
Critical Alert (Error #268D3), Call 1-844-307-7679


  • This topic is locked
28 replies to this topic

#1 barnierubble

barnierubble

  • Members
  • 20 posts

Posted 24 July 2016 - 06:07 PM

Upon visiting some websites I'm interrupted by a warning purporting to be from Microsoft and threatening to disable my computer if I don't call them right away.  I've just shut down the browser via Task Manager (Firefox, mostly if not always... I use it almost exclusively though atm I'm using Edge).  The message is as follows, accompanied by an audio reading of the message:

 

 

**YOUR COMPUTER HAS BEEN BLOCKED**

Error #268D3

Please call us immediately at +1-844-307-7679

Do not ignore this critical alert.

If you close this page, your computer access will be disabled to prevent further damage to our network.

 

Your computer has alerted us that it has been infected with a virus and spyware. The following information is being stolen.

 

>Facebook Login

>Credit Card Details

>Email Account Login

>Photos stored on this computer

>You must contact us immediately so that our engineers can walk you through the removal process over the phone.  Please call us within the next 5 minutes to prevent your computer from being disabled.

 Toll free: 1-844-307-7679

 

 

This topic was recently posted by user: hursthome, who unfortunately never followed up on any potential resolution.  Bleepingcomputer.com's Satchfan responded to them with some instructions.  I took the liberty of running through their suggestions, but to no avail.  The issue persists.

 

 

Unfortunately I cannot seem to PASTE the FRST.txt log into this msg as requested (no idea why, I've made countless attempts), so find it attached along with the Addition.txt file et al, as per Satchfan's initial instructions to hursthome. Hopefully someone can help me identify the source and rectify this annoyance once and for all.

Attached File  FRST.txt   86.49KB   12 downloads
Attached File  Addition.txt   39.22KB   6 downloads
Attached File  AdwCleanerC1.txt   4.2KB   6 downloads
Attached File  JRT.txt   1.15KB   6 downloads
Attached File  Mbam.txt   1.02KB   5 downloads

 




 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 July 2016 - 08:30 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Failed to access process -> firefox.exe
Failed to access process -> plugin-container.exe
U3 idsvc; no ImagePath
U4 vsserv; no ImagePath
U3 wpcsvc; no ImagePath
Task: {2F7877AB-623D-49DE-80CE-E3D92FFA2DA4} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {5CE08584-C4DF-41EA-84C2-2CCDD85C09D1} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {767481DB-8EC7-49A8-AFEC-8146D0176E72} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {7F7AEE46-9B36-4FC9-9F5D-79AE40193A97} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {865BD9D0-F8D3-48F1-AC7D-B644CFE6707A} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {A8F62C74-4477-44B8-B3D0-E2C82050D9A0} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {C7BD52BD-BA4D-4E91-A211-2F542A1C0EC7} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {DA030661-B354-4B71-A72C-B7B4322CB82C} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {E19C8609-33DC-4626-808C-822AF9C664CC} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {E7D39797-7748-4FB9-8318-8FFFFC4BB5BC} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {F2B9DDBB-FB80-4EBF-A678-D7D230E37F86} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {F432DDF7-33E0-441E-8EC8-FA8FE191CF19} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {F5F6BDE9-5044-4739-94E2-62137FFAD70A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
AlternateDataStreams: C:\Users\Andrew\Desktop\FreeStudio.exe:BDU [0]
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Remove Firefox using the instructions on this page.
https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer

Before proceeding save your Bookmarks.
https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

Install the latest version of the application.

You can then import them to the new version of Firefox.

Firefox Password manager -
Remember, delete and change saved passwords in Firefox
https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-passwords
<<<>>>

Please post the log and let me know what problem persists.
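The fixlist above is built by copying the FRST log lines that matter (scheduled tasks reported as "-> No File", services with "no ImagePath", a suspicious alternate data stream) back into a file for the tool to act on. The following Python helper is an added example, not code from the thread or from the Farbar tool, that parses those three line shapes from a constructed sample and emits a fixlist skeleton in the same style. The flagged GUIDs and paths come from nasdaq's fixlist; the healthy `=> C:\...` task entry is constructed as a negative case, and its layout (`=> target [date] (Publisher)`) is an assumption about how FRST prints a task whose binary exists.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines.

Added example, not code from the thread or from FRST itself. It parses the
line shapes that appear in nasdaq's fixlist above (scheduled tasks that point
to a missing file, services with no ImagePath, alternate data streams) and
builds a fixlist skeleton in the same style. Only the entry types shown in
this thread are handled; everything else FRST logs is passed over.
"""
import re
from dataclasses import dataclass

# Constructed sample input. The GUIDs and paths of the flagged lines are the
# ones from the thread; the "=> C:\..." task is a made-up healthy entry (its
# layout is an assumption about FRST output) that must NOT be flagged.
SAMPLE_FRST_LINES = r"""
U3 idsvc; no ImagePath
U4 vsserv; no ImagePath
Task: {2F7877AB-623D-49DE-80CE-E3D92FFA2DA4} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {DA030661-B354-4B71-A72C-B7B4322CB82C} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {00000000-0000-0000-0000-000000000001} - \ExampleVendor\Updater => C:\Program Files\ExampleVendor\updater.exe [2016-01-01] (Example Vendor Inc.)
AlternateDataStreams: C:\Users\Andrew\Desktop\FreeStudio.exe:BDU [0]
""".strip().splitlines()

# "Task: {GUID} - \path -> No File ..."  or  "Task: {GUID} - \path => C:\target [date] (Publisher)"
TASK_RE = re.compile(r"^Task: (\{[0-9A-Fa-f-]+\}) - (\S+) (?:-> No File|=> (.+?)(?: \[|$))")
# "U3 idsvc; no ImagePath"  (start-type code, service name)
SERVICE_RE = re.compile(r"^([URS]\d) ([^;]+); no ImagePath$")
# "AlternateDataStreams: C:\path\file.exe:StreamName [size]"
ADS_RE = re.compile(r"^AlternateDataStreams: (.+?):([^:\\]+) \[\d+\]$")


@dataclass
class Finding:
    kind: str     # orphan_task | no_imagepath_service | ads
    name: str     # task path, service name, or file path
    detail: str   # GUID, start-type code, or stream name
    raw: str      # original log line, kept verbatim for the fixlist


def triage(lines):
    """Return a Finding for every FRST line that matches one of the known shapes."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = TASK_RE.match(line)
        if m:
            guid, task_path, target = m.groups()
            if target is None:      # "-> No File": the task's binary is gone
                findings.append(Finding("orphan_task", task_path, guid, line))
            continue                # healthy "=> target" tasks are not flagged
        m = SERVICE_RE.match(line)
        if m:
            findings.append(Finding("no_imagepath_service", m.group(2), m.group(1), line))
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append(Finding("ads", m.group(1), m.group(2), line))
    return findings


def build_fixlist(findings):
    """Fixlist lines in the style of the thread: a restore point first, then the
    flagged log lines copied verbatim (FRST matches removal entries by exact line)."""
    return ["CreateRestorePoint:"] + [f.raw for f in findings]


if __name__ == "__main__":
    found = triage(SAMPLE_FRST_LINES)
    for f in found:
        print(f"{f.kind:22} {f.name}  ({f.detail})")
    print("\n".join(build_fixlist(found)))
```

Run it as a script to see the five flagged entries and the resulting fixlist; the healthy task line is deliberately absent from the output, which is the check that matters when a log has hundreds of task entries.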

#3 barnierubble

barnierubble
  • Topic Starter

  • Members
  • 20 posts

Posted 25 July 2016 - 12:50 PM

Thanks for your response nasdaq.  I followed your instructions but as I stated previously, I cannot seem to PASTE any content into these posts (I have no idea why).  Please find the Fixlog.txt  file attached.

 

Beyond that, the original issue persists.  It's occurred via (seemingly) random avenues, but the most consistent trigger that I can cite thus far is mp3juices.one, whereupon the "Critical Alert from Microsoft" window/message will occur 7/10 times now by my estimation.  I've used the site frequently as reference, and for the odd mp3/download in past, accessing it usually via bookmark.

Attached File  Fixlog.txt   10.15KB   6 downloads


Edited by barnierubble, 25 July 2016 - 12:55 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 July 2016 - 06:23 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

This may also help.
Microsoft Edge: How to Clear Browser History and Cache
http://acer--uk.custhelp.com/app/answers/detail/a_id/38047/~/microsoft-edge%3A-how-to-clear-browser-history-and-cache

What are the issues with the other browsers?

P.S.
It's OK to attach the file.

#5 barnierubble

barnierubble
  • Topic Starter

  • Members
  • 20 posts

Posted 26 July 2016 - 02:31 PM

Attached File  zoek-results.log   6.69KB   5 downloads

 

Computer seems to be "behaving" normally after having followed those instructions.  Nothing appears out of the ordinary, but after accessing several bookmarks with Firefox the only one that prompted the original "critical alert from Microsoft" pop-up was that mp3juices.one url...  After that I accessed the same url using Edge and encountered the same alert message.

 

Could it be that site is a malicious website? If so, I'll delete the bookmark and avoid it like the plague, but that still leaves the question of potentially related malware being on my system.  But if I knew the answer to that, I wouldn't be here.

 

Hopefully you can direct me further toward the answer, and solution if necessary.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 July 2016 - 07:30 AM


I do not know of any tools to check or remove bookmarks.
You can place the cursor on the link to each bookmark and find out if the URL (link) is what you expect. If any is an unknown site, remove it.

You can also run this online scan

Please scan your computer with ESET Online Scanner.
  • Click on this link to open ESET Online Scanner in a new window.
    • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    • Close all your programs and browsers.
    • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.
===

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#7 barnierubble

barnierubble
  • Topic Starter

  • Members
  • 20 posts

Posted 27 July 2016 - 05:45 PM

I went through those instructions exactly, Nasdaq.  Twice in fact, the 1st scan indicated 9 threats before I had to walk away... the scan was >2hrs so I wasn't able to stick around for the duration, but it never completed.  I returned to a black window with a dialogue box on top stating that the process could not be completed.

Attached File  ESET_ScanResults.png   25.5KB   0 downloads 

 

I went through the process as instructed once more, wherein the scan only identified 1 threat within the later portion, only to have an identical result as the first scan. As you pointed out, ESET only creates a log upon ending its process so there's no record of the threats it identified or what if anything has been done with them.  Kind of a huge waste of a day.

 

This process has certainly provided more questions than answers at this point, so I hope you can forgive my frustration.


Edited by barnierubble, 27 July 2016 - 06:01 PM.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 July 2016 - 07:41 AM

EOS_2 UTILITY IS FROM CANON.

Did you ever have any Canon products on this computer?

Other than that do you have any issues?

#9 barnierubble

barnierubble
  • Topic Starter

  • Members
  • 20 posts

Posted 28 July 2016 - 05:43 PM

I think I may have a registry issue at the moment. I was recently attempting to delete registry keys that pertained to some free software that was suspect. I followed a set of instructions obtained from

http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

and although I was careful, I'm having some issues that may be related to that. So today, I tried then to Restore back to 3 different restore points, which all resulted in the following:

Attached File  SystemRestoreDidNotCompleteSuccessfully-IMAGE.png   10.91KB   0 downloads

 

Of course, the 2nd and 3rd attempts to Restore were done with antivirus disabled as the dialogue box suggests, but to no avail. It also suggests trying an "Advanced Recovery Method" but I don't even know what that means.  I passed my comfort level a long time ago, and at this point I'm cursing myself and this bleepin' computer.  Any advice?

 

Perhaps I need to go drastic and transfer all my datafiles to another location and reinstall Windows 10. If I had the means I'd just throw it away and go buy a Mac... I mean, what good is any technology if I spend my whole life's energy simply maintaining it?

 

Thank you nonetheless for your help thus far


Edited by barnierubble, 28 July 2016 - 05:56 PM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 July 2016 - 08:09 AM


Download and run this Revo Uninstaller tool.
http://www.revouninstaller.com/

Remove every entry associated with programs you wish to remove.

==

Restore point if all fails.
This program will recreate the correct registry setting and re-register all VSS components. Please download one of the below programs to fix your problem:

Operating system 32 or 64 bit.

VSSfix 32bit
http://updates.macrium.com/reflect/utilities/vssfix.exe

VSSfix 64bit
http://updates.macrium.com/reflect/utilities/vssfixx64.exe

You can right click the exe file and run as Administrator in normal mode and see if that solves the problem. If not try running in Safe Mode.

Keep me posted.

#11 barnierubble

barnierubble
  • Topic Starter

  • Members
  • 20 posts

Posted 29 July 2016 - 02:56 PM

I had already uninstalled the programs in question, but also went so far as to follow the instructions I cited in my last post in order to delete some registry files related to said programs.  I don't think there's anything left of them, so forgive me, I'm not sure what to do with REVOuninstaller.

 

At the time I thought it was a wise move, but I'm now suspicious it may have done more harm than good given the timing.  For example, immediately afterward my wireless printer would not engage, though printing directly from a webpage worked, but the final dialogue box to verify the action showed as a much larger black box with basic text (DOS style) as opposed to the traditional small grey dialogue box I'm accustomed to seeing.  It's strange.

 

Unless any of that changes your last instructions, should I go ahead with "VSSfix" or did you intend for me to employ REVO and then VSSfix, specifically in that order?

 

I will only follow your instructions exactly without deviation henceforth, so I don't screw things up more.  Just need your patience as I'm out of my depth.



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 July 2016 - 07:08 AM

Forget about the RevoUninstaller for now.

my wireless printer would not engage, though printing directly from a webpage worked, but the final dialogue box to verify the action showed as a much larger black box with basic text (DOS style) as opposed to the traditional small grey dialogue box I'm accustomed to seeing. It's strange.

It may help to reinstall the printer.

==

The VSS fix is to repair the System Restore.

Run it.

Keep me posted.

#13 barnierubble

barnierubble
  • Topic Starter

  • Members
  • 20 posts

Posted 30 July 2016 - 05:51 PM

Thanks for that clarification. I ran VSSfix, which only took a few seconds. Attempted System Restore 3 more times after that using 2 different restore points just to be thorough, with the antivirus disabled of course. Unfortunately the results were all the same as previous attempts:

Attached File  SystemRestoreDidNotCompleteSuccessfully-IMAGE.png   10.91KB   0 downloads


Edited by barnierubble, 30 July 2016 - 05:53 PM.


#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 July 2016 - 08:26 AM

Was there another virus protection software installed/removed before ZoneAlarm?

#15 barnierubble

barnierubble
  • Topic Starter

  • Members
  • 20 posts

Posted 01 August 2016 - 01:43 PM

Was there another virus protection software installed/removed before ZoneAlarm?

 

Yes, Rogers Online Protection Basic, it was "uninstalled" for the Windows 10 upgrade. Could it still prevent a successful System Restore?





