Author Topic: Harrassing pop-up : onlinesecuritymetere.in  (Read 12284 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
Re: Harrassing pop-up : onlinesecuritymetere.in
« Reply #15 on: May 07, 2015, 11:00:52 AM »
I did the scan and cleaning, but I'm still getting the pop-ups.
Here are the logs.

mbar-log :

Malwarebytes Anti-Rootkit BETA 1.09.1.1004
www.malwarebytes.org

Database version:
  main:    v2015.05.06.04
  rootkit: v2015.04.21.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17728
Nizar :: NIZAR-PC [administrator]

5/6/2015 10:29:01 PM
mbar-log-2015-05-06 (22-29-01).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 450202
Time elapsed: 10 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp120C.exe (Trojan.Krypt) -> Delete on reboot. [d894bed258324de958154dbe18eab44c]
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp4A67.exe (Trojan.Agent.FSAVXGen) -> Delete on reboot. [c2aa8e021f6b77bf80656446ec1507f9]
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp53E9.exe (Trojan.Agent.DED) -> Delete on reboot. [98d45b3593f7c76f187fa45715eced13]

Physical Sectors Detected: 0
(No malicious items detected)

(end)


-------------------------------------------
-------------------------------------------
-------------------------------------------

System-log :

Malwarebytes Anti-Rootkit BETA 1.09.1.1004

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.17728

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, X:\ DRIVE_FIXED
CPU speed: 3.202000 GHz
Memory total: 12823044096, free: 9158299648

Downloaded database version: v2015.05.06.04
Downloaded database version: v2015.04.21.01
Downloaded database version: v2015.05.06.01
=======================================
Initializing...
------------ Kernel report ------------
     05/06/2015 22:28:46
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\DRIVERS\iaStorA.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\asahci64.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\DRIVERS\iaStorF.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\aswVmm.sys
\SystemRoot\System32\Drivers\aswRvrt.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\drivers\aswSnx.sys
\SystemRoot\system32\drivers\aswSP.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\drivers\aswRdr2.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\SysWow64\drivers\AsIO.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\drivers\ctaud2k.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\ctoss2k.sys
\SystemRoot\system32\drivers\ctprxy2k.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\DRIVERS\e1c62x64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\DRIVERS\asmtxhci.sys
\SystemRoot\system32\DRIVERS\1394ohci.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\dtscsibus.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\drivers\ha20x22k.sys
\SystemRoot\system32\drivers\emupia2k.sys
\SystemRoot\system32\drivers\ctsfm2k.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\drivers\CTHWIUT.SYS
\SystemRoot\System32\drivers\CT20XUT.SYS
\SystemRoot\System32\drivers\CTEXFIFX.SYS
\SystemRoot\system32\drivers\nvhda64v.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\DRIVERS\asmthub3.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\Drivers\dump_iaStorA.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\aswMonFlt.sys
\??\C:\Windows\system32\drivers\mbam.sys
\SystemRoot\system32\DRIVERS\athurx.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\system32\drivers\aswStm.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\??\C:\Windows\system32\drivers\acedrv11.sys
\SystemRoot\system32\drivers\aswHwid.sys
\SystemRoot\system32\drivers\npf.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\nsi.dll
\Windows\System32\iertutil.dll
\Windows\System32\user32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\shell32.dll
\Windows\System32\difxapi.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\msvcrt.dll
\Windows\System32\sechost.dll
\Windows\System32\msctf.dll
\Windows\System32\shlwapi.dll
\Windows\System32\ole32.dll
\Windows\System32\normaliz.dll
\Windows\System32\usp10.dll
\Windows\System32\clbcatq.dll
\Windows\System32\gdi32.dll
\Windows\System32\psapi.dll
\Windows\System32\advapi32.dll
\Windows\System32\lpk.dll
\Windows\System32\ws2_32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\oleaut32.dll
\Windows\System32\setupapi.dll
\Windows\System32\urlmon.dll
\Windows\System32\kernel32.dll
\Windows\System32\wininet.dll
\Windows\System32\Wldap32.dll
\Windows\System32\imm32.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\devobj.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\wintrust.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\crypt32.dll
\Windows\System32\comctl32.dll
\Windows\System32\userenv.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\msasn1.dll
\Windows\System32\profapi.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!

