
VBS.Redlof.A Virus found when visiting a web page (link incl), but not on computer


markc
02-06-2006, 03:27 PM
4 month old laptop WinXP and protected with Symantec anti virus (bought full version when comp was bought). Norton AV protection is always, auto protect.

Here is the web site my wife visited:

*** http: //freehostdepartment.co/n/naguever/us.html***

(I didn't make this a link so members would not accidentally click on it)

A Symantec window pops up with ‘severe risk’ that my computer has been infected with VB.Redlof.A

The virus file is located on my computer at:
Documents & settings\owner\local settings\application data\mozilla\firefox\profiles\ciltn30e.default\cache\4b404e95d01

Symantecs actions taken: Repair failed and access denied.



So I use windows explorer to look on my computer, I don't see the file 'local settings' under ‘owner‘, so I do a search with 'show hidden files' and find the 'local settings' file. I continue on to 'cache' and find maybe 50 files with similar numbers and letters but not 4b404e9501

I hit 'live update' on Symantec Norton AV and do a full scan, and nothing comes up (?)

So I'm thinking that this is just a false alarm, maybe a joke pop-up perhaps (?).

But when I look at Symantec's Norton AV log view and then AV security risk, I see the entry for the VBS.Redlof.A detection.

So I change the settings in Symantec AV from ‘repair the infected file’ to ‘try to repair then quarantine if unsuccessful‘. I again visit that web page, and again the same ‘severe risk’ pop-up Symantec message comes up but this time it reads that it was quarantined. I check the AV log view to confirm and it was quarantined.


So, I go to Symantec’s web page and find the info on VB.Redlof.A here:

http://securityresponse.symantec.com/avcenter/venc/data/vbs.redlof.a.html

And read how to get rid of this virus, ‘removal instructions’.

The instructions are to run a scan and delete the infected files, so I run another full virus scan, but no infected files are found (?)


Questions:
I now wonder if this file actually made it to my computer
*Because:
I cannot find it in windows explorer and searching hidden files.
Norton AV does not detect it on a thorough and full scan.
And, I‘d expect Norton would block it from getting onto the computer in the first place.

The only time I get a virus warning is visiting that page, could someone here who knows how not to be infected with this virus, visit that web page and let me know if the virus attacks them, or if it’s just a prank pop-up etc.?

***
If it is confirmed that the web page does have the VB.Redlof.A virus,

Then I guess it’s possible to be infected with the VB.Redlof.A virus, yet not having it be detected in Norton AV software or found any where on the computer (?) Is this true?

If true, that even though the infected file cannot be located on her computer and that Norton AV cannot find any infected files, that the computer still is infected, then I will reluctantly begin the deleting process as instructed at Symantec‘s web page.

Since Symantec’s web page only shows files in Internet Explorer and Outlook to be deleted, and since my wife doesn‘t use these, I suspect [following is a question] I‘ll need to id the files within Firefox and Thunderbird that need deleting (?).



I and my wife appreciate any and all help,
Thanks MarkC :)

markc
02-06-2006, 03:42 PM
I may have not been clear about the AV scans I did:
I did a full AV scan and searched in all, including hidden files, before and after I changed the Symantec AV settings from ‘repair the infected file’ to ‘try to repair then quarantine if unsuccessful‘. Both times, before and after, I still didn't find the infected file or any virus:
Documents&settings\owner\localsettings\applicationdata\mozilla\firefox\profiles\ciltn30e.default\cache\4b404e95d01

Also, the computer is using the latest version of Firefox 1.5.0.1
TIA MarkC

classicsoftware
02-06-2006, 04:15 PM
Norton most likely prevented the script from running. If you want to be sure, open the registry and look for the changes in the Symantec article. If they are there, you are infected, if they are not, you are probably safe.

markc
02-06-2006, 05:25 PM
Thanks Ben :)

I'm a bit of a n00b, could you explain how to "open the registry and look for the changes in the Symantec article"

Thanks a lot Ben,
Mark

classicsoftware
02-06-2006, 05:40 PM
Click Start-->Run--> Regedit.

You will have to navigate to the keys in question. DO NOT CHANGE ANYTHING or you can render your PC DOA.

By the way Ben Zoma has been dead for about 2000 years........ I just like the quote

markc
02-07-2006, 10:02 AM
Ok, I logged into the registry and followed Symantec’s instructions:

1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete “Kernal32”

I did not find “Kernal32”

2. Go to HKEY_CURRENT_USER\Identities\myuserid\software\Microsoft\Outlook Express\11.0\Mail
and delete the values:
"Compose Use Stationary"
"Stationary Name"
"Wide Stationery Name"

There is no “Mail” folder to check in

3. Go to HKEY_CURRENT_USER\Software\Microsoft\Office\X.0\Outlook\Options\Mail
and delete EditorPreferences

There is no “Mail” folder

4. Navigate and delete these subkeys:
HKEY_CLASSES_ROOT\dllfile\Shell
HKEY_CLASSES_ROOT\dllfile\ShellEx
HKEY_CLASSES_ROOT\dllfile\ScriptEngine
HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode

These subkeys were not found.

Seems the computer is not infected and I have cleared the private data cache in Firefox.

Just that Norton’s AV ‘Severe Risk’ pop-up alerting of VBS.Redlof.A infection on the computer with the action taken; "Repair failed and access denied" is a bit unnerving. That, and I couldn’t locate the file "4b404e9501" which was supposed to have been infected.

This is my wife's computer, our other computer (the one I've been working on for some time with recaps, and other hardware upgrades etc., not the one I am using at this moment) has had several viruses and trojans. These were pretty bad and would not allow the computer to visit any well known antivirus web sites. So my wife bought Norton Internet Security with AV and tried to install it, the trojan/virus would not allow it to be installed via the optical drive. I finally used another computer (my main Internet computer I'm on now), downloaded a free copy of Avast, put it on a USB storage device, placed it in the infected computer and booted it up. Avast loaded and took care of the viruses and trojans, then I backed up some files and then deleted the C: drive and reloaded all of the software...Any way, you can see why my wife and I may be a bit over concerned about viruses. Now all of our computers are well protected. This warning "Extreme Risk" and "Your computer *IS* infected" and "Unable to repair, access denied" messages had us very concerned, especially on her new laptop.

Thanks :)
MarkC
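A read-only PowerShell check for the registry indicators walked through in the post above, added here as an example (it is not from the thread, from Symantec or from Norton); it assumes the key and value names exactly as the post lists them (including the "Kernal32" spelling) and only reports what is present, never deletes anything:

```powershell
# Added example: report the VBS.Redlof.A registry indicators quoted in the
# post above. Read-only: nothing is changed. Names are as listed in the post.
$findings = @()

# 1. Run value used for persistence
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$v = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($v -and ($v.PSObject.Properties.Name -contains 'Kernal32')) {
    $findings += "Run value present: $run\Kernal32 = $($v.Kernal32)"
}

# 2. Outlook Express stationery values, checked under every identity GUID
$oeValues = 'Compose Use Stationary', 'Stationary Name', 'Wide Stationery Name'
Get-ChildItem 'HKCU:\Identities' -ErrorAction SilentlyContinue | ForEach-Object {
    $mail = "$($_.PSPath)\Software\Microsoft\Outlook Express\11.0\Mail"
    if (Test-Path $mail) {
        $props = Get-ItemProperty $mail
        foreach ($name in $oeValues) {
            if ($props.PSObject.Properties.Name -contains $name) {
                $findings += "Outlook Express value present: $mail\$name"
            }
        }
    }
}

# 3. Outlook EditorPreferences, for whichever Office version (X.0) is installed
Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -match '^\d+\.0$' } | ForEach-Object {
    $mail = "$($_.PSPath)\Outlook\Options\Mail"
    if (Test-Path $mail) {
        $props = Get-ItemProperty $mail
        if ($props.PSObject.Properties.Name -contains 'EditorPreferences') {
            $findings += "Outlook value present: $mail\EditorPreferences"
        }
    }
}

# 4. .dll file-type handler subkeys the removal steps say to delete
foreach ($sub in 'Shell', 'ShellEx', 'ScriptEngine', 'ScriptHostEncode') {
    $key = "Registry::HKEY_CLASSES_ROOT\dllfile\$sub"
    if (Test-Path $key) { $findings += "dllfile subkey present: $key" }
}

if ($findings.Count -eq 0) {
    'No VBS.Redlof.A registry indicators found.'
} else {
    'Indicators found (review each one before removing anything):'
    $findings
}
```

Run it in a PowerShell prompt on the machine that raised the alert; an empty result matches what the poster found by hand in Regedit, while any hit should be compared against the Symantec write-up before anything is deleted.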

Whyzman
02-07-2006, 11:20 AM
Hmmm...at this point you might want to try an on-line scan. I would suggest www.trendmicro.com (http://www.trendmicro.com) and see not only if you can connect, but if anything is found...

[edit] One other thing you might want to address is why you keep getting infected. It sounds like this is an ongoing problem...

You might want to change browsers for Internet exploring etc., with specific features disabled...

markc
02-07-2006, 06:11 PM
Didn't mean to cause confusion, the last paragraph is about a third computer that had been infected in the past (XP Desktop). I remember vividly getting the Trojan about 3 years back; first a pop-up window appeared which looked exactly like a Norton AV warning, with instructions to click a button to delete a virus. I clicked on it, but then the window kept popping up over and over and I could hear the hard drive working away, so I quickly unplugged the machine. I don't remember all the details, but I couldn't restore the computer to an earlier date as all were erased. So I set the computer's current date to a date in the future, and then rebooted and then did a restore to the actual date (which the computer thought was an earlier date) and was able to get it working that way. Later the fake Norton's AV warning message window popped up when my wife was using it, and it kept popping up over and over. The virus seemed to take over Norton and convinced windows it was the legitimate Norton. From that date on, the computer browser (used IE and Netscape at the time) would not log onto any anti-virus software web site. Since we had a back up computer (Desktop WinME machine), we stopped using it (plus the XP machine was getting very slow...later I learned that the capacitors had ruptured, so perhaps that was why it was so slow). Then we moved and I decided to start using it again as it had XP and my camera software needed XP to work properly, plus we had a few years of digi pics on there, and so we bought a store copy of Norton Internet Security to finally rid the virus. We tried to install it but the virus wouldn't allow it to load. We called for assistance from Norton's toll free number, but all we got through to were some people in India who kept telling us over and over to visit Norton's web site, even after we explained ourselves over and over that the virus would not allow the computer to connect to Norton's web site.
I didn't want to erase the hard drive because of all the digital pics we took. Then later, while using our back up computer (the one I'm using now, 933Mhz WinME) I learned about Avast and downloaded it. I then placed a copy on a USB drive, installed it into the infected XP machine and then booted it up. It was a success, and I was able to restore the digi-pic files and finally format and re-install all of the original software. The rest is history as I recapped the MOBO and it's now used as a gaming, and digi-pic machine. I use the ME desktop for the internet.

Anyway, the laptop is the focus of this thread as it is the computer that was used when the VBS.Redlof.A virus alert popped up. Apparently it did not cause harm due to its age of creation (2002) since Windows security updates have made it obsolete. It did not install according to the registry, it just seems odd that Norton gave the warning that it had been installed on the system and gave that "Repair failed and access denied" message.
MarkC