Winfixer Traffic Explorer

Question

My latitude is infected by Winfixer Traffic explorer. None of the spyware detects them. From the forums I learned that there is no single solutions and is unique to the machines. Please help, given below is the Hijack this log Logfile of HijackThis v1.99.1 Scan saved at 7:09:02 AM, on 9/7/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\System32\1XConfig.exe C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe C:\PROGRA~1\CYBERG~1\cgasvc.exe C:\PROGRA~1\CYBERG~1\cgagent.exe c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files
etDeploy\Launcher
dserv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32
iSvcLoc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\RegSrvc.exe C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\Program Files\CyberArmor\casvc.exe C:\WINDOWS\system32
ipalsm.exe C:\WINDOWS\system32
ipalsm.exe C:\PROGRA~1\CYBERA~1\pcs.exe C:\WINDOWS\System32	askswitch.exe C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\pctspk.exe C:\Program Files\DELL\AccessDirect\dadapp.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\System32\DSentry.exe C:\PROGRA~1\CYBERG~1\cgahelp.exe C:\PROGRA~1\CYBERG~1\cgav.exe C:\PROGRA~1\CYBERA~1\pcshelp.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Superior View\Change Proxy Settings\Change Proxy Settings.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\PROGRA~1\CYBERG~1\cgahelp.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\CYBERA~1\pcshelp.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Cursors\logvb.dll O2 - BHO: dataPower PPTFly Plugin Class - {C6D75153-D615-4CEB-860C-40D11EC04BCC} - C:\Program Files\ids\plugin\dataPower\IEPlugin\Program\PPTFly.dll (file missing) O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32	askswitch.exe O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [CgaHelper] C:\PROGRA~1\CYBERG~1\cgahelp.exe -check O4 - HKLM\..\Run: [CgaViewer] C:\PROGRA~1\CYBERG~1\cgav.exe -check O4 - HKLM\..\Run: [CyberArmorHelper] C:\PROGRA~1\CYBERA~1\pcshelp.exe -check O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [gcasServ] 'C:\Program Files\Microsoft AntiSpyware\gcasServ.exe' O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: Change Proxy Settings.lnk = C:\Program Files\Superior View\Change Proxy Settings\Change Proxy Settings.exe O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O20 - AppInit_DLLs: cahooknt.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: logvb - C:\WINDOWS\Cursors\logvb.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe O23 - Service: CyberGatekeeper Agent (CGAgent) - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: DistRestart - Unknown owner - C:\WINDOWS\srvany.exe O23 - Service: ndserv - Open Software Associates Ltd. - C:\Program Files
etDeploy\Launcher
dserv.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: PsShutdown (PsShutdownSvc) - Unknown owner - C:\WINDOWS\System32\PSSDNSVC.EXE O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe' -service (file missing) O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

RKinner · Answer

The following lines are from the WinFixer Bug.
Unfortunately you can't just check them and Fix Checked. They will just come back with new names.

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Cursors\logvb.dll
O20 - Winlogon Notify: logvb - C:\WINDOWS\Cursors\logvb.dll

I have two fixes:

http://www.bleepingcomputer.com/forums/How-to-remove-the-TrojanVundoB-Search42com-MSevents-t18610.html

IF the above line wraps and doesn't work use: http://tinyurl.com/7n5f8

and

http://tinyurl.com/72khc (See Rawe's procedure in Post#2)

The first is rather complex but is pretty certain to succeed and I presume it is safe. Haven't used it but
usually bleepingcomputer is very good.

The second is the standard procedure I have been using and is a bit simpler. It has worked about 10 times with no problems but 1 user reported
he had to reload windows after use, another had some odd problems and one said it didn't do anything.
The text file with it says you have to have internet access when you run it. It might work better in Safe Mode with Networking.

In either case you will need to adjust the procedure for your particular infection. By that I mean you will need to note the lines
I gave you above and substitute them for the lines he tells you to check.

XP only:

Make sure before you do anything that your System Restore is working and that you have a recent Restore Point.
That way if something goes wrong you have a chance to recover.
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx

Let me know which method you used and how it worked for you.

Ron

RKinner · Answer

IF you rightclick on it and select Open With Notepad it will show you:

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]

The - sign after the initial "[" just indicates a removal so it is just removing each of the keys listed.

Glad it fixed your problem.

Ron

Make sure you have System Restore running (toggle it off and On today to get rid of any bad stuff it may have retained) and then you can just go back to an earlier time if you hit a bad site. One way to make this more obvious is to check everything in your current HijackThis and Add to Ignore List then set up Hijackthis to run at boot and to show you if it finds anything new.

http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx

To avoid going to a bad site you might want to install IE-SpyAd and SpywareBlaster and make the other changes recommended at:.
http://www.mvps.org/winhelp2002/restricted.htm
I used to recommend Spybot's Immunize system but have recently learned it is not as good as the one at:
http://www.mvps.org/winhelp2002/hosts.htm

Never hurts to do one of the free on line scans from Panda or Trend. They take a while but are pretty good.
www.pandasoftware.com/activescan/activescan.asp?
http://housecall.trendmicro.com/
In addition to Microsoft AntiSpy
http://www.microsoft.com/athome/security/downloads/default.mspx
I like to run Spybot S&D.
http://www.safer-networking.org/en/download/index.html
Also like to run AdAware once in a while.
http://www.lavasoftusa.com/software/adaware/

vinnis · Answer

Out of curiosity, what does the registry fix (fixvundo.reg) do in my machine.   Thanks, Vinnis

RKinner · Answer

The second option has been replaced today by a new program.   See:   http://www.atribune.org/forums/index.php?showtopic=447&hl=killvundo   The paths the program asks you for would be:   C:\WINDOWS\Cursors\logvb.dll and   C:\WINDOWS\Cursors\bvgol.*   This one now automatically checks and Fix Checkeds the entries in HijackTHis for you.   Ron

vinnis · Answer

Hi Ron, I used the first method and it just worked fine. I was desparate to get rid of them. Now I see very less hard disk and network activity on my machine.   Thanks you have a nice day. Vinnis

vinnis · Answer

Thanks Ron, Vinnis

Virus & Spyware

Was this post helpful?