Avast WEBforum

Other => General Topics => Topic started by: crococ on May 03, 2007, 12:48:36 AM

Title: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 03, 2007, 12:48:36 AM
Good evening,

Every time I finish a scan with Avast, I get the following message:

C:\Program Files\Alwil Software\Avast4\DATA\moved\NTUSER.DAT.vir [E] Lecture impossible sur le périphérique spécifié (30)

What exactly does this message mean?

What does the "vir" suffix correspond to? (for virus???)

What does this file correspond to?

Thanks in advance for any reply.

Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: DavidR on May 03, 2007, 02:09:43 AM
http://babelfish.altavista.com/ (http://babelfish.altavista.com/)
Quote from: Translation
.../NTUSER.DAT.vir [ E ] impossible Reading

Each time I finish a scan with Avast, obtain it the following message: C:\Program Files\Alwil Software\Avast4\DATA\moved\NTUSER.DAT.vir [ E ] impossible Reading on the specified peripheral (30) What means this message exactly? With what does correspond the suffix "to vir"? (for Huh virus) With what does correspond this file? Thank you by advance for any answer.

At some point avast detected this as infected and you chose to Move/Rename this ntuser.dat file; this moves the file to the C:\Program Files\Alwil Software\Avast4\DATA\moved folder and appends the .vir suffix.

The ntuser.dat file is a registry hive file and is quite important; there are several of them, assigned to all users on the system. I can't understand why this was detected as infected in the first place. Had you moved it to the avast Chest (Quarantine) you wouldn't have had this problem, as files in there aren't scanned by the normal scan process. You would also have been able to see where it was originally and check that location to see if it had been recreated.

So if it were missing and was essential I think you would have experienced other problems.

You can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and won't be scanned, so you will get round the problem. I say to do this because I don't like to suggest that you delete it in case it is a required file.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: igor on May 03, 2007, 01:21:00 PM
The error (30) is strange - it means "read fault" (which could indicate a problem with the disk, for example, but the strange thing is already the presence of this file in the "moved" folder).
Do you remember avast! detecting the NTUSER.DAT file as infected?
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 03, 2007, 05:43:21 PM
Hello !

First, thanks for the 2 answers.
Second, I am new to this forum, sorry if I misuse it (not very familiar with forums)!
Third, I will try to continue in English !
Last, I am new to Avast, with little knowledge of Windows.

My PC is a DELL, 1Gb RAM, 100 Gb disk, Pentium4, with a high speed connection.
The system is Windows XP Pro, SP2, with IE7, all regularly updated.

I used to have Norton antivirus, but at licence renewal time, I decided to try
another solution.

Now I have Avast free version, along with ZoneAlarm firewall free version from
ZoneLabs; hope this combination is not bad, but this is another topic !

Before doing my first Avast scan, I was very quickly faced with the so
called "DCOM Exploit bloque" problem, which puzzled me somewhat. So I
installed the ZA firewall; the attacks are still present, but they are silently
processed/rejected by ZA. BTW: should it not have been possible
to have the same result by simply ticking the Avast "no repeat" option ?

At my first Avast scan (without ZA installed yet), I found a number of viruses
and other bad things (about 10, such as Trojans), all located in unused files,
so I deleted them all at the scan end, instead of moving them to the quarantine
area, as I should have done to better examine them, because I thought there was
no reason to really keep them (rarely used downloaded games files).
I cannot remember the exact sequence of events, but as far as I can remember,
the NTUSER event did appear after some other scans, perhaps after the 2nd one
(with ZA still not installed).

I made today a search on all the NTUSER files, and they all present a modification
date equal to the age of the machine, except one that looked to be re-created by
Windows at the user's first login time after the NTUSER event came up.
Effectively, up to now, this account looks to work correctly (?)

I also made a "minutieux" (thorough) scan including all the archived files, and found 3
more viruses named Adware-gen ! I moved them all to the quarantine area.
Is this operation sufficient so they are definitively excluded from my PC ?

I also made an Ad-Aware scan yesterday, and found hundreds of
"critical objects", all were cookies, and wiped them away. Since then,
my PC looks to run correctly (it ran very slow before).

Now what to do ? How can I eliminate this NTUSER situation encountered
at the end of each Avast scan ?

I would be very pleased to read any comments/suggestions.

Regards,
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: DavidR on May 03, 2007, 06:19:06 PM
The safest place for the ntuser.dat.vir file is in the avast chest, and it can be added manually. That way it is available should you ever find where it should be and if you need it; it should also stop it being scanned by the avast scan.

1. Right click the avast icon, select Start avast! Antivirus, Menu, Virus Chest.
2. Click on the User Files icon.
3. At the top of the window is a menu list (Program, File, View and Help).
4. Select File, Add, see image.
5. From the pop-up window navigate to the avast4\data\moved\ntuser.dat.vir file and select it, click Open.

This will have added the file to the User Files section of the chest; this doesn't delete the original file, you should do that manually.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 03, 2007, 11:17:42 PM
Hello,

Just a quick question: does "virus chest" stand for "zone de quarantaine" ?

Thanks !
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: DavidR on May 03, 2007, 11:22:01 PM
Yes, the 'Chest' doesn't translate too well.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 04, 2007, 12:06:37 AM
Hello,

The word "quarantine" exists, but does not sound good either !

So I selected this entry : quarantaine-> fichiers utilisateurs -> ajouter

At this time the pop-up window sent me directly to the ..Avast/DATA/moved folder
with the NTUSER.DAT.vir file already visible. Selecting this file produces the following message :

"le programme ne peut ajouter le fichier à la zone de quarantaine
        C:/Program Files/Alwil ... /moved/NTUSER.DAT.vir"

---> Description : Erreur de données (contrôle de redondance cyclique)

and the action was refused.

It is somewhat all Greek to me, hope not to you ! What can I do ?

Anyway, I tend to believe this file is most probably useless; perhaps I can delete
the original anyway ...

Regards,
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: DavidR on May 04, 2007, 12:40:37 AM
As I have said, deletion is the final choice, when you have none left.

Are you able to open the chest/quarantine, see image ?
Direct access to the chest/quarantine: using Explorer find this file, C:\Program Files\Alwil Software\Avast4\ashChest.exe, double click it and this will open the chest/quarantine; in the chest the names might be different but the icons are the same and the order or location will be the same.

Pause the Standard Shield before trying to add it to the User Files section of the chest/quarantine and see if that allows you to add it. If successful, then delete the original in the Moved folder and then enable the Standard Shield again.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: Lisandro on May 04, 2007, 12:49:20 AM
Perhaps I can delete the original anyway ...
If you can log in to Windows, you can delete the C:\Program Files\Alwil Software\Avast4\DATA\moved\NTUSER.DAT.vir file.
I think you can't delete your own C:\Documents and Settings\ ... your login name ...\ntuser.dat file... it's in use by Windows.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 04, 2007, 11:10:11 AM
[ After my last post yesterday evening, I shut down my PC.
This morning, an Avast! scan was automatically launched at boot time; here follows
the report : (copy of current DATA/report/aswBoot.txt)

-->
29/04/2007 00:43
Analyse de tous les lecteurs locaux
Fichier C:\Documents and Settings\admin\Mes documents\LemonadeTycoonSetup-dm.exe est infecté par Win32:Adware-gen. [Adw], Supprimé
Fichier C:\Documents and Settings\admin\Mes documents\Monopoly3-dm.exe est infecté par Win32:Adware-gen. [Adw], Supprimé
Fichier C:\Documents and Settings\admin\Mes documents\WormsArmageddon-dm.exe est infecté par Win32:Adware-gen. [Adw], Supprimé

Nombre de dossiers parcourus : 5769
Nombre de fichiers analysés : 125721
Nombre de fichiers infectés : 3

----------------------------------------
04/05/2007 08:37
Analyse de tous les lecteurs locaux

Nombre de dossiers parcourus : 5969
Nombre de fichiers analysés : 131157
Nombre de fichiers infectés : 0
<--

(I replaced my personal account name with admin)

Why did avast launch this scan this morning? Has this something to do
with yesterday's unsuccessful attempts ? ]

Now, I tried the same thing, adding the NTUSER into the chest
(after direct ashChest.exe invocation, user -> files > add -> open), but
obtained the same results.

Why can this file apparently not be added to the chest ?

Regards,

Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: mauserme on May 04, 2007, 02:26:28 PM
Why did avast launch this scan this morning? Has this something to do
with yesterday's unsuccessful attempts ?
Maybe you checked the box to run a boot scan without realizing it. 

The latest detections look like some installers that download with demonstration versions of online games.  Please do a complete scan with the free version of SuperAntispyware, putting in quarantine anything it finds.  It can be downloaded here

http://www.superantispyware.com/

Then post the log it produces, followed by a HijackThis log:

Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: DavidR on May 04, 2007, 02:41:40 PM
[ After my last post yesterday evening, I shut down my PC.
This morning, an Avast! scan was automatically launched at boot time; here follows
the report : (copy of current DATA/report/aswBoot.txt)
<snip>
Why did avast launch this scan this morning? Has this something to do
with yesterday's unsuccessful attempts ? ]

Now, I tried the same thing, adding the NTUSER into the chest
(after direct ashChest.exe invocation, user -> files > add -> open), but
obtained the same results.

Why can this file apparently not be added to the chest ?

First, the Win32:Adware-gen. [Adw] malware detection: the -gen indicates generic, and as such it is trying to detect multiple forms of adware with one signature. I tend to confirm all detections on all security applications are good.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html) I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/) if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out.

The only reason a boot-time scan would be done on the next boot would be if you had scheduled it. Either, Right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...' Or if an infection was found there may be a selection to perform a boot-time scan.

I have no idea why you can't add a file from the avast moved folder; did you first pause the Standard Shield before you attempted this ?
If not, then avast will first scan the file and the same error will happen.

It may be, as you said before, that you have come to the point of deletion, as no issues have resulted from it having been moved there.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 04, 2007, 07:50:09 PM
Hello,

I may have inadvertently selected a scan at boot time, as
I remember having been walking around this option 2 days ago.

In my attempts to add the NTUSER.vir file into the Avast chest,
I have set the Standard Shield to the pause status, as I remember
having noticed the pop-up window telling me so.

Here follow the SUPERAntiSpyware and HJT logs as attached txt.

Hope they are correct, aren't too big and will be helpful.

Regards,
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: mauserme on May 05, 2007, 02:06:46 AM
These logs are an unusual mixture of Latin and Asian characters.  Since you seem to speak French natively I wonder if there is also an Asian speaking user of your computer?

Anyway, the SuperAntiSpyware log looks like only cookies.  Nothing to worry about there.

This is the HJT log with the Asian characters removed (for my benefit since I speak only English)

Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/fileassoc.asp?LangID=040c&Ext=pdf
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - Startup: maTélé.lnk = ?
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Ouvrir dans un nouvel onglet d'arrière-plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-ch\msntabres.dll.mui/229?6269598a2fe14206bb3aa29aa8367b55
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://encyclo.voila.fr/JS/tdserver.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

(continued on page 2 - sorry)
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: mauserme on May 05, 2007, 02:07:26 AM
O18 - Protocol: bw+0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: offline-8876480 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: mauserme on May 05, 2007, 05:07:41 AM
You have a remnant of an old Symantec installation that could be causing problems.

Open HijackThis again and click to Do A System Scan Only.  When complete put a check next to this line

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe

and click Fix Checked

Reboot and open HijackThis again.  Click the button labelled Open the Misc Tools section, then click the button labelled Delete an NT Service.

In the empty field type the line in the quote box (or copy and paste it in) and click OK

Quote
Symantec Core LC

Then navigate to the C:\Program Files\Fichiers communs\Symantec Shared\  folder.  Delete its contents, remove the folder and any other traces of Symantec/Norton antivirus programs you find.

Other than that I see no problems in the logs.
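The triage mauserme did by eye on the HijackThis log above (spot "(file missing)" entries, spot a service left behind by a vendor the user believes is uninstalled, and check whether repeated process names are just several svchost.exe instances) can be done with a small parser. This is an added example, not HijackThis code and not from anyone in this thread; the sample log is constructed from a few lines of the log posted above, and the vendor keyword list is an assumption.

```python
"""HijackThis v1.99 log triage (added example, not HijackThis code).

Reproduces what the helpers in the thread did by hand: list entries whose
target is gone ('(file missing)'), list O23 services still belonging to a
vendor the user thinks is uninstalled (the Symantec remnant), and count
running instances per executable (several svchost.exe instances are normal).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\svchost.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")   # bare path lines = running processes
MISSING = "(file missing)"


@dataclass
class Entry:
    code: str           # HijackThis section, e.g. "O23"
    description: str    # item name (BHO title, service name, Run value name)
    vendor: str         # O23 only: the company column, else ""
    path: str           # last field: target file or command line
    file_missing: bool  # HijackThis could not find the target on disk


def _parse_entry(code, body):
    """Split one 'Oxx - Kind: desc - {CLSID} - path' line into an Entry."""
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)].rstrip()
    _kind, _, rest = body.partition(": ")
    if code == "O4" and rest.startswith("["):
        # O4 - HKLM\..\Run: [ValueName] command line
        name, _, command = rest[1:].partition("] ")
        return Entry(code, name, "", command, missing)
    fields = [f.strip() for f in rest.split(" - ")] if rest else [body]
    vendor = fields[1] if code == "O23" and len(fields) >= 3 else ""
    return Entry(code, fields[0], vendor, fields[-1], missing)


def parse_log(text):
    """Return (running_process_paths, entries) from HijackThis log text."""
    processes, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(_parse_entry(m["code"], m["body"]))
        elif PROCESS_RE.match(line):
            processes.append(line)
    return processes, entries


def file_missing_entries(entries):
    """Entries pointing at a file HijackThis could not find: dead hooks or remnants."""
    return [e for e in entries if e.file_missing]


def services_from_vendors(entries, vendor_keywords):
    """O23 services whose vendor or path mentions a product believed removed."""
    keys = [k.lower() for k in vendor_keywords]
    return [e for e in entries if e.code == "O23"
            and any(k in f"{e.vendor} {e.path}".lower() for k in keys)]


def process_counts(processes):
    """Running instances per executable name, case-insensitive."""
    return Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)


if __name__ == "__main__":
    procs, items = parse_log(SAMPLE_LOG)
    print("process counts:", dict(process_counts(procs)))
    for e in file_missing_entries(items):
        print("file missing:", e.code, e.description, "->", e.path)
    # Assumed keyword list: products the user says were uninstalled.
    for e in services_from_vendors(items, ["Symantec", "Norton"]):
        print("leftover service:", e.description, "->", e.path)
```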
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 05, 2007, 10:51:29 AM
Hello,

Thanks for your answer !

No, I have no known "Asian" individual that can access my PC, only
myself and my family, that represents a group of 4 persons max !

You are right, I am a French language native; only this language and
English are exclusively used here. Solely Swedish may have been
used from time to time on my PC.

So all that looks "Asian" (whatever it is) looks very suspicious to me !
We do not have in any manner explicit "Asian" connections with anybody !
(Can they be specific language stuff [dictionaries] provided by Microsoft
at SP2 update time ?).

In which manner can you say it looks "Asian" ? Cannot imagine that !

Can I get rid of all this stuff ? And how can I do it ?

By doing a quick visual comparison of what you sent me back in your reply
with what I sent you yesterday, I notice that some lines on my HJT
copy have some duplicates ...

Example :

C:\WINDOWS\system32\svchost.exe
...
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

There may be more !
Is this normal ?

During various avast runs, I noticed that a Symantec folder was still
remaining. At the time I wanted to terminate with
Norton Antivirus, I downloaded the Symantec/Norton uninstall
tool, and I have just in the meantime removed that folder !
Just to say, why was this folder not removed by that product.
(Hope doing so was no harm).

Can you give me a quick answer/comment before I proceed with
what you suggest with HJT ?

Many thanks.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 05, 2007, 11:18:37 AM
Quick correction : there is only one occurrence of
the following :

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

Sorry !
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 05, 2007, 01:30:37 PM
Hello,

I confirm there is no "Asian" user here, but we had some
limited exchanges by e-mail only with far away located persons.

This morning, I made a standard Avast scan; the result produced
a long list of files (245) for which I received the following message :

Impossible de scanner, L'archive est protégée par mot de passe.

All these files look to refer to the SUPERAntiSpyware and Lavasoft
Ad-Aware products.

Is this normal ? Should I uninstall all these products ?

Thanks,
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: Lisandro on May 05, 2007, 01:59:13 PM
Impossible de scanner, L'archive est protégée par mot de passe.
All these files look to refer to the SUPERAntiSpyware and Lavasoft Ad-Aware products.
Is this normal ? Should I uninstall all these products ?
avast can't scan files that are password protected; it doesn't know the password.
There are many legitimate reasons why a file would be password protected. For instance, the ones you're talking about. Lavasoft stores its data in password-protected ZIP archives (to prevent other similar tools from messing with them). It's really nothing to worry about - it's normal.

In AdAware and S&D, when you fix/remove things it keeps backup/recovery information so you can restore anything that was mistakenly fixed/removed, etc. After a reasonable time in which your system has suffered no adverse effects, you can get rid of the older recovery/backup points.

This should reduce the number of protected files.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: mauserme on May 05, 2007, 02:33:13 PM
In which manner can you say it looks "Asian" ? Cannot imagine that !
When I download and open your logs I see this

(http://img513.imageshack.us/img513/6199/frenchasianse1.png) (http://imageshack.us)

These alternating lines of characters continue throughout both logs.  Chinese to English Babel Fish translations make no sense.  Do these characters appear in the logs you saved on your computer?


... I notice that some lines on my HJT
copy have some duplicates ...

Example :

C:\WINDOWS\system32\svchost.exe
Yes, it is normal to have multiple instances of svchost.exe running at the same time.  Often it may be as many as 5 or 6.



During various avast runs, I noticed that a Symantec folder was still
remaining. At the time I wanted to terminate with
Norton Antivirus, I downloaded the Symantec/Norton uninstall
tool, and I have just in the meantime removed that folder !
Just to say, why was this folder not removed by that product.
(Hope doing so was no harm).

Norton is shortsighted - they never seem to think anyone would ever choose a different product and so have no reliable way to remove their program.  Removing the folder first should cause no problems but I would still unregister the service.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 05, 2007, 06:45:13 PM
Hello,

I made a new HJT scan, and pasted directly into this current post the first few lines from the "Bloc-notes" pop-up file it generated.

-->
Logfile of HijackThis v1.99.1
Scan saved at 18:40:02, on 05/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\maTélé\maTélé.exe
C:\Program Files\Fichiers communs\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Fichiers communs\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cablecom.ch/fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/fileassoc.asp?LangID=040c&Ext=pdf
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Camfrog Toolbar - {AF2A1C5A-1AED-4E92-8BA8-D708EB79537E} - C:\Program Files\Camfrog\CamfrogBar\CamfrogBar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program
<--

Are these odd symbols still there?

Thanks for the other replies. I will fix the Symantec problem now ...

Regards,

Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: DavidR on May 05, 2007, 07:17:27 PM
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe

This indicates you have elements of Norton Internet Security Suite:
http://www.liutilities.com/products/wintaskspro/processlibrary/symlcsvc/ (http://www.liutilities.com/products/wintaskspro/processlibrary/symlcsvc/)

C:\Program Files\maTélé\maTélé.exe

There are no hits in a Google search for this 'with or without the language accents', so do you know what it is (it will probably appear as an O4 entry also, unknown as your log isn't complete)?
If not, you should check the file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html). I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/); if any other scanners here detect them it is less likely to be a false positive.
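The checks the two replies above make by eye (counting duplicate svchost.exe processes, spotting Symantec leftovers, picking out an unknown program such as maTélé.exe, and noticing "(no file)" / "(file missing)" entries) can be scripted. The following is an added example, not code from the thread or from HijackThis; it works on a constructed excerpt of the log posted in this thread and also re-joins entries that the forum paste wrapped across lines with a blank line inside them:

```python
import re
from collections import Counter

# Constructed excerpt of the log posted in this thread (most entries left out).
# Three entries are deliberately wrapped the way the forum paste wrapped them.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 20:08:06, on 07/05/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\maTélé\maTélé.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cablecom.ch/fr
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar2.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file

missing)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-

secure.symantec.com/techsupp/asa/LSSupCtl.cab
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+|F\d|N\d) - ")      # "O2 - BHO: ..." and friends
PATH_RE = re.compile(r"^[A-Za-z]:\\")                 # a process image path
MISSING_RE = re.compile(r"\((no file|file missing)\)$")


def _join(prev, cont):
    """Re-join one wrapped line: the wrap either replaced a space with a line
    break (join with ' ') or broke the text at a backslash, a '?' or an
    in-word hyphen such as 'www-secure' (join with nothing)."""
    if cont.startswith("\\") or prev.endswith(("\\", "?")):
        return prev + cont
    if prev.endswith("-") and not prev.endswith(" -"):
        return prev + cont
    return prev + " " + cont


def parse_hjt(text):
    """Return (header lines, running processes, entries) for an HJT log,
    re-joining entries and paths that were wrapped across lines."""
    header, processes, entries = [], [], []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                       # blank lines carry nothing
        if line == "Running processes:":
            section = "procs"
        elif ENTRY_RE.match(line):
            section = "entries"
            entries.append(line)
        elif section == "procs" and PATH_RE.match(line):
            processes.append(line)
        elif section == "entries":
            entries[-1] = _join(entries[-1], line)
        elif section == "procs":
            processes[-1] = _join(processes[-1], line)
        else:
            header.append(line)
    return header, processes, entries


def process_counts(processes):
    """Count running processes by image name. Several svchost.exe copies are
    normal on XP, as the reply above says; two copies of a security tool
    would be worth a look."""
    return Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)


def missing_file_entries(entries):
    """Entries whose target is gone: orphaned references that HJT can fix
    and that are not, by themselves, a sign of infection."""
    return [e for e in entries if MISSING_RE.search(e)]


def find_entries(entries, needle):
    """Case-insensitive search, e.g. for leftovers of an uninstalled product."""
    needle = needle.lower()
    return [e for e in entries if needle in e.lower()]


def processes_outside(processes, trusted_dirs):
    """Processes not under a trusted directory: the ones a helper would look
    up by name, like maTélé.exe in this thread."""
    prefixes = tuple(d.lower() for d in trusted_dirs)
    return [p for p in processes if not p.lower().startswith(prefixes)]


if __name__ == "__main__":
    header, procs, entries = parse_hjt(SAMPLE_LOG)
    print(header[0], dict(process_counts(procs)))
    print("orphaned:", missing_file_entries(entries))
    print("symantec leftovers:", find_entries(entries, "symantec"))
    print("outside trusted dirs:", processes_outside(procs, ["C:\\WINDOWS\\"]))
```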

Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: mauserme on May 05, 2007, 07:41:12 PM
I assumed it was this

http://www.tsr.ch/tsr/index.html?siteSect=511000

(http://img338.imageshack.us/img338/2977/mateledm4.png) (http://imageshack.us)

But it would be good to confirm.


Quote
Are these odd symbols still there ?
No, they are not there for me now.  Just something corrupted in the download I suppose.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 05, 2007, 09:07:33 PM
Hello,

My mistake, only my fault! I pasted the HJT logfile through a Word text editor
before linking it as an attachment in my previous post, without realizing the control
characters would send to you, invisible for me, all this extra dustbin info!
(I was a bit confused by the character number limitation, so I wanted to save
all the info temporarily.)

(Perhaps Asian editors use European chars as control characters?)

As a final HJT logfile check, I have attached a complete new version of it.
(Saved via the Windows Notepad process; hope it will work this time!)

maTélé is a service provided by the official Swiss Television Organization, so it
can be trusted. BTW, ZA asked me to permit it.

To zap the Sym/NORTON remaining entries, what exactly shall I do?
(I suppose: do a System Scan, tick the Sym entries (the last-but entry),
press scan and/or fix checked?)

What is the "Other stuff" meant for?

Many thanks for your help.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: DavidR on May 06, 2007, 12:00:28 AM
The log file you attached is 0KB, empty.

Rather than attach a file that those trying to help have to open, simply paste the contents of the log file directly into the post; there is no need for an intermediate step of using a word processor, etc. Split it over two posts 'if' it is too large.

Fixing the entry in HJT would remove the registry entry; manually check for the file and, if present, remove it.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: mauserme on May 06, 2007, 05:25:11 AM
Quote
To zap the Sym/NORTON remaining entries, what exactly shall I do?
(I suppose: do a System Scan, tick the Sym entries (the last-but entry),
press scan and/or fix checked?)

Open HijackThis again and click to Do A System Scan Only.  When complete put a check next to this line

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe

and click Fix Checked

Reboot and open HijackThis again.  Click the button labelled Open the Misc Tools section, then click the button labelled Delete an NT Service.

In the empty field type the line in the quote box (or copy and paste it in) and click OK

Quote
Symantec Core LC

Then navigate to the C:\Program Files\Fichiers communs\Symantec Shared\ folder.  Delete its contents, remove the folder and any other traces of Symantec/Norton antivirus programs you find.
Fixing an O23 entry in HijackThis sets the service to disabled but doesn't remove it.  You need to do the above steps to completely get rid of it.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 07, 2007, 08:41:00 PM
Hello,

Can't really explain what happened! Stumped am I! Sorry!

Here follows the log (several posts ...)

-->
Logfile of HijackThis v1.99.1
Scan saved at 20:08:06, on 07/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\maTélé\maTélé.exe
C:\Program Files\Fichiers communs\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Fichiers communs\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cablecom.ch/fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/fileassoc.asp?LangID=040c&Ext=pdf
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Camfrog Toolbar - {AF2A1C5A-1AED-4E92-8BA8-D708EB79537E} - C:\Program Files\Camfrog\CamfrogBar\CamfrogBar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Camfrog Toolbar - {AF2A1C5A-1AED-4E92-8BA8-D708EB79537E} - C:\Program Files\Camfrog\CamfrogBar\CamfrogBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
<--
(last O3 entry)

Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 07, 2007, 09:01:52 PM
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Camfrog] "C:\Program Files\Camfrog\Camfrog Video Chat\CamfrogNet.exe" 0 C:\Program Files\Camfrog\Camfrog Video Chat\Camfrog Video Chat.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: maTélé.lnk = ?
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Ouvrir dans un nouvel onglet d'arrière-plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-ch\msntabres.dll.mui/229?6269598a2fe14206bb3aa29aa8367b55
O8 - Extra context menu item: Ouvrir dans un nouvel onglet de premier plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-ch\msntabres.dll.mui/230?6269598a2fe14206bb3aa29aa8367b55
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
(last O9)
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 07, 2007, 09:20:01 PM
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://encyclo.voila.fr/JS/tdserver.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/02bbd81305c12205fd05/netzip/RdxIE601_fr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.98.46.120/activex/AxisCamControl.ocx
O18 - Protocol: bw+0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
(last bw90)
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 07, 2007, 09:28:24 PM
O18 - Protocol: bwa0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 07, 2007, 09:44:24 PM
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: offline-8876480 - {7FA2F73C-A33A-41CA-88B5-F633BBB93A86} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Planificateur LiveUpdate automatique - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Assistant Retrospect (Retrospect Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
<--

There are a number of lines with "file missing". Is this harmful?

Thanks for your patience.

Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: mauserme on May 08, 2007, 01:37:30 AM
The lines with missing files are not necessarily harmful but some are unnecessary.


These lines can definitely be fixed in HijackThis by placing a check next to them and clicking Fix Checked.

O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)




These lines are a quirk in the way HijackThis interacts with avast!. The files actually are present, as can be seen in the list of running processes. Leave these alone.

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)




I suspect the same with these lines, as I don't recall ever seeing the files not missing.

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)





And this service can be unregistered in the same way, with Delete an NT Service, as you did earlier.

O23 - Service: Planificateur LiveUpdate automatique - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)



But the real question is have the alerts on ntuser.dat ended?
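The triage described in the post above (keep the two avast services, unregister the Symantec scheduler, treat the xpnetdiag entries as suspect rather than orphaned) can be made mechanical. The Python script below is an added example, not code from the thread, from HijackThis or from avast. It assumes the line layout visible in the log above and the reading that HijackThis ran its existence check on the raw ImagePath string: the avast lines still carry the trailing quote and the `/service` argument, and the xpnetdiag lines still carry an unexpanded `%windir%`, which is what the script strips or expands before deciding whether the target file is really absent. The sample log lines, the fake disk contents and the environment map are constructed for the demonstration; on a real machine you would pass `os.path.isfile` and a lower-cased copy of `os.environ` instead.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample modelled on the HijackThis lines quoted in this thread; the
# ashMaiSv.exe line keeps the stray closing quote exactly as HijackThis printed it.
SAMPLE_LOG = r"""
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Planificateur LiveUpdate automatique - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""

# Constructed stand-in for the machine's disk and environment (assumption: on a real
# box you would pass os.path.isfile and a lower-cased copy of os.environ instead).
SAMPLE_DISK = {
    r"C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe",
    r"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe",
}
SAMPLE_ENV = {"windir": r"C:\WINDOWS"}

MISSING_TAG = "(file missing)"
# "O23 - Service: <name> - <owner> - <image>"  /  "O9 - Extra button: <name> - <CLSID> - <image>"
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.+?) - (?P<middle>.+?) - (?P<image>.+)$")
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|dll|sys|cpl))(?P<rest>.*)$", re.IGNORECASE)
ENV_RE = re.compile(r"%([^%]+)%")


@dataclass
class Entry:
    section: str           # "O23", "O9", ...
    name: str
    middle: str            # service owner for O23, CLSID for O9
    exe: str               # executable path with quotes and arguments stripped
    args: str
    flagged_missing: bool  # HijackThis printed "(file missing)"
    quote_mangled: bool    # closing quote with no opening one: quoted ImagePath + args, mis-rendered
    verdict: str = ""


def split_image(image: str):
    """Separate the executable path from its arguments.

    Returns (exe, args, quote_mangled). A properly quoted path is cut at the closing
    quote; an unquoted path is cut after the first executable extension, so the
    spaces in "Program Files" do not end up in the arguments."""
    s = image.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end > 0:
            return s[1:end], s[end + 1:].strip(), False
    m = EXE_RE.match(s)
    if not m:
        return s, "", False
    rest = m.group("rest")
    mangled = rest.startswith('"')
    return m.group("exe"), rest.lstrip('"').strip(), mangled


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line of the "<name> - <owner/CLSID> - <image>" shape; None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    image = m.group("image").strip()
    flagged = image.endswith(MISSING_TAG)
    if flagged:
        image = image[: -len(MISSING_TAG)].rstrip()
    exe, args, mangled = split_image(image)
    return Entry(m.group("section"), m.group("name"), m.group("middle"), exe, args, flagged, mangled)


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references (case-insensitive), as the service control manager would."""
    return ENV_RE.sub(lambda mm: env.get(mm.group(1).lower(), mm.group(0)), path)


def classify(entry: Entry, exists: Callable[[str], bool], env: Dict[str, str]) -> str:
    """Decide whether a "(file missing)" flag is real or a rendering quirk."""
    if not entry.flagged_missing:
        return "present"
    real = expand_env(entry.exe, env)
    if exists(real):
        if entry.quote_mangled:
            return "present (quoted ImagePath with arguments mis-read by HijackThis; leave alone)"
        if real != entry.exe:
            return "present (environment variable not expanded by HijackThis; leave alone)"
        return "present (HijackThis quirk; leave alone)"
    return "orphaned (target really absent; safe to fix / unregister)"


def triage(log: str, exists: Callable[[str], bool], env: Dict[str, str]) -> List[Entry]:
    entries = [e for e in map(parse_line, log.splitlines()) if e is not None]
    for e in entries:
        e.verdict = classify(e, exists, env)
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG, lambda p: p in SAMPLE_DISK, SAMPLE_ENV):
        print(f"{e.section:<4} {e.name:<40} {e.verdict}")
```

Run as a script, the block prints one verdict per entry: the two avast services and the xpnetdiag button resolve to files that do exist, and only the LiveUpdate scheduler comes back as an orphaned entry that is safe to remove. Anything flagged missing whose target is actually on disk is left alone, which is the rule the post applies by hand.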
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 09, 2007, 03:27:56 PM
Hello,

I did with HijackThis what you suggested:

There is no more trace of the O2 and O3 offending files.
Also the Symantec footprint looks to have disappeared,
except 2 DPF entries; can I "check" them also?

(I attached the HijackThis log, picked directly from the
C:/Program Files/Hijackthis folder; hope it will work.)

Also, since I directly deleted the NTUSER.DAT
file from the Avast4/DATA/moved folder, there does not seem
to be any drawback: my PC apparently runs normally.
 
One thing: some infected files remain in the Avast chest;
can I delete them directly?

The only curious symptom I observe quite often is that my IE
generates an error report without visible reason. This can also come
out when I am entering a command (nslookup for instance) in the
"Démarrer -> Exécuter" (Start -> Run) dialog: typing the first one or two characters
of the command produces such a report (even if IE is not running). I wonder whether this can be related in some way to the infected files that
I ran in the past. Perhaps you have an idea about this?

(That is why I am using Firefox now, and looking into how I can completely reinstall my IE.)

Apart from this, all looks to work fine. Nevertheless, I will try the VirusTotal
and Jotti scanners you suggested and ask you if something is not
clear.

Otherwise, I think we can close this thread. Thanks for your help!

Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: Lisandro on May 09, 2007, 05:48:32 PM
Also, since I directly deleted the NTUSER.DAT
file from the Avast4/DATA/moved folder, there does not seem
to be any drawback: my PC apparently runs normally.
Good.

One thing: some infected files remain in the Avast chest;
can I delete them directly?
Files in the Chest (Quarantine) are safe to stay there. There is no rush to delete anything from the Chest, a protected area where it can do no harm. Anything that you send to the Chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the Chest, scan them again (right-clicking the file inside the Chest) and if they are still detected as viruses, delete them.

This is a precaution because:
a) system files (necessary to boot and use the computer)
b) false positives (clean files that were wrongly detected as infected) could happen from time to time, and it's safer not to delete the file but send it to the Chest for further analysis.  ;)

You need to open the avast chest: start as if going to run an on-demand scan, click the menu and select Virus Chest, then Infected Files; here you will find those files you sent to the chest. They can be rescanned from within the chest and deleted, etc.

(So is why I using Firefox now, and looking in how I can completely  re-install my IE).
If you download the setup file from Microsoft site you can 'repair' (overinstall) your installation.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: mauserme on May 09, 2007, 08:47:30 PM
... looks to have diseappered,
except 2 DPF entries, can I "check" them also ?
Sure - those can be fixed.


Also, since I directly deleted the NTUSER.DAT
file from the Avast4/DATA/moved folder, there does not seem
to be any drawback: my PC apparently runs normally.
If you have multiple user accounts there might be a user who finds he's lost his settings.


Except this, all looks to work fine.
8)
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 09, 2007, 09:34:01 PM
Hello,

Well, in the meantime, this afternoon, I viewed the Avast logs, and I attach
all these logs (info, avertissement [warning], conseil [advice], error) in 4 separate attached files
(I used the right-hand edit box with the green arrow to export all these logs to
the desktop ("bureau"), from where I inserted them in this post).

Those concerning the E:/ entry are clear to me: I tried to scan a DVD
drive with no disc in it. Can you explain the others? Could they be a
result of the HijackThis "check" I made today?

Would Avast be able to scan a memory stick that I plug into a USB2 port?

I appreciate having a note from Avast telling me the mails I
receive and send are safe, but these pop-ups do not confirm to me that attached
documents are scanned as well; I suppose they are, right?

Many thanks for your support.



Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: mauserme on May 10, 2007, 01:23:14 PM
Well, your first log shows that you had an adware infection, and the second shows program and definition updates. The third logs errors that I'm not familiar with. Maybe Tech or DavidR could comment on these.

Quote
Would Avast be able to scan a memory key that I would plug into a USB2 port ?
Yes, it can. And it is being recommended that you turn auto-play off for these drives because of some malware currently making the rounds.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: DavidR on May 10, 2007, 02:41:24 PM
Well, the 00000015 error, which I believe is a Windows error = "The system cannot find the drive specified." Since this is drive E: I'm guessing it is a CD/DVD drive and there was no media in the drive; however, it isn't something I would be too concerned about unless it is a regular occurrence 'or' it isn't an optical drive?

The error 23 is a little more strange. I don't know if this is an avast error, but more likely a Windows one also: 23 = "Data error (cyclic redundancy check)," see below. Whilst I would usually associate a CRC error with a corrupt file, I can't see the relationship with moving a file to the chest. Unfortunately there isn't any means of checking what was being moved to the chest.

Quote
Cyclic Redundancy Check or CRC error.

Cause:
    This error message could be generated by any of the below reasons.

       1. During the transmission of the file it became corrupt or bad
       2. The file was sent inappropriately
       3. The device being opened from is bad or contains errors
       4. The file itself is bad or the program attempting to open the file is bad.
Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: crococ on May 11, 2007, 04:46:11 PM
Hello,

OK, many thanks for the answers !

I believe the error 23 occurred at the time I made several attempts to move
the .../moved/NTUSER.DAT.vir file into the chest ... with no success (I had this
CRC message, but I have no effective proof, because I was not looking at the
Avast error log file at that time, and cannot remember that event's exact time).
Next time I do some special ops with Avast, I will have a closer look at these
logs... Perhaps I should have sent this .vir file to you so you could examine it,
rather than having removed it definitively.

Indeed, one user's settings were changed; I managed to recreate that
account. Fortunately, apparently, no files were lost!

I suggest we close this thread now, as my PC looks to work correctly since
I have had Avast installed, and I am more accustomed to it.

Thanks again for your expert support, and sorry for my blunders!

Title: Re: .../NTUSER.DAT.vir [E] Lecture impossible
Post by: DavidR on May 11, 2007, 06:15:41 PM
You're welcome, glad that everything is OK now.