Greetings all,
I have a serious problem regarding the removal of this virus (win32/cript.exe) on one of my client's PCs. This is what I have done so far:
1. Ran AVG antivirus, which removed 5 others and the one I am having trouble with.
2. Ran Spyware Doctor ver 4, which picked up 84 threats and cleaned them.
3. I have also used XoftSpy, which picked up another 3 threats, which were removed.
4. Eventually disabled System Restore, because every time I restarted it seemed to be fine, and as soon as you connect to the internet AVG picks up the same virus again. I even went into Safe Mode and repeated everything, but to no avail.
5. The only thing which tickles me is that the Windows Firewall is disabled because of the use of group policies. My client said they have never used group policies and he does not even know where to do what with it. I ran gpedit.msc to see if I could change anything, but to no avail. Is it possible that the machine would have to be formatted?
The machine is an Intel Celeron 2.5 GHz, 512 MB RAM, 120 GB HDD, Windows XP Professional.
You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in Safe Mode, so you can follow the instructions more easily.
Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" option. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished entering the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.
Once your system has rebooted, turn System Restore back on and re-hide your protected OS files.
Let me know the results and post a fresh HJT log.
Regards, Howard
The next reply from the person with the problem seemed to indicate that the problem had been resolved.
Last edited by westin; March 24th, 2007 at 11:25 PM.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
Try going into Safe Mode with Networking and do a HouseCall scan with Trend Micro. If your restore points have been flushed after disabling and rebooting, there won't be any instances of this virus in any Volume Information folders (restore points).
Greetings all,
Sorry for coming back to you so late, but with good reason. The good news is that we managed to remove the virus, thanks to you great people. To make a long story short, the following was done. I first tried to use killbox like weston suggested, but it only removed it up until where I could remember all the paths. I then used nihils' link and read through the removal procedures and so on. I then decided to download Stinger like dalek said, and it removed 3 win32 viruses. Guess what, it was still there. I was frustrated like hell and then decided to use mwav like 4cr0nDk suggested. Guys, this little program is EXCELLENT!! It removed close to 64-70 virus, adware and spyware threats. I disabled System Restore, enabled viewing of hidden and system files in Windows Explorer, rebooted to Safe Mode and ran the application. It ran close to 2 and a half hours. I could not believe this. I then restarted and checked the Windows Firewall I spoke about, which was still greyed out.
Guys, I could not get that firewall on!!! I even downloaded an extra firewall, but to no avail. I then decided to phone my son at the IT Engineering section at Sun City resort. We went through all the group policy items, configuring, etc. NOTHING!! He then suggested I type the message "windows firewall greyed out" in the Google search bar. To my surprise it came up with a few site suggestions, of which I chose this one found here: http://portal.aguk.net/2006/12/windo...re-greyed-out/ . Obviously I tried method 2 first, but to no avail. Then method 1. IT WORKED!!!! Big sigh of relief. Rebooted and, with the firewall activated, went on the internet without a hitch. Hey guys, I realised again how little people know about the internet, and with that I mean using a system which was not adequately equipped with the right software for this purpose. No wonder people are afraid to use it. I think the ISPs have a great responsibility to protect their clients, as well as the retailers selling the PCs.
Thanks again, and I hope my experience will also benefit someone else in future. P.S. I have attached 1 log file of Stinger, but the actual big one is 12 MB from mwav. I tried to compress it with WinZip, but it is still 790 KB. Howard (weston) has asked me specifically to add them, if anyone wants to read it.
Thanks again to all for the quick responses.
Cheers
vanman
One note about mwav: you were lucky, as were many other users. The program itself is commercial; the company released it as "scan and clean", as they say, until the 31st of this month. After that, if the company doesn't give another "Bonanza", as they called it, the program will only scan but won't clean without paying. Cheers
Just a comment, if anyone is interested in the program in the near future.