.../NTUSER.DAT.vir [E] Lecture impossible

Good evening,

Each time I finish a scan with Avast, I get the following message:

C:\Program Files\Alwil Software\Avast4\DATA\moved\NTUSER.DAT.vir [E] Lecture impossible sur le périphérique spécifié (30)

What exactly does this message mean?

What does the “vir” suffix stand for? (for virus ???)

What is this file?

Thanks in advance for any reply.

http://babelfish.altavista.com/

.../NTUSER.DAT.vir [ E ] impossible Reading

Each time I finish a scan with Avast, obtain it the following message: C:\Program Files\Alwil Software\Avast4\DATA\moved\NTUSER.DAT.vir [ E ] impossible Reading on the specified peripheral (30) What means this message exactly? With what does correspond the suffix “to vir”? (for Huh virus) With what does correspond this file? Thank you by advance for any answer.

At some point avast detected this as infected and you chose to Move/Rename this ntuser.dat file, this moves the file to the C:\Program Files\Alwil Software\Avast4\DATA\moved folder and appends the .vir suffix.

The ntuser.dat file is a registry hive file and is quite important; there are several of them, assigned to all users on the system. I can’t understand why this was detected as infected in the first place. Had you moved it to the avast Chest (Quarantine), you wouldn’t have had this problem, as files in there aren’t scanned by the normal scan process. You would have also been able to see where it was originally and check that location to see if it had been recreated.

So if it were missing and was essential I think you would have experienced other problems.

You can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and won’t be scanned so you will get round the problem. I say to do this because I don’t like to suggest that you delete in case it is a required file.

The error (30) is strange - means “read fault” (which could indicate a problem with the disk for example, but the strange thing is already the presence of this file in the “moved” folder).
Do you remember avast! detecting the NTUSER.DAT file as infected?

Hello !

First thanks for the 2 answers.
Second, I am new with this forum, sorry if I misuse it (not very familiar with forums)!
Third, I will try to continue in english !
Last, I am new with Avast, with little knowledge with Windows.

My PC is a DELL, 1Gb RAM, 100 Gb disk, Pentium4, with a high speed connexion.
The system is Windows XP Pro, SP2, with IE7, all regularly updated.

I used to have Norton antivirus, but at renewal licence time, I decided to try
another solution.

Now I have Avast free version, along with ZoneAlarm firewall free version from
ZoneLabs, hope this combination is not bad, but this is another topic !

Before doing my first Avast scan, I was faced very quickly with the so
called “DCOM Exploit bloque” problem, that puzzled me somewhat. So I
installed the ZA firewall, the attacks are still present, but they are
silently processed/rejected by ZA. BTW : should it not have been possible
to have the same result by simply ticking the Avast “no repeat” option ?

At my first Avast scan (without ZA installed yet), I found a number of viruses
and other bad things (about 10, such as Trojans), all located in unused files,
so I deleted them all at the scan end, instead of moving them to the quarantine
area, as I should have done to better examine them, because I thought there was
no reason to really keep them (rarely used downloaded games files).
I cannot remember the exact sequence of events, but as far as I can remember,
the NTUSER event did appear after some other scans, perhaps after the 2nd one
(with ZA still not installed).

I made today a search on all the NTUSER files, and they all present a modification
date equal to the age of the machine, except one that looked to be re-created by
Windows at user’s corresponding first login time after the NTUSER event came up.
Effectively, up to now, this account looks to work correctly (?)

I made also a “minutieux” scan including all the archived files, and found 3
more viruses named Adware-gen ! I moved them all to the quarantine area.
Is this operation sufficient so they are definitively excluded from my PC ?

I also made yesterday an Ad-ware scan, and found about hundreds of
“critical objects”, all were cookies, and wiped them away. Since then,
my PC looks to run correctly (it ran very slow before).

Now what to do ? How can I eliminate this NTUSER situation encountered
at the end of each Avast scan ?

I would be very pleased to read any comments/suggestions.

Regards,

The safest place for the ntuser.dat.vir file is in the avast chest and it can be added manually. That way it is available should you ever find where it should be and if you need it; it should also stop it being scanned by the avast scan.

  1. Right click the avast icon, select Start avast! Antivirus, Menu, Virus Chest.
  2. Click on the User Files icon.
  3. At the top of the window is a menu list (Program, File, View and Help).
  4. Select File, Add, see image.
  5. From the pop-up window navigate to the avast4\data\moved\ntuser.dat.vir file and select it, click Open.

This will have added the file to the User Files section of the chest, this doesn’t delete the original file, you should do that manually.

Hello,

Just a quick question : does “virus chest” stand for “zone de quarantaine” ?

Thanks !

Yes the ‘Chest’ doesn’t translate too well.

Hello,

The word “quarantine” exists, but does not sound good either !

So I selected this entry : quarantaine-> fichiers utilisateurs → ajouter

At this time the pop-up Window sent me directly to …Avast/DATA/moved folder
with the NTUSER.DAT.vir file already visible. Selecting this file provides the following message :

“le programme ne peut ajouter le fichier à la zone de quarantaine
C:/Program Files/Alwil … /moved/NTUSER.DAT.vir”

—> Description : Erreur de données (contrôle de redondance cyclique)

and the action was refused.

It is somewhat all greek for me, hope not for you ! What can I do ?

Anyway, I tend to believe this file most probably to be useless, perhaps I can delete
the original anyway …

Regards,

As I have said deletion is a final choice you have none left.

Are you able to open the chest/quarantine, see image ?
Direct access to the chest/quarantine: using explorer find this file, C:\Program Files\Alwil Software\Avast4\ashChest.exe, double click it and this will open the chest/quarantine. In the chest the names might be different but the icons are the same and the order or location will be the same.

Pause the standard shield before trying to add it to the User Files section of the chest/quarantine and see if that allows you to add it. If successful then delete the original in the Moved folder and then enable the standard shield again.

If you can login Windows, you can delete the C:\Program Files\Alwil Software\Avast4\DATA\moved\NTUSER.DAT.vir file.
I think you can’t delete your own C:\Documents and Settings\ … your login name …\ntuser.dat file… it’s in use by Windows.

[ After my last previous post yesterday evening, I shut down my PC.
This morning, an Avast! scan was automatically launched at boot time, here follows
the report : (copy of current DATA/report/aswBoot.txt)


29/04/2007 00:43
Analyse de tous les lecteurs locaux
Fichier C:\Documents and Settings\admin\Mes documents\LemonadeTycoonSetup-dm.exe est infecté par Win32:Adware-gen. [Adw], Supprimé
Fichier C:\Documents and Settings\admin\Mes documents\Monopoly3-dm.exe est infecté par Win32:Adware-gen. [Adw], Supprimé
Fichier C:\Documents and Settings\admin\Mes documents\WormsArmageddon-dm.exe est infecté par Win32:Adware-gen. [Adw], Supprimé

Nombre de dossiers parcourus : 5769
Nombre de fichiers analysés : 125721
Nombre de fichiers infectés : 3


04/05/2007 08:37
Analyse de tous les lecteurs locaux

Nombre de dossiers parcourus : 5969
Nombre de fichiers analysés : 131157
Nombre de fichiers infectés : 0

(I replaced my personnal account name by admin)

Why did avast launch this scan this morning? Has this something to do
with yesterday’s unsuccessful attempts ? ]

Now, I tried the same thing adding the NTUSER into the chest,
(after direct ashChest.exe invocation, user → files > add → open), but
obtained the same results.

Why this file apparently cannot be added to the chest ?

Regards,

Maybe you checked the box to run a boot scan without realizing it.

The latest detections look like some installers that download with demonstration versions of online games. Please do a complete scan with the free version of SuperAntispyware, putting in quarantine anything it finds. It can be downloaded here:

http://www.superantispyware.com/

Then post the log it produces, followed by a HijackThis log:

Click here to download HJTsetup.exe

  1. Save HJTsetup.exe to your desktop.
  2. Doubleclick on the HJTsetup.exe icon on your desktop.
  3. By default it will install to C:\Program Files\Hijack This.
  4. Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  5. Put a check by Create a desktop icon then click Next again.
  6. Continue to follow the rest of the prompts from there.
  7. At the final dialogue box click Finish and it will launch Hijack This.
  8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  9. Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
  10. Come back here to this thread and Paste the log in your next reply.
  11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

First the Win32:Adware-gen. [Adw] malware detection, the -gen indicates generic and as such is trying to detect multiple forms of adware with one signature. I tend to confirm all detections on all security applications are good.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest, you will need to move it out.

The only reason a boot-time scan would be done on the next boot would be if you had scheduled it. Either, Right click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’ Or if an infection was found there may be a selection to perform a boot-time scan.

I have no idea why you can’t add a file from the avast moved folder, did you first pause the Standard Shield before you attempted this ?
If not then avast will first scan the file and the same error will happen.

It may be as you said before you have come to the point of deletion as no issues have resulted in it having been moved there.

Hello,

I may have inadvertently selected a scan at boot time, as
I remember having been walking around this option 2 days ago.

In my attempts to add the NTUSER.vir file into the Avast chest,
I have set the Standard shield to the pause status, as I remember
to have noticed the pop-up window telling me so.

Here follow the SUPERAntivirus and HJT logs as attached txt.

Hope they are correct, aren’t too big and that they will be helpful.

Regards,

These logs are an unusual mixture of Latin and Asian characters. Since you seem to speak French natively I wonder if there is also an Asian speaking user of your computer?

Anyway, the SuperAntiSpyware log looks like only cookies. Nothing to worry about there.

This is the HJT log with the Asian characters removed (for my benefit since I speak only English)

Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/fileassoc.asp?LangID=040c&Ext=pdf
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Aide pour le lien d’Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [StorageGuard] “C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe” /r
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM..\Run: [LogitechQuickCamRibbon] “C:\Program Files\Logitech\QuickCam10\QuickCam10.exe” /hide
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe” -osboot
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [DW4] “C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe”
O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU..\Run: [Pando] “C:\Program Files\Pando Networks\Pando\Pando.exe” /Minimized
O4 - Startup: maTélé.lnk = ?
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Ouvrir dans un nouvel onglet d’arrière-plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-ch\msntabres.dll.mui/229?6269598a2fe14206bb3aa29aa8367b55
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra ‘Tools’ menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://encyclo.voila.fr/JS/tdserver.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

(continued on page 2 - sorry)

O18 - Protocol: bw+0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: offline-8876480 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe

You have a remnant of an old Symantec installation that could be causing problems.

Open HijackThis again and click to Do A System Scan Only. When complete put a check next to this line

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe

and click Fix Checked

Reboot and open HijackThis again. Click the button labeled Open the Misc Tools section, then click the button labeled Delete an NT Service.

In the empty field type the line in the quote box (or copy and paste it in) and click OK

Symantec Core LC

Then navigate to the C:\Program Files\Fichiers communs\Symantec Shared\ folder. Delete its contents, remove the folder and any other traces of Symantec/Norton antivirus programs you find.

Other than that I see no problems in the logs.
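The review done by hand on the log above (an O23 service left behind by a removed product, plus the “(file missing)” and “Unknown owner” markers HijackThis prints) can be scripted. This is an added example, not part of the original thread or of HijackThis; the sample lines are copied from the log posted in this thread, and the function names and the `removed_products` parameter are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Entry lines look like "<code> - <text>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# The image path is the first " - "-separated field that starts like a path.
PATH_START_RE = re.compile(r'^(?:"?[A-Za-z]:\\|%)')
MISSING = "(file missing)"

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

C:\WINDOWS\system32\services.exe
O9 - Extra ‘Tools’ menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
"""


@dataclass
class Finding:
    code: str        # HijackThis section code, e.g. "O23"
    reasons: list    # why the line deserves a second look
    line: str        # the log line itself
    service: str = ""  # display name, for O23 entries only


def parse_service(body):
    """Split an O23 body into (display name, owner, image path), or None."""
    if not body.startswith("Service: "):
        return None
    parts = body[len("Service: "):].split(" - ")
    for i in range(2, len(parts)):
        if PATH_START_RE.match(parts[i]):
            return " - ".join(parts[:i - 1]), parts[i - 1], " - ".join(parts[i:])
    return None


def triage(log_text, removed_products=()):
    """Return entries worth reviewing; these are leads, not verdicts."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank line, or running-process path
        code, body = m.group("code"), m.group("body")
        reasons, service = [], ""
        if body.endswith(MISSING):
            reasons.append("file-missing")
        if code == "O23":
            parsed = parse_service(body)
            if parsed:
                service, owner, _path = parsed
                if owner == "Unknown owner":
                    reasons.append("unknown-owner")
                # Products the user says were uninstalled (caller-supplied).
                haystack = f"{service} {owner}".lower()
                for product in removed_products:
                    if product.lower() in haystack:
                        reasons.append(f"removed-product:{product}")
        if reasons:
            findings.append(Finding(code, reasons, line, service))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, removed_products=("Symantec", "Norton")):
        print(f.code, ",".join(f.reasons), "|", f.service or f.line)
```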

Hello,

Thanks for your answer !

No, I have no known “Asian” individual that can access my PC, only
myself and my family, that represents a group of 4 persons max !

You are right, I am french language native, only this language and
english are exclusively used here. Solely swedish may have been
used from time to time on my PC.

So all what looks “Asian” (whatever it is) looks very suspicious to me !
We do not have in any manner explicit “Asian” connexions with anybody !
(Can they be specific language stuff [dictionaries] provided by Microsoft
at SP2 update time ?).

In which manner can you say it looks like “asian” ? Cannot imagine that !

Can I get rid of all this stuff ? And how can I do it ?

By doing a quick visual comparison of what you resent me in your reply
with what I sent you yesterday, I notice on that some lines on my HJT
copy some duplicates …

Example :

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

There may be more !
Is this normal ?

During various avast runs, I noticed that there was still remaining
a Symantec folder. At the time I wanted to terminate with
Norton Antivirus, I downloaded the Symantec/Norton uninstall
tool, and I just in the meantime have removed that folder !
Just to say, why was this folder not removed by that product ?
(Hope doing so was no harm).

Can you give me a quick answer/comment before I proceed with
what you suggest with HJT ?

Many thanks.

Quick correction : there is only one occurrence of
the following :

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

Sorry !

Hello,

I confirm there is no “asian” user here, but we had some
limited exchanges by e-mail only with far away located persons.

This morning, I made a standard Avast scan, the result produced
a long list of files (245) for which I received the following message :

Impossible de scanner, L’archive est protégée par mot de passe.

All these files look to refer to the SUPERAntispyware, Lavasoft
Ad-Adware products.

Is this normal ? Should I uninstall all these products ?

Thanks,