Here are the descriptions of problems connected with NETDEVIL.12 and Advapi.exe we received earlier:
Problem Summary: Netdevil
Why do you claim to provide manual instructions for removal when all you essentially say is, "get rid of everything on your system that is corrupted by netdevil..."
Bullshit like this makes Americans distrust you. I don't even trust you with my email address.
A support ticket has been opened for this person in our HelpDesk and our support team is currently working on the problem described.
Problem Summary: advapi and worse!
Hi, I have the advapi bug problem, but it goes much further than that. I have run all of this past a good friend of mine, semi-retired, one of the top programmers at Seagate -- he has also discussed this with a number of his colleagues -- the collective opinion is that this is one of the most advanced hack infestations they've heard of, giving the appearance of making "impossible" modifications to the system. But even before I had gone to them for assistance, it was clear to me that my entire computer has been hijacked.

Every file slips by every scan that I've run, including the big guns (Norton, McAfee, ZoneAlarm); the files are all hiding as legitimate system files. Any file which I delete, whether an apparently legit system file or a likely virus file, is quickly replaced. All of this right after a 5-pass DoD wipe of the hard drive, no internet connection, ALL DSL modem, AC adapters, ethernet cables unplugged. The hack has activated nearly a dozen various WAN miniports (showing up under Device Manager's hidden devices), most of them on various USB hub connections, and indicating that they're sharing, sometimes 3 at a time, the same IRQs and memory addresses. These devices cannot be disabled or uninstalled, the locations of the (virtual) devices and drivers being ROOT/ ... (no %...%/..., just ROOT).

I've found dozens of bogus files in the Windows directory, how they're redirecting the BIOS to their own on a virtual (non-existent) floppy drive B (I've disconnected my actual floppy drive). Descriptions of how they're emulating the appearance of the Windows bootup and logon process (show this screen with a timeout of x seconds, etc.). I found a log describing their steps in moving the memory address of my graphics driver to perfectly match that of their own devices. They've even installed Bluetooth drivers (I have no such devices). They describe making the necessary registry changes to eliminate the appearance of any hack flags. Also system files describing modifications of USB ports to serve their purposes. Another document describes how they're implementing bogus time-stamps.

I've been running ZoneAlarm at max security since before any of this began; a week or so ago ZA began logging massive attempts by the WMI service to lower its security settings, which were logged as blocked, but the next day ZA had been uninstalled, and the system hasn't allowed me to re-install. I set up Windows Firewall as the best available replacement, but then it becomes disabled as the Security System service is shut down.

BTW, this is the first time I've been back online since ZA was uninstalled.

Nothing which I delete, no security changes, no disabling of system services, sticks -- the system is quickly taken over by LOCAL SYSTEM, NT AUTHORITY, etc., and my own administrative privileges are quickly disabled after a clean reinstallation of Windows XP, either Home or Professional. They appear to be making use of the pagefile and System Volume Information directories. I know how to use CACLS to gain access to these, delete everything and immediately overwrite the empty disc space with garbage (not sure if that overwriting helps, but I know that just leaving it open space deletes nothing), but subsequent monitoring of those directories shows immediate modification.

I bought a second, inexpensive Dell (Optiplex GT270) as an internet-dedicated machine, having no connection with my infected system, Windows XP Pro pre-installed, but as soon as I started it up (had NOT gone online), it was already infected. Discovered later (see below) that the bug had been carried by my Logitech MX1100 mouse!

I've called several local (this is a major city) computer tech shops for help, but when I describe the problems, in particular how it seems to infect hardware, they've not wanted (so far) to do anything which would involve attaching any of their own diagnostic equipment to my system, so no luck yet with them.

I've gathered a sizeable amount of documentation, logs and system file txt printouts on all of this -- for now I'll just attach my HijackThis log from my Dell 410XPS (not much help probably, as again I cannot permanently delete anything even though I'm offline), and also a system info analysis of the Optiplex GT270 (jpgs of the screen -- as far as relevant info, should be about the same as my main computer) which I ran from a boot CD, Windows not running. And I do hope that all of this gets to you without corruption!

This has become an urgent problem, as of yesterday ... I could, though it would hurt, trash my complete system and buy all new, but before I had realized that the mouse was able to transmit the bug I had gone to my mother's to access the web, and as luck would have it her mouse had not been working, so I thought nothing of bringing mine with me to use. This of course infected her machine, but also her husband's through their LAN, despite his having Norton running. He is a Regents Professor at the University, so any data loss for him would be catastrophic. Before my mom's computer had reached the desktop during bootup I noticed an inappropriate amount of HD activity on her computer and immediately hit the machine's off button, then ran into her husband's study shouting for him to turn his computer off immediately, but it was too late for both.

As far as backing up at this point, most of my directories are marked to delete on copy, which did occur when I tried, but I found that by zipping them first I could get them off. But this would be quite a task with a TB or so of data! lol Do you think that ghosting a drive would bypass this potential deletion on copy? It would still be infected of course, but would still be a backup of sorts.

When I'm done here, I'm going to install an Ubuntu OS -- hopefully this would be beyond their boolean if/then contingencies and I might be able to implement some more effective solutions.

I'll just remind once again, all of this has been verified by my very qualified friend and his associates at Seagate. Thanks for *any* help!!

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:51 PM, on 4/17/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\SarbyxTrayClock\trayclock.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\SHORTK~1\shklite.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Taskbar Activate\TaskbarActivate.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users\Application Data\BarDiscover\bardiscover121.exe
C:\Program Files\BarDiscover\bardiscover.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\IrfanView\i_view32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [SarbyxTrayClock] C:\Program Files\SarbyxTrayClock\trayclock.exe
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Common Files\LogiShrd\eReg\SetPoint\eReg.exe
O4 - Startup: Styler.lnk = ?
O4 - Startup: Taskbar Activate.lnk = C:\Program Files\Taskbar Activate\TaskbarActivate.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: ShortKeys Lite.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: BarDiscover Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\BarDiscover\bardiscover121.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4374 bytes
The problem of Michael Pankratz was resolved by our support team.
Problem Summary: Login failures for Logon Process: Advapi on domain controller
Login failures for Logon Process: Advapi on domain controller. Sample log below.

< Date & Time> %NICWIN-4-Security_534_Security: Security,rn=14086433 cid=0x00000002 eid=0x00000216,,534,Security,NT AUTHORITY/SYSTEM,Failure Audit,DC-01,Logon/Logoff,,Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: Domain: Logon Type: 2 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: DC-01 Caller User Name: DC-01$ Caller Domain: VSNL Caller Logon ID: (0x0,0x3E7) Caller Process ID: 4540 Transited Services: - Source Network Address: - Source Port: -

I see this log every 15 minutes... how should I start?
We examined this request and answered Indra by email.
Problem Summary: i cant start setup game halo for windows
needs advapi32
Reply of our support team was forwarded to marcelo via email.
Problem Summary: advapi / netdevil trojan
Hi,
I think I'm being hit with this trojan. Even when I put it into standby, it will still kick the laptop out of standby after 5 min. I checked that all the network interfaces have already had power management turned off. Appreciate your help!
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/5/2009
Time: 6:52:42 AM
User: NT AUTHORITY\\NETWORK SERVICE
Computer: SG-L-TSGOH
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/5/2009
Time: 6:52:42 AM
User: NT AUTHORITY\\NETWORK SERVICE
Computer: SG-L-TSGOH
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
We worked out the solution to the described problem and sent our suggestions to Chris.
Problem Summary: Advapi.exe
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/1/2009
Time: 3:02:00 PM
User: NT AUTHORITY\\SYSTEM
Computer: BLDHKWEB03
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: azkhan
Domain: BANGLALINK
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: BLDHKWEB03
Caller User Name: BLDHKWEB03$
Caller Domain: BANGLALINK
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1120
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
shafiquzzaman received an email with possible solutions to his problem.
Problem Summary: NETDEVIL.12 and Advapi issues
My PC has the NETDEVIL.12 VIRUS
Several possible methods of solving the problem mentioned by John were sent to the provided email address.
Problem Summary: Problem Virus
Good afternoon, my name is Said Orlando García Corral. We currently have Trend Micro OfficeScan (VSE version 8.0 SP1, 32-bit, virus pattern 5943). We are detecting inappropriate behavior on many of our machines: the event viewer logs are filling up, and domain user accounts are being locked out. We are looking on the network for the ID of the error that is generated in the event viewer, and it is a virus problem called netdevil; the running process is called advapi. We are also running the Trend Micro Net Security Suite.
Our support team answered the request of Orlando Corral by email.
Problem Summary: advapi SP2 problem detected by pctools Spyware Doctor
SP2 stops with advapi error; Win XP Home Edition
Paul, please check your email for our answer.
Problem Summary: advapi SP2 problem detected by pctools Spyware Doctor
SP2 stops with advapi error; Win XP Home Edition
Paul, we sent the solution of this problem to your mailbox.
Problem Summary: AD account kept locking up
AD account, for no reason, would lock up (2 days). Everything was checked: mapped drives, wireless, mapped printers, all... Not until Ad-Aware from Lavasoft was run did the issue go away. The AD server showed 10 retries from the workstation in question, but no one tried 10 times. Login was tried once and the account showed locked. Could this be Netdevil.12 or is there something else out there?
We have other accounts experiencing the same issue. Please reply.
Our support team contacted Javier with the solution of the problem described.
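The tickets from Indra, Chris and shafiquzzaman above paste the same kind of record (Logon Process: Advapi in events 534, 528/576 and 529), and Javier's lockout question turns on counting the failed ones. What follows is an added example, not a tool from this site or from any of the posters: a parser for both shapes the tickets use (the one-line syslog relay and the Event Viewer block), run over sample records retyped and abridged from the posts, with a triage rule and a lockout counter. The severity labels, the threshold of 10 (matching the retry count Javier reports) and the sample hostnames are assumptions for illustration.

```python
"""Triage for the Security events posted in the Advapi tickets above (534, 528, 529) and the
lockout report. Added example, not the support site's own tooling. It parses both shapes the
posts use, the one-line syslog relay (%NICWIN-...) and the Event Viewer 'Key: Value' block,
on sample input retyped and abridged from the posts."""
import re
from collections import Counter

LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch (scheduled task)",
               "5": "Service", "10": "RemoteInteractive"}  # NT 5.x logon type codes (subset)

# Labels in the event description; longer ones first so 'Caller Domain' is not 'Caller'+'Domain'.
DESC_KEYS = ["Reason", "Caller User Name", "Caller Domain", "Caller Logon ID",
             "Caller Process ID", "User Name", "Domain", "Logon Type", "Logon Process",
             "Authentication Package", "Workstation Name", "Logon ID", "Logon GUID",
             "Transited Services", "Source Network Address", "Source Port", "Privileges"]
_KEY_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in DESC_KEYS) + r"):")

def parse_description(text):
    """'User Name: azkhan Domain: X Logon Type: 4 ...' -> dict; blank values are kept."""
    parts = _KEY_RE.split(" ".join(text.split()))  # [preamble, k1, v1, k2, v2, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}

def parse_nicwin(line):
    """Relay line: '%NICWIN-4-Security_<id>_Security: Security,rn=..,,<id>,Security,<user>,
    <audit>,<computer>,<category>,,<description>' (column order as in the post)."""
    payload = line.split("%NICWIN-", 1)[1].split(": ", 1)[1]
    cols = payload.split(",", 10)  # commas inside the description stay intact
    return {"event_id": int(cols[3]), "audit": cols[6], "computer": cols[7],
            "fields": parse_description(cols[10])}

def parse_event_block(text):
    """Event Viewer block: 'Key: Value' header lines, then 'Description:' and the fields."""
    head, _, body = text.partition("Description:")
    hdr = {}
    for line in head.strip().splitlines():
        key, _, value = line.partition(":")
        hdr[key.strip()] = value.strip()
    body = body.split("For more information", 1)[0]  # drop the boilerplate footer
    return {"event_id": int(hdr["Event ID"]), "audit": hdr["Event Type"],
            "computer": hdr["Computer"], "fields": parse_description(body)}

def triage(rec):
    """(severity, message) for an Advapi logon event, else None. Logon Process 'Advapi' means a
    process on the named host called LogonUser(); its Caller Process ID is what to look up."""
    f = rec["fields"]
    if f.get("Logon Process") != "Advapi":
        return None
    ltype = f.get("Logon Type", "?")
    who = f"{f.get('Domain') or '<blank>'}\\{f.get('User Name') or '<blank>'}"
    kind = LOGON_TYPES.get(ltype, "other")
    if rec["audit"] == "Failure Audit":
        return ("investigate", f"{rec['computer']}: event {rec['event_id']}, LogonUser for {who} "
                f"type {ltype} ({kind}) from PID {f.get('Caller Process ID')} running as "
                f"{f.get('Caller Domain')}\\{f.get('Caller User Name')}: {f.get('Reason')}")
    if ltype == "5" and f.get("Domain") == "NT AUTHORITY":
        return ("routine", f"{rec['computer']}: built-in service account logon for {who}")
    return ("review", f"{rec['computer']}: Advapi logon for {who}, type {ltype} ({kind})")

def lockout_candidates(records, threshold=10):
    """Failed logons per (host, account). Lockout policy counts bad passwords, so one host
    replaying a stale credential reaches the threshold with nobody typing anything."""
    counts = Counter((r["computer"], r["fields"].get("User Name", ""))
                     for r in records if r["audit"] == "Failure Audit")
    return {k: n for k, n in counts.items() if n >= threshold}

# Constructed samples, retyped and abridged from the posts above.
NICWIN_534 = ("<Date & Time> %NICWIN-4-Security_534_Security: Security,rn=14086433 "
              "cid=0x00000002 eid=0x00000216,,534,Security,NT AUTHORITY/SYSTEM,Failure Audit,"
              "DC-01,Logon/Logoff,,Logon Failure: Reason: The user has not been granted the "
              "requested logon type at this machine User Name: Domain: Logon Type: 2 "
              "Logon Process: Advapi Workstation Name: DC-01 Caller User Name: DC-01$ "
              "Caller Domain: VSNL Caller Logon ID: (0x0,0x3E7) Caller Process ID: 4540")
EVENT_529 = """Event Type: Failure Audit
Event ID: 529
Computer: BLDHKWEB03
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: azkhan
Domain: BANGLALINK
Logon Type: 4
Logon Process: Advapi
Caller User Name: BLDHKWEB03$
Caller Domain: BANGLALINK
Caller Process ID: 1120
For more information, see Help and Support Center."""
EVENT_528 = """Event Type: Success Audit
Event ID: 528
Computer: SG-L-TSGOH
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon Type: 5
Logon Process: Advapi"""

if __name__ == "__main__":
    for rec in (parse_nicwin(NICWIN_534), parse_event_block(EVENT_529), parse_event_block(EVENT_528)):
        print(triage(rec))
    print(lockout_candidates([parse_event_block(EVENT_529)] * 10))  # ten replays: a lockout coming
```

Logon Process Advapi records a call to the LogonUser API by a process on the host named in Workstation Name, so the Caller Process ID is a local PID to identify on that machine (a service, a scheduled task or an application logging on with stored credentials), not a remote source; the Source Network Address is blank for the same reason. A 534 with logon type 2 on a domain controller says the account was asked to log on interactively but has not been granted that right on the DC, which is the default for non-administrative accounts there. A stored credential that has gone stale produces the pattern in the lockout ticket: repeated 529s from one host and a lockout counter that climbs without anyone typing; removing the process that holds the credential stops them.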