Author Topic: .../NTUSER.DAT.vir [E] Lecture impossible  (Read 25056 times)


crococ

  • Guest
.../NTUSER.DAT.vir [E] Lecture impossible
« on: May 03, 2007, 12:48:36 AM »
Good evening,

Every time I finish a scan with Avast, I get the following message:

C:\Program Files\Alwil Software\Avast4\DATA\moved\NTUSER.DAT.vir [E] Lecture impossible sur le périphérique spécifié (30)

What exactly does this message mean?

What does the suffix "vir" stand for? (for virus???)

What does this file correspond to?

Thanks in advance for any answer.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: .../NTUSER.DAT.vir [E] Lecture impossible
« Reply #1 on: May 03, 2007, 02:09:43 AM »
http://babelfish.altavista.com/
Quote from: Translation
.../NTUSER.DAT.vir [ E ] impossible Reading

Each time I finish a scan with Avast, obtain it the following message: C:\Program Files\Alwil Software\Avast4\DATA\moved\NTUSER.DAT.vir [ E ] impossible Reading on the specified peripheral (30) What means this message exactly? With what does correspond the suffix "to vir"? (for Huh virus) With what does correspond this file? Thank you by advance for any answer.

At some point avast detected this as infected and you chose to Move/Rename this ntuser.dat file, this moves the file to the C:\Program Files\Alwil Software\Avast4\DATA\moved folder and appends the .vir suffix.

The ntuser.dat file is a registry hive file and is quite important; there are several of them, assigned to all users on the system. I can't understand why this was detected as infected in the first place. Had you moved it to the avast Chest (Quarantine) you wouldn't have had this problem, as files in there aren't scanned by the normal scan process. You would have also been able to see where it was originally and check that location to see if it had been recreated.

So if it were missing and was essential I think you would have experienced other problems.

You can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and won't be scanned so you will get round the problem. I say to do this because I don't like to suggest that you delete in case it is a required file.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: .../NTUSER.DAT.vir [E] Lecture impossible
« Reply #2 on: May 03, 2007, 01:21:00 PM »
The error (30) is strange - means "read fault" (which could indicate a problem with the disk for example, but the strange thing is already the presence of this file in the "moved" folder).
Do you remember avast! detecting the NTUSER.DAT file as infected?

crococ

  • Guest
Re: .../NTUSER.DAT.vir [E] Lecture impossible
« Reply #3 on: May 03, 2007, 05:43:21 PM »
Hello !

First thanks for the 2 answers.
Second, I am new to this forum, sorry if I misuse it (not very familiar with forums)!
Third, I will try to continue in English!
Last, I am new to Avast, with little knowledge of Windows.

My PC is a DELL, 1Gb RAM, 100 Gb disk, Pentium4, with a high speed connection.
The system is Windows XP Pro, SP2, with IE7, all regularly updated.

I used to have Norton antivirus, but at licence renewal time, I decided to try
another solution.

Now I have Avast free version, along with ZoneAlarm firewall free version from
ZoneLabs, hope this combination is not bad, but this is another topic!

Before doing my first Avast scan, I was very quickly faced with the so
called "DCOM Exploit bloque" problem, that puzzled me somewhat. So I
installed the ZA firewall; the attacks are still present, but they are silently
processed/rejected by ZA. BTW: should it not have been possible
to get the same result by simply ticking the Avast "no repeat" option?

At my first Avast scan (without ZA installed yet), I found a number of viruses
and other bad things (about 10, such as Trojans), all located in unused files,
so I deleted them all at the scan end, instead of moving them to the quarantine
area, as I should have done to better examine them, because I thought there was
no reason to really keep them (rarely used downloaded game files).
Cannot remember the exact sequence of events, but as far as I can remember,
the NTUSER event did appear after some other scans, perhaps after the 2nd one
(with ZA still not installed).

I made today a search on all the NTUSER files, and they all present a modification
date equal to the age of the machine, except one that looked to be re-created by
Windows at the user's corresponding first login time after the NTUSER event came up.
Effectively, up to now, this account looks to work correctly (?)

I also made a "minutieux" scan including all the archived files, and found 3
more viruses named Adware-gen! I moved them all to the quarantine area.
Is this operation sufficient so they are definitively excluded from my PC?

I also made yesterday an Ad-ware scan, and found about hundreds of
"critical objects", all were cookies, and wiped them away. Since then,
my PC looks to run correctly (it ran very slow before).

Now what to do ? How can I eliminate this NTUSER situation encountered
at the end of each Avast scan ?

I would be very pleased to read any comments/suggestions.

Regards,

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: .../NTUSER.DAT.vir [E] Lecture impossible
« Reply #4 on: May 03, 2007, 06:19:06 PM »
The safest place for the ntuser.dat.vir file is in the avast chest, and it can be added manually. That way it is available should you ever find where it should be and if you need it; it should also stop it being scanned by the avast scan.

1. Right click the avast icon, select Start avast! Antivirus, Menu, Virus Chest.
2. Click on the User Files icon.
3. At the top of the window is a menu list (Program, File, View and Help).
4. Select File, Add, see image.
5. From the pop-up window navigate to the avast4\data\moved\ntuser.dat.vir file and select it, click Open.

This will have added the file to the User Files section of the chest; this doesn't delete the original file, you should do that manually.

crococ

  • Guest
Re: .../NTUSER.DAT.vir [E] Lecture impossible
« Reply #5 on: May 03, 2007, 11:17:42 PM »
Hello,

Just a quick question: does "virus chest" stand for "zone de quarantaine"?

Thanks !

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: .../NTUSER.DAT.vir [E] Lecture impossible
« Reply #6 on: May 03, 2007, 11:22:01 PM »
Yes the 'Chest' doesn't translate too well.

crococ

  • Guest
Re: .../NTUSER.DAT.vir [E] Lecture impossible
« Reply #7 on: May 04, 2007, 12:06:37 AM »
Hello,

The word "quarantine" exists, but does not sound good either !

So I selected this entry : quarantaine-> fichiers utilisateurs -> ajouter

At this time the pop-up Window sent me directly to ..Avast/DATA/moved folder
with the NTUSER.DAT.vir file already visible. Selecting this file provides the following message :

"le programme ne peut ajouter le fichier à la zone de quarantaine
        C:/Program Files/Alwil ... /moved/NTUSER.DAT.vir"

---> Description : Erreur de données (contrôle de redondance cyclique)

and the action was refused.

It is somewhat all Greek to me, hope not for you! What can I do?

Anyway, I tend to believe this file most probably to be useless, perhaps I can delete
the original anyway ...

Regards,






Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: .../NTUSER.DAT.vir [E] Lecture impossible
« Reply #8 on: May 04, 2007, 12:40:37 AM »
As I have said, deletion is a final choice when you have none left.

Are you able to open the chest/quarantine, see image ?
Direct access to the chest/quarantine: using explorer find this file, C:\Program Files\Alwil Software\Avast4\ashChest.exe, double click it and this will open the chest/quarantine; in the chest the names might be different but the icons are the same and the order or location will be the same.

Pause the standard shield before trying to add it to the User Files section of the chest/quarantine and see if that allows you to add it. If successful then delete the original in the Moved folder and then enable the standard shield again.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: .../NTUSER.DAT.vir [E] Lecture impossible
« Reply #9 on: May 04, 2007, 12:49:20 AM »
Perhaps I can delete the original anyway ...
If you can login Windows, you can delete the C:\Program Files\Alwil Software\Avast4\DATA\moved\NTUSER.DAT.vir file.
I think you can't delete your own C:\Documents and Settings\ ... your login name ...\ntuser.dat file... it's in use by Windows.
The best things in life are free.

crococ

  • Guest
Re: .../NTUSER.DAT.vir [E] Lecture impossible
« Reply #10 on: May 04, 2007, 11:10:11 AM »
[ After my last post yesterday evening, I shut down my PC.
This morning, an Avast! scan was automatically launched at boot time; here follows
the report (copy of current DATA/report/aswBoot.txt):

-->
29/04/2007 00:43
Analyse de tous les lecteurs locaux
Fichier C:\Documents and Settings\admin\Mes documents\LemonadeTycoonSetup-dm.exe est infecté par Win32:Adware-gen. [Adw], Supprimé
Fichier C:\Documents and Settings\admin\Mes documents\Monopoly3-dm.exe est infecté par Win32:Adware-gen. [Adw], Supprimé
Fichier C:\Documents and Settings\admin\Mes documents\WormsArmageddon-dm.exe est infecté par Win32:Adware-gen. [Adw], Supprimé

Nombre de dossiers parcourus : 5769
Nombre de fichiers analysés : 125721
Nombre de fichiers infectés : 3

----------------------------------------
04/05/2007 08:37
Analyse de tous les lecteurs locaux

Nombre de dossiers parcourus : 5969
Nombre de fichiers analysés : 131157
Nombre de fichiers infectés : 0
<--

(I replaced my personal account name with admin)

Why did avast launch this scan this morning? Has this something to do
with yesterday's unsuccessful attempts? ]

Now, I tried the same thing, adding the NTUSER into the chest
(after direct ashChest.exe invocation, user -> files > add -> open), but
obtained the same results.

Why can this file apparently not be added to the chest?

Regards,
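The boot-scan report pasted above has a regular line format, so it can be parsed and cross-checked rather than read by eye. What follows is an added example, not code from the thread or from the avast product. It takes the two runs quoted from aswBoot.txt as its sample input (the "-->"/"<--" markers from the post are left out; "admin" is the poster's substituted account name) and extracts, per run, the start time, each detection's path, detection name, category tag and the action taken, plus the summary counters. It also checks that the number of detection lines agrees with the "fichiers infectés" counter, the kind of consistency test worth automating when a scanner log is used as the record of what happened. The regular expressions are written against the French log strings shown on the page; that they hold for other avast language builds is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Sample input: the two boot-scan runs quoted in the post, reproduced as posted
# (forum "-->"/"<--" markers dropped; "admin" is the poster's substituted account name).
SAMPLE_REPORT = r"""29/04/2007 00:43
Analyse de tous les lecteurs locaux
Fichier C:\Documents and Settings\admin\Mes documents\LemonadeTycoonSetup-dm.exe est infecté par Win32:Adware-gen. [Adw], Supprimé
Fichier C:\Documents and Settings\admin\Mes documents\Monopoly3-dm.exe est infecté par Win32:Adware-gen. [Adw], Supprimé
Fichier C:\Documents and Settings\admin\Mes documents\WormsArmageddon-dm.exe est infecté par Win32:Adware-gen. [Adw], Supprimé

Nombre de dossiers parcourus : 5769
Nombre de fichiers analysés : 125721
Nombre de fichiers infectés : 3

----------------------------------------
04/05/2007 08:37
Analyse de tous les lecteurs locaux

Nombre de dossiers parcourus : 5969
Nombre de fichiers analysés : 131157
Nombre de fichiers infectés : 0
"""

# Line patterns, written against the French strings avast used in this log
# (assumption: other language builds use different wording).
HEADER_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}$")
DETECTION_RE = re.compile(
    r"^Fichier (?P<path>.+?) est infecté par (?P<name>.+?)\.? "
    r"\[(?P<category>[^\]]+)\], (?P<action>.+)$"
)
COUNTER_RE = re.compile(
    r"^Nombre de (?P<what>dossiers parcourus|fichiers analysés|fichiers infectés) : (?P<n>\d+)$"
)
COUNTER_FIELDS = {"dossiers parcourus": "folders",
                  "fichiers analysés": "files",
                  "fichiers infectés": "infected"}


@dataclass
class Detection:
    path: str
    name: str       # e.g. Win32:Adware-gen (trailing period stripped)
    category: str   # tag in brackets, e.g. Adw
    action: str     # what the scanner did with the file, e.g. Supprimé


@dataclass
class ScanRun:
    started: datetime
    scope: str = ""
    detections: List[Detection] = field(default_factory=list)
    folders: Optional[int] = None
    files: Optional[int] = None
    infected: Optional[int] = None


def parse_report(text: str) -> List[ScanRun]:
    """Split an aswBoot.txt-style report into runs; raise on unrecognised lines."""
    runs: List[ScanRun] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue  # blank line or run separator
        if HEADER_RE.match(line):
            runs.append(ScanRun(started=datetime.strptime(line, "%d/%m/%Y %H:%M")))
            continue
        if not runs:
            raise ValueError(f"data before first run header: {line!r}")
        run = runs[-1]
        m = DETECTION_RE.match(line)
        if m:
            run.detections.append(Detection(**m.groupdict()))
            continue
        m = COUNTER_RE.match(line)
        if m:
            setattr(run, COUNTER_FIELDS[m.group("what")], int(m.group("n")))
            continue
        if line.startswith("Analyse "):
            run.scope = line  # scan scope, e.g. all local drives
            continue
        raise ValueError(f"unrecognised report line: {line!r}")
    return runs


def consistent(run: ScanRun) -> bool:
    """The 'fichiers infectés' counter must equal the number of detection lines."""
    return run.infected is not None and run.infected == len(run.detections)


def actions_by_name(runs: List[ScanRun]) -> Counter:
    """How many files of each detection name received each action."""
    return Counter((d.name, d.action) for r in runs for d in r.detections)


if __name__ == "__main__":
    for run in parse_report(SAMPLE_REPORT):
        status = "ok" if consistent(run) else "COUNTER MISMATCH"
        print(f"{run.started:%Y-%m-%d %H:%M}  files={run.files} infected={run.infected} [{status}]")
        for d in run.detections:
            print(f"    {d.name} [{d.category}] {d.action}: {d.path}")
```

Run it directly to print a per-run summary. The `action` field is the scanner's own record of what it did with each file (here `Supprimé`, i.e. deleted), which is the value to rely on when reconstructing events later; the consistency check flags a report whose counters and detection lines disagree, which is what you would expect from a truncated or edited log.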


mauserme

  • Guest
Re: .../NTUSER.DAT.vir [E] Lecture impossible
« Reply #11 on: May 04, 2007, 02:26:28 PM »
Why did avast launch this scan this morning? Has this something to do
with yesterday's unsuccessful attempts?
Maybe you checked the box to run a boot scan without realizing it. 

The latest detections look like some installers that download with demonstration versions of online games.  Please do a complete scan with the free version of SuperAntispyware, putting in quarantine anything it finds.  It can be downloaded here

http://www.superantispyware.com/

Then post the log it produces, followed by a HijackThis log:

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: .../NTUSER.DAT.vir [E] Lecture impossible
« Reply #12 on: May 04, 2007, 02:41:40 PM »
[ After my last post yesterday evening, I shut down my PC.
This morning, an Avast! scan was automatically launched at boot time; here follows
the report (copy of current DATA/report/aswBoot.txt):
<snip>
Why did avast launch this scan this morning? Has this something to do
with yesterday's unsuccessful attempts? ]

Now, I tried the same thing, adding the NTUSER into the chest
(after direct ashChest.exe invocation, user -> files > add -> open), but
obtained the same results.

Why can this file apparently not be added to the chest?

First, the Win32:Adware-gen. [Adw] malware detection: the -gen indicates generic, and as such it is trying to detect multiple forms of adware with one signature. I tend to confirm all detections on all security applications are good.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner; if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.

The only reason a boot-time scan would be done on the next boot would be if you had scheduled it. Either, Right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...' Or if an infection was found there may be a selection to perform a boot-time scan.

I have no idea why you can't add a file from the avast moved folder, did you first pause the Standard Shield before you attempted this ?
If not then avast will first scan the file and the same error will happen.

It may be, as you said before, that you have come to the point of deletion, as no issues have resulted from it having been moved there.

crococ

  • Guest
Re: .../NTUSER.DAT.vir [E] Lecture impossible
« Reply #13 on: May 04, 2007, 07:50:09 PM »
Hello,

I may have inadvertently selected a scan at boot time, as
I remember having been walking around this option 2 days ago.

In my attempts to add the NTUSER.vir file into the Avast chest,
I have set the Standard shield to the pause status, as I remember
having noticed the pop-up window telling me so.

Here follow the SUPERAntiSpyware and HJT logs as attached txt.

Hope they are correct, aren't too big and will be helpful.

Regards,

mauserme

  • Guest
Re: .../NTUSER.DAT.vir [E] Lecture impossible
« Reply #14 on: May 05, 2007, 02:06:46 AM »
These logs are an unusual mixture of Latin and Asian characters.  Since you seem to speak French natively I wonder if there is also an Asian speaking user of your computer?

Anyway, the SuperAntiSpyware log looks like only cookies.  Nothing to worry about there.

This is the HJT log with the Asian characters removed (for my benefit since I speak only English)

Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/fileassoc.asp?LangID=040c&Ext=pdf
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - Startup: maTélé.lnk = ?
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Ouvrir dans un nouvel onglet d'arrière-plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-ch\msntabres.dll.mui/229?6269598a2fe14206bb3aa29aa8367b55
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://encyclo.voila.fr/JS/tdserver.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

(continued on page 2 - sorry)
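HijackThis output is line-oriented and straightforward to parse. The following is an added example, not code from the page or from the HijackThis tool; it takes an excerpt of the log quoted above as its sample input and extracts the process list, the numbered entries with any CLSID they carry, the O4 Run-key autostart commands, startup-folder shortcuts HJT could not resolve (`= ?`), entries marked `(file missing)`, and the host each O16 DPF ActiveX control was downloaded from. That is the triage a reviewer like mauserme does by eye: group by section, pull out the persistence entries, and separate dead references from live ones. The line patterns are written from the v1.99.1 format shown on the page; that they hold for other HJT versions is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Sample input: an excerpt of the HijackThis v1.99.1 log quoted in the post
# (lines copied as posted, trimmed to a few representative entries).
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - Startup: maTélé.lnk = ?
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

# Patterns derived from the v1.99.1 output shown in the thread (assumption for other versions).
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<command>.+)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<name>.+?) = (?P<target>.+)$")
DPF_RE = re.compile(r"^DPF: \{[^}]+\} \((?P<name>[^)]+)\) - (?P<source>.+)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    code: str             # HJT section, e.g. O2, O4, O16
    body: str             # everything after "Oxx - "
    clsid: Optional[str]  # first {GUID} on the line, if any
    file_missing: bool    # HJT appended "(file missing)"


def parse_hjt(text: str) -> Dict[str, list]:
    """Split a HijackThis log into the running-process list and the numbered entries."""
    processes: List[str] = []
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            body = m.group("body")
            cm = CLSID_RE.search(body)
            entries.append(Entry(m.group("code"), body,
                                 cm.group(0) if cm else None,
                                 body.endswith("(file missing)")))
        elif PROCESS_RE.match(line):
            processes.append(line)  # header lines (Logfile of..., Platform:) are skipped
    return {"processes": processes, "entries": entries}


def count_by_code(parsed: Dict[str, list]) -> Counter:
    return Counter(e.code for e in parsed["entries"])


def autorun_commands(parsed: Dict[str, list]) -> Dict[str, tuple]:
    """O4 Run-key persistence entries as name -> (hive, command line)."""
    out = {}
    for e in parsed["entries"]:
        m = RUN_RE.match(e.body) if e.code == "O4" else None
        if m:
            out[m.group("name")] = (m.group("hive"), m.group("command"))
    return out


def unresolved_startup_shortcuts(parsed: Dict[str, list]) -> List[str]:
    """Startup-folder shortcuts whose target HJT could not resolve ('= ?')."""
    names = []
    for e in parsed["entries"]:
        m = STARTUP_RE.match(e.body) if e.code == "O4" else None
        if m and m.group("target") == "?":
            names.append(m.group("name"))
    return names


def missing_file_entries(parsed: Dict[str, list]) -> List[Entry]:
    """Entries that reference a file no longer on disk (dead references, not live code)."""
    return [e for e in parsed["entries"] if e.file_missing]


def dpf_sources(parsed: Dict[str, list]) -> Dict[str, Optional[str]]:
    """O16 DPF controls as name -> download host (None when the source is a local path)."""
    out = {}
    for e in parsed["entries"]:
        m = DPF_RE.match(e.body) if e.code == "O16" else None
        if m:
            out[m.group("name")] = urlsplit(m.group("source")).hostname
    return out


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LOG)
    print(f"{len(parsed['processes'])} processes, entries by section: {dict(count_by_code(parsed))}")
    for name, (hive, cmd) in autorun_commands(parsed).items():
        print(f"  autorun {hive} [{name}] {cmd}")
    print("  unresolved startup shortcuts:", unresolved_startup_shortcuts(parsed))
    print("  file-missing entries:", [e.body for e in missing_file_entries(parsed)])
    print("  DPF sources:", dpf_sources(parsed))
```

The `(file missing)` entries are worth separating from the rest because they cannot execute anything; they are leftover references, which is also why the reviewer's advice to not "fix" everything HJT lists is sound. The DPF host extraction lets you see at a glance where each ActiveX control came from, which matters more than the control's name.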