Windows Script Host "Can not find script file "C:\ntidr.vbs".


Craig

Hi all,

Our area recently got hit with a funky virus; Radz_Services.vbs. This thing
was passed to us through our USB and due to how often we switch our memory
cards, before we knew it all of our memory cards and all three hard drives
were infected.

It made its way into our "C" drive folder along with a later discovered
ntidr.vbs and SysRes.vbs in our Windows folder. The minute I noticed that
Radz file I knew it stunk. I searched it and found very little in the way of
solutions.

The symptoms were instability in my IE (6). This was frustrating. I did a
full scan of two of my drives and McAfee didn't notice a thing. I scanned the
files directly and again, nothing from McAfee.

I went back to some of the search solutions and tried to follow one of them,
bad results followed.

Here's what happened: Every time I deleted Radz_Service.vbs it returned. I
then looked at my hidden files and allowed viewing of protected files. That's
when I noticed the ntidr.vbs file. I tried deleting the SysRes.vbs file and
it too kept reappearing. Then, after searching the ntidr.vbs file I found
nothing in the way of it being a legitimate OS file, so I deleted it too. The
Radz and SysRes files ceased to reappear.

Now for the fun part... I was no longer able to enter my "C" drive. That's
when I got the "Can not find script file "C:\ntidr.vbs" message under the
"Windows Script Host" title.

It gets better... I shut down and restarted Windows and BAM, "NTLDR Is
Missing, press cntl alt del to restart". That was strange. I had no idea what
that was. I didn't know if my drives had crashed (that pc had 2, neither
functioned). The next thing I did was get a third drive and use it to boot
and check out one of the others. The data was safe. Okay, so I took out the
good drive and put it back into its PC and set out to search this new issue.
BAM AGAIN, now that one had the NTLDR error. That was weird. I had no idea
how that could have happened.

Fortunately I had one final old standby 7-year-old 766 pc. I hooked that up
and searched out a solution to the NTLDR problem. Fortunately I found some
real good advice for that and was able to make a boot cd and get the files I
needed from Windows.

Okay, where I'm at now is I've restored two of my drives to functionality
but I'm back to that one annoying issue of the virus. Since I didn't want my
IE to be disturbed I had to get rid of the Radz file so that meant also
deleting the ntidr.vbs hidden file "system" file. But again, after getting
rid of that I can't get into my "C" or "E" drives. I saved and zipped the
ntidr.vbs and SysRes.vbs files just in case they are legit... but I didn't
find any indication out there that they are.

How can I restore my access to my "C" and "E" drives without restoring the
ntidr.vbs files which seems to activate the Radz file which then disrupts my
IE?

Thanks in advance for any help.

Regards,
Craig
 

At the start, when reading your post, I laughed, but the more I read, the more
I feel your pain ;-)
This malware is written in VB basic and you need to neutralize it and gain
access to your drives.

How to take ownership of a file or folder in Windows XP
http://support.microsoft.com/?kbid=308421

Try to disable Autorun on removable storage.
How to correct "disable Autorun registry key" enforcement in Windows
http://support.microsoft.com/kb/953252

Autorun.inf
ntdir.vbs
radz_services.vbs
c:\windows\sysres.vbs

Manual Solution:

1. Reboot the system into Safe Mode
2. Click My Computer --> Tools --> Folder options --> View --> tick: show
hidden files and folders --> untick: Hide extensions for known file types -->
untick: Hide protected operating system files (Recommended)
3. Go to C:\Windows and look for Sysres.vbs and delete it.
4. Go to regedit and search for Sysres.vbs and delete all values that it has.
5. Also in regedit search for ntdir.vbs and radz_services.vbs and delete all
values that they have.
6. Insert your WindowsXP Prof SP2 or SP3 Installer CD.
7. Navigate on I386 folder and copy Ntdetect.com
8. Overwrite C:\Ntdetect.com
9. Restart and boot to your WinXP SP2 or SP3 installer CD
10. Select "R" for REPAIR
11. Choose 1: C
12. C:\Windows prompt will appear then type "FIXMBR"
13. Answer "Y" for Yes
14. Type Exit
15. Voila, your computer is fully restored
</Q>

<from http://balut4sale.blogspot.com>
My girlfriend once brought this virus through her USB drive. She picked it
up in an internet cafe near her school and she was curious enough to activate
it. :)

When I realized what she had done, I checked the kind of damage this
script caused to my laptop, and my initial investigation tells me that it did
not cause anything but populated itself to all my drives. (I could be wrong!)
It even claims to protect your PC. But a virus is a virus and should be
terminated. (evil grin)
Here are the steps to remove this malicious file:
Once activated this script will copy 3 files to your drives:
- Autorun.inf,
- ntidr.vbs and
- Radz_services.vbs
And also copies SysRes.vbs to C:\WINDOWS.

Step 0 make sure that you open all your drives.
And you have set "show hidden files" in Tools->Folder Options.. View tab.
Step 1. Download Process Explorer (freeware)
Step 2. In the process Explorer under explorer.exe
find wscript.exe
Step 3. Right click then kill process.
Step 4. Find autorun.inf, ntidr.vbs and radz_services.vbs on all your drives.
Delete the 3 files on the drives.
Step 5. Go to C:\WINDOWS and delete SysRes.vbs.
Step 6. Find all instances of ntidr and radz in the registry.
I found them in
HKLM\Software\Microsoft Visual Studio\FileMRUList\ (probably because I
attempted to open this file in Visual Studio)
HKLM\Software\Microsoft\MountPoint2\ something encrypted texts
under Shell\AutoPlay, Shell\Auto Run, Shell\Explore and Shell\Open

Step 7. Search for sysres.vbs in the registry.
"C:\WINDOWS\system32\wscript.exe" "C:\WINDOWS\SysRes.vbs"

Step 8. Search for ntidr and radz in your computer and delete them.


These steps, if followed religiously, should have fixed the problem.
To check if the problem is fixed, reboot, then check your drives (make sure
you safely remove USB).
If the problem is still there, then you must have missed something in your
steps, so go over all the steps again (religiously). If the problem is still
there, google it and find a solution elsewhere. :)
Let me know if I missed something.
</Q>
Virus Profile: VBS/Autorun.worm.k
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=142697

Run a thorough scan by doing the following steps:
1... First, try to clean up your caches, Internet files and delete cookies
by doing this:
Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties windows you will see these Tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced
Under General Tab clear your History, Internet Files and Cookies.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then click on Programs Tab and click Manage Add-Ons and Disable all non
Verified Add-Ons (You should re-enable them later one-by-one and see the
culprit and update it or remove it).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
http://www.malwarebytes.org/rr-update/rr-free-setup.exe
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html

Comodo BOClean : Anti-Malware Version 4.27
http://www.comodo.com/boclean/boclean.html

I will be happy to help you further if the above didn't help!
Download Hijackthis and send me the log.
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
my address is : to_you_ross(at remove this and replace with the
obvious)yahoo.co.uk
( _ is underscore)

HTH.
nass
 
Autorun.inf
ntdir.vbs
radz_services.vbs
c:\windows\sysres.vbs

Thanks, that was the solution I found with my initial search. It didn't help
me because my regedit had hundreds of files and I couldn't find any of them
in there.
This guy had an idea it might be in a specific place because he tried to
open the file with a specific program.

I tried to do a search but nothing came up other than the files in the C/E
and Windows files. In regedit I noticed a "Find" but as I said, they didn't
come up.

Also, regarding that "Taking control of a folder" this is my "C" folder,
when I right clicked properties there was no security tab with options to
reset.

What I'm hoping for is, is there a search for regedit so I don't have to go
through every one of those folders?

I'm still not at all clear on how to recover the "C/E" folders without
restoring the ntidr.vbs files.

Oh yeah, the one file that did show up in a search was the autorun.inf
but there were maybe fifteen of them from Adobe, Microsoft, HP, etc. I
suspect those are not the ones mentioned in the "fix".

Thanks again,
Craig
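
The registry search that both removal procedures call for, and that Craig asks about, can also be run offline against an exported .reg file. This is an added example, not part of any post in the thread; the sample export and its key paths are constructed placeholders, and the search terms are the script names mentioned above.

```python
import re

# Search terms taken from the thread's removal steps; matched case-insensitively.
NAMES = ("ntidr", "radz", "sysres.vbs")

def decode_value(raw):
    """Turn the right-hand side of a .reg line into readable text."""
    m = re.match(r"hex\([27]\):(.*)", raw)
    if m:  # REG_EXPAND_SZ / REG_MULTI_SZ are exported as UTF-16LE hex bytes
        data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
        return data.decode("utf-16-le", "replace").replace("\x00", " ").strip()
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escaping
    return raw  # dword and other types are left as written

def scan_reg_export(text):
    """Return (key, value_name, data) for each value that mentions one of NAMES."""
    hits, key = [], None
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = decode_value(m.group(2))
        if any(n in (name + " " + data).lower() for n in NAMES):
            hits.append((key, name, data))
    return hits

# Constructed sample export, not from a real machine; key paths are placeholders.
_hex = ",".join(f"{b:02x}" for b in "wscript.exe C:\\ntidr.vbs\0".encode("utf-16-le"))
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Constructed\Startup]
"SysRes"="\"C:\\WINDOWS\\system32\\wscript.exe\" \"C:\\WINDOWS\\SysRes.vbs\""
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_CURRENT_USER\Software\Constructed\{placeholder}\Shell\Open\command]
@=hex(2):HEXDATA
'''.replace("HEXDATA", _hex[:60] + "\\\n  " + _hex[60:])

if __name__ == "__main__":
    for key, name, data in scan_reg_export(SAMPLE):
        print(f"{key}\n    {name} = {data}")
```

A real "Version 5.00" export is UTF-16, so read it with `open(path, encoding="utf-16").read()` before passing the text to `scan_reg_export`. Values stored as expandable strings appear only as hex bytes in the export, which is why a plain text search of the file can miss them.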
 