Infection with hjt log
- Thread starter swker98
- Start date
- Status
howard_hopkinso
Posts: 21,238 +17
swker98 said:
Ok, no problem.
Please let me know how the system is running and whether or not the internet is working correctly.
Regards Howard
the intenet isnt working right
but im not sure if it ever did
this is a friedns comp that i got to fix and give back
its a laptop
there are like 3 programs that take extra time and that i have o hit end task in order for windows to shut down
hjt is saying that it cannot fix the entry and recomeds the tool that you told me to use
but im not sure if it ever did
this is a friedns comp that i got to fix and give back
its a laptop
there are like 3 programs that take extra time and that i have o hit end task in order for windows to shut down
hjt is saying that it cannot fix the entry and recomeds the tool that you told me to use
howard_hopkinso
Posts: 21,238 +17
Maybe the laptop is in need of a complete format an reinstall.
Without being able to access the net properly, it`s difficult to update and run antivirus/spyware tools etc.
I don`t really know what else to suggest.
What are the programmes you have to end before you can shut down?
Regards Howard
This thread is for the use of swker98 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Without being able to access the net properly, it`s difficult to update and run antivirus/spyware tools etc.
I don`t really know what else to suggest.
What are the programmes you have to end before you can shut down?
Regards Howard
This thread is for the use of swker98 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
the computer has been a little bit faster and now the shutdown problem is gone
the only problem the is still here is the cwlsp.dll
edit: is there anywhere i can get the latest avg and adaware update because i still cnnt get on the net
im startig to think its the computers NIC and my routrer arnt comiuncating right
also the thing that sometimes popes up is
windowsformparkingwindow that takes about 1 minute for it to end so windows will shut down
the only problem the is still here is the cwlsp.dll
edit: is there anywhere i can get the latest avg and adaware update because i still cnnt get on the net
im startig to think its the computers NIC and my routrer arnt comiuncating right
also the thing that sometimes popes up is
windowsformparkingwindow that takes about 1 minute for it to end so windows will shut down
howard_hopkinso
Posts: 21,238 +17
Give this a try.
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html
Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html
Go to add remove programmes in the control panel and uninstall anything to do with(if there).
Contentwatch
Close control panel.
Click start/run and type services.msc into the run box and press the enter key.
When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
CwWLEvent
CwCpSvc20
Close the services window.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for(if there).
cwsvc.exe
cwcptray.exe
Close task manager.
Run HJT with no other programmes open(except notepad).Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\gui\cwcptray.exe
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cwlsp.dll' missing
O20 - Winlogon Notify: CwWLEvent - C:\Program Files\ContentWatch\Internet Protection\common\cwplc001.dll
O23 - Service: ContentProtect (CwCpSvc20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or directories(if there).
C:\Program Files\ContentWatch
Reboot into normal mode and turn system restore back on.
Regards Howard
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html
Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html
Go to add remove programmes in the control panel and uninstall anything to do with(if there).
Contentwatch
Close control panel.
Click start/run and type services.msc into the run box and press the enter key.
When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
CwWLEvent
CwCpSvc20
Close the services window.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for(if there).
cwsvc.exe
cwcptray.exe
Close task manager.
Run HJT with no other programmes open(except notepad).Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\gui\cwcptray.exe
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cwlsp.dll' missing
O20 - Winlogon Notify: CwWLEvent - C:\Program Files\ContentWatch\Internet Protection\common\cwplc001.dll
O23 - Service: ContentProtect (CwCpSvc20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or directories(if there).
C:\Program Files\ContentWatch
Reboot into normal mode and turn system restore back on.
Regards Howard
howard_hopkinso
Posts: 21,238 +17
swker98 said:
That`s the one.
Uninstall it as per the instructions I gave in my last post.
Regards Howard
howard_hopkinso
Posts: 21,238 +17
swker98 said:
Addprotect is a completely different programme and should not be uninstalled.
Regards Howard
howard_hopkinso
Posts: 21,238 +17
Could you not find contentwatch in add remove programmes?
I was going back through this thread and noticed you mentioned something about only having access to one account. Is this the system administrator account? I must have missed it the first time.
If not, there`s not a lot of point in carrying on, because administrator privileges are needed to install/uninstall certain things.
Regards Howard
I was going back through this thread and noticed you mentioned something about only having access to one account. Is this the system administrator account? I must have missed it the first time.
If not, there`s not a lot of point in carrying on, because administrator privileges are needed to install/uninstall certain things.
Regards Howard
howard_hopkinso
Posts: 21,238 +17
No problem mate. It`s just a pity you didn`t have access to the admin account. It`s even more of a pity, I didn`t notice sooner.
It`s 7:55 am here and I`m getting very tired lol.
Regards Howard
It`s 7:55 am here and I`m getting very tired lol.
Regards Howard
These are the only entries I can discern from your log. The rest seem to check out. The 010 is a good candidate for the source or a symptom of your problem. Clearly you've removed this piece of spyware, but It appears to have broken Winsock. Obviously, this needs to be repaired. The entries are below. This or this may assist you in repairing Winsock ...
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cwlsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
All 016 (as always )
O23 - Service: ContentProtect (CwCpSvc20) - Unknown owner - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe (file missing)
O23 - Service: Windows Genuine Advantage Validation (wgav) - Unknown owner - C:\WINNT\system32\wgav.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cwlsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
All 016 (as always
)O23 - Service: ContentProtect (CwCpSvc20) - Unknown owner - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe (file missing)
O23 - Service: Windows Genuine Advantage Validation (wgav) - Unknown owner - C:\WINNT\system32\wgav.exe (file missing)
Note that I've included a file I shouldn't have by accident. - NPDocBox.dll
It's actually an adobe acrobat plugin. If you remove it though, it's easily installed. The other is a "live picture viewer" plugin. It's also safe, but may not be required. Again, it's easily re-installed.
Hope it's all fixed up, and you're welcome
It's actually an adobe acrobat plugin. If you remove it though, it's easily installed. The other is a "live picture viewer" plugin. It's also safe, but may not be required. Again, it's easily re-installed.
Hope it's all fixed up, and you're welcome
somewhat curiously, the 023 Wgav.exe service isn't being removed, and is still listed as file missing...
Could you please check for the presence of %systemroot%\Debug\DCPROMO.LOG
(reasoning for this here - the bit you want is in english, it's ok. lol... http://de.trendmicro-europe.com/ent...p?LYstr=VMAINDATA&vNav=3&VName=BKDR_IRCBOT.IL)
BTW, I assume you've got internet now?
Could you please check for the presence of %systemroot%\Debug\DCPROMO.LOG
(reasoning for this here - the bit you want is in english, it's ok. lol... http://de.trendmicro-europe.com/ent...p?LYstr=VMAINDATA&vNav=3&VName=BKDR_IRCBOT.IL)
BTW, I assume you've got internet now?
- Status
Similar threads