Scan started
Database versions:
  main:    v2015.05.06.04
  rootkit: v2015.04.21.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800ac59790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800ac592c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800ac59790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800ab8ac50, DeviceName: Unknown, DriverName: \Driver\iaStorF\
DevicePointer: 0xfffffa800a8fb040, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa800a8a26f0, DeviceName: \Device\00000077\, DriverName: \Driver\iaStorA\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 62C0FF3C

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 468652032

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 240057409536 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa800ac5f790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800ac5f2c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800ac5f790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800ab8bc50, DeviceName: Unknown, DriverName: \Driver\iaStorF\
DevicePointer: 0xfffffa800a8f8060, DeviceName: \Device\00000078\, DriverName: \Driver\iaStorA\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 13EDEF9C

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 1331200000

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1331202048  Numsec = 622317568

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xfffffa8012c2a060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8012c28b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8012c2a060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8012b6ab80, DeviceName: Unknown, DriverName: \Driver\iaStorF\
DevicePointer: 0xfffffa8012c24b60, DeviceName: \Device\0000009b\, DriverName: \Driver\USBSTOR\
------------ End ----------
Infected: C:\ProgramData\Microsoft\Secure\Icons\temp\tmp120C.exe --> [Trojan.Krypt]
Infected: C:\ProgramData\Microsoft\Secure\Icons\temp\tmp4A67.exe --> [Trojan.Agent.FSAVXGen]
Infected: C:\ProgramData\Microsoft\Secure\Icons\temp\tmp53E9.exe --> [Trojan.Agent.DED]
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-C0A52BF0372227CBDF49E2BBB5E658D1A0AFA169.bin.VE1" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-C0A52BF0372227CBDF49E2BBB5E658D1A0AFA169.bin.VF" is compressed (flags = 1)
File "C:\ProgramData\AVAST Software\Avast\log\AvastSvc.log" is compressed (flags = 1)
File "C:\ProgramData\AVAST Software\Avast\log\AvastUI.log" is compressed (flags = 1)
File "C:\ProgramData\AVAST Software\Avast\log\CommChannel.Protocol.log" is compressed (flags = 1)
File "C:\ProgramData\AVAST Software\Avast\log\Instup.log" is compressed (flags = 1)
File "C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Update.log" is compressed (flags = 1)
Scan finished
Creating System Restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removal finished


REDACTED

  • Guest
Re: Harrassing pop-up : onlinesecuritymetere.in
« Reply #16 on: May 08, 2015, 06:17:14 AM »
Please post a fresh FRST scan log.

REDACTED

  • Guest
Re: Harrassing pop-up : onlinesecuritymetere.in
« Reply #17 on: May 08, 2015, 10:57:34 PM »
I really wonder why it worked with other people already from steps before.
Do you think killing the explorer.exe process before running the scans and fixed could make a difference ?

The FRST Scan log as well as the Addition.txt are in the attachment (copy/paste doesn't go 'cause the message exceeds the characters limit).

REDACTED

  • Guest
Re: Harrassing pop-up : onlinesecuritymetere.in
« Reply #18 on: May 11, 2015, 03:20:53 PM »
Explorer.exe should not have caused this. Follow the step outlined below and we shall move on from there.
  • Step #4 Run ComboFix
    Download ComboFix by sUBs from one of the suitable locations listed below and save it to your Desktop.
    Download Link #1
    Download Link #2
    Donwload Link #3

    Warning
    Please acknowledged yourself this warning beforehand. The tool, ComboFix, is an extremely powerful malware removal tool if not one of the most powerful tools ever created. In the hands of an inept person or a simple mistake can render your machine un-bootable. Peruse every step I listed below unless you want a dreadful occurrence.
    ***

    • Disable your security software. For more information, peruse this thread;
    • Right-click and choose Run as administrator to run the program.
    • As a buit-in process, ComboFix will check if you system has Microsoft Windows Recovery Console installed. Let Combofix download and install Microsoft Windows Recovery Console.
      • It requires an active internet connection.
      • If your system already has Microsoft Windows Recovery Console installed, this step will be skipped
    • ComboFix will now scan your system for malwares and will attempt to remove them.
      • Note: ComboFix performs fifty steps during this fix. Please be patient.
    • After the scan your system will reboot and a log will be produced. The log is automatically saved in C:\ComboFix.txt.
    • Attach the log in your next reply.
    Crucial Notes:
    • Do not mouse-click when ComboFix is running as it may stall.
    • Do not re-run ComboFix if you face a problem. Ask for my instruction here.
    • ComboFix will make Internet Explorer your default browser and will change number of different Internet Explorer settings.
    • ComboFix prevents autorun functions of all CD and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell me.
    • It is possible that ComboFix, even on its first run, may have fixed the problems you are having. We strongly suggest that you still post your log into the topic that you are receiving help as you most likely will have infections left over that your helper will need to analyze further.
    • ComboFix will disconnect your system from internet for security measures. The connection is automatically restored after the scan but if it does not, it can be restored by rebooting the PC.

REDACTED

  • Guest
Re: Harrassing pop-up : onlinesecuritymetere.in
« Reply #19 on: May 12, 2015, 01:47:45 AM »
Hello,
I just put my antiradioactive suit and ran Combofix, it went through some stages but I have this warning:

Unable to create a backup of the current registry file
C:\Windows\System32\config\SYSTEM !
Continue restoration of this file?


