URL: Mal warning pop ups

system · January 11, 2015, 9:54pm

I’ve been getting a number of warning pop ups from avast about harmful processes attempting to run on my laptop through adobe. First it was the vsb3k domain and now it’s the nsxv1 domain. It blocks them each time and I don’t get redirected anywhere else or get the annoying ads that tend to come with it, but I do think my laptop is slower as a result of the virus still being in there. I tried running a boot scan, but it turned up nothing. I’m not entirely sure what to do first in fixing this issue, so any help would be greatly appreciated.

system · January 12, 2015, 12:46am

I’ve added the appropriate logs. I hope they help.
I did get one of the pop ups while running a MBAM scan, but all the threats detected got put into quarantine. I’m still waiting to see if I will get another warning though.

essexboy · January 12, 2015, 3:26pm

Could you let me know how the computer is after this

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: HKLM\...\Run: [****<*>] => %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe <===== ATTENTION (Value Name with invalid characters) HKLM\...\Run: [****<*>] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /SONYAPO <===== ATTENTION (Value Name with invalid characters) HKLM\...\Run: [******<*>] => C:\Windows\system32\igfxpers.exe [ 11-01-2015 19:32:47] () <===== ATTENTION (Value Name with invalid characters) HKLM\...\Run: [******<*>] => C:\Windows\system32\igfxtray.exe [ 11-01-2015 19:32:47] () <===== ATTENTION (Value Name with invalid characters) HKLM\...\Run: [******<*>] => C:\Windows\system32\hkcmd.exe [ 11-01-2015 19:32:47] () <===== ATTENTION (Value Name with invalid characters) HKLM\...\Run: [******<*>] => "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe" <===== ATTENTION (Value Name with invalid characters) HKLM\...\Run: [******<*>] => "C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe" <===== ATTENTION (Value Name with invalid characters) HKLM-x32\...\Run: [] => [X] HKU\S-1-5-19\...\Run: [Þ**<*>] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun <===== ATTENTION (Value Name with invalid characters) HKU\S-1-5-19\...\RunOnce: [****<*>] => C:\Windows\System32\mctadmin.exe [429056 2012-03-14] () <===== ATTENTION (Value Name with invalid characters) HKU\S-1-5-20\...\Run: [Þ**<*>] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun <===== ATTENTION (Value Name with invalid characters) HKU\S-1-5-20\...\RunOnce: [****<*>] => C:\Windows\System32\mctadmin.exe [429056 2012-03-14] () <===== ATTENTION (Value Name with invalid characters) HKU\S-1-5-21-3868624928-45602065-142374578-1000\...\Run: [Þ**<*>] => C:\Program Files\Windows Sidebar\sidebar.exe /autoRun <===== ATTENTION (Value Name with invalid characters) HKU\S-1-5-21-3868624928-45602065-142374578-1000\...\Run: [******<*>] => "C:\Users\Nic Nic 1\AppData\Local\Google\Update\GoogleUpdate.exe" /c <===== ATTENTION (Value Name with invalid characters) HKU\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\...\Run: [Þ**<*>] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun <===== ATTENTION (Value Name with invalid characters) HKU\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\...\RunOnce: [****<*>] => C:\Windows\System32\mctadmin.exe [429056 2012-03-14] () <===== ATTENTION (Value Name with invalid characters) SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-21-3868624928-45602065-142374578-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-21-3868624928-45602065-142374578-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = BHO-x32: No Name -> {D4027C7F-154A-4066-A1AD-4243D8127440} -> No File Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File Toolbar: HKLM-x32 - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File Toolbar: HKU\.DEFAULT -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2014-11-10] FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.3.0.12\coFFPlgn FF Extension: No Name - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.3.0.12\coFFPlgn [2014-07-08] FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.3.0.12\IPSFF FF Extension: No Name - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.3.0.12\IPSFF [2014-05-24] CHR Plugin: (Norton Confidential) - C:\Users\Nic Nic 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2012.5.4.6_0\npcoplgn.dll No File CHR Plugin: (Java Deployment Toolkit 7.0.10.8) - C:\Program Files (x86)\Java\jre7\bin\new_plugin\npdeployJava1.dll No File CHR Plugin: (Java(TM) Platform SE 7 U1) - C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll No File CHR Plugin: (Google Update) - C:\Users\Nic Nic 1\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File CHR HKLM-x32\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton 360\Engine\21.3.0.12\Exts\Chrome.crx [Not Found] S3 NAVENG; C:\Program Files (x86)\Norton 360\NortonData\21.3.0.12\Definitions\VirusDefs\20140708.016\ENG64.SYS [126040 2014-06-04] (Symantec Corporation) S3 NAVEX15; C:\Program Files (x86)\Norton 360\NortonData\21.3.0.12\Definitions\VirusDefs\20140708.016\EX64.SYS [2099288 2014-06-04] (Symantec Corporation) S3 SRTSP; C:\Windows\System32\Drivers\N360x64\1503000.00C\SRTSP64.SYS [875736 2014-02-12] (Symantec Corporation) R1 SRTSPX; C:\Windows\system32\drivers\N360x64\1503000.00C\SRTSPX64.SYS [36952 2013-10-30] (Symantec Corporation) R0 SymDS; C:\Windows\System32\drivers\N360x64\1503000.00C\SYMDS64.SYS [493656 2013-10-30] (Symantec Corporation) R0 SymEFA; C:\Windows\System32\drivers\N360x64\1503000.00C\SYMEFA64.SYS [1148120 2014-03-03] (Symantec Corporation) R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2014-05-23] (Symantec Corporation) S1 SymIRON; C:\Windows\system32\drivers\N360x64\1503000.00C\Ironx64.SYS [264280 2013-10-30] (Symantec Corporation) S1 SymNetS; C:\Windows\System32\Drivers\N360x64\1503000.00C\SYMNETS.SYS [593112 2014-02-17] (Symantec Corporation) 2014-12-13 07:30 - 2014-12-13 07:30 - 00000000 __SHD () C:\Users\Nic Nic 1\AppData\Local\EmieBrowserModeList CustomCLSID: HKU\S-1-5-21-3868624928-45602065-142374578-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Nic Nic 1\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File CustomCLSID: HKU\S-1-5-21-3868624928-45602065-142374578-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Nic Nic 1\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File CustomCLSID: HKU\S-1-5-21-3868624928-45602065-142374578-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Nic Nic 1\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File CustomCLSID: HKU\S-1-5-21-3868624928-45602065-142374578-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Nic Nic 1\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File Task: {4F7A5AE5-7C03-4BDF-8061-217EB6D84827} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files (x86)\Ask.com\UpdateTask.exe [2013-04-01] () <==== ATTENTION C:\Users\Nic Nic 1\AppData\LocalLow\Adobe\Tsfxktouw EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

system · January 13, 2015, 10:21pm

I ran both scans and attached the logs.
So far, I haven’t seen any warnings, but it hasn’t been long since I followed your instructions.

essexboy · January 13, 2015, 10:25pm

Monitor it please and if all is well tomorrow let me know and I will tidy up

system · January 16, 2015, 6:15am

Just wanted to say that I haven’t seen any warning pop ups since using my laptop again. Thank you for all of your help, it runs quicker than it used to now.

essexboy · January 16, 2015, 1:15pm

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe

URL: Mal warning pop ups

Announcements