Removing VBS Redlof and Trojan.Startpage - Computers - Nairaland


Removing VBS Redlof and Trojan.Startpage by lordimpaq(m): 1:16pm On Jul 28, 2005
Xoftspy doesn't work. Neither does Norton 2005, nor AVG or Avast. They keep popping up and they slow my system down.

Help!
Re: Removing VBS Redlof and Trojan.Startpage by joftech(m): 2:29pm On Jul 28, 2005
Redlof is a stupid virus.

It replicates itself in almost all the folders on the infected PC, and this makes opening folders a little slower. It was written in VBScript, and some parts of the code refer to Microsoft; I think this was a ploy to make it seem like a legitimate file from MS.

The virus has these files: folder.htt and desktop.ini.

The only way I managed to eradicate it from my network was by using AntiVir. You can download it from www.free-av.com; it's free.

Then update it; if you don't, it will not detect Redlof. Once you are through scanning a system, you must do the same for all the systems on your network if you have one. I am sure other systems will be infected too.
Re: Removing VBS Redlof and Trojan.Startpage by lordimpaq(m): 3:17pm On Jul 28, 2005
Thanks, joftech.
Re: Removing VBS Redlof and Trojan.Startpage by Hunter(m): 7:55am On Jul 29, 2005
Also try running your anti-virus in Safe Mode, because a lot of processes don't start in Safe Mode.
Re: Removing VBS Redlof and Trojan.Startpage by joftech(m): 8:02am On Jul 29, 2005
Hunter:

Also try running your anti-virus in Safe Mode, because a lot of processes don't start in Safe Mode.

I am not sure that will fix the problem. If the virus process is not running, how is the antivirus going to find and remove the virus? It can only remove files that match the virus's signature. But I think it makes more sense to run the antivirus in normal mode.
Re: Removing VBS Redlof and Trojan.Startpage by Weymola(m): 11:05am On Jul 29, 2005
joftech:

Also try running your anti-virus in Safe Mode, because a lot of processes don't start in Safe Mode.

I am not sure that will fix the problem. If the virus process is not running, how is the antivirus going to find and remove the virus? It can only remove files that match the virus's signature. But I think it makes more sense to run the antivirus in normal mode.

joftech,

I have to agree with Hidden Hunter: it is better to run antivirus scans in Safe Mode where applicable. There are agreed steps one can take to ensure that any infected PC can be cleaned with the least amount of effort, and running scans in Safe Mode is one of them. The reason for this is to stop the code in question from auto-starting as Windows starts. These apps tend to run processes that can be very difficult to end, as they just reproduce themselves.

Normally the applications come onto a PC disguised as something else, then run on the PC as processes that only a keen eye can spot. So when removing these programs one needs to ensure that you remove both the installed process and the initial disguised downloaded payload.

In my experience the best way to deal with this type of problem is to first of all research the virus and obtain its name, then download, if possible, a good cleaning tool written specifically for it, e.g. Stinger. Or download good antivirus software (I use Trend Micro and AVG) and its associated updates and install them all. Then disable System Restore if applicable, and delete any temporary files or cached Internet Explorer files. Next, boot into Safe Mode and run a scan of your PC.

When this process does not work, then you know you're in for a bit of a battle. I personally am always prepared for these types of battle and have bootable CDs that contain the tools I need to clean an infected PC without having to install them on the infected PC itself.

Here's some info from Trend Micro on how to remove the VBS_REDLOF virus mentioned in this thread.

MANUAL REMOVAL INSTRUCTIONS

Removing Autostart Entries from the Registry
Removing autostart entries from registry prevents the malware from executing during startup.
1. Open Registry Editor. Click Start>Run, type REGEDIT then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. In the right panel, locate and delete the entry:
Kernel32="%System%\Kernel.dll"
or
Kernel32="%System%\Kernel32.dll"
*Where %System% refers to the System folder, which is usually C:\Windows\System (Windows 9x and ME), or C:\WINNT\System32 (Windows NT and 2000), and C:\Windows\System32 (Windows XP).
4. Close the Registry Editor.

Addressing Registry Shell Spawning

Registry shell spawning executes the malware when a user tries to run a DLL file. The following procedures should restore the registry to its original state:
1. Open Registry Editor. Click Start>Run, type REGEDIT.EXE then press Enter.
2. In the left panel, double-click the following:
HKEY_CLASSES_ROOT\dllfile\shell\open
3. Still in the left panel, select the "open" key by right-clicking its folder icon. Select the Delete command from the pop-up menu.
4. Repeat steps 2 and 3 for the following registry key folders:
HKEY_CLASSES_ROOT\dllfile\ScriptEngine
HKEY_CLASSES_ROOT\dllfile\shellex
HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode
5. Close the Registry Editor.

Restoring the Deleted System File

To enable your system to function properly, restore the file
%System%\Kernel32.dll
using your original Windows installation CD or from a reliable backup source.
Applying Patches
The malware runs on infected systems with an unpatched Microsoft VM ActiveX component vulnerability. Visit the Microsoft Security Bulletin (MS00-075) for patch links and more information on this vulnerability.

Well, I hope this helps.


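The Trend Micro removal steps quoted above can be turned into a read-only audit before anyone opens REGEDIT. The script below is an added example, not code from the thread or from Trend Micro: it reports the Kernel32 Run entry and the dllfile shell-spawn keys the instructions say to delete, and leaves the deletion to the manual steps. It assumes the Redlof Run value is named exactly "Kernel32", that a clean system has none of the four dllfile subkeys listed, and, as a heuristic, treats any Run entry that launches a .dll directly as suspicious, since that only works once the shell-spawn hijack is in place. The classification is pure Python so it can be exercised on constructed entries on any system; the live registry reads need Windows.

```python
import ntpath
import sys

try:
    import winreg          # Windows only; the classification below is pure Python
except ImportError:        # so it runs (and can be tested) on any system
    winreg = None

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Keys the removal steps say to delete under HKEY_CLASSES_ROOT.
# Assumption: none of them exist on a clean system, because DLLs are not
# meant to be shell-executable; their presence is the shell-spawn hijack.
DLLFILE_SHELL_SPAWN = (
    r"dllfile\shell\open",
    r"dllfile\ScriptEngine",
    r"dllfile\shellex",
    r"dllfile\ScriptHostEncode",
)


def command_target(value):
    """Executable part of a Run command line: the quoted path, or the text up to the first space."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split()[0] if v else ""


def suspicious_run_entry(name, value):
    """Reason string if a Run value matches the Redlof autostart (or a DLL launch), else None."""
    target = command_target(value)
    base = ntpath.basename(target).lower()      # ntpath: value is a Windows path even on Linux
    if name.lower() == "kernel32" and base in ("kernel.dll", "kernel32.dll"):
        return "Redlof autostart entry %s=%s" % (name, value)
    if base.endswith(".dll"):
        # Heuristic: launching a DLL directly needs the dllfile shell-spawn hijack.
        return "Run entry %s launches a DLL directly: %s" % (name, value)
    return None


def audit_run_entries(entries):
    """Findings for an iterable of (name, value) Run entries."""
    return [r for r in (suspicious_run_entry(n, v) for n, v in entries) if r]


def audit_dllfile(present_keys):
    """Findings for the set of dllfile subkeys that exist under HKEY_CLASSES_ROOT."""
    return ["shell-spawn key present: HKEY_CLASSES_ROOT\\%s" % k
            for k in DLLFILE_SHELL_SPAWN if k in present_keys]


def live_run_entries():
    """(name, value) pairs from the HKLM and HKCU Run keys (Windows only)."""
    out = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _kind = winreg.EnumValue(key, i)
                except OSError:          # no more values
                    break
                out.append((name, str(value)))
                i += 1
    return out


def live_dllfile_keys():
    """Subset of DLLFILE_SHELL_SPAWN that exists under HKEY_CLASSES_ROOT (Windows only)."""
    present = set()
    for sub in DLLFILE_SHELL_SPAWN:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, sub))
            present.add(sub)
        except OSError:
            pass
    return present


if __name__ == "__main__":
    if winreg is None:
        sys.exit("this audit reads the Windows registry; run it on the infected PC")
    findings = audit_run_entries(live_run_entries()) + audit_dllfile(live_dllfile_keys())
    for line in findings:
        print(line)
    print("no Redlof persistence found" if not findings
          else "%d finding(s): remove them in REGEDIT as described, then reboot and rescan" % len(findings))
```

Run it before and after the manual registry edits: a clean result after the reboot is the check that the autostart entry did not come back, which is the "root cause not eliminated" situation described later in the thread.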
Re: Removing VBS Redlof and Trojan.Startpage by joftech(m): 11:42am On Jul 29, 2005
I normally use HijackThis to remove programs that I don't want to start at system startup, and I normally use PrcView (www.prcview.com) to terminate these unwanted processes. The fun of having to deal with them this way is just too great, and that way I also get to know their mode of operation.

I have used the method in my earlier post to remove that same virus several times and it worked smoothly.
Re: Removing VBS Redlof and Trojan.Startpage by Weymola(m): 12:11pm On Jul 29, 2005
joftech,

HijackThis is a great utility that I carry as part of my arsenal of tools also, and agreed, it is great for viewing and stopping processes, but I think Autoruns by Sysinternals is even better; I suggest you download a copy for your collection. I have never used PrcView, so I will have a look at it.

The only issue I have with these types of applications is that in resolving a virus problem you may stop the process but not the root cause, which these applications cannot identify. Some viruses I have dealt with render the PC useless, such that you can't connect to the web to update antivirus signatures, and you can't run any executables either, and so you're stuck. I have had bad instances where the virus was removed but resurfaced hours later, due to the root cause not being eliminated completely.

From your post it appears you have the time to deal with these types of problems. I run an IT services business and our customers pay us by the hour to resolve their IT woes. So if I can remove a virus in, say, 1-2 hrs or less, then I stand a good chance of repeat business. So speed is very important; there is no time to play with these problems, as the clock is ticking.
Re: Removing VBS Redlof and Trojan.Startpage by Niggy(m): 1:24pm On Jul 29, 2005
You can easily edit the programs that start up with Windows by doing this:
Go to START--> RUN:
Then type

msconfig

Go through the tabs and remove programs you don't want to start up with Windows.

Then reboot, I mean restart, by doing

shutdown -r

or

shutdown -r -t (to specify any time)

I've not had anything to do with this Redlof thing since I switched to Linux Fedora Core 4. lol
Re: Removing VBS Redlof and Trojan.Startpage by Hunter(m): 2:07pm On Jul 29, 2005
Problem is, Niggy, there are many ways to hide programs from showing up in msconfig (there are even a few good reasons why you would want to do this as well).
Re: Removing VBS Redlof and Trojan.Startpage by Weymola(m): 2:39pm On Jul 29, 2005
I agree with Hidden Hunter; msconfig does give you access to autostart entries as listed in the registry or under other users' profiles. HijackThis and Autoruns allow access to this information as well as other useful bits, like browser settings, for example.
Re: Removing VBS Redlof and Trojan.Startpage by Chxta(m): 6:43pm On Jul 29, 2005
Another thread gone off-topic because Nairaland has too many good computer men...
Re: Removing VBS Redlof and Trojan.Startpage by lordimpaq(m): 10:48am On Jul 30, 2005
Chxta:

Another thread gone off-topic because Nairaland has too many good computer men...

Yeah, right... I don't even know which one to choose, and it's still killing my system... I'd rather switch to Linux...
Re: Removing VBS Redlof and Trojan.Startpage by Niggy(m): 9:42am On Aug 01, 2005
@lordimpaq, welcome to the 'Heaven' of open source!!! The angels are rejoicing!
Re: Removing VBS Redlof and Trojan.Startpage by morpheous: 6:50am On Dec 27, 2005
Guys, I felt that to remove Redlof I needed to download a number of antivirus kits, including AV, AVG, Avast and Solo too.
But then sometimes it's easier to try the simple ways.
I went to Folder Options and unhid the system files, and in the search mode of Windows Explorer searched for all the .htt and .ini files and deleted them (desktop.ini & folder.htt).
Although not all the files were deleted; those which relented, I deleted with the "V" explorer.
Regards.
Now please tell me the best free server-based AV kit.

morpheous
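joftech's description of Redlof scattering folder.htt and desktop.ini into every folder, and morpheous's clean-up of searching for .htt and .ini files and deleting them, both come down to a tree scan. The script below is an added example, not from either post: it walks a directory tree, flags a folder.htt only when it carries a VBScript block (the thread says the worm is written in VBScript; Windows' own Web View templates use JScript, so plain folder.htt/desktop.ini pairs are not deleted on sight), flags the companion desktop.ini only when it points Explorer at that folder.htt through a PersistMoniker line, and clears the read-only attribute before deleting, which is one reason files "won't delete". The VBScript and PersistMoniker markers are assumptions, not signatures from the thread; the sample tree in build_sample_tree is constructed for the demo.

```python
import os
import re
import shutil
import stat
import sys
import tempfile

# Assumption: an infected folder.htt contains a VBScript block, unlike the
# JScript-based folder.htt templates Windows itself ships for Web View.
VBSCRIPT_RE = re.compile(r"<script[^>]*\bvbscript\b", re.I)
# Assumption: the companion desktop.ini tells Explorer to render folder.htt.
PERSIST_RE = re.compile(r"^\s*PersistMoniker\s*=\s*file://folder\.htt\s*$", re.I | re.M)


def read_text(path):
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return fh.read()


def classify_folder(dirpath, filenames):
    """[(path, reason)] for Redlof artefacts directly inside dirpath (case-insensitive names)."""
    by_lower = {f.lower(): os.path.join(dirpath, f) for f in filenames}
    htt = by_lower.get("folder.htt")
    ini = by_lower.get("desktop.ini")
    hits = []
    if htt and VBSCRIPT_RE.search(read_text(htt)):
        hits.append((htt, "folder.htt contains a VBScript block"))
        if ini and PERSIST_RE.search(read_text(ini)):
            hits.append((ini, "desktop.ini loads the infected folder.htt"))
    return hits


def scan_tree(root):
    """Walk root (hidden/system files included, os.walk does not skip them) and collect hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(classify_folder(dirpath, files))
    return hits


def delete_hits(hits):
    """Clear the read-only attribute, then delete; returns paths that still could not be removed."""
    failed = []
    for path, _reason in hits:
        try:
            os.chmod(path, stat.S_IWRITE)
            os.remove(path)
        except OSError:
            failed.append(path)
    return failed


def build_sample_tree(root):
    """Constructed sample input: one infected folder and one legitimately customised folder."""
    infected = os.path.join(root, "docs")
    legit = os.path.join(root, "pics")
    os.makedirs(infected)
    os.makedirs(legit)
    with open(os.path.join(infected, "folder.htt"), "w") as fh:
        fh.write("<html><script language=\"VBScript\">\n' payload would be here\n</script></html>\n")
    with open(os.path.join(infected, "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nPersistMoniker=file://Folder.htt\n")
    with open(os.path.join(legit, "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=C:\\Windows\\system32\\shell32.dll,3\n")


def demo():
    """Scan and clean the sample tree; returns (hits found, files left) as root-relative paths."""
    root = tempfile.mkdtemp(prefix="redlof-")
    try:
        build_sample_tree(root)
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        hits = scan_tree(root)
        found = sorted((rel(p), reason) for p, reason in hits)
        delete_hits(hits)
        left = sorted(rel(os.path.join(d, f)) for d, _, fs in os.walk(root) for f in fs)
        return found, left
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(demo())                      # no path given: run on the constructed sample
        sys.exit(0)
    hits = scan_tree(sys.argv[1])
    for path, reason in hits:
        print("%s: %s" % (path, reason))
    if "--delete" in sys.argv[2:]:
        for path in delete_hits(hits):
            print("could not delete (locked or in use?): %s" % path)
```

Usage on the infected machine is `python redlof_scan.py C:\ ` to list, then `--delete` once the list looks right. A file that still fails to delete after the read-only bit is cleared is usually held open by the running process, which is where the Safe Mode advice earlier in the thread comes in.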
