
Sys32 virus?

Discussion in 'Virus & Other Malware Removal' started by anthb314, Mar 30, 2010.

  1. anthb314

    anthb314 Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    12
    My computer has been running extremely poorly lately. When I close the lid of the laptop, it will often get stuck in standby: when I open the screen there is a black screen, and I move the mouse around for 5-10 mins but eventually have to restart the computer. Also, the restarts take a long time, roughly 10-20 mins.

    Also, RemoveIT Pro is showing that I am infected with Sys32.npqmp071705000014 and Sys32.ssupdate, which I can't seem to get rid of. They keep coming back, and I think the virus has hijacked the program because it is not allowing it to run in safe mode.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:30:04 PM, on 3/30/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Normal

    Running processes:
    C:\Windows\System32\spool\drivers\x64\3\E_FATIBIA.EXE
    C:\Program Files (x86)\InCode Solutions\RemoveIT Pro v7 Enterprise\removeit.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Users\Tony\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Tony\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Tony\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Tony\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Tony\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Tony\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Tony\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Tony\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Tony\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Tony\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Tony\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files (x86)\HP\Smart Web Printing\hpswp_framework.dll
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKLM\..\Run: [QlbCtrl] "%ProgramFiles(x86)%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
    O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe"
    O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe"
    O4 - HKLM\..\Run: [WAWifiMessage] "C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files (x86)\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
    O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
    O4 - HKCU\..\Run: [EPSON Stylus CX6000 Series] "C:\Windows\system32\spool\DRIVERS\x64\3\E_FATIBIA.EXE" /FU "C:\Windows\TEMP\E_S6F14.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [RemoveIT Pro v7Ent] C:\Program Files (x86)\InCode Solutions\RemoveIT Pro v7 Enterprise\removeit.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-978840001-799207872-4228062032-1001\..\Run: [Sidebar] "%ProgramFiles(x86)%\Windows Sidebar\Sidebar.exe" /detectMem (User 'postgres')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files (x86)\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/free- ... er_v10.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
    O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
    O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (http://www.webroot.com) - C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeper.exe
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
    O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)

    --
    End of file - 11248 bytes


    Thanks :D
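As an added triage example (not code from the thread, from HijackThis or from OTS), the script below parses lines in the HijackThis v2.0.2 log format posted above and reports what a helper checks first: O2/O3 entries whose CLSID points to "(no file)", O4 autostart commands that reference a TEMP path, and O23 services reported "(file missing)", with the caveat that on 64-bit Windows that last flag is usually the 32-bit scanner seeing SysWOW64 instead of the real System32. The sample lines are constructed from the first post's log, and the regexes and heuristics are my own assumptions about the format, not a published specification.

```python
"""Triage helper for HijackThis v2.0.2 logs.

Added example, not part of the thread: parses the O2/O3 (BHO and toolbar),
O4 (Run keys) and O23 (services) lines of a HijackThis log and reports the
entries a helper reviews first. The heuristics only flag items for review;
they do not decide that anything is malicious.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of the thread's first log (a few lines only).
SAMPLE_LOG = r"""
Platform: Windows Vista SP2 (WinNT 6.00.1906)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
O4 - HKCU\..\Run: [EPSON Stylus CX6000 Series] "C:\Windows\system32\spool\DRIVERS\x64\3\E_FATIBIA.EXE" /FU "C:\Windows\TEMP\E_S6F14.tmp" /EF "HKCU"
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
"""

# Assumed line shapes (derived from the log above, not from a HijackThis spec).
BHO_RE = re.compile(
    r"^O(?P<num>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
RUN_RE = re.compile(r"^O4 - (?P<hive>[^\s:]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(
    r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
TEMP_RE = re.compile(r"\\(?:TEMP|AppData\\Local\\Temp)\\", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\Windows\\System32\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # O2, O3, O4 or O23
    item: str     # CLSID, Run value name or service name
    reason: str


def is_64bit_log(log_text: str) -> bool:
    """HijackThis 2.0.2 does not print the OS bitness; infer it from the paths it logs."""
    return "SysWOW64" in log_text or "Program Files (x86)" in log_text


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper should look at first, with the reason for each."""
    findings: list[Finding] = []
    x64 = is_64bit_log(log_text)
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := BHO_RE.match(line)):
            # A CLSID still registered as a BHO/toolbar but with no backing file:
            # harmless leftover or remnant of a removed add-on, cleaned up in OTS fixes.
            if m["path"].strip() == "(no file)":
                findings.append(Finding(f"O{m['num']}", m["clsid"],
                                        "orphaned entry: CLSID registered but its file is gone"))
        elif (m := RUN_RE.match(line)):
            # Autostart commands touching TEMP deserve a vendor check, not automatic removal.
            if TEMP_RE.search(m["cmd"]):
                findings.append(Finding("O4", m["name"],
                                        "autostart command references a TEMP path; verify the vendor"))
        elif (m := SVC_RE.match(line)) and m["missing"]:
            if x64 and SYSTEM32_RE.search(m["path"]):
                reason = ("'(file missing)' on a 64-bit system is usually WOW64 file-system "
                          "redirection hiding the real System32 from the 32-bit scanner; "
                          "confirm with a 64-bit tool before acting")
            else:
                reason = "service binary reported missing"
            findings.append(Finding("O23", m["name"], reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.item}: {f.reason}")
```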
     
  2. anthb314

    anthb314 Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    12
    24 hr bump
     
  3. anthb314

    anthb314 Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    12
    2 day bump
     
  4. anthb314

    anthb314 Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    12
    can anyone help me please? I would really appreciate it. Thanks!
     
  5. SweetTech

    SweetTech

    Joined:
    Dec 31, 1969
    Messages:
    1,016
    Hello and welcome to the forums! My name is SweetTech, it's a pleasure to meet you. :)

    I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed response to your thread.

    If you have already received help elsewhere please inform me so that this topic can be closed.

    If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

    • Logs from malware removal programs (DDS is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
    • Please make sure to carefully read any instruction that I give you.
      Reading too lightly will cause you to miss important steps, which could have destructive effects.
    • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
    • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
    • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
    • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
    • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
    • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
      Because of this, you must reply within five days. I will post a reminder should you seem to fail to do this, however, if you fail to reply within two days then, unless I have been notified of your absence in advance, the topic shall be closed!
    • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
      Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

    ____________________________________________________

    Running OTS
    To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

    Download OTS to your Desktop

    • Close ALL OTHER PROGRAMS.
    • Double-click on OTS.exe to start the program.
    • Check the box that says Scan All Users
    • Under Additional Scans click the "Extras" button
    • In the custom scans section copy and paste in the following

      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      mv61xx.sys
      nvraid.sys
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
    • Now click the Run Scan button on the toolbar.
    • Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

    Please attach the log in your next post.

    To attach a file, do the following:
    • Click Add Reply
    • Under the reply panel is the Attachments Panel
    • Browse for the attachment file you want to upload, then click the green Upload button
    • Once it has uploaded, click the Manage Current Attachments drop down box
    • Click on the insert icon to insert the attachment into your post



    NEXT:



    Please make sure you include the following items in your next post:
    1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
    2. The log that was produced after running the OTS scan.
    3. An update on how your computer is currently running.
    It would be helpful if you could answer each question in the order asked, as well as numbering your answers.
     
  6. anthb314

    anthb314 Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    12
    Thank you!!!

    (1) No questions for now.

    (2) The OTS Log has been attached as instructed.

    (3) The computer is still restarting poorly. It takes at least 5-10 minutes and the fan comes on very loudly; it sounds like the system is stressed. However, in the past week I have only had one instance where I closed the laptop lid and the computer didn't come back from standby.

    Thanks Again!
     

    Attached Files:

    • OTS.Txt
      File size:
      211.6 KB
      Views:
      2
  7. SweetTech

    SweetTech

    Joined:
    Dec 31, 1969
    Messages:
    1,016
    Questions:

    Can you please tell me what is going on with your security programs? I am seeing a ton of security programs installed on your computer. What Anti-Virus program do you intend on sticking with?


    Do you know what this folder is for?

    C:\Users\Tony\Documents\Virus
    C:\6622a270e744b9fb6dc8c19f5c3c45


    NEXT:



    Peer to Peer Program
    While reviewing your logs I noticed that you currently have Peer to Peer program(s) installed on your computer.

    You currently have the following P2P programs installed:

    • BitTorrent
    • uTorrent
    Most of the infections that we see today are through P2P file sharing. It's highly recommended that you remove the programs mentioned above. It's impossible to trust the source of what is being downloaded from them, and a file may or may not be what it appears to be.

    Should you decide to keep these programs installed on your computer PLEASE do not use these programs while we are getting your P.C. cleaned up.

    How to Uninstall the P2P Programs:

    For Vista Users:

    • Click on Start > Control Panel and double click on Programs and Features.
    • Locate BitTorrent and click on the Uninstall button to uninstall it.
    • Repeat for uTorrent.
    • Close Control Panel when done.


    PLEASE NOTE: When you're uninstalling the P2P Program(s), some questions are worded in various ways to try and deceive you and keep you from uninstalling their Program.



    NEXT:



    Running OTS Fix
    Start OTS. Copy/paste the information inside the codebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

    Code:
    [Kill All Processes]
    [Unregister Dlls]
    [Registry - Safe List]
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
    YN -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
    < Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
    YN -> "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
    < Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-978840001-799207872-4228062032-1000\] > -> HKEY_USERS\S-1-5-21-978840001-799207872-4228062032-1000\Software\Microsoft\Internet Explorer\Toolbar\
    YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
    YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
    < CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    YN -> \\"NoActiveDesktop" -> [1]
    < Drives with AutoRun files > -> 
    NY -> D:\AUTOMODE  -> D:\AUTOMODE [ NTFS ]
    < MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
    YN -> \{916e4f36-020d-11df-8a23-001e68a5fbb8}\shell\\"" -> [AutoRun]
    [Registry - Additional Scans - Safe List]
    < 64bit-Protocol Filters [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\
    YN -> text/xml:{807553E5-5146-11D5-A672-00B0D022E945} [HKLM] -> Reg Error: Key error.[Reg Error: Key error.]
    < 64bit-Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
    YN -> msdaipp: [HKLM] -> No CLSID value
    YN -> msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} [HKLM] -> Reg Error: Key error.[Reg Error: Key error.]
    YN -> msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} [HKLM] -> Reg Error: Key error.[Reg Error: Key error.]
    YN -> ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} [HKLM] -> Reg Error: Key error.[Reg Error: Key error.]
    YN -> mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} [HKLM] -> Reg Error: Key error.[Reg Error: Key error.]
    [Files/Folders - Created Within 30 Days]
    NY ->  5 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp
    NY ->  2 C:\Windows\*.tmp files -> C:\Windows\*.tmp
    NY ->  1 C:\Users\Tony\Documents\*.tmp files -> C:\Users\Tony\Documents\*.tmp
    [Files/Folders - Modified Within 30 Days]
    NY ->  edacded0.dat -> C:\Windows\SysNative\edacded0.dat
    NY ->  bcdadac7.xml -> C:\Windows\SysNative\bcdadac7.xml
    [Alternate Data Streams]
    NY -> @Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:089A7B08
    [Empty Temp Folders]
    [EMPTYFLASH]
    [Reboot]
    
    The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

    If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTS will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.



    NEXT:



    Malwarebytes' Anti-Malware

    I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:


    • Open Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Check for Updates
    • After the update has been completed, select the Scanner tab.
    • Select Perform quick scan, then click on Scan
    • Leave the default options as they are and click on Start Scan
    • When done, you will be prompted. Click OK, then click on Show Results
    • Check (tick) all items and click on Remove Selected
    • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



    NEXT:


    Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

    1. Click Accept, when prompted to download and install the program files and database of malware definitions.

    2. To optimize scanning time and produce a more sensible report for review:

    • Close any open programs
    • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

    3. Click Run at the Security prompt.

    The program will then begin downloading and installing and will also update the database.
    Please be patient as this can take quite a long time to download.

    • Once the update is complete, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

      • Spyware, adware, dialers, and other riskware
      • Archives
      • E-mail databases
    • Click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Click View report... at the bottom.
    • Click the Save report... button.

    • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply


    NEXT:



    Please make sure you include the following items in your next post:
    1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
    2. An answer to the questions that I asked to you under the questions section.
    3. The log that was produced after running the OTS fix.
    4. The log that was produced after running the updated MalwareBytes' Anti-Malware scan.
    5. The log that was produced after running the Kaspersky Online scanner.
    6. An update on how your computer is currently running.
    It would be helpful if you could answer each question in the order asked, as well as numbering your answers.
     
  8. anthb314

    anthb314 Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    12
    (1) Questions - Has the Sys32.npqmp071705000014 file found by RemoveIT Pro been removed?

    "Do you know what this folder is for?

    C:\Users\Tony\Documents\Virus"

    That folder is the one that I save all my logs from various anti-virus programs in.

    "C:\6622a270e744b9fb6dc8c19f5c3c45"

    This is my OTS log.

    (2) Yes I know I have a lot of security programs. I have tried a lot of them and some find new things even after running scans with other programs. I guess I am just paranoid :eek:

    The ones I would like to keep are Trend Micro (because I paid for it and it has a good firewall), Malwarebytes (even though it has never found anything after my first scan, this is a pretty highly rated program), Remove IT Pro (usually finds things that the other programs miss), CCleaner to clear out web browsers, and WinPatrol because it does a good job at detecting changes to the start up programs.

    I could probably do without jv16 PowerTools, Ad-Aware, SUPERAntiSpyware, and Sophos Anti-Rootkit.

    Does this sound okay to you?

    (3) The log that was produced after running the OTS fix has been uploaded as an attachment called OTS_Fix.txt

    (4) The log that was produced after running the updated MalwareBytes' Anti-Malware scan has been uploaded as an attachment called mbam-log-2010-04-04_(21-20-11).txt

    (5) The log that was produced after running the Kaspersky Online scanner has been uploaded as an attachment called KasReport.txt

    (6) The computer seems to be running a bit better. Restarts seem a bit quicker.

    Thanks!
     

    Attached Files:

  9. SweetTech

    SweetTech

    Joined:
    Dec 31, 1969
    Messages:
    1,016
    Yes, that does seem like a better plan. Having too many security programs can cause them to clash with each other. Go ahead and uninstall those now please.


    Run a new OTS scan and include the log that is produced in your next reply.
     
  10. anthb314

    anthb314 Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    12
    Attached is my new OTS log.
     

    Attached Files:

  11. SweetTech

    SweetTech

    Joined:
    Dec 31, 1969
    Messages:
    1,016
    Running OTS Fix
    Start OTS. Copy/paste the information inside the codebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

    Code:
    [Kill All Processes]
    [Unregister Dlls]
    [Processes - Safe List]
    YN -> e_fatibia.exe -> C:\Windows\SysWow64\spool\drivers\x64\3\E_FATIBIA.EXE
    [Registry - Safe List]
    < 64bit-Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "HP Health Check Scheduler" -> [[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "QlbCtrl" -> ["%ProgramFiles(x86)%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start]
    < Run [HKEY_USERS\S-1-5-21-978840001-799207872-4228062032-1000\] > -> HKEY_USERS\S-1-5-21-978840001-799207872-4228062032-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "EPSON Stylus CX6000 Series" -> C:\Windows\SysWow64\spool\DRIVERS\x64\3\E_FATIBIA.EXE ["C:\Windows\system32\spool\DRIVERS\x64\3\E_FATIBIA.EXE" /FU "C:\Windows\TEMP\E_S6F14.tmp" /EF "HKCU"]
    < Run [HKEY_USERS\S-1-5-21-978840001-799207872-4228062032-1001\] > -> HKEY_USERS\S-1-5-21-978840001-799207872-4228062032-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "Sidebar" -> ["%ProgramFiles(x86)%\Windows Sidebar\Sidebar.exe" /detectMem]
    [Files/Folders - Created Within 30 Days]
    NY ->  5 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp
    [Empty Temp Folders]
    [Reboot]
    The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

    If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTS will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.


    NEXT:



    Java Outdated
    Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 19 (JDK or JRE)".
    • Click the "Download JRE" button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u19-windows-i586.exe to install the newest version.
    • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    • When the Java Setup - Welcome window opens, click the Install > button.
    • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
    -- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
    -- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


    Note:
    The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
    To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
    Click Ok and reboot your computer.


    NEXT



    Clean Java Cache & Temporary Files

    • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
      • On the General tab, under Temporary Internet Files, click the Settings button.
      • Next, click on the Delete Files button
      • There are two options in the window to clear the cache - Leave BOTH Checked
        • Applications and Applets
        • Trace and Log Files
      • Click OK on Delete Temporary Files Window

        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel.



    NEXT:



    Update Adobe Reader
    Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy
    • Go to Start > Control Panel > Add/Remove Programs
    • Remove ALL instances of Adobe Reader
    • Re-boot your computer as required.
    • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
    Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here< Foxit Reader has fewer add-ons therefore loads more quickly.


    NEXT:



    Update FireFox
    While in Firefox go to the Help menu.
    Locate Check for Updates.
    Allow Firefox to install the latest update, which is 3.6.3.



    NEXT:



    Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which may be infected anyway).

    To turn off Windows Vista System Restore:


    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK
    9. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.


    To turn on Windows Vista System Restore:

    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Place a checkmark in the box for any drive you wish to enable System Restore on
    7. Click OK



    NEXT:



    OTS Clean-Up

    • Make sure you have an Internet Connection.
    • Double-click OTS.exe to run it. (Vista users, please right click on OTS.exe and select "Run as an Administrator")
    • Click on the CleanUp! button
    • A list of tool components used in the Cleanup of malware will be downloaded.
    • If your Firewall or Real Time protection attempts to block OTS to reach the Internet, please allow the application to do so.
    • Click Yes to begin the Cleanup process and remove these components, including this application.
    • You should be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



    NEXT:



    All Clean Speech

    ==> Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <==
    Below I have included a number of recommendations for how to protect your computer against malware infections.

    • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
      Strong passwords: How to create and use them
      then consider a password keeper, to keep all your passwords safe.
    • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
      This will ensure your computer always has the latest available security updates installed.
    • SpywareBlaster protects against bad ActiveX; it immunizes your PC against them.
    • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
    • Make Internet Explorer more secure
      • Click Start > Run
      • Type Inetcpl.cpl & click OK
      • Click on the Security tab
      • Click Reset all zones to default level
      • Make sure the Internet Zone is selected & Click Custom level
      • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
      • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
    • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
    • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
      • Green to go
      • Yellow for caution
      • Red to stop
      WOT has an addon available for both Firefox and IE
    • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here
      • If you choose to use Firefox, I highly recommend this add-on to keep your PC even more secure.
        • NoScript - for blocking ads and other potential website attacks
    • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
    • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
    • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    **Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

    Thank you for your patience, and performing all of the procedures requested.

    Please respond one last time so we can consider the thread resolved and close it, thank-you.
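The "Make Internet Explorer more secure" steps above change three Internet-zone ActiveX settings through the Custom level dialog. The PowerShell script below is an added example, not part of SweetTech's post or of any tool mentioned in the thread: it reads the same settings from the registry so the user can confirm the change took effect, and can optionally write the values the dialog would write. It assumes the per-user zone key `HKCU:\...\Internet Settings\Zones\3` is the one in effect (a Group Policy that pins these settings under HKLM would override it).

```powershell
# Added example (not from the thread): audit the Internet zone (zone 3) ActiveX
# settings that the post tells the user to set via Inetcpl.cpl > Security >
# Custom level. The value names are the URL action IDs Windows stores under
# Internet Settings\Zones; the data is 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Target state from the post: both ActiveX download options -> Prompt,
# "Initialize and script ActiveX controls not marked as safe" -> Disable.
$Expected = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IeActiveXHardening {
    param(
        [string]$Path = $ZonePath,
        [switch]$Fix    # when set, write the wanted value for any non-compliant setting
    )
    $key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($id in $Expected.Keys | Sort-Object) {
        $setting = $Expected[$id]
        # $key.$id reads the registry value named e.g. "1001"; missing values stay $null.
        $current = if ($key -and $null -ne $key.$id) { [int]$key.$id } else { $null }
        $ok = ($current -eq $setting.Want)
        $shown = if ($null -eq $current) { '(not set)' }
                 elseif ($Label.ContainsKey($current)) { $Label[$current] }
                 else { "unknown ($current)" }
        [pscustomobject]@{
            ValueName = $id
            Setting   = $setting.Name
            Current   = $shown
            Wanted    = $Label[$setting.Want]
            Compliant = $ok
        }
        if ($Fix -and -not $ok) {
            # Same DWORD the Custom level dialog writes when the option is changed.
            Set-ItemProperty -Path $Path -Name $id -Value $setting.Want -Type DWord
        }
    }
}

# Report only; add -Fix to apply the post's settings for any row where Compliant is False.
Test-IeActiveXHardening | Format-Table -AutoSize
```

Running it before and after the Custom level steps shows the Current column move from the old value to Prompt / Prompt / Disable.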
     
  12. anthb314

    anthb314 Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    12
    Thank you so much!!!! :) I really appreciate it!!!!
     
  13. SweetTech

    SweetTech

    Joined:
    Dec 31, 1969
    Messages:
    1,016
    Do you have any further questions for me or can I go ahead and close this thread up as solved?
     
  14. anthb314

    anthb314 Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    12
    Nope everything is running smoothly. Already marked it as solved -- thanks again!
     
Short URL to this thread: https://techguy.org/913646