
Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO

Saturday, October 11, 2008

winsock LSP (c:\windows\system32\nwprovau.dll)

Source
If you have used HijackThis to track down a virus, spyware, or malware, you may have seen the file nwprovau.dll in your HijackThis log with the statement "Unknown file in Winsock LSP".
The file nwprovau.dll is a legitimate file installed by Client Service for NetWare. It's usually installed for the IPX/SPX protocol, which is rarely used anymore. This is why it doesn't show up in every HijackThis log file. However, the question remains: is the file needed if Client Service for NetWare is not running on the computer? In my testing, the entry in the HijackThis log is not needed if you are not using NetWare and the IPX/SPX protocol is not installed on your computer. Since most networks have now standardized on the TCP/IP protocol, this shouldn't be a problem if it's removed.

Although there is a Windows Service Patch (MS06-066: Vulnerability in the Client Service could allow remote code execution) that does update the file on Windows computers, the entry in HijackThis does not need to be there unless Client for NetWare is installed. I understand this runs contrary to what many computer support sites state. Most other sites will say to leave the entry alone since it's a valid Windows file. I just don't like extra items loaded that don't need to be there.
A HijackThis log will show NWPROVAU.DLL in this way:
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

In the Windows registry, the nwprovau.dll file will show up under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
It will generally be shown under Key # 4 with the following information.

NWPROVAU.DLL information in registry
Can I Remove NWPROVAU.DLL From the HijackThis log?
The answer to this question will depend on what you are doing. If your computer is connected to a NetWare network, you should leave the file and entry intact. If, however, you find this log entry on a standalone computer or a personal computer that is NOT using NetWare, then you can for all practical purposes remove the file.
Unfortunately, you cannot remove this entry by using HijackThis; you must download LSPFix and use it to remove the NWPROVAU protocol. To do this, follow these directions.
1) Click on the following link to download LSPFix to your desktop.
http://www.cexx.org/lspfix.htm
or click on this link to download the exe file directly:
http://www.cexx.org/LSPFix.exe
2) Once the exe file is on your desktop, double-click on it to open it.
3) In the left-hand column, you should see the NWPROVAU.DLL file listed. Send it to the right-hand column labeled Remove.
NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing".
4) Once the file has been transferred to the Remove column, click Finish at the bottom of the screen. You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry. Close the LSPFix program now.
5) Run HijackThis and the entry for NWPROVAU.DLL should now be gone from the list.
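
To inspect the namespace catalog key named above before and after running LSPFix, the following read-only listing can be used. It is an added example, not part of the original post or of LSPFix. It assumes PowerShell 2.0 or later, that each catalog entry stores its DLL in a LibraryPath value, and that Client Service for NetWare, when installed, appears as a service with that display name.

```powershell
# Added example (not from the original post): read-only listing of the Winsock
# namespace providers registered under the key named in the post.
$catalog = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries'

# Assumption: the client shows up as a service with this display name when installed.
$netware = Get-Service -DisplayName 'Client Service for NetWare' -ErrorAction SilentlyContinue

Get-ChildItem -Path $catalog | ForEach-Object {
    $key   = $_
    $props = Get-ItemProperty -Path $key.PSPath
    # LibraryPath may contain %SystemRoot%; expand it before touching the disk.
    $dll = [Environment]::ExpandEnvironmentVariables([string]$props.LibraryPath)

    $exists  = $false
    $company = ''
    if ($dll -and (Test-Path -Path $dll)) {
        $exists  = $true
        # Version resource is informational only; it is not proof of origin.
        $company = (Get-Item -Path $dll).VersionInfo.CompanyName
    }

    # Apply the post's rule: nwprovau.dll is only needed with Client Service for NetWare.
    $note = ''
    if (-not $exists) {
        $note = 'registered DLL is missing on disk'
    } elseif ((Split-Path -Path $dll -Leaf) -ieq 'nwprovau.dll') {
        if ($netware) {
            $note = 'NetWare client installed: leave in place'
        } else {
            $note = 'NetWare client not found: removal candidate'
        }
    }

    New-Object PSObject -Property @{
        Entry         = $key.PSChildName
        DisplayString = $props.DisplayString
        LibraryPath   = $dll
        Company       = $company
        Note          = $note
    }
} | Select-Object Entry, DisplayString, LibraryPath, Company, Note | Format-Table -AutoSize
```

The script changes nothing; after step 5 the nwprovau.dll row should no longer appear in its output.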
