Steve
Hi, I appreciate the help I've been getting here from
Alan, Engel, and others who post solutions. Thank you.
Here are MSAS scan logs regarding what I think is
a "virtumondo" adware trojan thing. It apparently creates
pop-up ads. It's annoying.
Previously:
Winfixer Potentially Unwanted Software more information...
Details: Winfixer is known to be installed through inappropriate bundling and without users consent. It is a software that scans the users system for damaged files and attempts to fix it if the user pays a fee.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected files detected
c:\documents and settings\steve story\local settings\temp\winfixer2005setup.exe
c:\windows\system32\drivers\df_kmd.sys
c:\program files\winfixer 2005\lock.dat
c:\documents and settings\steve story\local settings\temp\icd1.tmp\uwas5lp_0001_0811netinstaller.exe
c:\documents and settings\steve story\local settings\temp\icd2.tmp\uwa5plp_0001_0721netinstaller.exe
c:\documents and settings\steve story\local settings\temp\ni.uwfx5\setup.exe
c:\program files\common files\winsoftware\pcheck.dll
c:\windows\downloaded program files\uwa5plp_0001_0721netinstaller.exe
c:\windows\downloaded program files\uwas5lp_0001_0811netinstaller.exe
c:\windows\downloaded program files\uwfx5netinstaller.exe
c:\windows\downloaded program files\conflict.1\uwas5lp_0001_0811netinstaller.exe
Infected folders detected
c:\program files\winfixer 2005
Detected Spyware Cookies
No spyware cookies were found during this scan.
****** Ok, I ran Ad-Aware, MSAS, EZVirus, Spybot S&D and now winfixer seems to be gone. I also ran System Cleaner to remove and clean old files.
My last scan during MNF.
Spyware Scan Details
Start Date: 9/26/2005 8:10:45 PM
End Date: 9/26/2005 8:16:03 PM
Total Time: 5 mins 18 secs
Detected Threats
Virtumondo Adware more information...
Status: Quarantined
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected registry keys/values detected
HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 C:\WINDOWS\system32\ddccy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 ThreadingModel apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\ProgID MSEvents.MSEvents.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\TypeLib {BAD59A24-6891-417D-A041-C8FD495B77F1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\VersionIndependentProgID MSEvents.MSEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} MSEvents Object
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} AppID
HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 C:\WINDOWS\system32\ddccy.dll
HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 ThreadingModel apartment
HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\ProgID MSEvents.MSEvents.1
HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\TypeLib {BAD59A24-6891-417D-A041-C8FD495B77F1}
HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\VersionIndependentProgID MSEvents.MSEvents
HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} MSEvents Object
HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
Detected Spyware Cookies
No spyware cookies were found during this scan.
****Ok. Alan gave instructions on how to remove this. I just want to make sure these are the files I should be looking for, or are there more? Also, what's an "HKEY", what does it do, and why can't one simply go somewhere on the computer and delete them?
Thanks again, and thanks for your patience. Steve
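The HKEY_* entries in Steve's log are Windows registry keys, not files on disk, which is why there is no folder to browse to and delete; the CLSID entries register a COM object whose InprocServer32 value names the DLL Windows loads for it (C:\WINDOWS\system32\ddccy.dll in this log). The following is an added example, not part of the post or of MSAS, that parses a constructed excerpt of this log format and reports which DLL the detected CLSID loads and whether that DLL appears in the infected-files section (the section headings and the "key [subkey] [data]" line layout are assumed from the log as pasted).

```python
import re
# Constructed sample: an excerpt of the post's MSAS log with wrapped lines re-joined.
SAMPLE_LOG = r"""
Infected files detected
c:\documents and settings\steve story\local settings\temp\winfixer2005setup.exe
Infected registry keys/values detected
HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 C:\WINDOWS\system32\ddccy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\ProgID MSEvents.MSEvents.1
HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 C:\WINDOWS\system32\ddccy.dll
HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} MSEvents Object
"""

SECTIONS = ("Infected files detected", "Infected folders detected",
            "Infected registry keys/values detected", "Detected Spyware Cookies")
# A key path ending in a CLSID, then an optional subkey and optional value text.
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(\w+))?(?:\s+(.+))?$")

def parse_scan_log(text):
    """Split the log into {section heading: [entry lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line in SECTIONS:
            current = line
            sections[line] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def com_objects(registry_lines):
    """Group registry entries by CLSID: {clsid: [(subkey or '(default)', data)]}."""
    objs = {}
    for line in registry_lines:
        m = CLSID_RE.search(line)
        if m:
            objs.setdefault(m.group(1).upper(), []).append((m.group(2) or "(default)", m.group(3) or ""))
    return objs

def inproc_dlls(objs):
    """The DLL Windows loads for each CLSID, taken from its InprocServer32 default value."""
    return {clsid: {data.lower() for subkey, data in entries
                    if subkey.lower() == "inprocserver32" and data.lower().endswith(".dll")}
            for clsid, entries in objs.items()}

def unlisted_payloads(sections):
    """DLLs that the detected CLSIDs load but the infected-files section does not list."""
    listed = {p.lower() for p in sections.get("Infected files detected", [])}
    dlls = inproc_dlls(com_objects(sections.get("Infected registry keys/values detected", [])))
    return {d for paths in dlls.values() for d in paths if d not in listed}
```

On the post's own log the result is that ddccy.dll shows up only through the registry entries, never in a file list, so a cleanup that removes the CLSID keys but leaves the DLL on disk (or the reverse) is incomplete.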