Infected by Virus !

dss.exe/daft has worked... and I was able to fix all red entries.

In safe mode, I cannot find runthis.bat... There is a run.txt file in the SDFIX.exe which is a Notepad file... I searched a lot but cannot find the runthis.bat file in safe mode.

Thanks for your help... what to do next?

Edited by Andy_Hi, 24 April 2008 - 07:49 AM.

1) SDfix is extracting the file RunThis.bat while installing, but when I go into safe mode and type C:\SDfix\RunThis.bat, it opens a Notepad file. There is no RunThis.bat file in the SDfix folder and there is a Run.txt file which is a Notepad file.

SDfix is not getting installed properly... I have tried 8-10 times but the RunThis.bat file is missing...

Edited by Andy_Hi, 24 April 2008 - 09:25 AM.

OK, let's try this instead.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
Unfortunately Combofix is also not working... When I click Run, it tries to install Combofix and after the process is complete, it opens a Notepad with the following corrupted text written in it:


Let me know if I need to post a new HijackThis log, since Combofix is also not working and hence the computer is not getting clean...

Thanks for all the help.

Edited by Andy_Hi, 24 April 2008 - 11:18 AM.

Let's try one more thing.
I would like to double check on the file associations again.
Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.
Then try to run Combofix again.
Don't post the Notepad if it produces one.
Just let me know if it works.
If it works then let combofix run.
I used DAFT... I fixed all the red entries... then did a scan again... it showed the entries. Again I fixed them.

After that I used Combofix, but again the corrupted file is coming up in Notepad.

(I used DAFT again after using Combofix and for the first time it showed all associations are OK, but when I scan again for the 2nd or 3rd time, it again shows red entries.)
Here is the daft log if you find it useful:

DAFT Log saved on 2008-04-24 22:54:13
.bat - txtfile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1
.bat - txtfile - shell\edit\command - unable to read value
.cmd - txtfile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1
.cmd - txtfile - shell\edit\command - unable to read value
.com - txtfile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1
.reg - txtfile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1
.reg - txtfile - shell\edit\command - unable to read value
.vbs - exefile - shell\open\command - "%1" %*
.vbs - exefile - shell\edit\command - unable to read value
That is why nothing will run: the infection is corrupting all values needed for Windows to run the tools we need to run.

So let's try this.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Step 1: Download the eScan Antivirus Toolkit Here. Save it to the Desktop, it is roughly 10MB in size. Before running the program we need to update the signature files first in Step 2.

Step 2: Updating the eScan Antivirus Toolkit with the latest files:
1.) Double-click on the mwav.exe file saved to the Desktop; it will extract the program files to a new folder called Kaspersky at the root of the C:\drive. (C:\Kaspersky.)
2.) Double-click on My Computer, double-click on the Hard Drive (usually the C:\drive), find and double-click on the Kaspersky folder; inside the Kaspersky folder, find and double-click on the kavupd.exe file. Double-clicking on the kavupd.exe file opens the Windows command prompt (DOS screen) and updates the program with all the latest signature files.
3.) After the update is complete, the bottom of the command prompt will read "Press any key to continue", press any key to close the screen. Close eScan for now. You need to also close all Windows Explorer windows (or "My Computer" windows) to allow a refresh.
4.) *Important*: in order to complete the update process, you must now do the following:
  • Using Windows Explorer (or "My Computer"), go to C:\Downloads and "Copy" all files present in that folder
  • "Paste" the files in C:\Kaspersky
  • Allow the overwriting of existing files, when prompted
  • Close Windows Explorer
Please do not run a scan with the eScan Antivirus Toolkit utility yet.

Step 3: Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Step 4: From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) To run the eScan Antivirus Toolkit program, look for a file called mwavscan.com inside the C:\Kaspersky folder.
2.) Double-click on the mwavscan.com file; this will open the eScan program.
3.) With the eScan interface on your Desktop, make sure that these boxes under Scan Option are checked : Memory, Registry, Startup Folders, System Folders, Services.
4.) Check the Drive box, this will enable the All Local Drives radio button below it. Make sure it is activated.
5.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
6.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed. Do not Exit the tool just yet.
7.) Open a new NotePad file (click on "Start" >> "All Programs" >>"Accessories" >> "NotePad"), then Copy/Paste the content of the Virus Log Information window into that file, and save it. eScan also creates a full log inside the C:\Kaspersky folder (named mwav.log), but it is huge and cannot be posted on a forum. Please post the content of the log you have saved (into NotePad) in your next reply, once all steps are completed. Reboot your computer into normal Windows.
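
The DAFT log posted earlier in the thread can be read mechanically, which shows why `.bat`, `.cmd`, `.com` and `.reg` files kept opening in Notepad. This is an added example, not part of any post in the thread; the function names are hypothetical and the expected ProgIDs are an assumption (stock Windows XP values).

```python
import re
from dataclasses import dataclass

# The DAFT log lines from the thread, copied unchanged.
DAFT_LOG = r"""DAFT Log saved on 2008-04-24 22:54:13
.bat - txtfile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1
.bat - txtfile - shell\edit\command - unable to read value
.cmd - txtfile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1
.cmd - txtfile - shell\edit\command - unable to read value
.com - txtfile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1
.reg - txtfile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1
.reg - txtfile - shell\edit\command - unable to read value
.vbs - exefile - shell\open\command - "%1" %*
.vbs - exefile - shell\edit\command - unable to read value
"""

# Assumption: stock Windows XP ProgIDs for these extensions (not from the thread).
EXPECTED_PROGID = {
    ".bat": "batfile",
    ".cmd": "cmdfile",
    ".com": "comfile",
    ".exe": "exefile",
    ".reg": "regfile",
    ".vbs": "VBSFile",
}

# Line shape: <ext> - <ProgID> - shell\<verb>\command - <value>
LINE_RE = re.compile(r"^(\.\w+) - (\S+) - shell\\(\w+)\\command - (.*)$")


@dataclass(frozen=True)
class Entry:
    ext: str      # file extension, lower-cased
    progid: str   # file class the extension currently points at
    verb: str     # shell verb ("open", "edit")
    command: str  # command line registered for that verb


def parse_daft_log(text):
    """Return one Entry per association line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1).lower(), m.group(2),
                                 m.group(3).lower(), m.group(4)))
    return entries


def hijacked_extensions(entries):
    """Map each extension whose ProgID differs from the stock one to (found, expected)."""
    bad = {}
    for e in entries:
        expected = EXPECTED_PROGID.get(e.ext)
        if expected and e.progid.lower() != expected.lower():
            bad[e.ext] = (e.progid, expected)
    return bad


def opens_in_notepad(entries):
    """Extensions whose 'open' verb launches Notepad instead of running the file."""
    return {e.ext for e in entries
            if e.verb == "open" and "notepad.exe" in e.command.lower()}


def report(text):
    """One human-readable finding per redirected extension, sorted by extension."""
    entries = parse_daft_log(text)
    bad = hijacked_extensions(entries)
    notepad = opens_in_notepad(entries)
    lines = []
    for ext in sorted(bad):
        found, expected = bad[ext]
        if ext in notepad:
            effect = "double-click opens the file in Notepad"
        else:
            effect = f"launched through the {found} handler"
        lines.append(f"{ext}: ProgID {found} (expected {expected}); {effect}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DAFT_LOG)))
```

Every removal tool in the thread that ships or unpacks a `.bat`, `.cmd` or `.com` component hits one of these redirected classes, which matches the symptoms reported for RunThis.bat and mwavscan.com.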

Unfortunately, I did everything as you advised. In step 4 (safe mode), there was no file mwavscan.com.

There is a file mwavscan and it is a notebook file. When I open it, it has the same corrupted message which I posted before.

What's next?

Thanks for your guidance.

Edited by Andy_Hi, 24 April 2008 - 02:10 PM.

Kahdah, I did a search on the ahsan virus and found this link:


Post number 3 by khushi-jadoo suggests Trend Micro has released some update regarding the ahsan virus. Without your suggestion, I will not move an inch. So please suggest whether Trend Micro will be helpful in removing the ahsan pest.
(Note: in the instructions below you are asked to boot into Safe Mode.
Right before running the sysclean.com file you are asked to run, I would like for you to run the DAFT program again and fix everything in red.
Then quickly double-click the sysclean.com button to begin the program.
This tool is from Trend Micro with their definitions.)

Right Click the Desktop and Select New--> Folder--> Name it SysClean
  • Download the Sysclean Package to the folder you made.
  • Next, download the Virus Pattern Files (Official Pattern Release) to your desktop from Here
  • Right Click and Select Extract All to unzip the folder.
  • Now, from the unzipped folder, move the lpt$vpn.XXX file to the SysClean folder.
  • Restart in SAFE MODE (Tap F8 when restarting)
  • Open the SysClean Folder and double-click sysclean.com
  • Be sure Automatically clean or delete detected files is checked.
  • Click the Scan button to begin; please be patient, it will take a little bit to finish.
  • Once complete, verify the log from the scan (SYSCLEAN.LOG) is in the SysClean folder and restart back to Normal Mode.
  • Copy & Paste those results in the next reply.

Tutorial from Trend
Kahdah, that also didn't work. The VPN files after downloading are not opening in zip format.

Ultimately I gave up :) . I have done a system restore to a previous point and now things are looking good. I am posting a fresh HijackThis log after doing the system restore. Can you take this fresh HijackThis log as a base and suggest if anything has to be done to make the PC faster and safer?

Thanks for your expert guidance :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:55 PM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-a.../ipix/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F12B402-E088-430F-B143-BA4B1A943408} (RdPunIocCtrl Class) - http://immail.rediff...eX/rdpunioc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123052138125
O16 - DPF: {8CF97DE6-EB52-42A8-8076-FB75B528E0A0} (Project1.PaceControl) - https://www.5paisa.com/lstControl.ocx
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) - http://javadl-esd.su...indows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D4821C9-1C2A-4BEA-AB89-25DAE3E654BC}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{408353C1-8320-43A1-AD72-0BF8BD2881A6}: NameServer =
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

End of file - 9128 bytes
Everything looks as it should be now.

I feel that as long as you have an up to date antivirus and a Firewall then you are good to go.
Although I am not a fan of Norton it will work.

If you want to install a firewall then here is a free one to use.

Zone Alarm.

This link will explain how to use firewalls to better understand them, Firewall tutorial

If there are any tools left over that we used go ahead and delete them.
Also delete these folders if present:
C:\_ot move it.
You have minimal processes running, so basically maybe upgrade your RAM to help speed things up.
I would like for you to run a virus scan online to see if anything is still present.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Start Scanning at the bottom of the page.
  • Install the Active X controls when prompted.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy & Paste the entire report in your next reply.

