Another victim?

Discussion in 'adware, spyware & hijack cleaning' started by Fraha, Jun 23, 2004.

Thread Status:
Not open for further replies.
  1. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Here's the log from the PC of a friend.
    Can somebody have a look and advise, please?

    Thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 19:19:12, on 23-6-2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\wrrudvs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\System32\gnmodbo.exe
    C:\ht\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vinden.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [Microsoft Update] gnmodbo.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] gnmodbo.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)


    Regards

    Frans
     
  2. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Fraha,

    First bring up TaskManager (ctrl+alt+del keys) and end the running process for wrrudvs.exe and gnmodbo.exe, then close TaskManager.

    Could you navigate to the C:\Windows\System32 folder and find the wrrudvs.exe and gnmodbo.exe files, zip up a copy of them (password protect the zipped file and use the word infected as the password) and email the zipped copy of the files to pieterATwilderssecurity.org (replace the AT with an @ ) for analysis. In the body of the email message, state that the password is "infected" and include a link to this thread, so Pieter will be able to find it easily.

    *to add: When you locate the above two files, rename them to wrrudvs.exe.bak and gnmodbo.exe.bak.

    Then download Stinger and run it according to its directions (make sure you turn off any other antivirus first).

    After running Stinger, rescan with Hijackthis and place a check in the box beside the following items.
    Close all windows except HijackThis, and click *Fix checked:

    (if you did not set this as your Start Page yourself, then fix it too)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vinden.nl/

    (these two may be gone after running Stinger)
    O4 - HKLM\..\Run: [Microsoft Update] gnmodbo.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] gnmodbo.exe

    ___

    Then go to Microsoft's Update Site and download and install ALL Critical Updates listed for XP and IE6.


    Next, followup with a scan from Spybot S&D and AdAware6.

    Download Spybot Search&Destroy, install, and bring it up-to-date by pressing the "OnLine" button, then the "Search for Updates" button.

    1. Put a check inside the items listed for download and install them.
    2. Then click on "Check for Problems". Have Spybot remove all that it lists in RED.
    3. Once Spybot S&D is finished removing the items, close the program and restart your computer.

    Download Ad-Aware6, install, and bring it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file.

    Follow these instructions for setting up Ad-Aware for a full scan:
    How To Perform a "Full Scan" with Ad-Aware6.

    Post a new Hijackthis log along with the scan results of Stinger, so we can check it.

    Regards,

    snap
     
    Last edited: Jun 23, 2004
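The triage in the reply above comes down to a few checks on the posted log: an O4 Run/RunServices entry that names a bare file with no path, a RunServices key (a Windows 9x/ME key that nothing on XP should use), a "Microsoft"-sounding label pointing at an unknown binary, and processes running out of System32 that are not known system files. The script below is an added example that runs those checks over a HijackThis-style log; it is not HijackThis code and not anything posted in the thread. `SAMPLE_LOG` is constructed from lines in the first post, and `KNOWN_GOOD_SYSTEM32` is an assumed minimal allowlist for illustration, not an authoritative one.

```python
"""Triage a HijackThis-style log: flag autorun entries and running processes
that deserve a closer look, along the lines of the reply in the thread.

Added example, not HijackThis code and not anything posted in the thread.
SAMPLE_LOG is constructed from the first post; KNOWN_GOOD_SYSTEM32 is an
assumed minimal allowlist, not an authoritative one.
"""
import re

# Assumption: XP system binaries that legitimately run from System32.
KNOWN_GOOD_SYSTEM32 = {
    "smss.exe", "winlogon.exe", "services.exe", "svchost.exe",
    "spoolsv.exe", "ctfmon.exe", "lsass.exe", "csrss.exe",
}

# Constructed sample: a subset of the log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\wrrudvs.exe
C:\WINDOWS\System32\gnmodbo.exe
C:\ht\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vinden.nl/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Microsoft Update] gnmodbo.exe
O4 - HKLM\..\RunServices: [Microsoft Update] gnmodbo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""

O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")


def parse_log(text):
    """Return (process_paths, o4_entries); o4_entries are (key, label, command)."""
    procs, o4, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs and re.match(r"^[A-Za-z]:\\", line):
            procs.append(line)
            continue
        in_procs = False  # first non-path line ends the process block
        m = O4_RE.match(line)
        if m:
            o4.append(m.groups())
    return procs, o4


def exe_from_command(command):
    """Executable part of a Run-key command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(text):
    """Map lowercase executable name -> list of reasons it was flagged."""
    procs, o4 = parse_log(text)
    findings = {}

    def flag(name, reason):
        findings.setdefault(name.lower(), []).append(reason)

    for key, label, command in o4:
        exe = exe_from_command(command)
        base = exe.rsplit("\\", 1)[-1]
        # A bare filename is resolved via the search path at logon;
        # installers of legitimate software write the full path.
        if "\\" not in exe and not exe.startswith("%"):
            flag(base, key + ": bare filename, no path")
        # RunServices is a Win9x/ME key; nothing on XP should register there.
        if "RunServices" in key:
            flag(base, key + ": RunServices key on NT-family Windows")
        # A Microsoft-sounding label pointing outside the Windows directory.
        if "microsoft" in label.lower() and not exe.lower().startswith(
                ("c:\\windows", "%systemroot%")):
            flag(base, key + ": label '" + label + "' does not match binary location")

    for path in procs:
        folder, _, base = path.rpartition("\\")
        if folder.lower().endswith("\\system32") and base.lower() not in KNOWN_GOOD_SYSTEM32:
            flag(base, "running from System32 but not on the known-good list")

    return findings


if __name__ == "__main__":
    for name, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(name)
        for r in reasons:
            print("   -", r)
```

On the sample the script flags only gnmodbo.exe (bare filename, RunServices key, Microsoft label mismatch, unknown System32 process) and wrrudvs.exe (unknown System32 process); the Symantec, Messenger, ctfmon and dumprep entries pass. The allowlist approach is deliberately conservative: an unknown name in System32 is a reason to look, which is exactly the "zip it up with password infected and send it for analysis" step in the reply, not proof of infection on its own.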