1. /
  2. Security Response/
  3. VBS.Redlof.A

VBS.Redlof.A - Removal

Risk Level 2: Low

Discovered:
April 16, 2002
Updated:
February 13, 2007 11:38:48 AM
Also Known As:
VBS/Redlof@M [McAfee], VBS.Redlof [AVP], VBS_REDLOF.A [Trend], VBS/Redlof-A [Sophos]
Type:
Virus
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

NOTE: These instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. Update the virus definitions.
  2. Run a full system scan and delete all the files detected as VBS.Redlof.A.
  3. Reverse the changes that the virus made to the registry.
For details on how to do this, read the following instructions.

1. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.


Scanning for and deleting the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all files.
  2. Run a full system scan.
  3. If any files are detected as infected with VBS.Redlof.A, click Delete. Replace the deleted files from a clean backup or re-install them.

Reversing the changes that the virus made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit and then click OK. (The Registry Editor opens.)
  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    Kernel32

  5. Navigate to the key:

    HKEY_CURRENT_USER\Identities\[Default Use ID]\Software\
    Microsoft\Outlook Express\[Outlook Version].0\Mail


  6. In the right pane, delete the values:

    Compose Use Stationery
    Stationery Name
    Wide Stationery Name

  7. Navigate to the key:

    HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail

  8. In the right pane, delete the value:

    EditorPreference

  9. Navigate to and delete these subkeys:

    HKEY_CLASSES_ROOT\dllFile\Shell

    HKEY_CLASSES_ROOT\dllFile\ShellEx
    HKEY_CLASSES_ROOT\dllFile\ScriptEngine

    HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode

  10. Exit the Registry Editor.


Writeup By: Andre Post

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver