Link to home
Start Free TrialLog in
Avatar of KASPBoodai

asked on

Can not find script file "R:/nar.vbs

Guys whenever i double click on my external 160GB USB drive i get the above error nar.vbs. I guess this is a malware, i have kaspersky running on my system and its not able to detect it. I also executed few anti malware tools which did detect few of them and deleted as well but when the error pops up again. I have lot of data stored on it and have no intentions of formatting it as putting the data back is time consuming.
Are there any tools available for the above malware.
Avatar of SheharyaarSaahil
Flag of United Arab Emirates image

open My Computer>Tools>Folder Options>View and choose Show Hidden Files
and then untick Hide Protected System Files

apply and now right click on your external drive and click open or explore
when it will open/explore it, look for an autorun.inf file and then delete it
you can run a scan on this drive while the hidden and protected files are turned on.
Avatar of KASPBoodai


Well i tried doing that but the settings would not apply even after i clicked on apply. It would revert back to defaults. Any other suggestions.
Avatar of SheharyaarSaahil
Flag of United Arab Emirates image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Download and run this tool and follow the prompts:

If problem persists, also post a Hijackthis log for us to review.
Download Hijackthis:

Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.
Please attach the logfile as "Code Snippet".
I have already ran the Disinfector tool with no luck. I have attached the logs as per your requirement.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:20 AM, on 7/21/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GlobalSCAPE\Secure FTP Server\cftpstes.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Ipswitch\WhatsUp\NMWebService.exe
C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\FlashGet\FlashGet.exe
C:\Program Files\Microsoft SQL Server\Mssql$JDELocal\BinnMSSQL$JDELOCAL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Ipswitch\WhatsUp\NMService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Sony Ericsson\Mobile4\Sync Manager\syncindicator.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$WHATSUP\Binn\sqlagent.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKLM\..\Run: [NMTaskTray] C:\PROGRA~1\Ipswitch\WhatsUp\NMTASK~1.EXE /AutoStart
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\sundeep.KASPNET\Desktop\msconfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: BUFFALO NAS Navigator.lnk = C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe
O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.kaspsrv
O15 - Trusted IP range:
O15 - Trusted IP range:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} (JDEWebRTFEditU Control) -
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator -
O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX Display) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
O16 - DPF: {E3089160-E8AD-4C5B-B47C-ADDF3DF660DD} (PjAdoInfo4 Class) - http://sysvpc/pwa/_layouts/pwa/objects/
O16 - DPF: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} (JDEExcelAutoU Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32584E5-5992-42F8-8748-3BCE73E90B82}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B97E8CC-5E1D-4031-8116-4785A0354554}: NameServer =,
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain =
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: GlobalSCAPE Secure FTP Server - GlobalSCAPE Texas, LP - C:\Program Files\GlobalSCAPE\Secure FTP Server\cftpstes.exe
O23 - Service: IBM WebSphere Application Server V6 - sundeep-cajitanNode01 (IBMWAS6Service - sundeep-cajitanNode01) - Unknown owner - C:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
O23 - Service: Ipswitch Web Server$WhatsUp - Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421 - C:\Program Files\Ipswitch\WhatsUp\NMWebService.exe
O23 - Service: Ipswitch WhatsUp Engine - Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421 - C:\Program Files\Ipswitch\WhatsUp\NMService.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
O23 - Service: Ixia Endpoint (IxiaEndpoint) - Ixia - C:\PROGRA~1\Ixia\Endpoint\endpoint.exe
O23 - Service: Kaspersky Network Agent (klnagent) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
O23 - Service: JD Edwards Client Listener (Listener_NT_Service) - Unknown owner - C:\Program Files\OneWorld Client Listener\OWCListenerLocal.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\winvnc4.exe
End of file - 13223 bytes

Open in new window

I checked the registry for the settings u mentioned and changed the checked value from 2 to 1 but the problem still persist and the settings still revert back on its own.
can you please open your C:\Program Files folder and check the folder's full name which is starting with ONEWOR
is it something you installed yourself on the machine?
and you are using FlashGet intentionally?

you have to fix this line in HJT
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\svchost.exe

and if the file is there, you have to delete it too
but im sure that it's a hidden/protected one

please do the registry changes from safemode
and run a full system scan from there too, after disabling your system restore

post back the results with a fresh hijackthis log
Oneworld and flashget are both genuine softwares and installed intentionally. Svchost.exe seems to me a valid system file. I am sure it wont allow me to delete it.
thanks for explaining about the programs

the valid svchost.exe resides and runs from C:\Windows\System32 folder
the one which is starting and running from C:\Windows folder is not a legit one
plus you will never find Startup entries for the legit process

C:\WINDOWS\System32\svchost.exe  -->  legit

O4 - HKCU\..\Run: [svchost] C:\WINDOWS\svchost.exe --> virus/trojan

please try to follow the instructions from safemode
you cannot delete them in normal mode, becuase the file is running in background there and is in use
in safemode, it will be not running and you should be able to delete
infact you dont have to do that, your anti virus should pick it automatically

if its not, give a shot to Avast Free Home Edition

it removes all such kind of things.
Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Thanks a ton rpggamergirl the problem seems to have dissapeared after running the SDFIX tool but i guess the report did not detect any viruses or may be it did its just that i was not able to track any viruses in that report.
Kindly analyze the report and let me know if there were any infections that were removed by this tool.
a)Did you attempt to run SDFix twice?
b) did the scan appeared to hang then continue?
If the answer is both No, then SDfix didn't remove any physical bad files/trojans but only registry entries as the log shows 'no trojan' found.
That would mean that the SDBot 04 entry showing in the hijackthis log before was just a leftover registry entry.
There is no knowing in Hijackthis log whether an 04 entry of the trojan is an orphan or active infection unless it shows in the running processes.
Both the answer is no so i guess its a leftover registry entry anyways the problem has been resolved thanks a lot.
No problem, glad to know that the problem has been resolved.

Guys the problem has occurred again. I feel my flash disk is infected. It keeps generating the same error nar.vbs.
Then, you'll have to start the process all over again.
Run the Flash-disinfector while flash drives are plugged in, the harmless autorun.inf should stop the spread, run combofix again.
You must've used or plugged in an infected usb.
I am not able to see any autorun.inf file in my flash drive and the wierd part is, this is the same flash drive which was previously infected and resolved by sdfix, after that i have not plugged in the disk on any other system.
Check this out and let me know.
>>>I am not able to see any autorun.inf <<<
it's a hidden file, you need to show hidden files and folders if you ant to see it.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
C:\WINDOWS\Downloaded Program Files\jdeexpimp.inf
C:\WINDOWS\Downloaded Program Files\jdeexpimpU.ocx
C:\WINDOWS\Downloaded Program Files\jdewebctls.inf
C:\WINDOWS\Downloaded Program Files\jdewebctlsU.ocx


3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

You can fix these entries in hiajckthis.
O16 -: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} - hxxp://
O16 -: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} - hxxp://

 G:\truecrypt.exe <-- I assume you know or created this file?

Did you check the log, it did find autorun and some other files which it deleted. The problem seems to have resolved i checked the disk on different computers and the error didnt pop up. By the way my pc is running kaspersky but i dont know why it wasnt able to detect these malwares.
Sorry my mistake, I should've known you have kaspersky there.

R:\Autorun.inf  <-- this is the autorun.inf that combofix deleted (in the R drive one)
Kaspersky must've taken care of the SDBot physical file but not the flashdrive infection, hence SDFix didn't find any trojans but resolved the issue as SDFix also takes care of any registry that's been modified by the infection. Yes combofix had deleted other bad files as well.