Another victim?

Discussion in 'adware, spyware & hijack cleaning' started by Fraha, Jun 23, 2004.

Thread Status:
Not open for further replies.
  1. Fraha

    Fraha Registered Member

    Feb 3, 2003
    The Hague - Netherlands
    Here's the log from the PC of a friend.
    Can somebody have a look and advise, please?


    Logfile of HijackThis v1.97.7
    Scan saved at 19:19:12, on 23-6-2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Outlook Express\msimn.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [Microsoft Update] gnmodbo.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] gnmodbo.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)


  2. snapdragin

    snapdragin Administrator

    Feb 16, 2002
    Southern Ont., Canada
    Hi Fraha,

    First bring up TaskManager (ctrl+alt+del keys) and end the running process for wrrudvs.exe and gnmodbo.exe, then close TaskManager.

    Could you navigate to the C:\Windows\System32 folder and find the wrrudvs.exe and gnmodbo.exe files, zip up a copy of them (password protect the zipped file and use the word infected as the password) and email the zipped copy of the files to (replace the AT with an @ ) for analysis. In the body of the email message, state that the password is "infected" and include a link to this thread, so Pieter will be able to find it easily.

    *to add: When you locate the above two files, rename them to wrrudvs.exe.bak and gnmodbo.exe.bak.

    Then download Stinger and run it according to its directions (make sure you turn off any other antivirus first).

    After running Stinger, rescan with HijackThis and place a check in the box beside the following items.
    Close all windows except HijackThis, and click Fix checked:

    (if you did not set this as your Start Page yourself, then fix it too)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    (these two may be gone after running Stinger)
    O4 - HKLM\..\Run: [Microsoft Update] gnmodbo.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] gnmodbo.exe


    Then go to Microsoft's Update Site and download and install ALL Critical Updates listed for XP and IE6.

    Next, follow up with a scan from Spybot S&D and AdAware6.

    Download Spybot Search&Destroy, install, and bring it up-to-date by pressing the "OnLine" button, then the "Search for Updates" button.

    1. Put a check inside the items listed for download and install them.
    2. Then click on "Check for Problems". Have Spybot remove all that it lists in RED.
    3. Once Spybot S&D is finished removing the items, close the program and restart your computer.

    Download Ad-Aware6, install, and bring it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file.

    Follow these instructions for setting up Ad-Aware for a full scan:
    How To Perform a "Full Scan" with Ad-Aware6.

    Post a new Hijackthis log along with the scan results of Stinger, so we can check it.


    Last edited: Jun 23, 2004
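
As an added example (not part of the thread and not HijackThis's own code): a small Python parser for the registry-based O4 autostart lines of a HijackThis log that lists entries whose command has no directory component, which is the case for the two gnmodbo.exe entries marked for fixing above. The "no path" heuristic is this example's assumption, used as a triage cue rather than a verdict; the sample lines are copied from the log posted in this thread.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Microsoft Update] gnmodbo.exe
O4 - HKLM\..\RunServices: [Microsoft Update] gnmodbo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""

# Registry autorun form: O4 - <hive>\..\<key>: [<value name>] <command>
O4_REG = re.compile(
    r"^\s*O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+?)\s*$")
# Assumption of this example: extensions treated as the end of the program name.
EXE_END = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)

def parse_o4(log_text):
    """Return one dict (key, name, cmd) per registry-based O4 line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_REG.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def executable_of(cmd):
    """Extract the program part of a command line, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = EXE_END.match(cmd)          # unquoted path that may contain spaces
    return m.group(1) if m else cmd.split(" ", 1)[0]

def pathless_autoruns(log_text):
    """List autoruns whose program is a bare file name (no directory)."""
    flagged = []
    for e in parse_o4(log_text):
        exe = executable_of(e["cmd"])
        if "\\" not in exe and "/" not in exe:
            flagged.append((e["key"], e["name"], exe))
    return flagged

if __name__ == "__main__":
    for key, name, exe in pathless_autoruns(SAMPLE_LOG):
        print(f"review: {key} [{name}] -> {exe}")
```
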