Problem removing win32/cript.exe virus!

  1. #1 vanman (Old ancient one) | Join Date: Jul 2002 | Location: Freestate, South Africa | Posts: 570

    Greetings all,
    I have a serious problem regarding the removal of this virus (win32/cript.exe) on one of my client's PCs. This is what I have done so far:
    1. Ran AVG antivirus, which removed 5 others and the one I am having trouble with.
    2. Ran Spyware Doctor ver 4, which picked up 84 threats and cleaned them.
    3. I have also used XoftSpy, which picked up another 3 threats, which were removed.
    4. Eventually disabled System Restore, because every time I restarted it seemed to be fine, and as soon as you connect to the internet AVG picks up the same virus again. I even went into safe mode and repeated everything, but to no avail.
    5. The only thing which tickles me is that the Windows firewall is disabled because of the use of group policies. My client said they have never used group policies, and he does not even know where to do what with it. I ran gpedit.msc to see if I could change anything, but to no avail. Is it possible that the machine would have to be formatted?

    The machine is an Intel Celeron 2.5 gig, 512 RAM, 120 gig HDD, Win XP Prof.

    Any ideas???
    Practise what you preach.

  2. #2 westin (Gonzo District BOFH) | Join Date: Jan 2006 | Location: SW MO | Posts: 1,188
    I found this on another forum; if this is against forum rules, I apologize, and feel free to remove this post, but this might help...

    It appears that you have to know the path to the virus...

    Originally posted at: http://www.techspot.com/vb/all/windo...exe-virus.html

    Ok, download the Pocket Killbox programme from HERE (http://www.bleepingcomputer.com/files/killbox.php). Extract it but don't run it yet.

    You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

    Once your system has rebooted, turn System Restore back on and re-hide your protected OS files.

    Let me know the results and post a fresh HJT log.

    Regards, Howard

    The next reply from the person with the problem seemed to indicate that the problem had been resolved.
    Last edited by westin; March 24th, 2007 at 11:25 PM.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST
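Added example (mine, not part of the thread and not Killbox's own code): a PowerShell snippet that lists the file operations Windows has queued for the next reboot. "Delete file on reboot" is the MoveFileEx delay-until-reboot mechanism, which records each pending operation as a source/target pair in the PendingFileRenameOperations value under Session Manager, with an empty target meaning "delete"; I am assuming Killbox uses that same mechanism. Running this after you have queued the paths and before you let the machine reboot lets you confirm that exactly the files you typed, and nothing else, are scheduled to go. It assumes PowerShell is installed (it is an optional download on XP) and an administrator session, since the value lives under HKLM.

```powershell
# Added example (not from the thread, not Killbox's code). Lists the file
# operations Windows will carry out at the next reboot. The value is a
# REG_MULTI_SZ of source/target pairs; an empty target means "delete".
# Assumes PowerShell is installed (optional download on XP) and an admin session.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$item = Get-ItemProperty -Path $key -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue

if ($null -eq $item) {
    'Nothing is queued for the next reboot.'
} else {
    $ops = @($item.PendingFileRenameOperations)
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        # Paths are stored in NT form, e.g. \??\C:\some\folder\file.exe (constructed
        # example path); a leading "!" on a target means "overwrite". Strip both for display.
        $src = $ops[$i] -replace '^!?\\\?\?\\', ''
        $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] } else { '' }
        if ($dst -eq '') {
            'DELETE  {0}' -f $src
        } else {
            'RENAME  {0} -> {1}' -f $src, ($dst -replace '^!?\\\?\?\\', '')
        }
    }
}
```

If a path shows up here that you did not type, something else on the machine has scheduled work for the next boot, which is worth knowing before you reboot rather than after.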

  3. #3 nihil (Super Moderator: GMT Zone) | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,178
    This might help:

    http://www3.ca.com/securityadvisor/v....aspx?id=40493

    It is one of those that changes its name and Registry settings each time it runs.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4 dalek (The ******* Shadow) | Join Date: Sep 2005 | Posts: 1,564
    Try going into safe mode with networking and do a HouseCall with Trend Micro. If your restore points have been flushed after disabling and rebooting, there won't be any instances of this virus in any System Volume Information folders (restore points).

    You can also try Stinger.


    HTH
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  5. #5 Junior Member | Join Date: Jan 2007 | Location: /home | Posts: 28
    As dalek said, use an online scanner (save the report).

    Other software that can help out is MWAV.

    If the problem continues, you can use a script called SilentRunners to generate a report and use it to find the virus source.

    Regards
    Linux User Registered #399288

  6. #6 vanman (Old ancient one) | Join Date: Jul 2002 | Location: Freestate, South Africa | Posts: 570
    Greetings all,
    Sorry for coming back to you so late, but with good reason though. The good news is that we managed to remove the virus, thanks to you great people. To make a long story short, the following was done. I firstly tried to use Killbox like westin suggested, but it only removed it up until where I could remember all the paths. I then used nihil's link and read through the removal procedures and so on. I then decided to download Stinger like dalek said, and it removed 3 Win32 viruses. Guess what, it was still there. I was frustrated like hell and then decided to use MWAV like 4cr0nDk suggested. Guys, this little program is EXCELLENT!! It removed close to 64-70 virus + adware + spyware threats. I disabled System Restore, enabled viewing hidden and system files in Windows Explorer, rebooted to safe mode and ran the application. It ran close to 2 and a 1/2 hours. I could not believe this. I then restarted and checked the Windows firewall I spoke about, which was still greyed out.

    Guys, I could not get that firewall on!!! I even downloaded an extra firewall, but to no avail. I then decided to phone my son at the IT Engineering section at Sun City resort. We went through all the group policy items, configuring etc. NOTHING!! He then suggested I type the message "windows firewall greyed out" in the Google search bar. To my surprise it came up with a few site suggestions, of which I chose this one found here: http://portal.aguk.net/2006/12/windo...re-greyed-out/ . Obviously I tried method 2 first, but to no avail. Then method 1. IT WORKED!!!! Big sigh of relief. Rebooted and, with the firewall activated, went on the internet without a hitch. Hey guys, I realised again how little people know about the internet, and with that I mean using a system which was not adequately equipped with the right software for this purpose. No wonder people are afraid to use it. I think the ISPs have a great responsibility to protect their clients, as well as the retailers selling the PCs.
    Thanks again, and I hope my experience will also benefit someone else in future. P.S. I have attached 1 log file of Stinger, but the actual big one is 12 MB from MWAV. I tried to compress it with WinZip but it is still 790 KB. Howard (westin) has asked me specifically to add them, if anyone wants to read it.

    Thanks again to all for the quick responses
    cheers
    vanman
    Attached Files
    Practise what you preach.
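Added example (mine, not from the thread and not reproducing the two methods on the linked aguk.net page): the switch in the Windows Firewall Control Panel applet is greyed out when a policy value, rather than the local setting, decides whether the firewall is on. Policy values live under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall and the local settings under the SharedAccess service's FirewallPolicy key, each with a per-profile EnableFirewall value (0 = off, 1 = on); those key names and the value are real, the script around them is my own. On a standalone machine whose owner has never used Group Policy, a policy value forcing the firewall off is a sign that something other than an administrator wrote it. It also explains why gpedit.msc can look clean: gpedit shows the local policy store, and a value written straight into the Policies hive does not have to appear there. Assumes PowerShell is installed (optional on XP) and an administrator session.

```powershell
# Added example (not from the thread). Reports, per firewall profile, whether a
# policy value is overriding the local Windows Firewall setting. A policy value
# is what greys out the switch in the Windows Firewall Control Panel applet.
# Assumes PowerShell is installed (optional download on XP) and an admin session.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Returns 0 (off), 1 (on), or $null when the key or the value does not exist.
function Get-EnableFirewall {
    param([string]$Root, [string]$Profile)
    $p = Get-ItemProperty -Path (Join-Path $Root $Profile) -Name 'EnableFirewall' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.EnableFirewall
}

foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $policy = Get-EnableFirewall -Root $policyRoot -Profile $profile
    $local  = Get-EnableFirewall -Root $localRoot  -Profile $profile
    $localText = if ($null -eq $local) { 'absent' } else { $local }
    if ($null -eq $policy) {
        $state = "no policy; local EnableFirewall = $localText"
    } elseif ($policy -eq 0) {
        $state = "FORCED OFF by policy (local EnableFirewall = $localText)"
    } else {
        $state = "forced ON by policy (local EnableFirewall = $localText)"
    }
    '{0,-16} {1}' -f $profile, $state
}

# The firewall service itself (SharedAccess on XP) also has to be running;
# a policy-driven shutdown and a stopped service look the same in the applet.
Get-Service -Name SharedAccess | Select-Object Name, Status
```

On a home machine that is not joined to a domain, "FORCED OFF by policy" on the StandardProfile line is the thing to investigate; the fix is to remove the unexpected policy value (or the whole WindowsFirewall policy key if nothing legitimate put it there), then re-run the script and check that the applet is no longer greyed out.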

  7. #7 dalek (The ******* Shadow) | Join Date: Sep 2005 | Posts: 1,564
    Looks like it found the W32/Sdbot.worm. MS has some information on this worm with regard to Plug and Play... http://www.microsoft.com/technet/sec...ry/899588.mspx

    Glad we could help...
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  8. #8 Junior Member | Join Date: Jan 2007 | Location: /home | Posts: 28
    Well, congratulations then.....

    One note about MWAV: you were lucky, and so were many other users. The program itself is commercial; the company released it to "scan and clean", as they say, until the 31st of this month. After that, if the company doesn't give another "Bonanza", as they called it, without pay, the program will only scan but won't clean....... cheers

    Just a comment if anyone is interested in the program in the near future.

    Now, to enjoy the clean system :P

    Regards
    Linux User Registered #399288
