The file nwprovau.dll is a legitimate file installed by Client Service for NetWare. Its usually installed for the IPX/SPX protocol that is rarely used anymore. This is why it doesn't show up in EVERY hijackthis log file. However, the question remains: is the file needed if Client Service for Netware is not running on the computer? In my testing, the entry in the Hijackthis log is not needed if you are not using Netware and the IPX/SPX protocol is not installed on your computer. Since most networks now have standardized on using the TCP/IP protocol, this shouldn't be a problem if its removed.
Although there is a Windows Service Patch - MS06-066: Vulnerability in the Client Service could allow remote code execution that does update the file on Windows computers, the entry in hijackthis does not need to be there unless Client for Netware is installed. I understand this runs contrary to what many computer support sites state. Most other sites will say leave the entry alone since its a valid Windows file. I just don't like extra items loaded that don't need to be there.
A Hijackthis log will show NWPROVAU.DLL in this way
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
t will generally be shown under Key # 4 with the following information.
Can I Remove NWPROVAU.DLL From the Hijackthis log?
Unfortunately, you cannot remove this entry by using Hijackthis, you must download LSPFix and use it to remove the NWPROVAU protocol. To do this, follow these directions.
1) Click on the following link to download LSPFix to your desktop.
or click on this link to download the exe file directly
2) Once the exe file is on your desktop, double-click on it to open
3) In the left hand column, you should see the NWPROVAU.DLL file listed. Send it to the right-hand column labeled Remove
NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing"
4) Once the file has been transferred to the Remove column, click Finish at the bottom of the screen. You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry. Close the LSPFix program now.
5) Run Hijackthis and the entry for NWPROVAU.DLL should now be gone from the list.