I have no idea whether to say Yes or No.

I'm writing from my mobile phone, I'm keeping the computer on standby until I hear from you.

REDACTED

  • Guest
Re: Harrassing pop-up : onlinesecuritymetere.in
« Reply #20 on: May 12, 2015, 01:51:59 AM »
By the way, Combofix is just about to reboot. Screen says this:

Rebooting Windows
Please allow Combofix to reboot the machine.
Warning! Do not manually reboot the machine yourself

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Harrassing pop-up : onlinesecuritymetere.in
« Reply #21 on: May 12, 2015, 12:19:38 PM »
Last one is just saying let CF do it, don't touch anything. When CF reboots the machine, it will auto run and do more stuff. if you do the reboot using the power button, CF won't continue.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

REDACTED

  • Guest
Re: Harrassing pop-up : onlinesecuritymetere.in
« Reply #22 on: May 12, 2015, 04:33:28 PM »
FRST has already created a backup of the registry so continue with ComboFix.

REDACTED

  • Guest
Re: Harrassing pop-up : onlinesecuritymetere.in
« Reply #23 on: May 13, 2015, 12:22:25 AM »
I continued but I got this error message :

Error restoring C:/Windows/erdnt/subs/system
To
C:/Windows /System32/config/System

Continue with the next file?
[RegReplaceKey: 5 - Access is denied]

I was going to click Yes, but I'd better be sure and wait for your response.

It will be the second day I sleep with the computer turned on right beside me...

REDACTED

  • Guest
Re: Harrassing pop-up : onlinesecuritymetere.in
« Reply #24 on: May 13, 2015, 03:28:07 PM »
Click 'Yes' and proceed.

REDACTED

  • Guest
Re: Harrassing pop-up : onlinesecuritymetere.in
« Reply #25 on: May 14, 2015, 02:28:39 AM »
The log file is attached.

I have the impression that the pop-ups have stopped - hurray !
Not sure yet though because I'm not having access to my computer very often these days, but if I see something I will let you know.

Thank you very much for your pro help ! :)

REDACTED

  • Guest
Re: Harrassing pop-up : onlinesecuritymetere.in
« Reply #26 on: May 14, 2015, 06:38:15 AM »
Monitor it for the next 24 hours and report to me. Just a friendly reminder, if you ever encounter such problem in the future, do not run Combofix on your own as it one of the most powerful removal tools and if done incorrectly, it can make the PC un-bootable.

REDACTED

  • Guest
Re: Harrassing pop-up : onlinesecuritymetere.in
« Reply #27 on: May 15, 2015, 12:59:04 AM »
Bad news ... I'm still getting pop-ups about the same thing.

Is this thing just extremely annoying, or is there some kind of danger related to it ? Like should I backup my stuff or it's inoffensive ?

REDACTED

  • Guest
Re: Harrassing pop-up : onlinesecuritymetere.in
« Reply #28 on: May 16, 2015, 03:34:52 PM »
  • Step #5 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
Code: [Select]
Start
CreateRestorePoint:
CloseProcesses:
Emptytemp:
ShellIconOverlayIdentifiers: [1SecureIconsProvider] -> {FC9D8189-520A-4417-AED7-9EAC810C6FBA} => C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll [2014-11-17] ()
C:\ProgramData\Microsoft\Secure
End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt;
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
        Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Copy and Paste the contents of the log in your next reply.
    [/list]
    « Last Edit: May 16, 2015, 03:36:25 PM by Valinorum »

    REDACTED

    • Guest
    Re: Harrassing pop-up : onlinesecuritymetere.in
    « Reply #29 on: May 17, 2015, 04:08:35 PM »
    Here is the log file. So far no pop-ups ! :)

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-05-2015 02
    Ran by Nizar at 2015-05-17 15:14:52 Run:2
    Running from C:\Users\Nizar\Desktop
    Loaded Profiles: Nizar (Available profiles: Nizar & UpdatusUser)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    Start
    CreateRestorePoint:
    CloseProcesses:
    Emptytemp:
    ShellIconOverlayIdentifiers: [1SecureIconsProvider] -> {FC9D8189-520A-4417-AED7-9EAC810C6FBA} => C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll [2014-11-17] ()
    C:\ProgramData\Microsoft\Secure
    End
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\1SecureIconsProvider" => Key deleted successfully.
    "HKCR\CLSID\{FC9D8189-520A-4417-AED7-9EAC810C6FBA}" => Key deleted successfully.

    "C:\ProgramData\Microsoft\Secure" directory move:

    Could not move "C:\ProgramData\Microsoft\Secure" directory. => Scheduled to move on reboot.

    EmptyTemp: => Removed 458.2 MB temporary data.

    Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-05-17 15:16:34)<=

    C:\ProgramData\Microsoft\Secure => Is moved successfully.

    ==== End of Fixlog 15:16:34 ====