VBS/Redlof virus?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

digiangel

Thread Starter
Joined
Aug 25, 2003
Messages
51
Okay, just two minutes before I woke up this morning I had a dream that my husband came in and told me he got a memory error on the computer and he couldn't do anything else. Then two seconds later he came in and said, "Baby, you left the computer on last night." I was like, "Yeah, I'm sorry." He said it's detected a VIRUS.

I had to laugh at that..

Anyway, here is my virus's name: Redlof. Anyone know anything about it? It was sent to my vault, but I'm not sure if there is another problem. Here's my log if anyone wants to take a peek.


Logfile of HijackThis v1.96.2
Scan saved at 6:15:15 AM, on 12/09/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\DOWNLO~1\AVGANI~1\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\downloads\avganitvirus\avgcc32.exe
C:\WINNT\loadqm.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
N2 - Netscape 6: user_pref("browser.startup.homepage", "http:/www.yahoo.com"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\czxbl1g7.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5Cdownloads%5CNetscape6%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\czxbl1g7.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [MS Config Loader] svchos1.exe
O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/029f222d494d84fca921/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37708.1549768519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First, you don't seem to be posting a complete log; there are running processes that aren't appearing in the startup section.

I assume you have several items in the ignore list. Please open HJT, press Config, then Ignore List, then press Delete All, and then do a new scan and post the log.

You definitely still have at least one virus showing, but that one normally puts in more than one entry.
 

digiangel

Thread Starter
Joined
Aug 25, 2003
Messages
51
Thanks DVK. I'm at work at the moment, so I will post up my new log after 4:30 pm EST.
 

digiangel

Thread Starter
Joined
Aug 25, 2003
Messages
51
I checked my ignore list and there was nothing in it. Here is my log again.

Logfile of HijackThis v1.96.2
Scan saved at 6:13:05 PM, on 12/09/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\DOWNLO~1\AVGANI~1\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\downloads\avganitvirus\avgcc32.exe
C:\WINNT\loadqm.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
N2 - Netscape 6: user_pref("browser.startup.homepage", "http:/www.yahoo.com"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\czxbl1g7.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5Cdownloads%5CNetscape6%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\czxbl1g7.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [MS Config Loader] svchos1.exe
O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/029f222d494d84fca921/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37708.1549768519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
 
Joined
Jul 26, 2002
Messages
46,349
digiangel

Make sure "show hidden files" is checked in Folder Options > View.

Turn off System Restore.

Run HijackThis again and put a check by these. Close all browser windows and "Fix checked":

O4 - HKLM\..\RunServices: [MS Config Loader] svchos1.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/029f222d494d84...ip/RdxIE601.cab

Restart your computer in safe mode: press F8 on startup and select Safe Mode from the boot menu.

In safe mode, do a search for and delete the svchos1.exe file.

Restart to normal and verify that this entry is gone:

O4 - HKLM\..\RunServices: [MS Config Loader] svchos1.exe

If it is, turn System Restore back on and create a restore point.

See here http://us.mcafee.com/virusInfo/defa...virus_k=100587&affid=125#removal_instructions for further info on svchos1.exe
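The checks in the post above (spot the svchos1.exe lookalike in the O4 autorun section, fix the suspect O16 ActiveX download, then re-run HijackThis and confirm the entry is gone) can be scripted against the log text. The following is an added example written for this thread; it is not code from the thread, from HijackThis, or from McAfee. The CORE_NAMES list, the finding labels and the line regexes are this example's own assumptions, and the sample log lines are copied from the logs posted in the thread.

```python
"""Triage checks over HijackThis log lines (added example, not HijackThis code).

Flags:
  * O4 autorun entries whose executable name is one edit away from a core
    Windows process name (svchos1.exe vs. svchost.exe), and O4 entries that
    give a bare filename with no path (the loader resolves it via the search
    path, so the file can live anywhere);
  * O16 DPF (ActiveX download) entries served from a bare IP address;
and diffs the O4 section of two logs to confirm an entry is gone after
"Fix checked" and a reboot.
"""
import re

# Assumed list of core Windows process names that malware likes to imitate.
CORE_NAMES = ("svchost", "lsass", "csrss", "winlogon", "services",
              "explorer", "smss", "spoolsv")

# Covers the two O4 shapes seen in the thread: "[Name] command" and "x.lnk = path".
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>[^=]+?) = )(?P<cmd>.+)$")
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
EXE_RE = re.compile(r"([^\\/:\s]+?\.(?:exe|com|scr|bat|vbs))\b", re.IGNORECASE)
IP_URL_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_o4(line):
    """Return (kind, detail) findings for one O4 autorun line."""
    m = O4_RE.match(line)
    if not m:
        return []
    cmd = m.group("cmd")
    exe = EXE_RE.search(cmd)
    if not exe:
        return []
    exe_name = exe.group(1)
    stem = exe_name.rsplit(".", 1)[0].lower()
    findings = []
    if stem not in CORE_NAMES:
        for legit in CORE_NAMES:
            if edit_distance(stem, legit) == 1:
                findings.append(("lookalike", f"{exe_name} imitates {legit}.exe"))
                break
    # A bare filename means the loader searches the path for it. Legitimate
    # Windows entries do this too (mobsync.exe), so treat it as a weak hint.
    if "\\" not in cmd and ":" not in cmd:
        findings.append(("no_path", exe_name))
    return findings


def check_o16(line):
    """Return (kind, detail) findings for one O16 DPF line."""
    m = O16_RE.match(line)
    if m and IP_URL_RE.match(m.group("url")):
        return [("ip_host", m.group("url"))]
    return []


def triage(log_text):
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        findings.extend(check_o4(line))
        findings.extend(check_o16(line))
    return findings


def o4_entries(log_text):
    return {l.strip() for l in log_text.splitlines() if l.strip().startswith("O4 - ")}


def removed_o4(before_log, after_log):
    """O4 entries present before the fix and absent afterwards."""
    return o4_entries(before_log) - o4_entries(after_log)


def entry_gone(after_log, needle):
    """True when no O4 line in the post-fix log still mentions needle."""
    return not any(needle.lower() in e.lower() for e in o4_entries(after_log))


# Sample lines copied from the second and third logs posted in the thread.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [MS Config Loader] svchos1.exe
O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/029f222d494d84fca921/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37708.1549768519
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37708.1549768519
"""

if __name__ == "__main__":
    for kind, detail in triage(BEFORE_LOG):
        print(f"{kind:10} {detail}")
    print("removed:", removed_o4(BEFORE_LOG, AFTER_LOG))
    print("svchos1.exe gone:", entry_gone(AFTER_LOG, "svchos1.exe"))
```

Against the pre-fix log this reports the svchos1.exe lookalike, the two path-less autoruns (mobsync.exe is a legitimate Windows entry, which is why that check is only a hint) and the ActiveX control pulled from 207.188.7.150; against the post-fix log only the mobsync.exe hint remains, and the diff shows exactly the RunServices entry the helper asked to verify. The lookalike check is a name heuristic only; a file that really is named svchost.exe but lives outside System32 needs a path check, which a HijackThis log entry with a bare filename cannot give you.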
 

digiangel

Thread Starter
Joined
Aug 25, 2003
Messages
51
Okay, I was able to fix the problems, but in my search for the file there is no svchos1.exe anywhere. I have all my hidden files turned on, and there is nothing in my System32 folder or in my regedit. In my config startup I do have the svchos1.exe that is disabled, but I am not able to delete it.

I have deleted this file 3 times now.
 
Joined
Jul 26, 2002
Messages
46,349
Run HijackThis again and verify that
O4 - HKLM\..\RunServices: [MS Config Loader] svchos1.exe
is gone. If that entry has not returned, you are OK, I'd say.
 

digiangel

Thread Starter
Joined
Aug 25, 2003
Messages
51
Oh, my bad, I didn't realize that you wanted me to re-run HJT. Doh. And by the look of things it's gone...

Thankies


Logfile of HijackThis v1.96.2
Scan saved at 7:35:32 PM, on 12/09/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\DOWNLO~1\AVGANI~1\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\downloads\avganitvirus\avgcc32.exe
C:\WINNT\loadqm.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
N2 - Netscape 6: user_pref("browser.startup.homepage", "http:/www.yahoo.com"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\czxbl1g7.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5Cdownloads%5CNetscape6%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\czxbl1g7.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37708.1549768519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
 