Network Location Awareness - Svchost.exe (file Is Missing) Help


12 replies to this topic

#1 dimchopicha2003

Posted 23 November 2006 - 10:41 PM

Hi
I am sure my pc is spyware free. I have installed this nasty prog "XP Smoker 5.2" to "boost" :eek: the performance of my pc. Well, it changed many settings in my WinXP and many registry keys. I then decided to uninstall it, and when done, soon after that I lost my internet connection. Spyware Doctor, Ad-Aware, AVG Anti-Spyware, Spybot and some registry cleaning programs didn't fix the problem. Then I used "WinSockXPFix 1.2" to reset LSP, host files and TCP settings, and it did the trick. I could connect to the internet again, but this is still in my log...

Logfile of HijackThis v1.99.1
Scan saved at 05:11:24, on 24.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis1991.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93417DB5-9ACC-41FD-B7FE-D1A4FEF2D2AA}: NameServer = 172.20.0.1,213.240.241.252
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

When I try to start the NLA service (it is stopped and set to manual) I get an error.
Any suggestions how to fix this?

Thanks in advance.


#2 Falu

Posted 24 November 2006 - 03:54 PM

Hi dimchopicha2003, :thumbsup:

We're studying your log right now and will be back to you a.s.a.p.

Thanks for your patience. :flowers:

#3 Falu

Posted 25 November 2006 - 07:44 AM

Hi dimchopicha2003, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

I am sure my pc is spyware free.


I am afraid not. In order to find out more about possible spyware, go to your HijackThis folder present in your Program Files and rename Hijackthis.exe to Analyse.exe and then reboot.
After reboot, run Analyse.exe (which is hijackthis of course) and post the log it creates in your next reply.

#4 dimchopicha2003

Posted 25 November 2006 - 12:24 PM

I renamed hijackthis.exe to hijackthis1991.exe because I read somewhere that some spyware detect it and bypass it - if this is what you think,
but anyway I'll do what you asked me.

#5 dimchopicha2003

Posted 26 November 2006 - 06:48 PM

Logfile of HijackThis v1.99.1
Scan saved at 01:41:48, on 27.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\HijackThis\Analize.exe

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93417DB5-9ACC-41FD-B7FE-D1A4FEF2D2AA}: NameServer = 172.20.0.1,213.240.241.252
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

#6 Falu

Posted 29 November 2006 - 11:54 AM

Hi dimchopicha2003, :thumbsup:

Because of unforeseen circumstances it takes longer than expected. :flowers:

Be assured that I will be back to you.

Thanks for your patience. :huh:

#7 Falu

Posted 01 December 2006 - 08:00 AM

Hi dimchopicha2003, :thumbsup:

Again, very, very sorry for the long wait.

1. Run HijackThis, click Scan and checkmark the following entries:

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

2. In order to solve your NLA problem:

Go to Start > Run, type cmd.exe and copy/paste the text in the quote box into the open box:

sc qc NLA & sc qcfailure


and click OK.

Please copy/paste the output in your next reply along with a fresh HijackThis log.

#8 dimchopicha2003

Posted 01 December 2006 - 02:50 PM

Hi,
cmd log

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>sc qc NLA & sc qcfailure
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: NLA
		TYPE			   : 20  WIN32_SHARE_PROCESS
		START_TYPE		 : 3   DEMAND_START
		ERROR_CONTROL	  : 1   NORMAL
		BINARY_PATH_NAME   : \SystemRoot\C:\WINDOWS\system32\svchost.exe -k nets
vcs
		LOAD_ORDER_GROUP   :
		TAG				: 0
		DISPLAY_NAME	   : Network Location Awareness (NLA)
		DEPENDENCIES	   : Tcpip
						   : Afd
		SERVICE_START_NAME : LocalSystem
*** Unrecognized Command ***
DESCRIPTION:
		SC is a command line program used for communicating with the
		NT Service Controller and services.
USAGE:
		sc <server> [command] [service name] <option1> <option2>...

		The option <server> has the form "\\ServerName"
		Further help on commands can be obtained by typing: "sc [command]"
		Commands:
		  query-----------Queries the status for a service, or
						  enumerates the status for types of services.
		  queryex---------Queries the extended status for a service, or
						  enumerates the status for types of services.
		  start-----------Starts a service.
		  pause-----------Sends a PAUSE control request to a service.
		  interrogate-----Sends an INTERROGATE control request to a service.
		  continue--------Sends a CONTINUE control request to a service.
		  stop------------Sends a STOP request to a service.
		  config----------Changes the configuration of a service (persistant).
		  description-----Changes the description of a service.
		  failure---------Changes the actions taken by a service upon failure.
		  qc--------------Queries the configuration information for a service.
		  qdescription----Queries the description for a service.
		  qfailure--------Queries the actions taken by a service upon failure.
		  delete----------Deletes a service (from the registry).
		  create----------Creates a service. (adds it to the registry).
		  control---------Sends a control to a service.
		  sdshow----------Displays a service's security descriptor.
		  sdset-----------Sets a service's security descriptor.
		  GetDisplayName--Gets the DisplayName for a service.
		  GetKeyName------Gets the ServiceKeyName for a service.
		  EnumDepend------Enumerates Service Dependencies.

		The following commands don't require a service name:
		sc <server> <command> <option>
		  boot------------(ok | bad) Indicates whether the last boot should
						  be saved as the last-known-good boot configuration
		  Lock------------Locks the Service Database
		  QueryLock-------Queries the LockStatus for the SCManager Database
EXAMPLE:
		sc start MyService

Would you like to see help for the QUERY and QUERYEX commands? [ y | n ]: y
QUERY and QUERYEX OPTIONS :
		If the query command is followed by a service name, the status
		for that service is returned.  Further options do not apply in
		this case.  If the query command is followed by nothing or one of
		the options listed below, the services are enumerated.
	type=	Type of services to enumerate (driver, service, all)
			 (default = service)
	state=   State of services to enumerate (inactive, all)
			 (default = active)
	bufsize= The size (in bytes) of the enumeration buffer
			 (default = 4096)
	ri=	  The resume index number at which to begin the enumeration
			 (default = 0)
	group=   Service group to enumerate
			 (default = all groups)
SYNTAX EXAMPLES
sc query				- Enumerates status for active services & drivers
sc query messenger	  - Displays status for the messenger service
sc queryex messenger	- Displays extended status for the messenger service
sc query type= driver   - Enumerates only active drivers
sc query type= service  - Enumerates only Win32 services
sc query state= all	 - Enumerates all services & drivers
sc query bufsize= 50	- Enumerates with a 50 byte buffer.
sc query ri= 14		 - Enumerates with resume index = 14
sc queryex group= ""	- Enumerates active services not in a group
sc query type= service type= interact - Enumerates all interactive services
sc query type= driver group= NDIS	 - Enumerates all NDIS drivers


C:\>
It looks like the command gives an error.


HJT log

Logfile of HijackThis v1.99.1
Scan saved at 21:42:28, on 01.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\Apvxdwin.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\Analize.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93417DB5-9ACC-41FD-B7FE-D1A4FEF2D2AA}: NameServer = 172.20.0.1,213.240.241.252
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

I installed panda antivirus and 3ds max in the meantime.

Thanks.

#9 Falu

Posted 02 December 2006 - 06:00 AM

Hi dimchopicha2003, :huh:

It looks like the command gives an error.


Yes it did and it's my fault. :thumbsup: Can you please do it again but with these instructions:

Go to Start > Run, type cmd.exe and copy/paste the text in the quote box into the open box:

sc qc NLA & sc qfailure


Click OK and post the output here.

Sorry and thanks. :flowers:

#10 dimchopicha2003

Posted 02 December 2006 - 01:30 PM

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>sc qc NLA & sc qfailure
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: NLA
		TYPE			   : 20  WIN32_SHARE_PROCESS
		START_TYPE		 : 3   DEMAND_START
		ERROR_CONTROL	  : 1   NORMAL
		BINARY_PATH_NAME   : \SystemRoot\C:\WINDOWS\system32\svchost.exe -k nets
vcs
		LOAD_ORDER_GROUP   :
		TAG				: 0
		DISPLAY_NAME	   : Network Location Awareness (NLA)
		DEPENDENCIES	   : Tcpip
						   : Afd
		SERVICE_START_NAME : LocalSystem
DESCRIPTION:
		Retrieves the actions performed on service failure.
USAGE:
		sc <server> qfailure [service name] <bufferSize>

C:\>

np I will do everything just to fix it

#11 Falu

Posted 05 December 2006 - 06:30 AM

Hi dimchopicha2003, :flowers:

np I will do everything just to fix it


And we will do anything needed to help you with that. Sorry it takes so much time. :thumbsup:

Launch Notepad, and copy/paste the box below into a new text file. Save it as Fix.bat and save it on your Desktop.

SC CONFIG NLA binPath= "C:\WINDOWS\system32\svchost.exe -k netsvcs" > Output.txt
notepad Output.txt


Locate Fix.bat on your Desktop and double-click on it. It will open Notepad with some text in it.

Please reboot and post the text here along with a fresh HijackThis log and let me know how this went.
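
Added example, not part of the original thread and not code from Falu or HijackThis: a Python triage of the two artifacts posted above, the `sc qc NLA` output and the HijackThis O23 lines, that spots the doubled root in the NLA image path and derives a candidate binPath for a human to review. The function names and the `C:\WINDOWS` system root are assumptions; the sample inputs are constructed from lines in this thread.

```python
import re

# Constructed sample: the `sc qc NLA` output posted in the thread, including
# the 80-column console wrap that splits "netsvcs" across two lines.
SC_QC_SAMPLE = r"""[SC] GetServiceConfig SUCCESS

SERVICE_NAME: NLA
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : \SystemRoot\C:\WINDOWS\system32\svchost.exe -k nets
vcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Network Location Awareness (NLA)
        DEPENDENCIES       : Tcpip
                           : Afd
        SERVICE_START_NAME : LocalSystem
"""

# Constructed sample: three O23 lines copied from the HijackThis logs above.
HJT_SAMPLE = r"""O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

FIELD = re.compile(r"^\s+([A-Z_]+)\s*:\s?(.*)$")   # "    KEY   : value"
EXTRA = re.compile(r"^\s+:\s*(.*)$")               # extra list item, e.g. Afd
DRIVE = re.compile(r"[A-Za-z]:\\")                 # a drive spec such as C:\
O23 = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
                 r"(?P<path>.+?)(?P<missing> \(file missing\))?$")


def parse_sc_qc(text):
    """Parse `sc qc` output into a dict, re-joining console-wrapped values."""
    fields, last = {}, None
    for line in text.splitlines():
        field, extra = FIELD.match(line), EXTRA.match(line)
        if field:
            last = field.group(1)
            fields[last] = field.group(2).rstrip()
        elif extra and last:
            fields[last] += "," + extra.group(1).strip()
        elif line.startswith("SERVICE_NAME:"):
            fields["SERVICE_NAME"] = line.split(":", 1)[1].strip()
        elif line.strip() and not line.startswith("[SC]") and last:
            fields[last] += line.strip()   # unindented remainder of a wrapped line
    return fields


def check_image_path(binary_path, system_root=r"C:\WINDOWS"):
    """Classify a service image path; system_root is an assumed install dir."""
    m = (re.match(r'^"([^"]+)"\s*(.*)$', binary_path)
         or re.match(r"^(.*?\.exe)\s*(.*)$", binary_path, re.I))
    if not m:
        return {"verdict": "unparsed", "exe": binary_path, "candidate": None}
    exe, args = m.group(1), m.group(2)
    # Resolve the \SystemRoot\ prefix the way the O23 line in the thread shows it.
    if exe.lower().startswith("\\systemroot\\"):
        exe = system_root + exe[len("\\SystemRoot"):]
    hits = [h.start() for h in DRIVE.finditer(exe)]
    if hits and hits[-1] > 0:
        # A drive spec after position 0 means two absolute paths were glued.
        candidate = (exe[hits[-1]:] + " " + args).strip()
        return {"verdict": "doubled-root", "exe": exe, "candidate": candidate}
    return {"verdict": "ok", "exe": exe, "candidate": None}


def triage_o23(log_text):
    """Return (display name, verdict) for every O23 line flagged file missing."""
    findings = []
    for line in log_text.splitlines():
        m = O23.match(line.strip())
        if not m or not m.group("missing"):
            continue
        verdict = check_image_path(m.group("path"))["verdict"]
        findings.append((m.group("display"),
                         verdict if verdict != "ok" else "missing-other"))
    return findings


if __name__ == "__main__":
    cfg = parse_sc_qc(SC_QC_SAMPLE)
    print(cfg["SERVICE_NAME"], check_image_path(cfg["BINARY_PATH_NAME"]))
    print(triage_o23(HJT_SAMPLE))
```

The candidate it derives for NLA is the same value the Fix.bat above passes to `binPath=`; entries reported as `missing-other` still need a manual look.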

#12 dimchopicha2003

Posted 06 December 2006 - 08:46 PM

Hi,
output.txt
[SC] ChangeServiceConfig SUCCESS

hjt log
Logfile of HijackThis v1.99.1
Scan saved at 03:34:22, on 07.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\apvxdwin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\HijackThis\Analize.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\avtask.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93417DB5-9ACC-41FD-B7FE-D1A4FEF2D2AA}: NameServer = 172.20.0.1,213.240.241.252
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

I have installed internet explorer 7 and windows media player 11 in the meantime.
This line:
O11 - Options group: [INTERNATIONAL] International*
is from internet explorer, right?
Should I keep it?
The NLA service error is gone. Thanks a lot guys. :thumbsup: :huh: You rock :flowers:
The service is started and it is set to manual now.

Again Thank You.

Regards Dim.

#13 Falu

Posted 07 December 2006 - 06:25 AM

Hi dimchopicha2003, :flowers:

1.

The nla service error is gone. The service is started and it is set to manual now.


That's good to hear. If you want it set to autostart do the following:

Go to Start > Run and copy/paste the text in the quote box into the open box:

sc config NLA start= auto


and click OK.

After a reboot the service is set to autostart.

2.

O11 - Options group: [INTERNATIONAL] International*
is from internet explorer, right?
Should I keep it?


To begin with: yes you may keep it.

The entry is related to Internet Explorer 7 and permits navigation to Internationalized Domain Names (IDN) composed of Unicode characters from all of the world's languages. You may read more about it here!

3.

Thanks a lot guys. :thumbsup: :huh: You rock :flowers:


You're very welcome. Sorry it took so long for me to get back to you but: all is well that ends well.

That said you're almost ready to go.

4. Remove previous restore points and set a new one to purge any malware that may have been backed up:

Click Start>Help and Support>Undo changes to your computer with System Restore
Click Create A Restore Point then click Next. Give it a name and then click Create

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

This will remove all previous restore points except the newly created one.

5. In order to prevent future infections follow these recommendations:

a. Visit Windows Update on a regular basis to stay current with critical updates.

b. Install and run the following free programs:

* Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here!

* Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found
here! Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

* SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here!

* SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here!

* IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Keep all these programs (including your anti-virus) up-to-date and run them regularly.
If you do not update regularly they will not be able to catch any of the new variants that may come out.

c. I recommend you to read Tony Klein's excellent article: So how did I get infected in the first place?

d. If you want to fight back the Malware Writers, please take a look here!

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BleepingComputer Forums, we also help people with other computer problems! Do not forget to tell your friends about us!

Good luck! :thumbsup:



