
Sis helping brother: pls take a look at his

I have run Spybot, Ad-Aware and AVG. Attached is the HijackThis log file and the results of the AVG scan. Thanks. :)

Logfile of HijackThis v1.97.7
Scan saved at 11:12:47 AM, on 8/7/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\PROGRA~1\Adaptec1\EASYCD~1\CreateCD\createcd.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Emmon\Desktop\application\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.sg/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec1\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Short Message (HKLM)
O9 - Extra button: Instant Messenger (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: ICQ 4.1 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09EFE03D-D555-4484-92AA-22B27546188A}: NameServer = 192.169.34.181 203.120.90.40
O17 - HKLM\System\CS1\Services\Tcpip\..\{09EFE03D-D555-4484-92AA-22B27546188A}: NameServer = 192.169.34.181 203.120.90.40
Results of Complete Test, date and time 8/7/2004 10:51:33 :

Testing C:\ volume EMMON LUO serial 1F07-1D07
C:\WINDOWS\SYSTEM32\RUNDLL32.VBE Could be infected Startpage
C:\Program Files\Common Files\Microsoft Shared\MSINFO\INFO32.EXE repaired
C:\Program Files\Common Files\AOQUBAFU\RUTMCLTS\FAPLULNL.EXE repaired
C:\Program Files\Common Files\AOQUBAFU\apomerbotm\SCPNUM~1.EXE repaired
C:\Documents and Settings\EMMON\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\EMMON\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\EMMON\Local Settings\TEMP\ISTDNLD.EXE repaired
C:\Documents and Settings\EMMON\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\EMMON\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\My Documents\My Music\NIPPON\FOLDER.HTT Virus found VBS/Redlof
C:\My Documents\PERSONAL\FOLDER.HTT Virus found VBS/Redlof
C:\My Documents\PERSONAL\MADELINE\FOLDER.HTT Virus found VBS/Redlof
C:\My Documents\PERSONAL\MADELINE\PERSONAL\FOLDER.HTT Virus found VBS/Redlof
C:\My Documents\PERSONAL\CHINA\FOLDER.HTT Virus found VBS/Redlof

Test finished, duration 00:10:50.7 s
29461 objects tested, 10 found infected

Comments

  • Kwitko, Sheriff of Banning (Retired), Icrontian
    edited August 2004
    Welcome to Short-Media, flyaway. Boot into safe mode and remove the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    Nothing in there looks bad, besides the virus. I notice you're running Windows 2000 SP3. You should upgrade to SP4. Also, Redlof relies on an ActiveX exploit. If SP4 doesn't fix the exploit, find the patch at Microsoft. Finally, if you're still infected, follow these removal instructions.
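The reply above triages the log by eye: check the O17 DNS servers, look at what the Run keys launch, note which ActiveX controls (O16) came from where, and read the AVG verdicts. The script below is an added example, not code from the thread or from the HijackThis or AVG projects, that does the same first pass mechanically. The sample log lines are constructed copies of a few entries shown above; `allowed_dns` is a hypothetical operator-supplied list of resolvers that are known to be legitimate for that machine, and the script only reports what is on that list and what is not.

```python
import re
from collections import defaultdict

# Constructed sample input: a handful of lines in the shape of the HijackThis
# log and the AVG report posted in this thread (not the complete logs).
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.sg/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09EFE03D-D555-4484-92AA-22B27546188A}: NameServer = 192.169.34.181 203.120.90.40
"""

AVG_SAMPLE = r"""
C:\WINDOWS\SYSTEM32\RUNDLL32.VBE Could be infected Startpage
C:\Program Files\Common Files\AOQUBAFU\RUTMCLTS\FAPLULNL.EXE repaired
C:\Documents and Settings\EMMON\NTUSER.DAT Cannot open; not checked!
C:\My Documents\PERSONAL\FOLDER.HTT Virus found VBS/Redlof
C:\My Documents\PERSONAL\CHINA\FOLDER.HTT Virus found VBS/Redlof
"""

# Every HijackThis entry starts with a section code such as R0, O4 or O17.
HJT_LINE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(text):
    """Group HijackThis entries by their section code."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections


def name_servers(sections):
    """All DNS server addresses listed in O17 (TCP/IP NameServer) entries."""
    servers = set()
    for entry in sections.get("O17", []):
        m = re.search(r"NameServer = (.*)$", entry)
        if m:
            servers.update(m.group(1).split())
    return sorted(servers)


def unexpected_name_servers(sections, allowed):
    """O17 addresses that are not on the operator's allow-list (hypothetical input)."""
    return [ip for ip in name_servers(sections) if ip not in set(allowed)]


def run_entries_without_full_path(sections):
    """O4 Run entries whose command is a bare name rather than a full path.

    These are worth a second look because the file actually launched depends
    on search-order resolution, not on an explicit location on disk.
    """
    flagged = []
    for entry in sections.get("O4", []):
        m = re.match(r"(HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$", entry)
        if m:
            command = m.group(3).strip().strip('"')
            if not re.match(r"^[A-Za-z]:\\", command):
                flagged.append((m.group(2), command))
    return flagged


def dpf_hosts(sections):
    """Hosts that O16 (Download Program Files / ActiveX) controls were fetched from."""
    hosts = set()
    for entry in sections.get("O16", []):
        m = re.search(r"https?://([^/\s]+)", entry)
        if m:
            hosts.add(m.group(1).lower())
    return sorted(hosts)


# AVG result lines: "<path> <verdict>" with the verdicts seen in the report above.
AVG_LINE = re.compile(
    r"^(.*?) (Virus found (\S+)|Could be infected (\S+)|repaired|Cannot open; not checked!)$"
)


def parse_avg(text):
    """Bucket AVG result lines: detections by name, repaired files, unchecked files."""
    detections = defaultdict(list)
    repaired, unchecked = [], []
    for line in text.splitlines():
        m = AVG_LINE.match(line.strip())
        if not m:
            continue
        path, verdict, found, suspect = m.groups()
        if found:
            detections[found].append(path)
        elif suspect:
            detections["suspected:" + suspect].append(path)
        elif verdict == "repaired":
            repaired.append(path)
        else:
            unchecked.append(path)
    return {"detections": dict(detections), "repaired": repaired, "unchecked": unchecked}


def triage(hjt_text, avg_text, allowed_dns=()):
    """One-pass summary of the points a reviewer checks first."""
    sections = parse_hjt(hjt_text)
    return {
        "unexpected_dns": unexpected_name_servers(sections, allowed_dns),
        "bare_run_commands": run_entries_without_full_path(sections),
        "activex_hosts": dpf_hosts(sections),
        "avg": parse_avg(avg_text),
    }


if __name__ == "__main__":
    import json
    # Empty allow-list: every O17 resolver is reported for the reader to verify.
    print(json.dumps(triage(HJT_SAMPLE, AVG_SAMPLE, allowed_dns=[]), indent=2))
```

Files AVG reports as "Cannot open; not checked!" are listed separately on purpose: registry hives are locked while Windows is running, which is one reason the reply recommends booting into safe mode before cleaning up.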