Advice on Hijackthis logs

By BillAllen55
Oct 8, 2008
  1. I'm still in the process of learning all about Techspot. I've never asked a questions using the 'insert' option. I would appreciate someone looking at my hijackthis! log and giving me suggestions. If this is incorrectly done please bare with me.

    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    Winsock Hijacker

    Every time I've seen this its been a bad thing
    This is a quote from an auto scan program that advises this line is of concern. When going to the recommended website to fix the winsock LSP file it advises that it is unable to fix this what is being called a 'broken link'. This is the concern I have and would appreciate explanation as to first of all if it 'is' an issue (understanding that my cable internet connection is working fine.) or if it is something I need not concern myself with.
  2. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +184

    1. "who" sent you to "what" site to get that fixed?

    2. Identifying (by name only. can't say yes/no is legit) Nwprovau.dll is part of MS support client service for Netware

    3. Do you use Netware at all?

    /************ EDIT *******************/
    And as i see you a running XP SP3 you might also check and see if it compares to the one on my machine
    Version 5.1.2600.5512
    Hash Calcs:
    MD5 06e587f41466569f32beaac7260e8aec
    SHA1 0424dc94f9c7ac9db2210cbdbb4b610d57b6ccf4
  3. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +184

    Will explain.

    First, off the file noted nwprovau.dll is the name of a legit Windows file. It's used in Networking to support Netware products and Netware protocols. (Do you use any Netware products you know of?)

    But can't trust it by name alone as malware often picks the same filename to blend in. But since you can't have two files in same directory with same name, the malware version will sit somewhere else.

    But you indicated c:\windows\system32\nwprovau.dll. That's the real Windows directory and filename. But still not enough to know for sure.

    You might try comparing number of bytes in a file or file version info, and that might be supportive information... but that information can be easily spoofed by malware.

    So what next? Well, one way is check adn compare file hash checks.

    Since these files are basiclly just a bunch of numbers (they, represent instructions, and computersoftare, and documentation, but at the core they're all just a bunch of numbers)
    Hash checks are math algorithms designed to read in any file purley to process the numbers its made up of and then return a checksum value. idea being the math computation algorithm produces checksums such that two files which are NOT identical have something like 1 in a billion or trillion odds of producing the same checksum.

    So we can end part1 with my noting you and i are both running XP SP3.. so for a first check you can compare the version number (which is helpful but not conclusive) and the checksum (would would be conclusive if a match) comparing that file to the one i have sitting on my computer. Use the MD5 check sum as its most widely used for this task.

    Let me know what it shows or if any question
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...