TechSpot

HiJackThis Logfile

By gladysclancy
May 30, 2007
  1. Further to reply received from Momok in "Internet Explorer cannot display the Page", I am attaching my HiJackThis Logfile as recommended. Currently I am trying to work through the steps of cleaning my computer and I am now up to step 6. Thank you for looking at this and I look forward to learning what to do next..
     
  2. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Download LSPFix from HERE.
    1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
    2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
    3. Check the "I know what I am doing" checkbox.
    4. Select (highlight) all instances of 'nwprovau.dll' in the left column under "Keep".
    5. Click the arrow >> so it goes over to the right column under "Remove".
    6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
    7. Restart your computer

    Thereafter go ahead with rest of the instructions and post the requested logs, including a fresh HijackThis log in your reply.


    Regards,
    Your friendly momok =)

    This thread is for the use of gladysclancy only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. gladysclancy

    gladysclancy TS Rookie Topic Starter Posts: 16

    Thank you Momok for your very quick response. Please find attached a new HiJackThis Log after I removed that item. Meanwhile, I have installed AVG Antispyware and will continue trying to coax it to Update, then will send more Logs when I succeed. Best wishes.. gladysclancy

    Please find attached the AVG Antispyware Log which I have just completed.. Thank you for your continuing assistance.. gladysclancy
     
  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I believe you have completed the scan and found infections, thereafter quarantining them. If you have, then please attach the correct log. It is located in "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\" and the file name should follow the format of "Report-Scan-YYYYMMDD-HHMMSS" (year, month, date, time). Attach the latest copy.

    I also need to see the ComboFix logfile. It is most crucial to whether I can give you an all clear now that your hijackthis log appears clean.


    Regards,
    Your friendly momok =)

     
  5. gladysclancy

    gladysclancy TS Rookie Topic Starter Posts: 16

    Hi Momok.. Sorry I sent the wrong AVG log, so I am attaching the correct one this time. I wasn't quite sure what to do when it found those infections, and hope I made the right choice. Haven't got as far as ComboFix yet, but will send it when I can.. Best wishes.. gladysclancy.

    Hi Momok. Just completed Step 10 and please find attached the Logs for Look2Me - Destroyer and a new HiJackThis log as instructed with L2M. Thank you for being so patient with me and I will continue with step 11 tomorrow. Best wishes.. gladysclancy
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Once you are done with step 11 and 12 (shouldn't take very long) please let me know the results of the antirootkit scan and post the ComboFix log as an attachment. Your hijackthis log already looks clean, and I'll just need the ComboFix log and the anti rootkit scan to confirm if your system is fully clean.


    Regards,
    Your friendly momok =)

     
  7. gladysclancy

    gladysclancy TS Rookie Topic Starter Posts: 16

    Hi Momok.. Completed step 11 this morning (it took about 2 hours to scan): -- Results: Congratulations -- there were no installed Rootkits found on your computer. Sounds encouraging.. Now I will move on to step 12 later this afternoon after I have attended to other things.. and will post the ComboFix log as soon as I finish.. Thank you for guiding me through this.. gladysclancy.
     
  8. momok

    momok TS Rookie Posts: 2,265

    Glad to help, gladysclancy. Just attach your ComboFix log and if it's clean I'll provide you some final cleaning instructions.


    Regards,
    Your friendly momok =)

     
  9. gladysclancy

    gladysclancy TS Rookie Topic Starter Posts: 16

    Combofix and HJT

    Hi Momok.. Step 12 was quick and took less than 10 mins, but it put an Internet Explorer Icon on my desktop (I didn't have one there before). Went to do the HJT scan and a message asked me if I wanted to make Internet Explorer my Default Browser -- I ticked Yes because that was fine by me. Did the HJT scan. Attempted to send these logs to you and was very disappointed to get "Internet Explorer cannot display the page". The icons at the top had all changed. Found I could not even get Outlook Express to work either. Rebooted the computer. Still no success. Tried for half an hour and just could not get it to "Display the page". Turned the computer off for an hour. Turned it on again, and here I am first try.... I just do hope it will stay this way. Best wishes.. gladysclancy.
     
  10. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your logs look clean now. However, you seem to be still experiencing problems on the internet. Could you provide further details on that? Meanwhile, do the following.

    Delete all files in AVG Antispyware Quarantine folder.

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

     
  11. gladysclancy

    gladysclancy TS Rookie Topic Starter Posts: 16

    Hi Momok.. Thank you for your reply and all the ongoing assistance you have given me. It is good to know my system looks clean and I could never have accomplished this without your help. Just went to the AVG Antispyware Quarantine folder and it was empty. The Stats show Detected Malware 14 (they were tracking cookies if I remember rightly), Files in Quarantine 0, and I seem to remember it Removed them when I did the scan. Then I turned off the System Restore as instructed, and turned it on again. Yes, a lot of good advice in topic 31474 and I will try to follow as much of it as possible after I have studied it some more. Meanwhile, my Internet is running well today -- the only problem was when I first tried to use IE after running that Combofix, so hopefully that has righted itself now. However, I am a bit concerned about having SpyBot on my computer -- I used to use it until I installed one edition of Norton's which detected Spybot on my machine and asked me to remove it because it was not compatible with Norton's, but it allowed me to keep Ad-aware. Do you know if Norton's is now compatible with Spybot? Once again, I really appreciate your help and sincerely thank you.. Best wishes... gladysclancy.
     
  12. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Frankly speaking, I would never recommend Norton because there are simply other better options. SpyBot Search & Destroy is a gem, with its tea-timer. I would rather get AVG/Avast free antivirus and use a new firewall like Zone Alarm/Kerio/Comodo.

    In any case, please see this thread HERE and you will undoubtedly find a clue to your dilemma: Norton is just giving nonsense warnings.


    Regards,
    Your friendly momok =)

     
  13. gladysclancy

    gladysclancy TS Rookie Topic Starter Posts: 16

    Hi Momok -- Thank you for your reply and yes, it would have been about 2005 that I got that message about SpyBot. Anyway, there does not seem to be a conflict there at present and Norton's will have to stay until my subscription runs out. Besides, my NetGuide magazine reports that Zone Alarm is difficult to learn, so will worry about that later.
    As I reported to you previously, after doing the ComboFix last Friday, I again got the "Internet Explorer cannot display the page", but coaxed it into working. Saturday, no problems. Sunday, the computer went crazy. I edited a few photos, but found the computer was having problems finding them, deleted two, right-clicked on the Rubbish Bin to empty it, the cursor went into "thinking mode" and I waited and waited. The icons disappeared from my desktop, the toolbar disappeared from the bottom, I could not do anything, it just froze, so turned the computer off. Later it started up alright, but I found that all My Pictures folders were just plain yellow with no image on cover, most of my photos were in List view, not Thumbnails, and when I right-clicked on an image I found that AVG Anti-Spyware has been added to the list in each. (I have over 36,000 photos in My Pictures), plus others in My Pictures 2. Luckily they seem to have returned to normal now.
    Monday, got the "Internet Explorer cannot display the page" again -- did the Windows Diagnostic and this is part of what it said:--
    WinSock status info Error attmpting to validate the Winsock base providers: 2
    error Not all base service provider entries could be found in the winsock catalog. A reset is needed.
    info Redirecting user to support call

    Network adapter status info Network connection status: Connected

    Managed to coax it into working that time.
    Tuesday, same problem, so I ran the WinsockxpFix and so far, it has been alright ever since. Hope the problem does not keep re-occurring.
    Thank you once again for all your assistance... Best wishes.. gladysclancy.
     
  14. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I would recommend you run a scan and post fresh logs of HijackThis, ComboFix and AVG Antispyware just in case.


    Regards,
    Your friendly momok =)

     
  15. gladysclancy

    gladysclancy TS Rookie Topic Starter Posts: 16

    Hi Momok.. Thank you for your reply. I did the HiJackThis scan and noticed that 'nwprovau.dll' has returned. A LSPfix shows it as nwprovau.dll nwlink ipx/spx. net bios .... I left it there because I have no idea how it has returned or where it came from. But I do know that it was not there on Tuesday before I used the Winsockxp.fix because I did a LSP scan first and noted that it was not there. Do you think the Winsockxp.fix is putting it there? At least I am not having problems 'displaying the page at present'.
    Then I did the AVG AntiSpyware scan -- it found one tracking cookie which I deleted. Seems I forgot to rename the Log and it called itself error.txt. Then I did ComboFix, and another HiJackThis for good measure. Thank you for your continued support.. gladysclancy.

    Hi Momok... Sorry... that error.txt was the wrong file (that was when I was trying to do Updates, then it found there were no updates).. This is the Tracking Cookie that was found and deleted... Best wishes.. gladysclancy.
     
  16. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Download LSPFix from HERE.
    1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
    2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
    3. Check the "I know what I am doing" checkbox.
    4. Select (highlight) all instances of 'nwprovau.dll' in the left column under "Keep".
    5. Click the arrow >> so it goes over to the right column under "Remove".
    6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
    7. Restart your computer

    Also have HijackThis fix this entry:

    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

    After that you should be good to go. Let me know if you face any problems thereafter.


    Regards,
    Your friendly momok =)

     
  17. gladysclancy

    gladysclancy TS Rookie Topic Starter Posts: 16

    Hi Momok.... Unfortunately, that was not so successful. I removed that 'nwprovau.dll' for the second time, and then I was back to the same old message "Internet Explorer cannot display the page". The Internet had been running well before that. After many attempts, I ran the Windows Diagnostic which again mentioned Winsock 2.
    Eventually got the page displayed and I wanted to send the file windows/network diagnostic/xpnetdiag.xml, but could not attach it here (was told it is an invalid file).
    I have attached the latest HJT file after removing that entry you mentioned. I noticed that the very first entry R1 Internet settings Proxy Server is about "proxy iprimus" -- I used to use a proxy, but my ISP now says not to use the proxy and I have unticked 'use proxy' in my internet options. So wonder if that entry should be removed or not.
    Best wishes and thank you for your support.. gladysclancy.
     
  18. momok

    momok TS Rookie Posts: 2,265

    Hi,

    In that case have HijackThis fix these entries:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.IPrimus.com.au;10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;<local>

    Try running the winsock fix again and let me know the results.

    Regards,
    Your friendly momok =)

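Added example, not part of momok's post or of any tool named in the thread: a small Python parser that decodes the kinds of HijackThis entries this thread worked through (the two R1 proxy lines, the O4 startup shortcut and a Winsock LSP entry). The sample log is constructed from the lines quoted above, with ProxyOverride shortened and one O10 line added with a placeholder path; `parse_entries` and `review` are names made up here.

```python
import re

# Constructed sample: the R1 and O4 lines quoted in this thread (ProxyOverride
# shortened), plus one made-up O10 line whose path is a placeholder.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.IPrimus.com.au;10.*;192.168.*;<local>
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O10 - Unknown file in Winsock LSP: C:\placeholder\nwprovau.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return (section_code, body) for every HijackThis-style entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def review(log_text):
    """Pick out the entry types this thread dealt with and decode them."""
    report = {"proxy": None, "bypass": [], "unknown_target_startup": [], "lsp_files": []}
    for code, body in parse_entries(log_text):
        left, sep, data = body.partition(" = ")
        if code == "R1" and sep:
            # Registry entries read "<key>,<value name> = <data>".
            _key, _, value_name = left.rpartition(",")
            if value_name == "ProxyServer":
                host, _, port = data.rpartition(":")
                report["proxy"] = (host, int(port)) if host and port.isdigit() else (data, None)
            elif value_name == "ProxyOverride":
                report["bypass"] = [p for p in data.split(";") if p]
        elif code == "O4" and sep and data.strip() == "?":
            # The log shows "?" in place of the shortcut's target.
            report["unknown_target_startup"].append(left.split(": ", 1)[-1])
        elif code == "O10":
            # Keep only the file name of the layered service provider DLL.
            report["lsp_files"].append(re.split(r"[\\/]", body)[-1].lower())
    return report

if __name__ == "__main__":
    for field, value in review(SAMPLE_LOG).items():
        print(f"{field}: {value}")
```

A ProxyServer value in the log only shows that a proxy address is stored; whether it is used is controlled separately by the ProxyEnable value under the same key, so the R1 line can remain after "use proxy" is unticked.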
     
  19. gladysclancy

    gladysclancy TS Rookie Topic Starter Posts: 16

    Hi Momok.... Hopefully this will be a permanent success. I got HJT to fix those two R1 entries and made log 8 attached. Then I tested Internet Explorer and it found the page on the first click.... Then I ran the WinsockxpFix (it did something to the registry keys), and then I ran HJT again to make log 9. Again IE found the page at first attempt... here's hoping that will put an end to my problems, but only time will tell..
    Once again, I sincerely thank you for your patience and kindness in guiding me through all this.. Best wishes.. gladysclancy.
     
  20. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your logs are clean. Should you face a similar problem do not hesitate to post here and let me know.

    Regards,
    Your friendly momok =)

     
Topic Status:
Not open for further replies.
