infection with hjt log

Discussion in 'Virus and Malware Removal' started by swker98, Jul 31, 2006.

  1. swker98 TechSpot Paladin Posts: 1,348

    OK, I got the laptop back.

    They're complaining of no internet.

    Do you think this is because of the infections on there?

    Also, they cannot remember the Administrator password, which I know is a major problem.

    I will post a log soon.

    edit: here is the log
  2. swker98 TechSpot Paladin Posts: 1,348

    I still notice a lot of nasties in the log.

    I'm puzzled at this point.
  3. Spike Newcomer, in training Posts: 2,371

    These are the only entries I can discern from your log. The rest seem to check out. The O10 is a good candidate for the source or a symptom of your problem. Clearly you've removed this piece of spyware, but it appears to have broken Winsock. Obviously, this needs to be repaired. The entries are below. This or this may assist you in repairing Winsock ...

    O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cwlsp.dll' missing

    O12 - Plugin for .fpx: C:\Program Files\Internet Explorer\PLUGINS\NPRVRT32.dll
    O12 - Plugin for .ivr: C:\Program Files\Internet Explorer\PLUGINS\NPRVRT32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    All O16 (as always :) )

    O23 - Service: ContentProtect (CwCpSvc20) - Unknown owner - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe (file missing)
    O23 - Service: Windows Genuine Advantage Validation (wgav) - Unknown owner - C:\WINNT\system32\wgav.exe (file missing)
  4. swker98 TechSpot Paladin Posts: 1,348

    I've tried that winsock utility and it doesn't seem to work.

    I'm not sure how they got this laptop infected so badly, because it's a friend of mine's.

    I'll try what you said, thanks.
  5. Spike Newcomer, in training Posts: 2,371

    I have updated my post with links to two pages containing a winsock fixing utility. You might also consider checking whether the DLL is still listed in the stack with LSPfix, but don't fix anything other than this dll, for obvious reasons you may already know ;)
  6. swker98 TechSpot Paladin Posts: 1,348

    It's finally gone now. I will proceed to fixing the HJT, then I'll see if I can connect.

    Thanks again Spike.
  7. Spike Newcomer, in training Posts: 2,371

    Note that I've included a file I shouldn't have, by accident - NPDocBox.dll

    It's actually an Adobe Acrobat plugin. If you remove it though, it's easily installed. The other is a "live picture viewer" plugin. It's also safe, but may not be required. Again, it's easily re-installed.

    Hope it's all fixed up, and you're welcome :)
  8. swker98 TechSpot Paladin Posts: 1,348

    Newest log, hopefully it will be the last.
  9. Spike Newcomer, in training Posts: 2,371

  10. swker98 TechSpot Paladin Posts: 1,348

    I've got internet always because I'm on my main computer, not the friend's laptop.

    And yes, the internet works.

    What should I do with the file, because it is there?
  11. Spike Newcomer, in training Posts: 2,371

    I assume you mean the .log file I mentioned? If so, it can't hurt. I assume that this means that DCPROMO.LOG was present in /winnt/debug? yes?

    Perhaps try running AIMfix to get rid of this. I must admit though, I don't know for sure that it will remove it.

    I'm assuming of course that you've already tried to fix it once. :)
  12. swker98 TechSpot Paladin Posts: 1,348

    I have found the file in the debug folder. What should I do with it? The thing you posted to read made it sound like a bad piece of a worm.
    What exactly do I have? AVG turns up no worm or infection.
  13. Spike Newcomer, in training Posts: 2,371

    You don't have to do anything with the log file. Your finding it simply tells me that you have had that worm (and that I've identified it correctly), even if you no longer have it. It has been at least partially neutralised through removal though, which is why AV scans aren't detecting it. The fact that fixing it in HJT doesn't get rid of the entry though suggests that there are still one or two remnants of it in the system.

    It's called BKDR_IRCBOT.IL (by Trend Micro anyway), and is usually spread through AIM. It actually works in tandem with a nasty you've already removed.

    I posted a link in my previous post to a tool called AIMfix. One of the worms this claims to remove is the worm that you have had on that system. Please run the tool, scan with HJT, repair the O23 wgav.exe entry, and scan again to see if it's gone.

    As half of the worm has already been removed though, I can't say for sure whether the tool will in fact fix this, but it's worth a shot ;)

    (and yes, that worm is a little nasty.)
  14. swker98 TechSpot Paladin Posts: 1,348

    I can't find that wvag file.

    Could you post the full extension that it looks in HJT?

    And the AIM scanner turned up nothing.

    Thanks
  15. Spike Newcomer, in training Posts: 2,371

    The entry that seems not to be disappearing from the HJT log is...

    O23 - Service: Windows Genuine Advantage Validation (wgav) - Unknown owner - C:\WINNT\system32\wgav.exe (file missing)

    It says that the file is missing, but the entry remains after (I assume) you tried to fix it on your last scan with the rest?

    It's wgav.exe, not wvag.
  16. swker98 TechSpot Paladin Posts: 1,348

    Yea.

    That isn't a Windows Genuine tool?

    Or is it disguised as one?

    I'll post a new log soon. I've also got Firefox and AVG for them.

    Hopefully this will be the last time this happens.
  17. swker98 TechSpot Paladin Posts: 1,348

    Here's the hopefully last log.
  18. Spike Newcomer, in training Posts: 2,371

    That explains that then - you hadn't removed it. lol.

    No, that's not the WGA tool. The WGA tool uses wgatray.exe, wgalogon.dll, legitcheckcontrol.dll, and data.dat.

    It doesn't have a file named wgav.exe. This file is a worm.

    I'm happy to say now that you've fixed that entry though that your log is clean. :D

    Congrats, and no problem :)
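The two log patterns this thread turns on, the O10 "LSP provider missing" line from Spike's first reply and the O23 service whose binary is gone (and, for wgav, whose filename is not one the real WGA tool ships), can be triaged mechanically. The following is an added example, not HijackThis code or anything posted in the thread; the sample lines are constructed from the entries quoted above and the list of genuine WGA files is taken from the post above it.

```python
import re
from dataclasses import dataclass

# Constructed sample built from the HijackThis lines quoted in this thread (not a real log file).
SAMPLE_LOG = r"""
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cwlsp.dll' missing
O23 - Service: ContentProtect (CwCpSvc20) - Unknown owner - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe (file missing)
O23 - Service: Windows Genuine Advantage Validation (wgav) - Unknown owner - C:\WINNT\system32\wgav.exe (file missing)
"""

# Files the thread names as the genuine WGA tool's components; anything else under a WGA label is suspect.
WGA_FILES = {"wgatray.exe", "wgalogon.dll", "legitcheckcontrol.dll", "data.dat"}
O10_RE = re.compile(r"^O10 - Broken Internet access because of LSP provider '([^']+)' missing$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

@dataclass
class Finding:
    section: str   # HJT section the line came from (O10 / O23)
    detail: str    # the DLL path, or "service name -> binary path"
    note: str      # why a defender should care

def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O10_RE.match(line)
        if m:
            # The LSP DLL was deleted but its Winsock catalog entry survived, so the whole chain fails.
            findings.append(Finding("O10", m.group(1), "LSP DLL missing: Winsock chain is broken and needs a catalog repair"))
            continue
        m = O23_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        fname = path.rsplit("\\", 1)[-1].lower()
        if "genuine advantage" in m.group("display").lower() and fname not in WGA_FILES:
            note = "labelled as WGA but uses a file WGA does not ship: treat as masquerading malware"
        elif m.group("missing"):
            note = "orphaned service: binary is gone, remove the leftover service entry"
        else:
            continue  # service with a present, unremarkable binary: nothing to flag here
        findings.append(Finding("O23", f"{m.group('name')} -> {path}", note))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.detail}: {f.note}")
```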
  19. swker98 TechSpot Paladin Posts: 1,348

    I'm usually pretty good with this stuff. I have to say this is probably the worst I've had to handle, and I couldn't have done it without you guys at TechSpot. Hopefully I'll learn a lot of this stuff.

    Thanks again Spike and Howards
  20. Spike Newcomer, in training Posts: 2,371

    oops!

    O23 - Service: ContentProtect (CwCpSvc20) - Unknown owner - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe (file missing)

    Now it's clean :p It was only a file missing though. No nasty there to speak of.