Ureader.com  
Microsoft software help and Community
date: Tue, 30 Sep 2008 05:05:00 -0700,    group: microsoft.public.windowsxp.perform_maintain


Windows Script Host "Can not find script file "C:\ntidr.vbs".   
Hi all,

Our area recently got hit with a funky virus; Radz_Services.vbs. This thing 
was passed to us through our USB and due to how often we switch our memory 
cards, before we knew it all of our memory cards and all three hard drives 
were infected.

It made its way into our "C" drive folder along with a later discovered 
ntidr.vbs and SysRes.vbs in our Windows folder. The minute I noticed that 
Radz file I knew it stunk. I searched it and found very little in the way of 
solutions. 

The symptoms were instability in my IE (6). This was frustrating. I did a 
full scan of two of my drives and McAfee didn't notice a thing. I scanned the 
files directly and again, nothing from McAfee.

I went back to some of the search solutions and tried to follow one of them, 
bad results followed. 

Here's what happened: Every time I deleted Radz_Service.vbs it returned. I 
then looked at my hidden files and allowed viewing of protected files. That's 
when I noticed the ntidr.vbs file. I tried deleting the SysRes.vbs file and 
it too kept reappearing. Then, after searching the ntidr.vbs file I found 
nothing in the way of it being a legitimate OS file, so I deleted it too. The 
Radz and SysRes files ceased to reappear.

Now for the fun part... I was no longer able to enter my "C" drive. That's 
when I got the "Can not find script file "C:\ntidr.vbs" message under the 
"Windows Script Host" title.

It gets better... I shut down and restarted Windows and BAM, "NTLDR Is 
Missing, press cntl alt del to restart". That was strange. I had no idea what 
that was. I didn't know if my drives had crashed (that pc had 2, neither 
functioned). The next thing I did was get a third drive and use it to boot 
and check out one of the others. The data was safe. Okay, so I took out the 
good drive and put it back into its PC and set out to search this new issue. 
BAM AGAIN, now that one had the NTLDR error. That was weird. I had no idea 
how that could have happened.

Fortunately I had one final old standby 7-year-old 766 pc. I hooked that up 
and searched out a solution to the NTLDR problem. Fortunately I found some 
real good advice for that and was able to make a boot cd and get the files I 
needed from Windows.

Okay, where I'm at now is I've restored two of my drives to functionality 
but I'm back to that one annoying issue of the virus. Since I didn't want my 
IE to be disturbed I had to get rid of the Radz file so that meant also 
deleting the ntidr.vbs hidden file "system" file. But again, after getting 
rid of that I can't get into my "C" or "E" drives. I saved and zipped the 
ntidr.vbs and SysRes.vbs files just in case they are legit... but I didn't 
find any indication out there that they are.

How can I restore my access to my "C" and "E" drives without restoring the 
ntidr.vbs files which seems to activate the Radz file which then disrupts my 
IE?

Thanks in advance for any help.

Regards,
Craig
date: Tue, 30 Sep 2008 05:05:00 -0700   author:   Craig

RE: Windows Script Host "Can not find script file "C:\ntidr.vbs".   
"Craig" wrote:

> Hi all,
> 
> Our area recently got hit with a funky virus; Radz_Services.vbs. This thing 
> was passed to us through our USB and due to how often we switch our memory 
> cards, before we knew it all of our memory cards and all three hard drives 
> were infected.
> 
> It made its way into our "C" drive folder along with a later discovered 
> ntidr.vbs and SysRes.vbs in our Windows folder. The minute I noticed that 
> Radz file I knew it stunk. I searched it and found very little in the way of 
> solutions. 
> 
> The symptoms were instability in my IE (6). This was frustrating. I did a 
> full scan of two of my drives and McAfee didn't notice a thing. I scanned the 
> files directly and again, nothing from McAfee.
> 
> I went back to some of the search solutions and tried to follow one of them, 
> bad results followed. 
> 
> Here's what happened: Every time I deleted Radz_Service.vbs it returned. I 
> then looked at my hidden files and allowed viewing of protected files. That's 
> when I noticed the ntidr.vbs file. I tried deleting the SysRes.vbs file and 
> it too kept reappearing. Then, after searching the ntidr.vbs file I found 
> nothing in the way of it being a legitimate OS file, so I deleted it too. The 
> Radz and SysRes files ceased to reappear.
> 
> Now for the fun part... I was no longer able to enter my "C" drive. That's 
> when I got the "Can not find script file "C:\ntidr.vbs" message under the 
> "Windows Script Host" title.
> 
> It gets better... I shut down and restarted Windows and BAM, "NTLDR Is 
> Missing, press cntl alt del to restart". That was strange. I had no idea what 
> that was. I didn't know if my drives had crashed (that pc had 2, neither 
> functioned). The next thing I did was get a third drive and use it to boot 
> and check out one of the others. The data was safe. Okay, so I took out the 
> good drive and put it back into its PC and set out to search this new issue. 
> BAM AGAIN, now that one had the NTLDR error. That was weird. I had no idea 
> how that could have happened.
> 
> Fortunately I had one final old standby 7-year-old 766 pc. I hooked that up 
> and searched out a solution to the NTLDR problem. Fortunately I found some 
> real good advice for that and was able to make a boot cd and get the files I 
> needed from Windows.
> 
> Okay, where I'm at now is I've restored two of my drives to functionality 
> but I'm back to that one annoying issue of the virus. Since I didn't want my 
> IE to be disturbed I had to get rid of the Radz file so that meant also 
> deleting the ntidr.vbs hidden file "system" file. But again, after getting 
> rid of that I can't get into my "C" or "E" drives. I saved and zipped the 
> ntidr.vbs and SysRes.vbs files just in case they are legit... but I didn't 
> find any indication out there that they are.
> 
> How can I restore my access to my "C" and "E" drives without restoring the 
> ntidr.vbs files which seems to activate the Radz file which then disrupts my 
> IE?
> 
> Thanks in advance for any help.
> 
> Regards,
> Craig

At the start, when reading your post, I laughed, but the more I read the more I feel 
your pain ;-)
This malware is written in VB basic and you need to neutralize it and gain 
access to your drives.

How to take ownership of a file or folder in Windows XP
http://support.microsoft.com/?kbid=308421

Try to disable Autorun on removable storage.
How to correct "disable Autorun registry key" enforcement in Windows
http://support.microsoft.com/kb/953252

Autorun.inf
ntdir.vbs
radz_services.vbs
c:\windows\sysres.vbs

Manual Solution:

1. Reboot system into Safe Mode
2. Click My Computer --> Tools --> Folder options --> View --> tick: show 
hidden files and folders --> untick: Hide extensions for known file types --> 
untick: Hide protected operating system files (Recommended)
3. Go to C:\Windows and look for Sysres.vbs and delete it.
4. Go to regedit and search for Sysres.vbs and delete all values that it has.
5. Also in regedit search for ntdir.vbs and radz_services.vbs and delete all 
values that they have.
6. Insert your WindowsXP Prof SP2 or SP3 Installer CD.
7. Navigate to the I386 folder and copy Ntdetect.com
8. Overwrite C:\Ntdetect.com
9. Restart and boot to your WinXP SP2 or SP3 installer CD
10. Select "R" for REPAIR
11. Choose 1: C
12. C:\Windows prompt will appear then type "FIXMBR"
13. Answer "Y" for Yes
14. Type Exit
15. Voila, your computer is fully restored 
</Q>

<from http://balut4sale.blogspot.com>
My girlfriend once brought this virus through her USB drive. She picked it 
up in an internet cafe near her school and she was curious enough to activate 
it. :)

When I realized what she had done, I checked the kind of damage this 
script caused to my laptop, and my initial investigation tells me that it did 
not cause anything but populated itself to all my drives. (I could be wrong!) 
It even claims to protect your PC. But a virus is a virus and should be 
terminated. (evil grin)

Here are the steps to remove this malicious file:
Once activated, this script will copy 3 files to your drives:
- Autorun.inf,
- ntidr.vbs and
- Radz_services.vbs
And also copies SysRes.vbs to C:\WINDOWS.

Step 0. Make sure that you open all your drives
and that you have set "show hidden files" in Tools -> Folder Options, View tab.
Step 1. Download Process Explorer (freeware).
Step 2. In Process Explorer, under explorer.exe,
find wscript.exe.
Step 3. Right click, then kill process.
Step 4. Find autorun.inf, ntidr.vbs and radz_services.vbs in all your drives.
Delete the 3 files in the drives.
Step 5. Go to C:\WINDOWS and delete SysRes.vbs.
Step 6. Find all instances of ntidr and radz in the registry.
I found them in
HKLM\Software\Microsoft Visual Studio\FileMRUList\ (probably because I 
attempted to open this file in Visual Studio)
HKLM\Software\Microsoft\MountPoint2\ something encrypted texts
under Shell\AutoPlay, Shell\Auto Run, Shell\Explore and Shell\Open

Step 7. Search for sysres.vbs in the registry.
"C:\WINDOWS\system32\wscript.exe" "C:\WINDOWS\SysRes.vbs"

Step 8. Search for ntidr and radz in your computer and delete them.


These steps, if followed religiously, should have fixed the problem.
To check if the problem is fixed, reboot then check your drives (make sure 
you safely remove USB).
If the problem is still there then you must have missed something in your steps 
so go all over the steps again (religiously). If the problem is still there, 
google it and find a solution elsewhere. :)
Let me know if I missed something. 
</Q>
Virus Profile: VBS/Autorun.worm.k
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=142697

Run a thorough scan by doing the following steps:
1. First, try to clean up your caches, Internet files and delete cookies
by doing this:
Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties windows you will see these Tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced
Under General Tab clear your History, Internet Files and Cookies.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[  ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then click on Programs Tab and click Manage Add-Ons and Disable all non
Verified Add-Ons (You should re-enable them later one-by-one and see the
culprit and update it or remove it).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
http://www.malwarebytes.org/rr-update/rr-free-setup.exe
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html

Comodo BOClean : Anti-Malware Version 4.27
http://www.comodo.com/boclean/boclean.html

I will be happy to help you further if the above didn't help!
Download Hijackthis and send me the log.
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
my address is : to_you_ross(at remove this and replace with the
obvious)yahoo.co.uk
( _ is underscore)

HTH.
nass
---
http://www.nasstec.co.uk
date: Tue, 30 Sep 2008 08:03:01 -0700   author:   nass

RE: Windows Script Host "Can not find script file "C:\ntidr.vbs".   
Autorun.inf 
ntdir.vbs 
radz_services.vbs 
c:\windows\sysres.vbs 

Thanks, that was the solution I found with my initial search. It didn't help 
me because my regedit had hundreds of files and I couldn't find any of them 
in there.
This guy had an idea it might be in a specific place because he tried to 
open the file with a specific program.

I tried to do a search but nothing came up other than the files in the C/E 
and Windows files. In regedit I noticed a "Find" but as I said, they didn't 
come up.

Also, regarding that "Taking control of a folder" this is my "C" folder, 
when I right clicked properties there was no security tab with options to 
reset.

What I'm hoping for is, is there a search for regedit so I don't have to go 
through every one of those folders?

I'm still not at all clear on how to recover the "C/E" folders without 
restoring the ntidr.vbs files.

Oh yeah, the one file that did show up in a search was the autorun.inf 
but there were maybe fifteen of them from Adobe, Microsoft, HP, etc. I 
suspect those are not the ones mentioned in the "fix".

Thanks again,
Craig
date: Tue, 30 Sep 2008 11:03:01 -0700   author:   Craig
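
The last post mentions that a file search returned around fifteen autorun.inf files from Adobe, Microsoft, HP and others. The following is an added example, not part of any post in this thread: a Python triage script that reads an autorun.inf and reports whether its commands launch a script or name one of the files listed in the thread. The sample file contents, the verdict labels and the script name in the usage comment are constructed for illustration.

```python
import re
import sys

# [autorun] keys whose value is a command line Windows runs for the drive.
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Script hosts and script extensions; the files in this thread are .vbs run by wscript.exe.
SCRIPT_HINT = re.compile(r"\b(wscript|cscript)(\.exe)?\b|\.(vbs|vbe|js|jse|wsf)\b", re.I)
# File names reported in this thread (both spellings that appear on the page).
THREAD_NAMES = ("ntidr.vbs", "ntdir.vbs", "radz_services.vbs", "sysres.vbs")

# Constructed samples, not copied from the machines in the thread.
VENDOR_CD = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"
SUSPECT = ("[AutoRun]\n"
           "shell\\open\\command=wscript.exe ntidr.vbs\n"
           "shell\\explore\\command=wscript.exe ntidr.vbs\n")


def autorun_commands(text):
    """Return (key, command) pairs found in the [autorun] section."""
    in_section, found = False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if COMMAND_KEY.match(key):
                found.append((key.lower(), value))
    return found


def triage(text):
    """Classify one autorun.inf as 'thread-match', 'script-launch' or 'no-script'."""
    verdict = "no-script"
    for _key, command in autorun_commands(text):
        if any(name in command.lower() for name in THREAD_NAMES):
            return "thread-match"
        if SCRIPT_HINT.search(command):
            verdict = "script-launch"
    return verdict


if __name__ == "__main__":
    # Usage: python triage_autorun.py D:\autorun.inf E:\autorun.inf ...
    for path in sys.argv[1:]:
        with open(path, errors="replace") as handle:
            print(path, triage(handle.read()))
```

A vendor installer's autorun.inf that only starts an executable comes back as `no-script`, so the copies at drive roots that return `thread-match` or `script-launch` are the ones to inspect first.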
