yess we did the complete norton removal and for some reason AVAST wiped out inet explorer so we removed that ...completely and installed AVG free for now and mozilla firefox so he can stay away from IE for the time being....shortly he will view ur readme of what progs to use and then post the logs....untill just now he cudnt get online at allwell he cud get online to diablo but not IE but that seems to be fixed atm...i have him running the ewido scan right now and then imma send him here.
512 mb RAM, 20GB HD.
P.S. he has the 2.0.0 version of HijackThis btw.
the EWIDO scan found this file too: wnscpsv.exe which is a nasty!
also a run of Spyware Doctor hard locked on nwprovau.dll which we already know is corrupt and if found something called security scan....
we successfully removed wnscpsv.exe before running Spyware Doctor.....currently we are letting Spyware Doctor run at start up as nwprovau.dll is a necessary windows file and cannot be removed by normal means. However we did manage to replace nwprovau.dll in both the dllcache folder AND the sytem32 folder with a valid copy....BUT it grew back, corrupted. I assume w/e "security scan" that Spyware Doctor found before it locked up at 97% is the cause of this. If running Spyware Doctor at startup does not solve this issue...then I will have my friend run all the programs and post all the logs, as I've done all I know how to do. HJT v2.0.0 continually shows nwprovau.dll in RED on HIS comp but does not even appear in a HJT scan on mine. On HIS comp HJT cannot remove it for obvious reasons. I'm trying to solve this simply because its a learning experience for me and I know you guys are busy...very busy. It's beginning to seem that we are going to have to add to your workload...we will know for sure in about a half hour. Lastly I know you are completely correct about NOT using HJT to remove entries. But take MY word for one thing...we have removed nothing Windows related with HJT and will NOT do so.
WE got IE working again and replaced AVAST with AVG as AVAST is apparently what stopped IE. He also NOW has the latest Mozilla Firefox installed also. While I realize that the above methods we have used is NOT the proper method of removing a trojan...it sure is fun trying.
P.S. For any new people do NOT try to remove this nwprovau.dll file as it will disable both Windows Explorer and your desktop....the ONLY reason I am messing with it on HIS comp is that I have a non corrupt copy of it and have sent him a non corrupt copy. I repeat do NOT mess with nwprovau.dll or you will bork your' windows install!
Reply With Quote