infection with hjt log

By swker98
Jul 31, 2006
Topic Status:
Not open for further replies.
  1. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    I'll do that as soon as the spy bot search is done

    spybot is picking up some stuff, hopefully just the remains
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Ok, no problem.

    Please let me know how the system is running and whether or not the internet is working correctly.

    Regards Howard :)
  3. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    the internet isn't working right

    but I'm not sure if it ever did
    this is a friend's comp that I got to fix and give back

    it's a laptop

    there are like 3 programs that take extra time and that I have to hit end task in order for windows to shut down

    hjt is saying that it cannot fix the entry and recommends the tool that you told me to use
  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Maybe the laptop is in need of a complete format and reinstall.

    Without being able to access the net properly, it's difficult to update and run antivirus/spyware tools etc.

    I don't really know what else to suggest.

    What are the programmes you have to end before you can shut down?

    Regards Howard :)

    This thread is for the use of swker98 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  5. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    the computer has been a little bit faster and now the shutdown problem is gone

    the only problem that is still here is the cwlsp.dll


    edit: is there anywhere I can get the latest avg and adaware update because I still can't get on the net

    I'm starting to think it's the computer's NIC and my router aren't communicating right


    also the thing that sometimes pops up is
    windowsformparkingwindow that takes about 1 minute for it to end so windows will shut down
  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Give this a try.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


    Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html


    Go to add remove programmes in the control panel and uninstall anything to do with(if there).

    Contentwatch

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    CwWLEvent
    CwCpSvc20

    Close the services window.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    cwsvc.exe
    cwcptray.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad).Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\gui\cwcptray.exe

    O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cwlsp.dll' missing

    O20 - Winlogon Notify: CwWLEvent - C:\Program Files\ContentWatch\Internet Protection\common\cwplc001.dll

    O23 - Service: ContentProtect (CwCpSvc20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\ContentWatch

    Reboot into normal mode and turn system restore back on.


    Regards Howard :)
  7. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    the only thing I can see is contentwatch2.1 in add and remove
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    That's the one.

    Uninstall it as per the instructions I gave in my last post.

    Regards Howard :)
  9. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    sorry it was a typo

    it's called ADPROTECT2.1 I don't know if this is part of the infection

    but I did delete adwatch folder and fixed all the logs except the 10 log which cannot be fixed

    I'll have a log in 5 minutes
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Addprotect is a completely different programme and should not be uninstalled.

    Regards Howard :)
  11. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    last log, its getting late here
    what time is it by you
     
  12. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Could you not find contentwatch in add remove programmes?

    I was going back through this thread and noticed you mentioned something about only having access to one account. Is this the system administrator account? I must have missed it the first time.

    If not, there's not a lot of point in carrying on, because administrator privileges are needed to install/uninstall certain things.

    Regards Howard :)
  13. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    it has never stopped me when uninstalled some other crap so I guess it is


    it's cleaner than it was

    thanks so much howards for all of your hours of help
  14. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    No problem mate. It's just a pity you didn't have access to the admin account. It's even more of a pity, I didn't notice sooner.

    It's 7:55 am here and I'm getting very tired lol.

    Regards Howard :)
  15. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    well I'll have the laptop back in a few weeks, when I give it to them I'll ask them to update all of the spyware and anti virus apps so that they'll work more efficiently

    thanks howards and I'll post in this thread when the laptop comes back
  16. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    ok, I got the laptop back,

    they're complaining of no internet,

    do you think this is because of the infections on there?

    also they cannot remember the Administrative password, which I know is a major problem

    I will post a log
    soon

    edit: here is the log
  17. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    I still notice
    a lot of notices in the log

    I'm puzzled at this point
  18. Spike

    Spike Newcomer, in training Posts: 2,371

    These are the only entries I can discern from your log. The rest seem to check out. The O10 is a good candidate for the source or a symptom of your problem. Clearly you've removed this piece of spyware, but it appears to have broken Winsock. Obviously, this needs to be repaired. The entries are below. This or this may assist you in repairing Winsock ...

    O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cwlsp.dll' missing

    O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
    O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    All O16 (as always :) )

    O23 - Service: ContentProtect (CwCpSvc20) - Unknown owner - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe (file missing)
    O23 - Service: Windows Genuine Advantage Validation (wgav) - Unknown owner - C:\WINNT\system32\wgav.exe (file missing)
  19. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    I've tried that winsock utility and it doesn't seem to work

    I'm not sure how they got this laptop infected so bad because it's a friend of mine's

    I'll try what you said, thanks
  20. Spike

    Spike Newcomer, in training Posts: 2,371

    I have updated my post with links to two pages containing a winsock fixing utility. You might also consider checking whether the DLL is still listed in the stack with LSPfix, but don't fix anything other than this dll, for obvious reasons you may already know ;)
  21. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    it's finally gone now, I will proceed to fixing the HJT then I'll see if I can connect

    thanks again spike
  22. Spike

    Spike Newcomer, in training Posts: 2,371

    Note that I've included a file I shouldn't have by accident. - NPDocBox.dll

    It's actually an adobe acrobat plugin. If you remove it though, it's easily installed. The other is a "live picture viewer" plugin. It's also safe, but may not be required. Again, it's easily re-installed.

    Hope it's all fixed up, and you're welcome :)
  23. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    newest log hopefully it will be the last
  24. Spike

    Spike Newcomer, in training Posts: 2,371

  25. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    I got internet always because I'm on my main computer not the friend's laptop

    and yes the internet works

    what should I do with the file because it is there
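
An added example, not part of the thread and not any poster's own code: a small Python triage of the HijackThis entries quoted in posts 6 and 18, flagging the broken LSP chain (O10), services whose file is missing (O23), and other entries still pointing into a removed vendor directory. The function name `triage`, the finding labels and the `vendor_dirs` parameter are assumptions made for this example.

```python
import re

# Lines copied from the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\gui\cwcptray.exe
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cwlsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: CwWLEvent - C:\Program Files\ContentWatch\Internet Protection\common\cwplc001.dll
O23 - Service: ContentProtect (CwCpSvc20) - Unknown owner - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe (file missing)
O23 - Service: Windows Genuine Advantage Validation (wgav) - Unknown owner - C:\WINNT\system32\wgav.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # e.g. "O23 - Service: ..."
BROKEN_LSP = re.compile(r"LSP provider '([^']+)' missing", re.I)
SERVICE = re.compile(r"^Service: .*\((\w+)\) - ")          # short service name in parentheses

def triage(log_text, vendor_dirs=()):
    """Return (section, reason, detail) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        lsp = BROKEN_LSP.search(body)
        if section == "O10" and lsp:
            # Winsock still references a DLL that is gone: the chain needs repair.
            findings.append((section, "broken-lsp-chain", lsp.group(1)))
            continue
        if section == "O23" and body.endswith("(file missing)"):
            # Service registration left behind after its executable was removed.
            svc = SERVICE.match(body)
            findings.append((section, "orphaned-service", svc.group(1) if svc else body))
            continue
        for vendor in vendor_dirs:
            if ("\\" + vendor.lower() + "\\") in body.lower():
                findings.append((section, "vendor-leftover", vendor))
                break
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, vendor_dirs=("ContentWatch",)):
        print(*finding, sep="\t")
```

The O12 Acrobat plugin line produces no finding, which matches the correction in post 22.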