Virus: not-a-virus: RemoteAdmin.Win32.WinVNC

Solved
Robert43
Hello,

On my daughter's PC, AVK detected the following viruses: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c and not-a-virus:Adware.Win32.naviPromo.bv. AVK is unable to eradicate them. My daughter no longer has access to her emails with Thunderbird, but Outlook works.

I ran HijackThis and performed an automatic analysis of the report on the hijackthis.de/fr website, but the analysis apparently found nothing except AOL??

Here is the HijackThis report:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:23:03, on 20/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\G DATA AntiVirusKit\AVK\AVKService.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\G DATA AntiVirusKit\AVK\AVKWCtl.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\G DATA AntiVirusKit\AVKTray\AVKTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Fichiers communs\G DATA\AVKProxy\AVKProxy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\microsoft office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\G DATA AntiVirusKit\AVK\AVK.exe
C:\Documents and Settings\servet mathilde\Bureau\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://french.ircfast.com/index.php?rvs=hompag
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Help for the Adobe PDF Reader link - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\G DATA AntiVirusKit\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Office Startup.lnk = C:\Program Files\microsoft office\Office\OSA.EXE
O4 - Startup: Microsoft Fast Search.lnk = C:\Program Files\microsoft office\Office\FINDFAST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Java Console (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fr.htm
O16 - DPF: {1F83CD9E-505E-4F87-BECE-0832A763E36F} (Image Uploader 3.0 Control) - http://www.mypixmania.com/fr/fr/importer/MypixUploader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browser preload - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component category cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Program Files\Fichiers communs\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: AVK Service (AVKService) - G DATA Software AG - C:\Program Files\G DATA AntiVirusKit\AVK\AVKService.exe
O23 - Service: AVK Guardian (AVKWCtl) - Unknown owner - C:\Program Files\G DATA AntiVirusKit\AVK\AVKWCtl.exe
O23 - Service: Logical Disk Manager Administration Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Event Log - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CD Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: MysqlInventime - Unknown owner - c:\mysql\bin\mysqld-nt.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Performance Logs & Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe
O24 - Desktop Component 0: (no name) - http://www.linternaute.com/copains/interview/pierre/florenceetpierre2.jpg

--
End of file - 8370 bytes

Thank you very much for your help
Configuration: Windows XP / Firefox 2.0.0.8
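The automated hijackthis.de analysis mentioned above found nothing. As an added example that is not part of this thread and not HijackThis or hijackthis.de code, here is what a minimal rule-based triage of such a log looks like in Python. The lines in SAMPLE_LOG are copied from the report posted above, except the `[sokanp]` O4 line, which is constructed to exercise the user-writable-directory rule (the thread later shows sokanp.exe in that directory but never shows an autorun key for it); the rules, the directory lists and the `Finding` type are this example's own assumptions.

```python
"""Rule-based triage of a HijackThis (HJT) log.

Added example, not part of the thread and not HijackThis or hijackthis.de code.
The rules below are this example's own assumptions about which entry types
deserve a human look; they produce a worklist, not a verdict.
"""
import re
from dataclasses import dataclass

# Sample log: lines copied from the report posted in the thread, plus one
# constructed O4 line ([sokanp]) that is NOT in the posted log; it is here
# only to exercise the user-writable-directory rule.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://french.ircfast.com/index.php?rvs=hompag
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\G DATA AntiVirusKit\AVKTray\AVKTray.exe"
O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [sokanp] C:\DOCUME~1\SERVET~1\LOCALS~1\APPLIC~1\sokanp.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVK Guardian (AVKWCtl) - Unknown owner - C:\Program Files\G DATA AntiVirusKit\AVK\AVKWCtl.exe
O23 - Service: MysqlInventime - Unknown owner - c:\mysql\bin\mysqld-nt.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O24 - Desktop Component 0: (no name) - http://www.linternaute.com/copains/interview/pierre/florenceetpierre2.jpg
"""

# Every HJT entry line is "<section> - <body>"; headers and the process list do not match.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

# Directories a limited user can write to (long and 8.3 short forms). Assumption of this example.
USER_WRITABLE = (
    "\\documents and settings\\", "\\docume~1\\",
    "\\application data\\", "\\applic~1\\",
    "\\local settings\\", "\\locals~1\\",
    "\\temp\\",
)
WINDOWS_DIR = "c:\\windows\\"


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O23"
    reason: str    # why this line deserves a human look
    line: str      # the original log line


def triage(log_text: str) -> list:
    """Return the log lines that match one of the triage rules, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        sec, body = m.group("sec"), m.group("body")
        low = body.lower()
        if sec in ("R0", "R1") and "http" in low:
            findings.append(Finding(sec, "browser start/default page points at a remote URL", raw))
        elif sec == "O4" and any(d in low for d in USER_WRITABLE):
            findings.append(Finding(sec, "autorun entry launches a binary from a user-writable directory", raw))
        elif sec == "O20":
            findings.append(Finding(sec, "AppInit_DLLs: this DLL is loaded into every process that maps user32.dll", raw))
        elif sec == "O23" and "unknown owner" in low and WINDOWS_DIR not in low:
            findings.append(Finding(sec, "service with no recognised vendor, outside the Windows directory", raw))
        elif sec == "O24" and "http" in low:
            findings.append(Finding(sec, "Active Desktop component fetched from a remote URL", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Note the two O23 hits: MysqlInventime in c:\mysql is worth a look, but AVK Guardian is G DATA's own service, so "Unknown owner" on its own proves nothing. The output is a worklist for a person, which is why an automated verdict on such a log is only a starting point.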

12 answers

chrifleur Posted messages 1099 Status Contributor 18
 
hello and welcome
the hijackthis.de robot is not 100% reliable, and it is not updated...
navipromo you say?
Click on this link:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe
Click on navilog1.zip to download navilog1
Choose Save

and save it to your desktop.

Then double-click on navilog1.exe to start the installation.
Once the installation is complete, the fix will run automatically.
(If not, double-click on the Navilog1 shortcut on the desktop).

Follow the prompts. In the main menu, choose 1 and validate.
(do not choose 2, 3, or 4 without our advice/agreement)

Wait for the message:
*** Analysis Finished ..... ***
Press a key as requested, the notepad will open.
Copy and paste everything into a reply. Close the notepad.
The report is also saved at the root of the disk (fixnavi.txt)

--

I do not respond to requests via PM
Robert43
 
Hello,

My response is a bit slow but I don't live on site, so I can't perform the tasks right away.

Search Navipromo version 3.3.1 started on 10/22/2007 at 9:48:29.50

!!! Warning, this report may indicate legitimate files/programs!!!
!!! Post this report on the forum for analysis !!!
!!! Do not start the cleaning process without a specialist's advice !!!

Tool run from C:\Program Files\navilog1
Updated on 10/21/2007 at 20:00 by IL-MAFIOSO

Microsoft Windows XP [version 5.1.2600]
Internet Explorer: 6.0.2900.2180

*** Search Installed Programs ***

WebMediaPlayer

*** Search folders in C:\WINDOWS ***

*** Search folders in C:\Program Files ***

C:\Program Files\WebMediaPlayer found!

*** Search folders in C:\Documents and Settings\All Users\Application Data ***

*** Search folders in C:\Documents and Settings\servet mathilde\Application Data ***

*** Search folders in C:\DOCUME~1\ALLUSE~1\MENUDÉ~1\PROGRA~1 ***

*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info: http://www.gmer.net

No files found in:

- C:\WINDOWS\system32
- C:\DOCUME~1\SERVET~1\LOCALS~1\APPLIC~1

*** Search with GenericNaviSearch ***
!!! All these results may reveal legitimate files !!!
!!! Must be verified before any manual deletion !!!

* Search in C:\WINDOWS\system32 *

Suspect files:

* Search in C:\DOCUME~1\SERVET~1\LOCALS~1\APPLIC~1 *

Files found:

sokanp.exe found!
sokanp.dat found!
sokanp_nav.dat found!
sokanp_navps.dat found!

*** Search files ***

C:\DOCUME~1\ALLUSE~1\DESKTOP\WebMediaPlayer.lnk found!
C:\WINDOWS\system32\nvs2.inf found!
C:\WINDOWS\prefetch\WEBMEDIAPLAYER.EXE-216E8E59.pf found!
C:\WINDOWS\prefetch\WEBMEDIAPLAYER_SETUP.EXE-1896E00E.pf found!

*** Search specific keys in the Registry ***

HKEY_CURRENT_USER\Software\Lanconfig found!

*** Additional Search Module ***
(Search specific files)

1) Search known files:

2) Heuristic Search:

C:\DOCUME~1\SERVET~1\LOCALS~1\APPLIC~1\sokanp.dat found!
C:\DOCUME~1\SERVET~1\LOCALS~1\APPLIC~1\sokanp_nav.dat found!

3) Certificate Search:

Egroup Certificate absent!

*** Analysis completed on 10/22/2007 at 9:49:06.96 ***

Thank you very much for your help.

Robert
chrifleur
 
Double click on the Navilog1 shortcut on the desktop and follow the instructions.
In the main menu, choose 2 and validate.

The fix will inform you that it will then restart your PC.
Close all open windows and save your open personal documents.
Press any key as requested.
(if your PC doesn't restart automatically, do it yourself)
When your PC restarts, choose your usual session.

Wait for the message:
*** Cleaning Finished ..... ***
The Notepad will open.
Save the report so you can find it again.
Close Notepad. Your desktop will reappear.

PS: If your desktop does not reappear, press CTRL+ALT+DELETE to open the task manager.
Then go to the "processes" tab. Click on "File" in the top left and choose "Run".
Type explorer and validate. This will make your desktop appear.
Start > Control Panel > Internet Options
Click on the Content tab then the Certificates tab and if you find this, especially in trusted publishers:

electronic-group - egroup - Montorgueil - VIP - "Sunny Day Design Ltd"

> Delete them

post the obtained report and a hijack this report
--

I do not respond to requests by PM.
Robert43
 
Hello,

The law of the buttered toast had struck: screen failure. It is now repaired.

The Cleaned message appears correctly, but the notepad does not open and there is no report.
The certificate mentioned in your post is not present.

Here is the hijack this report:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:35:43, on 25/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\G DATA AntiVirusKit\AVK\AVKService.exe
C:\Program Files\G DATA AntiVirusKit\AVK\AVKWCtl.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\G DATA\AVKProxy\AVKProxy.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\G DATA AntiVirusKit\AVKTray\AVKTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\microsoft office\Office\OSA.EXE
C:\Documents and Settings\servet mathilde\Bureau\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://french.ircfast.com/index.php?rvs=hompag
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\G DATA AntiVirusKit\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Office Startup.lnk = C:\Program Files\microsoft office\Office\OSA.EXE
O4 - Startup: Microsoft Fast Find.lnk = C:\Program Files\microsoft office\Office\FINDFAST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fr.htm
O16 - DPF: {1F83CD9E-505E-4F87-BECE-0832A763E36F} (Image Uploader 3.0 Control) - http://www.mypixmania.com/fr/fr/importer/MypixUploader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui Preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Category Cache Demon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Program Files\Fichiers communs\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: AVK Service (AVKService) - G DATA Software AG - C:\Program Files\G DATA AntiVirusKit\AVK\AVKService.exe
O23 - Service: AVK Guardian (AVKWCtl) - Unknown owner - C:\Program Files\G DATA AntiVirusKit\AVK\AVKWCtl.exe
O23 - Service: Logical Disk Manager Administration Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CD Burning COM Service IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPod Service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: MysqlInventime - Unknown owner - c:\mysql\bin\mysqld-nt.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe
O24 - Desktop Component 0: (no name) - http://www.linternaute.com/copains/interview/pierre/florenceetpierre2.jpg

--
End of file - 8268 bytes

The virus seems to still be present, here is the message given by AVK:

Infection: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
File: A0098701.exe
Folder: C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP121
Process: svchost.exe

Thank you very much for your help.
chrifleur
 
It's in your System Restore... not a big deal, we'll delete it at the end of the cleanup.
Do this
Download clean.zip from Malekal
http://www.malekal.com/download/clean.zip

Extract it on your desktop (right click / extract all), you should get a clean folder.
Open the clean folder on your desktop, and double-click on clean.cmd, a black window will appear for a moment, leave it open.
Choose option 1 and wait
Post the obtained report
--

I do not respond to PM requests.
Robert43
 
Hello,

By clicking on the link you gave me, I can load the file, but Winzip cannot open it. I receive the following message:
not a valid archive.

I tried on another PC and it's the same. Moreover, AVK indicates that clean.zip and Navilog have viruses. AVK also found this new virus:
not-a-virus:RiskTool.Win32.PsKill.k Detected since AVK version: AVK 16.2137, Date 12-11-2005

I’m starting to worry because the virus seems to be spreading.
chrifleur
 
Neither Navilog nor Malekal's clean contains viruses.
PsKill is part of clean.
If you can't launch Malekal's clean, do this:
Perform an online scan with
https://www.kaspersky.fr/?domain=webscanner.kaspersky.fr

NOTE: the scan should be done with Internet Explorer
In the new window that appears click on I accept

You will be asked to download ActiveX controls, accept.
Let it do the updates and when it's done, click Next

In the Choose scan target menu, select Workstation.
The scan will begin.

Come back with the scan report obtained

--

I do not respond to requests via PM
Robert43
 
Hello,

I'm sorry for the delay, but since I don't live close to my daughter, I can't perform the operations immediately.

Here is the KASPERSKY report:

KASPERSKY ON-LINE SCANNER REPORT
Tuesday, October 30, 2007 2:50:38 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.83.0
Last update of the Kaspersky antivirus database: 30/10/2007
Records in the Kaspersky antivirus database: 421124
Analysis parameters
Scan with the following antivirus database standard
Scan archives true
Scan email bases true
Target of the scan Workstation
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Analysis statistics
Total objects analyzed 74467
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the analysis 01:28:01

Name of the infected object Name of the virus Last action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat The object is locked ignored
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat The object is locked ignored
C:\Documents and Settings\LocalService\Cookies\index.dat The object is locked ignored
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat The object is locked ignored
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG The object is locked ignored
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat The object is locked ignored
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat The object is locked ignored
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat The object is locked ignored
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat The object is locked ignored
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat The object is locked ignored
C:\Documents and Settings\LocalService\NTUSER.DAT The object is locked ignored
C:\Documents and Settings\LocalService\ntuser.dat.LOG The object is locked ignored
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat The object is locked ignored
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG The object is locked ignored
C:\Documents and Settings\NetworkService\NTUSER.DAT The object is locked ignored
C:\Documents and Settings\NetworkService\ntuser.dat.LOG The object is locked ignored
C:\Documents and Settings\servet mathilde\Cookies\index.dat The object is locked ignored
C:\Documents and Settings\servet mathilde\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat The object is locked ignored
C:\Documents and Settings\servet mathilde\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG The object is locked ignored
C:\Documents and Settings\servet mathilde\Local Settings\History\History.IE5\index.dat The object is locked ignored
C:\Documents and Settings\servet mathilde\Local Settings\Temporary Internet Files\Content.IE5\index.dat The object is locked ignored
C:\Documents and Settings\servet mathilde\ntuser.dat The object is locked ignored
C:\Documents and Settings\servet mathilde\ntuser.dat.LOG The object is locked ignored
C:\System Volume Information\MountPointManagerRemoteDatabase The object is locked ignored
C:\System Volume Information\tracking.log The object is locked ignored
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP96\A0105070.ini The object is locked ignored
C:\System Volume Information\_restore{25852D5B-26E7-43F7-8BC8-B391CA633734}\RP96\change.log The object is locked ignored
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP121\A0098701.exe The object is locked ignored
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP121\A0098703.exe The object is locked ignored
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP128\A0108743.exe The object is locked ignored
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP130\change.log The object is locked ignored
C:\WINDOWS\Debug\PASSWD.LOG The object is locked ignored
C:\WINDOWS\SchedLgU.Txt The object is locked ignored
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log The object is locked ignored
C:\WINDOWS\Sti_Trace.log The object is locked ignored
C:\WINDOWS\system32\config\AppEvent.Evt The object is locked ignored
C:\WINDOWS\system32\config\DEFAULT The object is locked ignored
C:\WINDOWS\system32\config\default.LOG The object is locked ignored
C:\WINDOWS\system32\config\SAM The object is locked ignored
C:\WINDOWS\system32\config\SAM.LOG The object is locked ignored
C:\WINDOWS\system32\config\SecEvent.Evt The object is locked ignored
C:\WINDOWS\system32\config\SECURITY The object is locked ignored
C:\WINDOWS\system32\config\SECURITY.LOG The object is locked ignored
C:\WINDOWS\system32\config\SOFTWARE The object is locked ignored
C:\WINDOWS\system32\config\software.LOG The object is locked ignored
C:\WINDOWS\system32\config\SysEvent.Evt The object is locked ignored
C:\WINDOWS\system32\config\SYSTEM The object is locked ignored
C:\WINDOWS\system32\config\system.LOG The object is locked ignored
C:\WINDOWS\system32\h323log.txt The object is locked ignored
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR The object is locked ignored
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP The object is locked ignored
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER The object is locked ignored
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP The object is locked ignored
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP The object is locked ignored
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA The object is locked ignored
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP The object is locked ignored
C:\WINDOWS\Temp\AVP1032.tmp The object is locked ignored
C:\WINDOWS\Temp\AVP1033.tmp The object is locked ignored
C:\WINDOWS\Temp\AVP948.tmp The object is locked ignored
C:\WINDOWS\Temp\AVP949.tmp The object is locked ignored
C:\WINDOWS\Temp\AVP94C.tmp The object is locked ignored
C:\WINDOWS\Temp\AVP94D.tmp The object is locked ignored
C:\WINDOWS\wiadebug.log The object is locked ignored
C:\WINDOWS\wiaservc.log The object is locked ignored
C:\WINDOWS\WindowsUpdate.log The object is locked ignored
J:\System Volume Information\MountPointManagerRemoteDatabase The object is locked ignored
Scan completed.
chrifleur
 
Hello
everything seems fine
any more malfunctions?
--

I do not respond to requests via PM
Robert43
 
Good evening,

The problem, unfortunately, persists and is not going away.

Here is the message that keeps coming up, always the same, about every half hour:

Infection: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
File: A0098701.exe
Folder: C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP121
Process: svchost.exe
chrifleur
 
Now finish with the following, and you should no longer get any alerts:

1/
Remove all tools used:
HijackThis, Navilog, SmitFraudFix, which are specific to infections and will no longer be of any use!
Also delete all obtained reports!

However, you can keep Ccleaner and AVG antispyware, regularly updated, as they will be useful; Ccleaner for the daily cleaning of your PC, and AVG Antispyware for the search of potential infections...

2/
System Restore
Disable your restore
Right-click on My Computer/Properties/check the box to disable system restore, apply, OK
Restart your PC
Reactivate your restore
Right-click on My Computer/Properties/uncheck the box to disable system restore, apply, OK
Restart your PC

3/
Cleaning and Defragmentation of your Disks
Cleaning
Right-click on "My Computer" ==>"Open" ==>"Right-click on Drive C" ==>"Properties" ==>"General" tab
Click on the "Disk Cleanup" button, OK
Do this for each of your disks

Error checks
Right-click on "My Computer" ==>"Open" ==>"Right-click on Drive C" ==>"Properties" ==>"Tools" tab
"Check now", a box opens, check the boxes
auto fix file system errors...
scan for and attempt recovery of bad sectors...
Start, OK
Do this for each of your disks

then still in the same tab you choose
Defragmentation
"Defragment now", OK
A box opens, select the disk to defragment, and click on "Analyze", then after the analysis, "Defragment". OK
Do this for each of your disks

==>

You were infected, and I think through the various maneuvers given, you understood that you were poorly protected...

I advise you to read carefully what follows and to follow the recommended advice

==>

You will find on this link the various security updates to perform, depending on the software you have.
https://forum.pcastuces.com/sujet.asp?f=25&s=25842

==>

The protection of your PC

Security is very important but does not replace the user; careful surfing, avoiding cracks, "hot" sites, already helps avoid many issues, P2P is also a source of infections...
Beyond the proper updates of the operating system, now, to surf quietly and without worries on "the Net", you must protect yourself as much as possible!
For this, you need:

1. resident: It is resident on your PC, meaning it runs as soon as your system starts.
/- a good antivirus, free or paid, regularly updated, that protects you in real time!
/- a firewall other than the one provided by Windows, like Zone Alarm or Kerio, which also protects you in real time!
/- an effective anti-spyware, like Spybot Search and Destroy, with its resident protection, Tea Timer, activated!!
Scan your PC approximately every week with it after updating, and you also have its real-time protection that safeguards you.

2. to regularly scan your PC
/- an effective anti-trojan, like AVG antispyware. At the end of a trial period of the software, a paid version is offered that you are not obliged to buy. It loses its "resident" function and you must do updates manually. However, it remains very useful for regularly scanning your PC and cleaning it of potential infections.

3. software like Spyware Blaster that prevents the installation of harmful ActiveX.
You need to regularly update it to register dangerous ActiveX in its database, and thus be protected against them, as its role is to prevent their installation.

4. a good browser like Firefox or Opera to replace IE, which you only keep for performing Windows updates!

You will find in this tutorial, "Securing Your PC by Philae," everything you need in terms of free and efficient software
https://forum.pcastuces.com/default.asp

in this one, yourgaz explains the risks of P2P
https://forum.zebulon.fr/topic/85544-pr%C3%A9vention-le-p2p-et-ses-cons%C3%A9quences/

in this one, the risks of cracks
https://forum.zebulon.fr/topic/93281-pr%C3%A9vention-le-crack-dans-toute-sa-splendeur/

We want to help with increasing effectiveness and fight against malware so that everyone can surf peacefully!
With a little prevention, it is possible to be safe from threats!
Please spread the word around you!
Please, if there are infected users around you, send them to us on this forum!
A good protection allows for safety! The annoying thing is that protection is only as good as its weakest link, and therefore nothing should be forgotten!

==>

Report your infection so that its authors can be prosecuted.

Create a message to move things forward on Malware-Complaints, we need to be as many as possible, so report your infection:
- See the forum rules: https://malwarecomplaints.info/
- After registering using the button at the top named "Register"
If you are over 13, choose: "I Agree to these terms and am over or exactly 13 years of age"
If you are younger, click on: "I Agree to these terms and am under 13 years of age"

You then have a list by type of infection (Look2Me, Smitfraud, SpywareQuake etc..).

*** Your infection: navipromo,

> https://malwarecomplaints.info/

If the malware you had does not appear on the list, or if you do not know what infected you, create a message in the Other Infections topic, following the forum rules (age, city, department etc..)

good continuation

--

I do not respond to PM requests
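Every AVK alert in this thread names a file under C:\System Volume Information\_restore{...}\RP121, and the Kaspersky online scan lists that same path as "The object is locked / ignored" while reporting 0 viruses. That is why step 2 above (disable System Restore, reboot, re-enable it) is the fix: on Windows XP, System Restore keeps renamed copies (A0nnnnnn.ext) of changed files in each RPnnn folder, the on-access scanner can read and alert on them, the user cannot delete them, and an online scanner skips them as locked. As an added example that is not part of the thread and not G DATA or Kaspersky code, the Python below parses the posted alert and the posted scanner lines, recognises the restore-point layout, and states where the file really lives. The alert text and scanner lines are copied from the thread; the regular expressions, the function names and the remedy wording are this example's own assumptions.

```python
r"""Correlate an on-access AV alert with a System Restore point and an
online scan report.

Added example, not part of the thread and not G DATA or Kaspersky code.
On Windows XP, System Restore keeps renamed copies (A0nnnnnn.ext) of
changed files under \System Volume Information\_restore{GUID}\RPnnn\.
The on-access scanner can alert on those copies, the user cannot delete
them, and an online scanner reports them as locked, so the alert keeps
coming back until the restore points are purged.
"""
import re

# Constructed from the alert and the scanner lines posted in the thread.
SAMPLE_ALERT = r"""
Infection: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
File: A0098701.exe
Folder: C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP121
Process: svchost.exe
"""

SAMPLE_SCAN_REPORT = r"""
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP121\A0098701.exe The object is locked ignored
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP121\A0098703.exe The object is locked ignored
C:\WINDOWS\system32\config\SAM The object is locked ignored
"""

# Layout of a restore-point copy on XP: ...\_restore{GUID}\RPnnn\A0nnnnnn.ext
RESTORE_COPY_RE = re.compile(
    r"\\System Volume Information\\_restore\{(?P<guid>[0-9A-F-]{36})\}\\RP(?P<rp>\d+)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# One line of the online scanner's "skipped object" list.
LOCKED_RE = re.compile(r"^(?P<path>.+?)\s+The object is locked\s+ignored$")


def parse_avk_alert(text: str) -> dict:
    """Turn the 'Infection/File/Folder/Process' block into a dict with a full path."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")  # split on the first colon only
        fields[key.strip().lower()] = value.strip()
    return {
        "detection": fields["infection"],
        "path": fields["folder"].rstrip("\\") + "\\" + fields["file"],
        "process": fields.get("process", ""),
    }


def restore_point_info(path: str):
    """Return {'guid', 'rp', 'name'} if path is a System Restore copy, else None."""
    m = RESTORE_COPY_RE.search(path)
    if not m:
        return None
    return {"guid": m.group("guid").upper(), "rp": int(m.group("rp")), "name": m.group("name")}


def locked_objects(report_text: str) -> set:
    """Lower-cased paths the online scanner could not open and therefore did not scan."""
    skipped = set()
    for line in report_text.splitlines():
        m = LOCKED_RE.match(line.strip())
        if m:
            skipped.add(m.group("path").lower())
    return skipped


def explain(alert_text: str, report_text: str) -> dict:
    """Say where the detected file really lives and what to do about it."""
    alert = parse_avk_alert(alert_text)
    rp = restore_point_info(alert["path"])
    verdict = {
        "detection": alert["detection"],
        "path": alert["path"],
        "restore_point": rp["rp"] if rp else None,
        "skipped_by_online_scan": alert["path"].lower() in locked_objects(report_text),
    }
    if rp:
        verdict["remedy"] = (
            f"copy sits in restore point RP{rp['rp']}, not on the live system: "
            "purge restore points (disable System Restore, reboot, re-enable it)"
        )
    else:
        verdict["remedy"] = "file is on the live system: remove it and its autorun entry"
    return verdict


if __name__ == "__main__":
    for key, value in explain(SAMPLE_ALERT, SAMPLE_SCAN_REPORT).items():
        print(f"{key}: {value}")
```

The "Process: svchost.exe" field is the context the on-access scanner reported, not evidence that svchost.exe is itself infected; the decisive fact is the path. A restore-point copy also means the original file was on the live disk at some point, so the live-system scan coming back clean is the other half of the picture, not a contradiction.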
Robert43
 
Hello,

Thank you for your help. Everything seems to be back in order for now: let's knock on wood.

I won't say see you next time because that would mean we've run into another mess.

Thanks again.