trojan.flood & fir.exe? anyone heard of these?

#1 jaisum (Newbie)


Hello, I seem to have something, a trojan called trojan.flood, that my AVG Anti-Spyware 7.5 keeps finding but can't get rid of. I have also found strange entries in my HijackThis log too: fir.exe and fixweb.exe? I tried looking them up but found nothing. I'd appreciate any help, thanks so much!




    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\windowsupdate.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\fir.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\PoivY.com\PoivY\PoivY.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\fixweb.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Microsoft Network Associates] C:\WINDOWS\System32\fir.exe
    O4 - HKLM\..\Run: [msennger] C:\WINDOWS\System32\fir.exe
    O4 - HKLM\..\RunServices: [windowsupdate] C:\WINDOWS\System32\windowsupdate.exe
    O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
    O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe
    O4 - HKCU\..\Run: [PoivY] "C:\Program Files\PoivY.com\PoivY\PoivY.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [Microsoft Network Associates] C:\WINDOWS\System32\fir.exe
    O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe
    O4 - HKUS\S-1-5-21-1004336348-492894223-1343024091-1003\..\Run: [PoivY] "C:\Program Files\PoivY.com\PoivY\PoivY.exe" -nosplash -minimized (User '?')
    O4 - HKUS\S-1-5-21-1004336348-492894223-1343024091-1003\..\Run: [Microsoft Network Associates] C:\WINDOWS\System32\fir.exe (User '?')
    O4 - HKUS\S-1-5-21-1004336348-492894223-1343024091-1003\..\RunOnce: [Windows has Layer] fixweb.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [Windows has Layer] fixweb.exe (User '?')
    O4 - HKUS\S-1-5-18\..\RunOnce: [Windows has Layer] fixweb.exe (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [Windows has Layer] fixweb.exe (User 'Default user')
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\intralaunch.CAB
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


#2 VopThis (Senior Member, Canada)
Posting in multiple forums is not appreciated because it can waste a lot of analyst time, since many may research in preparation to respond to your issues, but you will generally end up only responding to one analyst. Many analysts may delay their response or not even respond when this is discovered, especially when researching a little-known problem and finding only a few posts, including an additional one of yours on the very same set of issues:

    http://www.geekstogo.com/forum/troja...e-t195173.html


    The use of MSCONFIG may also be hiding (unless you are otherwise certain) many more and additional issues that could have provided more analytical clues.



    Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
• Your system will take longer than normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

      Please also provide any new current observations.

#3 jaisum (Newbie)
    I have tried to download it, I can get it on my desktop, but when it comes to opening it to install I keep running into problems. I've had an ftp.exe error come up and then a swreg.exe error come up.

I can't even get on the internet; it took 15 minutes to load my Yahoo page. The screen keeps going white, my icons disappear too, then reappear. Is there any way to download this program on a friend's computer and save it to disk? How could I load it from a disk? Thanks again for your help!

#4 jaisum (Newbie)
I finally got SDFix on my computer, BUT when I try to run it, it does nothing. It disappears. I've also tried to download other programs to help delete viruses, but I can't get any programs I download to open up. I'm also fighting to get my internet up. The computer is stalling a lot. Here is my new HijackThis log. What's going on with the Winsock entry?


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\windowsupdate.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\6239.exe
    C:\Program Files\PoivY.com\PoivY\PoivY.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\6239.exe
    O4 - HKLM\..\RunServices: [windowsupdate] C:\WINDOWS\System32\windowsupdate.exe
    O4 - HKCU\..\Run: [PoivY] "C:\Program Files\PoivY.com\PoivY\PoivY.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - HKUS\S-1-5-21-1004336348-492894223-1343024091-1003\..\Run: [PoivY] "C:\Program Files\PoivY.com\PoivY\PoivY.exe" -nosplash -minimized (User '?')
    O4 - HKUS\S-1-5-21-1004336348-492894223-1343024091-1003\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-1004336348-492894223-1343024091-1003\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide (User '?')
    O4 - HKUS\S-1-5-21-1004336348-492894223-1343024091-1003\..\Run: [] (User '?')
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\intralaunch.CAB
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#5 VopThis (Senior Member, Canada)
    I've also tried to download other programs to help delete viruses, but i cant get any programs i download to open up.
    That is what can happen on SERIOUSLY infected PCs. Some active infection component(s) is probably attacking and neutralizing any perceived attempts to clean out what is ailing your PC. Many times that would be why a cleanup attempt has a much better chance if run in SAFE MODE. Your infection likely needs to be addressed by SDFIX but such an infection is often felt to be so potentially invasive (possible identity theft, stolen passwords, account details, etc.) that many would be best advised to consider a clean install.


As more and more items disappear from the HijackThis log, I become more concerned that items of interest may still be hidden by using MSCONFIG. Such items probably need to be revealed in case they prove relevant to your current troubles.


    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
This is potentially a legitimate item. Nwprovau.dll is probably related to Microsoft Client Services for NetWare, but usually seen as an O20 entry, not an LSP entry:

    http://www.castlecops.com/lsp-255.html



    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    O4 - HKLM\..\Run: [WINDOWS EXPLORER] C:\WINDOWS\6239.exe
    O4 - HKLM\..\RunServices: [WINDOWSUPDATE] C:\WINDOWS\System32\windowsupdate.exe

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.



    HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

    SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



    Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):
    -- OR --
    (Use <Windows+F KEYS> and paste the FULL FILENAME Search PATH lines (where available).
    Windows KEY is located between the <Ctrl and Alt KEYS>.)



    DELETE FILES:

    C:\WINDOWS\6239.exe
    C:\WINDOWS\System32\windowsupdate.exe




    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
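The triage VopThis does by eye on the O4 lines above, as an added Python example that is not code from this thread or from HijackThis: it parses HijackThis O4 autorun entries and flags the patterns seen in jaisum's logs (RunServices entries, bare filenames resolved via PATH, unknown executables dropped straight into the Windows directory, numeric names, value names that imitate Windows components). The sample lines are taken from the logs in this thread; the KNOWN_GOOD allowlist is an assumption for the demo, not a vetted startup database.

```python
import re
from pathlib import PureWindowsPath

# Sample O4 lines taken from the HijackThis logs posted in this thread (embedded so it runs offline).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Microsoft Network Associates] C:\WINDOWS\System32\fir.exe
O4 - HKLM\..\RunServices: [windowsupdate] C:\WINDOWS\System32\windowsupdate.exe
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\6239.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-21-1004336348-492894223-1343024091-1003\..\Run: [] (User '?')
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
# Assumed allowlist for this demo only; real triage consults a vetted startup-entry database.
KNOWN_GOOD = {"ctfmon.exe", "msconfig.exe", "wuauclt.exe"}
WINDOWS_DIRS = ("c:\\windows", "c:\\windows\\system32")

def executable_of(cmd):
    """Extract the program path from a Run value, quoted or not, dropping any arguments."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]

def reasons_for(key, name, exe):
    """Heuristics matching what stood out in the logs above; each hit is one reason string."""
    if not exe:
        return ["empty autorun value (orphaned or wiped entry)"]
    p = PureWindowsPath(exe)
    base, parent = p.name.lower(), str(p.parent).lower()
    reasons = []
    if key.lower() == "runservices":
        reasons.append("uses the RunServices key, rarely used by legitimate software on XP")
    if not p.anchor:  # no drive/root: "fixweb.exe" is found through PATH at logon
        reasons.append("bare filename with no directory, resolved through PATH at logon")
    elif parent in WINDOWS_DIRS and base not in KNOWN_GOOD:
        reasons.append("unknown executable dropped directly into the Windows directory")
    if base.split(".")[0].isdigit():
        reasons.append("numeric executable name")
    if base not in KNOWN_GOOD and any(w in f"{name} {base}".lower() for w in ("windows", "microsoft")):
        reasons.append("value name or file name masquerades as a Windows component")
    return reasons

def triage(log_text):
    """Return [(value_name, executable, reasons)] for every O4 line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(USER_SUFFIX_RE.sub("", m.group("cmd")))  # strip "(User '...')" tag
        reasons = reasons_for(m.group("key"), m.group("name"), exe)
        if reasons:
            findings.append((m.group("name"), exe, reasons))
    return findings
```

Running `triage(SAMPLE_LOG)` leaves the AVG and ctfmon.exe entries alone and reports the other five, each with the reasons that match VopThis's fix list.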

#6 jaisum (Newbie)
Here is my new HijackThis log. My computer is still running slow and I am still having an awful time getting into my email or anywhere on the net. I have tried several times to go to safe mode to use SDFix and it won't do anything. I have redownloaded it and when I click on it, it disappears. I look for some kind of report log and there is nothing.

I have tried to fix this file: O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll and it keeps coming up.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:55:19, on 19/04/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\PoivY.com\PoivY\PoivY.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [PoivY] "C:\Program Files\PoivY.com\PoivY\PoivY.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\intralaunch.CAB
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#7 jaisum (Newbie)
    oh, I should also mention that I seem to have this popping up?

    generic host SVChost.exe sorceIP 0.0.0.0. Port5000

    Do you know why opening an email would knock out the I.E? Have you heard of this before?

    Thanks again

#8 VopThis (Senior Member, Canada)
Your biggest current security issue is that you do not have 'Service Pack 2' (SP2) for XP installed and may not have all your 'Critical Updates' in place (critical security updates). That will be very difficult to achieve with things as they now are. A reinstall still appears to be your best bet. I would start with a brand new hard drive and leave the existing hard drive untouched.



    I have tried to fix this file :O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll and it keeps coming up.
    LSPFIX, below, can remove this item if you do not use a 'netware client'. It may then be necessary to talk to your ISP to reinstall and/or properly configure your Internet settings.



    i am still having an awful time getting into my email or anywhere on the net.
    The easiest way to fix the broken Internet chain is to download and use a freeware utility called LSPFix.exe:
    http://cexx.org/lspfix.htm (copy to a floppy or pen drive, if necessary –182K file)

    Launch the LSP application, and click the "I know what I'm doing" checkbox.

    Highlight all instances of "nwprovau.dll" and move them to the "Remove" side and click finish. Don't remove anything else there.

    Do a full power down REBOOT.

    Navigate to and delete this file(s) (let me know if they were present):
    C:\windows\system32\nwprovau.dll




    If still no joy, download and run WinsockXPFix:
    http://www.snapfiles.com/reviews/Win...sockxpfix.html
    -----> Winsock repair utility designed for Windows XP.
    Last edited by VopThis; 19-04-2008 at 03:16 PM. Reason: reinstall needed?

#9 jaisum (Newbie)
Your biggest current security issue is that you do not have 'Service Pack 2' (SP2) for XP installed and may not have all your 'Critical Updates' in place (critical security updates). That will be very difficult to achieve with things as they now are. A reinstall still appears to be your best bet. I would start with a brand new hard drive and leave the existing hard drive untouched.

You're right about this, I have been trying to install SP2 from Microsoft. I've tried it a few times and it will get so far in the installation process, then freeze.

    I did manage to finally get the LSPfix to work and deleted the file you asked me to.

I'm still unable to get into my email accounts on Yahoo and it takes a few minutes to get my internet up. It's not as bad, but still bad.

    If I do a reinstall, would that get rid of the viruses??

    How would I do this? Could you walk me through it... because honestly I'm starting to think it may be my best option.

    Thanks again!

#10 VopThis (Senior Member, Canada)
    When Should I Format, How Should I Reinstall:

    http://www.dslreports.com/faq/10063


    As I stated, I prefer to ensure the old drive remains unaltered at all times (even if a backup drive image is available using such tools as Acronis or Ghost, etc.).

    You will need to use your XP Installation disk to install XP cleanly on a newly (re)formatted drive, preferably a new drive, thus securing the safety of any existing prior drive contents. Ensure you have a running antivirus tool before ever accessing the Internet. Then you would want to run all 'critical updates', including SP2, before trying to incorporate your user files from your old installation.

You will likely be able to access your previous drive using a USB external enclosure if your present running characteristics do not favor burning user files to CD or DVD. You might be able to 'slave' the drive as a secondary drive or copy limited contents to a memory stick/pen drive (up to 8GB normally). In all cases, you should run a thorough antivirus scan on the old drive contents that you wish to utilize.

    If you are uncomfortable with any of the above, it might be better to have a local shop do this for you. If you require more detailed instructions, suggest you post it in the 'XP Forum'.
