nvexpl.exe - Trojan?

Status
Not open for further replies.

AnimOrC

Solid State Member
Messages
15
I noticed a small process that was requesting internet access. Its path is C:\WINDOWS\system32\nvexpl.exe and its size is 484kB.

It has been perfectly isolated, so there's no harm done to my installation, but I'm just curious about what it could be.

I have done some analysis on it and figured out that it is trying to provide something over HTTP to a US IP address, which is 66.45.237.xxx (I suppose IP addresses are not allowed).

Not sure if these images will be of any help, but I post them anyway. They are screendumps from Process Manager.
The process itself is using these threads:
nvexpl_threads.png

And the stack-list for the nvexpl.exe-thread looks like this:
nvexpl_stack.png


Looking in Windows Task Manager, the process is listed as using 6 MB memory and 2.5 MB virtual memory.
It has written 0 bytes to the disk and read 351 bytes.

I have run scans with Ad-Aware, Spybot - S&D, BitDefender AV, Rootkit Revealer, all updated, but none of them finds anything wrong about this file.

Don't know what a HijackThis log could do, but sure, I'll post it too:

Code:
Logfile of HijackThis v1.99.1
Scan saved at 21:48:32, on 2005-11-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\apache\Apache2\bin\Apache.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\system32\srxTitan.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\apache\Apache2\bin\Apache.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Softwin\BitDefender8\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\YnHub_Anbu\YnHub.exe
C:\Program Files\SysMetrix\SysMetrix.exe
C:\AnimUPP\iroffer\iroffer.exe
C:\AnimUPP\iroffer\iroffer.exe
C:\WINDOWS\system32\nvexpl.exe
C:\Program Files\Run\Run!.exe
C:\Program Files\Gene6 FTP Server\G6FTPTray.exe
C:\Program Files\Gene6 FTP Server\G6FTPSERVER.EXE
C:\AnimUPP\mirc_upp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\uTorrent\utorrent-1.2.1-beta2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\NoteTab Pro\NotePro.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\WINDOWS\system32\notepad.exe
C:\Programs\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.animorc.com/[/url]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: e-kort Browser Helper Object - {1C900459-DEEF-4aa9-B260-1EF0F0C70A8D} - C:\WINDOWS\system32\Bhoekort.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [AznaBot] "C:\AnimUPP\iroffer\iroffer.exe" -b C:\AnimUPP\iroffer\aznabot.config
O4 - HKCU\..\Run: [NanaBot] "C:\AnimUPP\iroffer\iroffer.exe" -b C:\AnimUPP\iroffer\nanabot.config
O4 - HKCU\..\Run: [YnHub] "C:\Program Files\YnHub_Anbu\YnHub.exe"
O4 - HKCU\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKCU\..\Run: [ioFTPd] "C:\Program Files\ioFTPD\system\ioftpd.exe"
O4 - HKCU\..\Run: [nvexpl.exe] C:\WINDOWS\system32\nvexpl.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Run!.lnk = C:\Program Files\Run\Run!.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Run!.lnk = C:\Program Files\Run\Run!.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - [url]http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab[/url]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{67EF389A-C8CE-4498-A640-794D0D874C12}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAF6F2E3-FF4F-4279-A955-53A5B8DDC483}: NameServer = 192.168.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:  sockspy.dll sockspy.dll sockspy.dll
O23 - Service: Apache2 - Unknown owner - C:\apache\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - C:\Program Files\Gene6 FTP Server\G6FTPSERVER.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Titan FTP Server Daemon (SRTSERVERDAEMON) - Unknown owner - C:\WINDOWS\system32\srxTitan.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
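The checks a reader would apply to the log above by hand can be scripted. This is an added example, not code from the thread or from HijackThis: it parses the O4 (Run), O20 (AppInit_DLLs) and O23 (Service) lines, using a subset of the posted log as input, and flags the patterns a triager would want to look at first. The flagging rules are my own heuristics and mark entries for manual review only.

```python
import ntpath
import re

# Subset of the HijackThis log posted in this thread (lines copied from it).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKCU\..\Run: [AznaBot] "C:\AnimUPP\iroffer\iroffer.exe" -b C:\AnimUPP\iroffer\aznabot.config
O4 - HKCU\..\Run: [nvexpl.exe] C:\WINDOWS\system32\nvexpl.exe
O20 - AppInit_DLLs:  sockspy.dll sockspy.dll sockspy.dll
O23 - Service: Apache2 - Unknown owner - C:\apache\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')


def first_token(cmd):
    """Return the executable path from a Run value, honouring a leading quote."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(' ', 1)[0]


def triage(log):
    """Return (line, reason) pairs for entries worth a closer look (heuristics, not verdicts)."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = first_token(m['cmd'])
            folder = ntpath.dirname(exe).lower()
            # System components normally start from HKLM or as services, not per-user Run.
            if m['hive'] == 'HKCU' and folder.endswith('\\system32'):
                findings.append((line, 'per-user autorun of a system32 binary'))
            # A value named exactly after its file is a common sign of a dropped binary.
            if m['name'].lower() == ntpath.basename(exe).lower():
                findings.append((line, 'Run value named after its own file'))
            continue
        m = O20_RE.match(line)
        if m and m['dlls'].strip():
            dlls = m['dlls'].split()  # AppInit_DLLs loads into every GUI process
            findings.append((line, f'AppInit_DLLs set ({len(set(dlls))} distinct of {len(dlls)})'))
            continue
        m = O23_RE.match(line)
        if m and '(file missing)' in m['path'] and '"' in m['path'] and not m['path'].startswith('"'):
            findings.append((line, 'service path quoting garbled; verify the binary by hand'))
    return findings
```

Run against the full log, the script would raise the nvexpl.exe HKCU entry, the repeated sockspy.dll AppInit entry and the "(file missing)" services whose paths lost their opening quote; the remaining entries match known software on the machine.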
 
I would say it's fine. This is what I found:

netapi32.dll is a module that contains the Windows NET API used by applications to access a Microsoft network.
 
 