Friday, September 26, 2008

My girlfriend once brought this virus through her USB drive. She picked it up in an internet cafe near her school and she was curious enough to activate it. :)

When I realized what she had done, I checked the kind of damage this script had caused to my laptop, and my initial investigation told me that it did not do anything but copy itself to all my drives. (I could be wrong!) It even claims to protect your PC. But a virus is a virus and should be terminated. (evil grin)
Here are the steps to remove this malicious file.
Once activated, this script copies 3 files to every one of your drives:
- Autorun.inf,
- ntidr.vbs and
- Radz_services.vbs

It also copies
SysRes.vbs to C:\WINDOWS.

Step 0. Make sure that you have opened all your drives
and that you have set "show hidden files"
in Tools -> Folder Options, View tab.
Step 1. Download Process Explorer (freeware).
Step 2. In Process Explorer, under explorer.exe,
find wscript.exe.
Step 3. Right-click it, then choose Kill Process.
Step 4. Find autorun.inf, ntidr.vbs and radz_services.vbs on all your drives
and delete the 3 files from each drive.
Step 5. Go to C:\WINDOWS and delete SysRes.vbs.
Step 6. Find all instances of ntidr and radz in the registry.
I found them in
HKLM\Software\Microsoft Visual Studio\FileMRUList\ (probably because I attempted to open this file in Visual Studio) and in
HKLM\Software\Microsoft\MountPoint2\, as some encrypted-looking text
under Shell\AutoPlay, Shell\Auto Run, Shell\Explore and Shell\Open.

Step 7. Search for sysres.vbs in the registry. You will find an entry like this:
"C:\WINDOWS\system32\wscript.exe" "C:\WINDOWS\SysRes.vbs"

Step 8. Search your computer for ntidr and radz and delete whatever you find.



These steps, if followed religiously, should fix the problem.
To check whether the problem is fixed, reboot, then check your drives (make sure you safely remove the USB drive first).
If the problem is still there, you must have missed something in the steps, so go over them again (religiously). If it is still there after that, google it and find a solution elsewhere. :)
Let me know if I missed something.
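As an added check (example code written for this page, not the author's or the worm author's), the Python below encodes the indicators the post lists: it parses an autorun.inf, flags any entry that would hand a .vbs to the script host, and looks for the three dropped files in every drive root. The autorun.inf sample inside it is constructed for the example, not the real file.

```python
import os
import re

# Files the post says the worm drops into the root of every drive (compared
# case-insensitively); values naming the script host or a .vbs are flagged.
DROPPED_FILES = ("autorun.inf", "ntidr.vbs", "radz_services.vbs")
SCRIPT_RE = re.compile(r"wscript|cscript|\.vbs\b", re.IGNORECASE)
# Constructed sample of the kind of autorun.inf the post describes (not the
# real file): AutoPlay and the Explorer "Open" verb both hand ntidr.vbs to wscript.
SAMPLE_AUTORUN = "[autorun]\nopen=wscript.exe ntidr.vbs\n" \
    "shell\\open\\Command=wscript.exe ntidr.vbs\nicon=shell32.dll,4\n"

def parse_autorun(text):
    """Return the key=value entries of the [autorun] section, keys lowercased."""
    entries, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_launches(text):
    """Return (key, value) pairs that would run a script host or a .vbs file."""
    hits = []
    for key, value in parse_autorun(text).items():
        # open=/shellexecute= fire on AutoPlay; shell\<verb>\command= back the
        # Explorer context-menu verbs (Open, Explore, AutoPlay) the post mentions.
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches and SCRIPT_RE.search(value):
            hits.append((key, value))
    return hits

def scan_drive_root(root):
    """List the dropped files found directly under `root` ([] if unreadable)."""
    try:
        present = {name.lower(): name for name in os.listdir(root)}
    except OSError:
        return []
    found = [present[n] for n in DROPPED_FILES if n in present]
    if "autorun.inf" in present:
        with open(os.path.join(root, present["autorun.inf"]), errors="replace") as fh:
            found += [f"autorun.inf {k}={v}" for k, v in suspicious_launches(fh.read())]
    return found

def scan_all_drives():
    """Map every drive root that exists (Windows letters A:-Z:) to what was found."""
    roots = (f"{letter}:\\" for letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ")
    return {root: hits for root in roots if (hits := scan_drive_root(root))}
```

Run `scan_all_drives()` on the affected machine before and after the steps above; an empty result means none of the listed files are left in any drive root.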
Written by Joseph Librero


5 comments

  1. Anonymous says:

    The author of the said malware speaks. He has his antidote; just visit his website. You know why he created such a script? Just to protect the following:

    * Internet Explorer HOMEPAGE – Protect from Pornographic Websites.
    * Task Manager – Protect from Disable.
    * Registry - Protect from Disable.
    * Flash Drives/USB – To Protect from Auto running of Virus.
    * Local Drives – To Protect from Auto running of Virus.

  2. Yeah, I browsed through the website. Still, it doesn't sound right. If he wants to help, it should come as a downloadable and not as something that infects PCs. Any malware author can claim those benefits, and for all we know a back-door in your PC is already created. Sometimes good intentions are not enough.

  3. Anonymous says:

    This is what I found on his website... it worked for me.

    @echo off
    rem For each drive: delete the worm's dropped scripts, then create folders
    rem with the same names and hide them so the files cannot be re-created.
    C:
    cd \
    del ntidr.vbs /f /a /s /q
    del sowar.vbs /f /a /s /q
    del sysres.vbs /f /a /s /q
    del radz_services.vbs /f /a /s /q
    md ntidr.vbs
    md sowar.vbs
    md radz_services.vbs
    attrib +s +h +r +a radz_services.vbs
    attrib +s +h +r +a sowar.vbs
    attrib +s +h +r +a ntidr.vbs
    cls
    D:
    cd \
    del ntidr.vbs /f /a /s /q
    del sowar.vbs /f /a /s /q
    del sysres.vbs /f /a /s /q
    del radz_services.vbs /f /a /s /q
    md ntidr.vbs
    md sowar.vbs
    md radz_services.vbs
    attrib +s +h +r +a radz_services.vbs
    attrib +s +h +r +a sowar.vbs
    attrib +s +h +r +a ntidr.vbs
    cls
    E:
    cd \
    del ntidr.vbs /f /a /s /q
    del sowar.vbs /f /a /s /q
    del sysres.vbs /f /a /s /q
    del radz_services.vbs /f /a /s /q
    md ntidr.vbs
    md sowar.vbs
    md radz_services.vbs
    attrib +s +h +r +a radz_services.vbs
    attrib +s +h +r +a sowar.vbs
    attrib +s +h +r +a ntidr.vbs
    cls
    F:
    cd \
    del ntidr.vbs /f /a /s /q
    del sowar.vbs /f /a /s /q
    del sysres.vbs /f /a /s /q
    del radz_services.vbs /f /a /s /q
    md ntidr.vbs
    md sowar.vbs
    md radz_services.vbs
    attrib +s +h +r +a radz_services.vbs
    attrib +s +h +r +a sowar.vbs
    attrib +s +h +r +a ntidr.vbs
    cls
    G:
    cd \
    del ntidr.vbs /f /a /s /q
    del sowar.vbs /f /a /s /q
    del sysres.vbs /f /a /s /q
    del radz_services.vbs /f /a /s /q
    md ntidr.vbs
    md sowar.vbs
    md radz_services.vbs
    attrib +s +h +r +a radz_services.vbs
    attrib +s +h +r +a sowar.vbs
    attrib +s +h +r +a ntidr.vbs
    cls
    H:
    cd \
    del ntidr.vbs /f /a /s /q
    del sowar.vbs /f /a /s /q
    del sysres.vbs /f /a /s /q
    del radz_services.vbs /f /a /s /q
    md ntidr.vbs
    md sowar.vbs
    md radz_services.vbs
    attrib +s +h +r +a radz_services.vbs
    attrib +s +h +r +a sowar.vbs
    attrib +s +h +r +a ntidr.vbs
    cls

  4. Anonymous says:

    How to remove Radz_Services?
    This is the procedure for removing Radz_Services.

    Step 1. End the wscript.exe task.
    Right-click on the Taskbar.
    Select Task Manager.
    Then click the Processes tab,
    find wscript.exe on the list.
    Select wscript.exe, then right-click,
    select End Process, and then
    click Yes to end the process.

    Step 2. Remove MountPoints2.

    Click Start > select Run > type REGEDIT and click OK.

    Press Ctrl+F and find MountPoints2.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

    Then right-click MountPoints2,
    select Delete, then select Yes.

    Step 3. Delete the following: ntidr.vbs, sowar.vbs, sysres.vbs, and radz_services.vbs.

    Click Start > select Run > type CMD and click OK.

    At the C:\Documents and Settings\Username> prompt, type CD\ then ENTER.

    Ex. C:\Documents and Settings\Username>cd\ then Enter.

    So the display looks like this: C:\>

    At C:\> type DEL sowar.vbs /s/a/f/q then Enter.
    Wait for "Deleted file - C:\sowar.vbs."
    and you are back at C:\>

    At C:\> type DEL ntidr.vbs /s/a/f/q then Enter.
    Wait for "Deleted file - C:\ntidr.vbs."
    and you are back at C:\>

    At C:\> type DEL sysres.vbs /s/a/f/q then Enter.
    Wait for "Deleted file - C:\sysres.vbs."
    and you are back at C:\>

    At C:\> type DEL Radz_Services.vbs /s/a/f/q then Enter.
    Wait for "Deleted file - C:\Radz_Services.vbs."
    and you are back at C:\>

    At C:\> type D: or the letter of another local drive,
    or of a flash drive or memory card. So the display looks like this:

    D:\>

    At D:\> type DEL sowar.vbs /s/a/f/q then Enter.
    Wait for "Deleted file - D:\sowar.vbs."
    and you are back at D:\>

    At D:\> type DEL ntidr.vbs /s/a/f/q then Enter.
    Wait for "Deleted file - D:\ntidr.vbs."
    and you are back at D:\>

    At D:\> type DEL sysres.vbs /s/a/f/q then Enter.
    Wait for "Deleted file - D:\sysres.vbs."
    and you are back at D:\>

    At D:\> type DEL Radz_Services.vbs /s/a/f/q then Enter.
    Wait for "Deleted file - D:\Radz_Services.vbs."
    and you are back at D:\>

    Repeat the same CMD commands on the other drives. (E, F, G, H, I, J, K, L, M, ...)

    Step 4. To make sure that Radz_Services and its other support files were deleted.

    Open Notepad, or click Start > select Run > type Notepad.

    Copy the following script below:

    @echo off
    rem For each drive: delete the worm's dropped scripts, then create folders
    rem with the same names and hide them so the files cannot be re-created.
    C:
    cd \
    del ntidr.vbs /f /a /s /q
    del sowar.vbs /f /a /s /q
    del sysres.vbs /f /a /s /q
    del radz_services.vbs /f /a /s /q
    md ntidr.vbs
    md sowar.vbs
    md radz_services.vbs
    attrib +s +h +r +a radz_services.vbs
    attrib +s +h +r +a sowar.vbs
    attrib +s +h +r +a ntidr.vbs
    cls
    D:
    cd \
    del ntidr.vbs /f /a /s /q
    del sowar.vbs /f /a /s /q
    del sysres.vbs /f /a /s /q
    del radz_services.vbs /f /a /s /q
    md ntidr.vbs
    md sowar.vbs
    md radz_services.vbs
    attrib +s +h +r +a radz_services.vbs
    attrib +s +h +r +a sowar.vbs
    attrib +s +h +r +a ntidr.vbs
    cls
    E:
    cd \
    del ntidr.vbs /f /a /s /q
    del sowar.vbs /f /a /s /q
    del sysres.vbs /f /a /s /q
    del radz_services.vbs /f /a /s /q
    md ntidr.vbs
    md sowar.vbs
    md radz_services.vbs
    attrib +s +h +r +a radz_services.vbs
    attrib +s +h +r +a sowar.vbs
    attrib +s +h +r +a ntidr.vbs
    cls
    F:
    cd \
    del ntidr.vbs /f /a /s /q
    del sowar.vbs /f /a /s /q
    del sysres.vbs /f /a /s /q
    del radz_services.vbs /f /a /s /q
    md ntidr.vbs
    md sowar.vbs
    md radz_services.vbs
    attrib +s +h +r +a radz_services.vbs
    attrib +s +h +r +a sowar.vbs
    attrib +s +h +r +a ntidr.vbs
    cls
    G:
    cd \
    del ntidr.vbs /f /a /s /q
    del sowar.vbs /f /a /s /q
    del sysres.vbs /f /a /s /q
    del radz_services.vbs /f /a /s /q
    md ntidr.vbs
    md sowar.vbs
    md radz_services.vbs
    attrib +s +h +r +a radz_services.vbs
    attrib +s +h +r +a sowar.vbs
    attrib +s +h +r +a ntidr.vbs
    cls
    H:
    cd \
    del ntidr.vbs /f /a /s /q
    del sowar.vbs /f /a /s /q
    del sysres.vbs /f /a /s /q
    del radz_services.vbs /f /a /s /q
    md ntidr.vbs
    md sowar.vbs
    md radz_services.vbs
    attrib +s +h +r +a radz_services.vbs
    attrib +s +h +r +a sowar.vbs
    attrib +s +h +r +a ntidr.vbs
    cls

    After you copy the script into Notepad,
    save it as Remove.bat.
    Run that file after you have saved it:
    double-click it, or open it.
    Please wait for the window to close.

    http://www.radzservices.blogspot.com/

  5. Anonymous says:

    What is this website? May I please know what the author's website is? My PC is badly infected with this virus/malware/whatever-you-may-call-them-just-get-it-out-of-my-PC. Thank you, thank you very much.