Virus question

Anon

New Member
Ok...I was surfing the net and Norton popped up that it found HTML.Redlof.A and when it couldn't fix it, denied access to it. So, I run the scan, Norton sees the virus, I tell it to delete and it seems to have done it, but when I minimize the repair wizard, it said my computer isn't free of viruses and when I opened the log viewer, it says delete failed. But now when I run the system scan, it doesn't detect the virus, so is the virus gone or no? :confused:

Thanks
 

Professur

Well-Known Member
Did you reboot anywhere in there? Usually when an AV quarantines a file, it moves it to a restricted folder. Look for the quarantine folder, and you'll probably find it there. But since it's in quarantine, the scan won't show it, because it knows that everything in there is infected and excludes it.
 

Professur

Well-Known Member
Odd. Have you checked on Norton's site to see exactly what they have to say about that virus?

Are you sure it was local? It might have caught it incoming, and not been able to delete it from the remote location. Where were you when you got the popup?
 

Professur

Well-Known Member
OK, No. 3 of the first section, it describes the changes the virus would make to your registry. Nip in and see if yours has those changes. If not, you're clear. I think you will be. I think you caught it coming in, and blocked it. I'd clear my buffers and cookies, though, just in case it's sitting in a saved page.
 

Anon

New Member
Are those the files on the right corner when I open the registry editor? If they are, I found these:

(Not sure how to check this one)

HKEY_CLASSES_ROOT\dllFile

the virus changes these subkeys:

DefaultIcon

is changed to the same value as the value of the DefaultIcon subkey that is under the registry key

(These two didn't have the subkey thing that I could see)

HKEY_CLASSES_ROOT\vxdfile

It adds the subkey ScriptEngine

and changes its value to

VBScript

It adds the subkey ScriptHostEncode

and changes its value to

{85131631-480C-11D2-B1F9-00C04F86C324}

P.S.: I'm really quite illiterate when it comes to stuff like this.
 

Professur

Well-Known Member
A simple way is to click on edit, find in the regedit.

Search for "ScriptHostEncode" and compare the values. That'll be the dead giveaway.
 

Anon

New Member
Ok...from what I get from this

In the registry key

HKEY_CLASSES_ROOT\dllFile

the virus changes these subkeys:

DefaultIcon

is changed to the same value as the value of the DefaultIcon subkey that is under the registry key

HKEY_CLASSES_ROOT\vxdfile

It adds the subkey ScriptEngine

and changes its value to

VBScript

It adds the subkey ScriptHostEncode

and changes its value to

{85131631-480C-11D2-B1F9-00C04F86C324}

Does that mean that only that one key would have changed, and have ScriptEngine and ScriptHostEncode added in? If that is the case, I don't see either of those under dllFile. But the ScriptHostEncode under my VBScript does match that value though?
 
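The registry indicators quoted above can be checked without hand-browsing regedit. The following read-only PowerShell script is an added example, not something posted in the thread; it only reads the keys named in the write-up (HKEY_CLASSES_ROOT\dllFile and vxdfile) and reports which of the listed changes are present. It checks only the dllFile copies, because the same ScriptHostEncode GUID can legitimately exist elsewhere in HKEY_CLASSES_ROOT (for example under a script engine's own key), so a match there alone is not evidence of infection.

```powershell
# Added example: read-only check for the HTML.Redlof.A registry indicators
# quoted in the thread. Nothing is modified; cleanup still follows the vendor
# write-up and a registry backup, as advised in the replies above.
$ErrorActionPreference = 'SilentlyContinue'

function Get-DefaultValue {
    param([string]$KeyPath)
    # HKCR is not a PSDrive by default, so go through the Registry:: provider.
    $key = Get-Item -LiteralPath "Registry::$KeyPath"
    if ($null -eq $key) { return $null }
    return $key.GetValue('')          # '' reads the key's "(Default)" value
}

# GUID quoted in the thread from the write-up (Redlof's ScriptHostEncode value).
$redlofClsid = '{85131631-480C-11D2-B1F9-00C04F86C324}'
$findings = @()

# 1. dllFile\ScriptEngine does not exist on a clean system; Redlof adds it as "VBScript".
$scriptEngine = Get-DefaultValue 'HKEY_CLASSES_ROOT\dllFile\ScriptEngine'
if ($null -ne $scriptEngine) {
    $findings += "dllFile\ScriptEngine present, value '$scriptEngine' (Redlof sets 'VBScript')"
}

# 2. dllFile\ScriptHostEncode does not exist on a clean system; Redlof adds it with the GUID above.
$hostEncode = Get-DefaultValue 'HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode'
if ($null -ne $hostEncode) {
    $note = if ($hostEncode -eq $redlofClsid) { 'matches the Redlof value' } else { 'unexpected value' }
    $findings += "dllFile\ScriptHostEncode present, value '$hostEncode' ($note)"
}

# 3. Redlof copies vxdfile's DefaultIcon onto dllFile; on a clean system they differ.
$dllIcon = Get-DefaultValue 'HKEY_CLASSES_ROOT\dllFile\DefaultIcon'
$vxdIcon = Get-DefaultValue 'HKEY_CLASSES_ROOT\vxdfile\DefaultIcon'
if ($dllIcon -and $vxdIcon -and ($dllIcon -eq $vxdIcon)) {
    $findings += "dllFile\DefaultIcon equals vxdfile\DefaultIcon ('$dllIcon')"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Redlof registry indicators found under HKEY_CLASSES_ROOT\dllFile.'
} else {
    Write-Output 'Possible Redlof indicators (confirm against the vendor write-up before acting):'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A clean result from this check covers only the registry part of the write-up; the file-based indicators it describes still need to be checked separately.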

Professur

Well-Known Member
That would be a yes. Just follow the instructions to clear it out. But take a backup first. The instructions for backing up the registry are a little further down the page. Do that first.

Remember, if you have a backup, you'll probably never need it. But if you don't have one, you'll surely need it.

Good luck, and lemme know how it goes.

BTW the "where you were" meant what site you were on when you got hit, so that we can avoid it, or possibly send the webmaster a warning. Unless it's somewhere you don't want to publicly admit to viewing. In which case, never mind.
 

Professur

Well-Known Member
Ok, read over what you typed. Do me a favour. Don't edit what you've already typed. You lose me, and user support isn't my strong point.

Start with "ScriptHostEncode". Search that and post the value. We'll go from there.
 

Professur

Well-Known Member
It's not supposed to be. Don't worry about where it is, just search out all occurrences (press F3 to go to the next one) and tell me what the values are.
 

Anon

New Member
1. {0CF774D1-F077-11D1-B1BC-00C04F86C324}
2. {0CF774D0-F077-11D1-B1BC-00C04F86C324}
3. {85131630-480C-11D2-B1F9-00C04F86C324}
4. {06290BD4-48AA-11D2-8432-006008C3FBFC}
5. {85131631-480C-11D2-B1F9-00C04F86C324}

are the ones I could find
 

Professur

Well-Known Member
Yeah. The ones at the very bottom. But update your antivirus files from the website first. Then print out those directions. Read them over several times. Highlight the detail parts of the instructions. They can get confusing.

You want to do this with only the regedit window open, and the instructions at hand, printed out. Backup the registry. Then go one instruction at a time. It's not rocket science. But one mistake can bugger your system. If you're tired or nervous, sleep on it and do it in the morning. It's not gonna get any worse.
 