
VBS/Redlof virus?

Discussion in 'Virus & Other Malware Removal' started by digiangel, Sep 12, 2003.

  1. digiangel

    digiangel Thread Starter

    Joined:
    Aug 25, 2003
    Messages:
    51
    Okay, just two minutes before I woke up this morning I had a dream that my husband came in and told me that he got a memory error on the computer and he couldn't do anything else. Then two seconds later he came in and said, "Baby, you left the computer on last night." I was like, "Yeah, I'm sorry." He said it's detected a VIRUS.

    I had to laugh at that..

    Anyways, here is my virus's name: Redlof. Anyone know anything about it? It was sent to my vault, but I'm not sure if there is another problem. Here's my log if anyone wants to take a peek.


    Logfile of HijackThis v1.96.2
    Scan saved at 6:15:15 AM, on 12/09/2003
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\DOWNLO~1\AVGANI~1\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\downloads\avganitvirus\avgcc32.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\E-Color\True Internet Color\TICIcon.exe
    C:\downloads\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http:/www.yahoo.com"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\czxbl1g7.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5Cdownloads%5CNetscape6%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\czxbl1g7.slt\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\RunServices: [MS Config Loader] svchos1.exe
    O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/029f222d494d84fca921/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37708.1549768519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    First, you don't seem to be posting a complete log; there are running processes that aren't appearing in the startup section.

    I assume you have several items in the ignore list. Please open HJT & press Config, & Ignore List, then press Delete All and then do a new scan & post the log.

    You definitely still have at least one virus showing, but that one normally puts more than one entry.
     
  3. digiangel

    digiangel Thread Starter

    Joined:
    Aug 25, 2003
    Messages:
    51
    Thanks DVK. I'm at work at the moment, so I will post up my new log after 4:30pm EST.
     
  4. scoutt

    scoutt

    Joined:
    Sep 4, 2003
    Messages:
    63
  5. digiangel

    digiangel Thread Starter

    Joined:
    Aug 25, 2003
    Messages:
    51
    I checked my ignore list and there was nothing in it. Here is my log again.

    Logfile of HijackThis v1.96.2
    Scan saved at 6:13:05 PM, on 12/09/2003
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\DOWNLO~1\AVGANI~1\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\downloads\avganitvirus\avgcc32.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\E-Color\True Internet Color\TICIcon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\downloads\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http:/www.yahoo.com"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\czxbl1g7.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5Cdownloads%5CNetscape6%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\czxbl1g7.slt\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\RunServices: [MS Config Loader] svchos1.exe
    O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/029f222d494d84fca921/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37708.1549768519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    digiangel

    Make sure "show hidden files" is checked in Folder options > View

    Turn off System restore.

    Run HijackThis again and put a check by these. Close all browser windows and "Fix checked".

    O4 - HKLM\..\RunServices: [MS Config Loader] svchos1.exe

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/029f222d494d84...ip/RdxIE601.cab

    Restart your computer in safe mode: press F8 on startup and select Safe Mode from the boot menu.

    In safe mode, do a search for and delete the svchos1.exe file.

    Restart to normal and verify that this entry is gone:

    O4 - HKLM\..\RunServices: [MS Config Loader] svchos1.exe

    If it is, turn System Restore back on and create a restore point.

    See here http://us.mcafee.com/virusInfo/defa...virus_k=100587&affid=125#removal_instructions for further info on svchos1.exe.
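    The two kinds of entry Flrman1 singles out above, a RunServices image whose name is one character off a real Windows binary (svchos1.exe vs svchost.exe) and an ActiveX (O16 DPF) download served from a bare IP address, can be picked out of a HijackThis log mechanically. The following is an added example, not code from the thread or from HijackThis; the sample log is constructed from the entries posted above, and the parser only handles the O4 registry Run keys and O16 lines, not the other HJT sections.

```python
import re

# Constructed sample: the O4/O16 entries from the thread's log that Flrman1
# asked the poster to fix, plus two benign entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [MS Config Loader] svchos1.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/029f222d494d84fca921/netzip/RdxIE601.cab
"""

# Windows 2000 system binaries that malware commonly names itself after.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "smss.exe", "csrss.exe", "spoolsv.exe", "explorer.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def lookalike(exe):
    """Return the system binary `exe` imitates, or None.

    Only single-character substitutions at the same length are caught
    (svchos1.exe vs svchost.exe); insertions and deletions are not.
    """
    exe = exe.lower()
    if exe in SYSTEM_BINARIES:
        return None
    for real in SYSTEM_BINARIES:
        if len(real) == len(exe) and sum(a != b for a, b in zip(exe, real)) == 1:
            return real
    return None


def triage(log_text):
    """Return (line, reason) pairs for O4 registry Run entries whose image
    imitates a system binary and for O16 ActiveX downloads from a bare IP."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            cmd = m.group("cmd")
            # A quoted path may contain spaces; otherwise the first token is the image.
            exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
            exe = exe.rsplit("\\", 1)[-1]
            if real := lookalike(exe):
                findings.append((line, f"{exe} imitates system binary {real}"))
        elif (m := O16_RE.match(line)) and IP_HOST_RE.match(m.group("url")):
            findings.append((line, "ActiveX download served from a bare IP address"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

    Run against the constructed sample it reports exactly the two entries Flrman1 flagged and stays quiet on the legitimate mobsync.exe and apple.com lines.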
     
  7. digiangel

    digiangel Thread Starter

    Joined:
    Aug 25, 2003
    Messages:
    51
    Okay, I was able to fix the problems, but in my search for the file there is no svchos1.exe anywhere. I have all my hidden files turned on, and there is nothing in my System32 folder or in my regedit. In my config startup I do have the svchos1.exe that is disabled, but I am not able to delete it.

    I have deleted this file 3 times now.
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run HijackThis again and verify that
    O4 - HKLM\..\RunServices: [MS Config Loader] svchos1.exe
    is gone. If that entry has not returned, you are OK, I'd say.
     
  9. digiangel

    digiangel Thread Starter

    Joined:
    Aug 25, 2003
    Messages:
    51
    Oh, my bad, I didn't realize that you wanted me to re-run HJT. Doh. And by the look of things it's gone...

    Thankies


    Logfile of HijackThis v1.96.2
    Scan saved at 7:35:32 PM, on 12/09/2003
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\DOWNLO~1\AVGANI~1\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\downloads\avganitvirus\avgcc32.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\E-Color\True Internet Color\TICIcon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\downloads\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http:/www.yahoo.com"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\czxbl1g7.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5Cdownloads%5CNetscape6%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\czxbl1g7.slt\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37708.1549768519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Looks like you're finished. Good job! (y)

    Happy Surfing! :D
     