also @ TechSpot: Dell announces trio of all-in-one desktops, challenges 27-inch iMac

TechSpot
Collaborate in the cloud with Office, Exchange, SharePoint, and Lync.
Microsoft Office 365. Pay-as-you-go starting at $8/user/month. Begin your free trial now.

Advertisements and dissappearence of start bar/desktop items

Discussion in 'Virus and Malware Removal' started by Brotherhood619, Apr 12, 2008.

Thread Status:
Not open for further replies.

  1. Brotherhood619 Newcomer, in training

    This problem seems to have started last night when norton blocked a trojan horse virus, the next day i found my computer was sluggish (more than normal) and i kept getting advertiesments popping up. Then more to my surprise the start bar dissapeared and when i minimized the windows there was no desktop items (i left this for about 10 minitues thinking it was just a glitch. i have tried using both nortons system restore and windows system restore but for some reason niether can go back further than 7 hours (normally they can go back about a day or two)

    I have included a .log file from hijack this if someone could check it over it would be most helpfull.

    thanks again
    brotherhood619
    Brotherhood619, Apr 12, 2008
    #1

  2. Bobbye Helper on the Fringe

    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O10 - Broken Internet access because of LSP provider

    These are Winsock Hijackers. You can use LSPFix from Cess,org:
    http://www.cexx.org/lspfix.htm

    Or Spybot Search & Destroy:
    http://www.safer-networking.org/en/index.html

    The 'unknown' files in the LSP stack will not be fixed by HijackThis for safety issues.

    O17 - HKLM\System\CCS\Services\Tcpip\ is a lop.com Domain hijacker. If the Domain is not from your ISP or company network, have HijackThis fix it.

    There may be others. This is a head start.
    Bobbye, Apr 13, 2008
    #2

  3. kritius Newcomer, in training

    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

    this is genuine.
    kritius, Apr 14, 2008
    #3

  4. Bobbye Helper on the Fringe

    kritius, thank you again. Is there any other entry in the log that links this to the Novell NetWare, making if valid, or do we just go by the nwprovau.dll?
    Bobbye, Apr 14, 2008
    #4

  5. Blind Dragon Newcomer, in training

    Blind Dragon, Apr 14, 2008
    #5

  6. Bobbye Helper on the Fringe

    Actually, I saw that Blind Dragon. I was just wondering how you distinguish the "010". The "010" entries are described as 'Winsock Hijackers' and I only wondered how to determine the legitimate entries over the other. I guess is just going by the .dll file,

    Found the CastleCops "020" listing. Thank you. This log only has one "020" entry and I can't ID it: urqNHWqp.dll
    Bobbye, Apr 14, 2008
    #6

  7. Blind Dragon Newcomer, in training

    I meant 010 entries
    Blind Dragon, Apr 14, 2008
    #7

  8. kritius Newcomer, in training

    This is the best way of determining,

    http://www.castlecops.com/LSPs.html

    The O20 entry is a randomly generated file and can more than likely be fixed and deleted.

    EDIT, same link woops.
    kritius, Apr 14, 2008
    #8

  9. Bobbye Helper on the Fringe

    Thanks both of you. I now have access to the full CastleCops database.
    Bobbye, Apr 15, 2008
    #9
Thread Status:
Not open for further replies.