID

HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 C:\WINDOWS\system32\ddccy.dll

HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 ThreadingModel apartment

HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\ProgID MSEvents.MSEvents.1

HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\TypeLib {BAD59A24-6891-417D-A041-C8FD495B77F1}

HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\VersionIndependentProgID MSEvents.MSEvents

HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} MSEvents Object

HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} AppID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}


Detected Spyware Cookies
No spyware cookies were found during this scan.

****Ok. Alan gave instructions on how to remove this. I just
want to make sure these are the files I should be looking
for, or are there more? Also, what's an "HKEY", what does
it do, and why can't one simply go somewhere on the
computer and delete them?

Thanks again, and thanks for your patience. Steve
 
AndyManchesta

You really should consider posting a Hijack This log at a
support forum such as Spywareinfo, Tomcoyote,
atribune.org/forums, geekstogo.com/forum,
forums.net-integration.net etc. and receive help in removing
this infection.

I've not been following this thread or the link you have
been asked to visit, but I can clearly see MSAS is missing
some of the entries. It's not removing the Trojan file or
the BHO & Winlogon/Notify key that is calling it.

Here's a fix working off the log you posted (I assume
this will be similar to the link with Vundo removal
instructions).

Download Hijack This

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Save it to your desktop or C drive and extract the files.

Make a copy of these instructions so you have them handy,
as most steps need to be done in safe mode with IE
closed.

Save the VundoFix tool to your desktop:

www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files.

This will create a folder named VundoFix on your desktop.

After the files are extracted, please reboot your
computer into Safe Mode (**Required Step**).

Reboot and keep tapping F8, then choose Safe Mode from the
list.

Once in safe mode, open the VundoFix folder and
double-click on KillVundo.bat
----------------------------------------------------------
If you have problems finding VundoFix in safe mode, go
about it this way:

After booting in "safe mode", push these three keys at
the same time:

<Ctrl><Alt><Del>

The task manager appears on the screen.
Click on the Applications tab, then click New task.
Then click on Browse.
"Browse" your system to the KillVundo.bat file in the
VundoFix folder, then click OK. If you downloaded it to
your desktop, it should be in this folder:
C:\Documents and Settings\<your profile>\Desktop
----------------------------------------------------------

You will first be presented with a message and a list of
forums to seek help at, as listed at the top of this page.

At this point press enter one time.

Next you will see:

----------------------------------------------------------
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue
with the fix
----------------------------------------------------------

At this point please type the following file path (make
sure to enter it exactly as below!):

C:\WINDOWS\system32\ddccy.dll

Press Enter, then press the F6 key, then press Enter one
more time to continue with the fix.

Next you will see:

----------------------------------------------------------
Please type in the second filepath as instructed by the
forum staff
Then Press Enter, Then F6, Then Enter Again to continue
with the fix.
----------------------------------------------------------

At this point please type the following file path (make
sure to enter it exactly as below!):

C:\WINDOWS\system32\yccdd.*

Press Enter, then press the F6 key, then press Enter one
more time to continue with the fix.

The fix will run then HijackThis will open.

In HijackThis, please place a check next to the following
items:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddccy.dll

O20 - Winlogon Notify: ddccy - C:\WINDOWS\SYSTEM32\ddccy.dll

With the above checked, press FIX CHECKED.

After you have fixed these items, close HijackThis and
press any key to force a reboot of your computer.

Pressing any key will cause a "Blue Screen of Death"; this
is normal, do not worry!

Once your machine reboots, continue with the instructions
below.

Please run this online virus scan:

ActiveScan

http://www.pandasoftware.com/products/activescan.htm

That should then be fixed, but let us know if you have
problems and if so post the vundofix.txt from the
VundoFix folder and a Hijack This log.

(If Panda detects Vundo in System Volume Information, then
flush System Restore.)

Clear System Restore: first, create a new restore point.

Go to Start Menu > Run and copy & paste this in:

%SystemRoot%\System32\restore\rstrui.exe

Press Enter, choose Create a restore point and Next,
name it and press Create.

Next, clear the infected restore points.

Go to Start Menu > Run and type

cleanmgr

Press Enter, go to the "More Options" tab and press Clean
up in the System Restore area to remove all the restore
points except the one we just created.

All The Best :)

Andy
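As an added example (not from this thread, nor from HijackThis or VundoFix), the following script parses HijackThis O2 and O20 lines like the two in the fix above and flags any DLL registered both as a BHO and as a Winlogon Notify package, which is the pairing Andy says MSAS missed; it also derives the reversed-name companion (yccdd.* for ddccy.dll) that the fix removes. The sample log lines are constructed, with the benign entries using placeholder names and a placeholder GUID.

```python
import re

# Constructed sample HijackThis lines, modelled on the O2/O20 entries quoted in this thread.
# The first BHO and the second Notify entry are benign placeholders (constructed names and GUID).
SAMPLE_LOG = r"""
O2 - BHO: PDF Helper (constructed) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\pdfhelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddccy.dll
O20 - Winlogon Notify: ddccy - C:\WINDOWS\SYSTEM32\ddccy.dll
O20 - Winlogon Notify: exnotify - C:\WINDOWS\system32\exnotify.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

def basename(path):  # case-folded file name; HJT may list system32 DLLs by name only
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_hjt(log):
    """Return (bho_entries, notify_entries) parsed from HijackThis O2 and O20 lines."""
    bhos, notify = [], []
    for raw in log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notify.append(m.groupdict())
    return bhos, notify

def find_vundo_pattern(log):
    """Flag DLLs registered both as a BHO (O2) and as a Winlogon Notify package (O20); that
    double registration (IE injection plus reload at logon) is the pattern in this thread."""
    bhos, notify = parse_hjt(log)
    bho_by_file = {basename(b["path"]): b for b in bhos}
    notify_by_file = {basename(n["path"]): n for n in notify}
    findings = []
    for dll in sorted(bho_by_file.keys() & notify_by_file.keys()):
        stem = dll.rsplit(".", 1)[0]
        findings.append({
            "dll": dll,
            "clsid": bho_by_file[dll]["clsid"],        # the O2 entry to fix in HJT
            "notify_key": notify_by_file[dll]["key"],  # the O20 entry to fix in HJT
            # the fix in this thread also removes the DLL name reversed (yccdd.* for ddccy.dll)
            "companion": stem[::-1] + ".*",
        })
    return findings
```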
 
CynthiaB

I don't know about the others here, but I use a utility called SPYWARE
BLASTER which nips these things in the bud. I also have windows popup
feature turned OFF (using administrative tools).
I take things to a web site called SHIELDS UP and come up STEALTH every time
http://grc.com/default.htm

You might try that and see what's open and what vulnerabilities you have.
It's enlightening!
Cynthia
 
Steve

Ok. I took all the advice I got from the nice people here
and went to atribune.org/forums and posted a HijackThis
scan log. The instructions seemed a bit intimidating,
however, it REALLY wasn't that bad. First you register,
then download HijackThis, VundoFix and CleanUp40.

You do a clean up first, then do a HijackThis scan. You
post your log and a pro simply says do this exactly ...
down to the keystroke. I had a small problem, for which
I reposted a scan and was told exactly what to do.
Voila, no virtumondo or winfixer .... I hope. They also
gave me a list of recommendations to help prevent this
stuff from happening again.

I did this stuff in "safe mode". I now do all my
virus/spyware scans this way. It's easy once you
learn how. Heck, it's easy to learn. Anyway, I cleaned
again and ran an MSAS scan and got:

Spyware Scan Details
Start Date: 9/27/2005 6:51:30 PM
End Date: 9/27/2005 7:21:13 PM
Total Time: 29 mins 43 secs

Detected Threats
No spyware threats were found during this scan.
Personally, I am grateful to MSAS for identifying the
problem and for the help I received here! Thanks much
guys ... and gal. :) Steve
 
Jim Byrd

Hi Steve - Glad you got it cleaned up. I don't know what preventive
measures they gave you, but you might also want to take a look at those I've
outlined at the end of my Blog, addy in Signature below, in case they're
different. :)
 
AndyManchesta

Hey Steve

It's great news you got this solved so fast. I'm also
pleased I was right about MSAS missing the file, BHO
entry and Winlogon/Notify key :)

The BHO entries you removed on that forum were related to
Microsoft Money & Adobe, but with the files being missing
it's good advice to remove them to clean up.

Here's the post for anyone that's interested in the fix
and recommendations:

http://www.atribune.org/forums/index.php?showtopic=589
 
Steve

You were right and the advice you gave was perfect. I
wonder why MSAS missed the files? Anyway, I now have
MSAS, Ad-Aware SE, SpywareBlaster, Spybot S&D, System
Cleaner, Cleanup!, HijackThis, and VundoFix. Sheesh.

I do feel a lot more protected now, mostly because I am
getting more educated, in large part thanks to fine people
like you and the others on this forum. Thanks again, Steve
 
AndyManchesta

No Problem

I'm glad to be able to help out, and really it was a lucky
guess as I didn't see a hijack log first, which should have
been the first step. The MSAS log made it easier by
making a reference to the system32 file but didn't detect
the file as a problem, so I just used that info and put it
in a canned speech for Vundo, which is the same used on
most Hijack This forums as it's proven to work well.

You have a great selection of tools and removers now, so
you shouldn't get malware problems on your system again,
especially if you use Spybot's Immunize and SpywareBlaster's
protection and keep them and MSAS updated.

All the best

Andy
 