Author Topic: Clickered.com pop-up  (Read 5748 times)


REDACTED

  • Guest
Clickered.com pop-up
« on: August 27, 2014, 04:14:36 AM »
I have a custom built machine running Windows 7.

My Avast Web Shield has been going crazy since yesterday with pop up windows alerting me to threat detections. All the pop ups say the following:

avast! Web Shield has blocked a harmful webpage or file.

Process: C:\Users\Terry\AppData\...\chrome.exe
Infection: URL:Mal
Object: hxxp://clickered.com/cen?ag=b65b07b69e0d7c318a8620be45ed72d5-18-0&g=ZZZ&t=aa2a773

The first part of the above object threat from the hxxp through to the ag= is always the same for each threat detected. The numbers following the = are different for each threat.

The pop ups are from WebShield and they come in sets of 6 threats/popups every 10 minutes.

I've followed all the instructions in the "Logs to assist in cleaning malware" and have attached the logs. Please let me know if you need anything more from me.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Clickered.com pop-up
« Reply #1 on: August 27, 2014, 01:20:20 PM »
Thank you for providing the log files.
Now have some patience please, a malware removal expert will soon help you to solve it.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Clickered.com pop-up
« Reply #2 on: August 27, 2014, 03:17:58 PM »
Here you go, this should clear it

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
HKU\S-1-5-21-591495085-3126796574-4059196606-1001\...\Run: [fTalk] => [X]
HKU\S-1-5-21-591495085-3126796574-4059196606-1001\...\Run: [TornTv Downloader] => C:\Users\Terry\AppData\Roaming\TornTV.com\Torntv Downloader.exe [296960 2014-08-19] (Cool Mirage)
SearchScopes: HKLM-x32 - DefaultScope {61F8549E-4E97-4793-B4BE-38699C48D317} URL =
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKCU - {61F8549E-4E97-4793-B4BE-38699C48D317} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289075&CUI=UN11042830903143710&UM=2
SearchScopes: HKCU - {7338B377-503A-4DF7-9D77-E7E2779A1F6E} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=714647&p={searchTerms}
SearchScopes: HKCU - {8B585516-F8F2-4B77-BA8B-DE89A3E1101E} URL = http://search.conduit.com/Results.aspx?ctid=CT3300024&SearchSource=45&UM=2&q={searchTerms}
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
CHR HKCU\...\Chrome\Extension: [cflheckfmhopnialghigdlggahiomebp] - C:\Users\Terry\AppData\Local\CRE\cflheckfmhopnialghigdlggahiomebp.crx [2013-03-26]
CHR HKCU\...\Chrome\Extension: [klibnahbojhkanfgaglnlalfkgpcppfi] - C:\Users\Terry\AppData\Local\CRE\klibnahbojhkanfgaglnlalfkgpcppfi.crx [2013-03-26]
CHR HKLM-x32\...\Chrome\Extension: [klibnahbojhkanfgaglnlalfkgpcppfi] - C:\Users\Terry\AppData\Local\CRE\klibnahbojhkanfgaglnlalfkgpcppfi.crx [2014-07-25]
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
R2 TorchCrashHandler; C:\Users\Terry\AppData\Local\Torch\Update\TorchCrashHandler.exe [1205088 2013-06-27] (TorchMedia Inc.) [File not signed]
R2 trntv; C:\Users\Terry\AppData\Roaming\TornTV.com\TornTVSvc.exe [10240 2014-08-19] () [File not signed]
2014-08-25 16:41 - 2014-08-25 16:42 - 00000000 ____D () C:\Users\Terry\AppData\Local\Idle~_~Crawler
2014-08-25 16:41 - 2014-08-25 16:41 - 00004578 _____ () C:\Windows\System32\Tasks\Idle~_~Crawler Runner
2014-08-25 16:41 - 2014-08-25 16:41 - 00004018 _____ () C:\Windows\System32\Tasks\LaunchSignup
2014-08-25 16:37 - 2014-08-25 16:42 - 00000000 ____D () C:\Program Files (x86)\globalUpdate
2014-08-25 16:37 - 2014-08-25 16:37 - 00000000 ____D () C:\Users\Terry\AppData\Local\globalUpdate
2014-08-25 16:36 - 2014-08-25 16:37 - 00000000 ____D () C:\Users\Terry\AppData\Roaming\TornTV.com
2014-08-26 12:55 - 2014-06-30 15:13 - 00000000 _____ () C:\Windows\system32\Drivers\lvuvc.hs
2014-08-26 12:53 - 2013-05-01 11:47 - 00000000 ____D () C:\Users\Terry\AppData\Local\CRE
Task: {0F5CC53C-1035-47D0-B0D2-0431F57C1C91} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
Task: {CF903100-56B5-409A-B57E-CAFB4B953AE6} - System32\Tasks\Idle~_~Crawler Runner => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe
Task: {E5D7C7FF-8250-4174-8D62-F0B371670907} - System32\Tasks\Microsoft\Windows\Maintenance\Idle~_~Crawler Update => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe
C:\Program Files (x86)\globalUpdate
C:\Users\Terry\AppData\Local\Idle~_~Crawler
C:\Users\Terry\AppData\Roaming\TornTV.com
C:\Users\Terry\AppData\Local\Google\Chrome\User Data\Default\File System\006
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
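
An added example, not part of the post above and not FRST's own code: a short Python triage of some of the fixlist lines quoted in that post, grouping them by autostart mechanism and flagging targets that sit in user-writable paths or are reported as unsigned. The category names and the user-writable heuristic are assumptions made for this example.

```python
import re

# Lines copied from the fixlist quoted in the post above (a subset of it).
FIXLIST = r"""
HKU\S-1-5-21-591495085-3126796574-4059196606-1001\...\Run: [TornTv Downloader] => C:\Users\Terry\AppData\Roaming\TornTV.com\Torntv Downloader.exe [296960 2014-08-19] (Cool Mirage)
CHR HKCU\...\Chrome\Extension: [cflheckfmhopnialghigdlggahiomebp] - C:\Users\Terry\AppData\Local\CRE\cflheckfmhopnialghigdlggahiomebp.crx [2013-03-26]
R2 TorchCrashHandler; C:\Users\Terry\AppData\Local\Torch\Update\TorchCrashHandler.exe [1205088 2013-06-27] (TorchMedia Inc.) [File not signed]
R2 trntv; C:\Users\Terry\AppData\Roaming\TornTV.com\TornTVSvc.exe [10240 2014-08-19] () [File not signed]
Task: {0F5CC53C-1035-47D0-B0D2-0431F57C1C91} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
Task: {CF903100-56B5-409A-B57E-CAFB4B953AE6} - System32\Tasks\Idle~_~Crawler Runner => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe
C:\Program Files (x86)\globalUpdate
EmptyTemp:
"""

# Assumed triage categories (this example's own labels, not FRST terminology).
PATTERNS = [
    ("run_key", re.compile(r"^HK\w+\\.*\\Run: \[(?P<name>[^\]]+)\] => (?P<target>.*)$")),
    ("chrome_extension", re.compile(r"^CHR .*\\Extension: \[(?P<name>[^\]]+)\] - (?P<target>.*)$")),
    ("service", re.compile(r"^[RS]\d (?P<name>[^;]+); (?P<target>.*)$")),
    ("scheduled_task", re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (?P<name>.*?) => (?P<target>.*)$")),
]
# Heuristic: a target under the user profile can be replaced without admin rights.
USER_WRITABLE = re.compile(r"\\AppData\\|%LOCALAPPDATA%|%APPDATA%", re.IGNORECASE)


def classify(line):
    """Return mechanism, name and risk flags for one line, or None if unrecognised."""
    for mechanism, rx in PATTERNS:
        m = rx.match(line)
        if m:
            return {
                "mechanism": mechanism,
                "name": m.group("name"),
                "user_writable": bool(USER_WRITABLE.search(m.group("target"))),
                "unsigned": "[File not signed]" in line,
            }
    return None


def triage(text):
    """Classify every recognised autostart line; directory and directive lines are skipped."""
    hits = (classify(line.strip()) for line in text.splitlines())
    return [h for h in hits if h]


if __name__ == "__main__":
    for e in triage(FIXLIST):
        flags = [k for k in ("user_writable", "unsigned") if e[k]]
        print(f'{e["mechanism"]:17} {e["name"]:35} {", ".join(flags) or "-"}')
```
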

REDACTED

  • Guest
Re: Clickered.com pop-up
« Reply #3 on: August 27, 2014, 07:35:53 PM »
Thank you for all the information. I followed your instructions. Here are the 2 logs. Please let me know what my next step is. When browsing my computer to find the AdwCleaner text file, I also saw another file in that folder: AdwCleaner[R0].txt. Do you need that file as well?

Offline essexboy

Re: Clickered.com pop-up
« Reply #4 on: August 27, 2014, 07:45:43 PM »
Could you confirm that the alerts have stopped?

The other adwcleaner log is just a duplicate :)

REDACTED

  • Guest
Re: Clickered.com pop-up
« Reply #5 on: August 27, 2014, 07:58:50 PM »
Thank you. Yes, the alerts have stopped completely. Is it safe to re-install Chrome as my browser? I had uninstalled it a few days ago when all this first began.

Offline essexboy

Re: Clickered.com pop-up
« Reply #6 on: August 27, 2014, 08:00:13 PM »
It should be OK as you had a chrome imitator on your system

Once you are happy let me know and I will tidy up

REDACTED

  • Guest
Re: Clickered.com pop-up
« Reply #7 on: August 27, 2014, 08:19:39 PM »
I just re-installed Google Chrome and all settings are still there. So far everything seems to be good. The threats seem to be gone. There hasn't been a pop up alert since I began running FRST at 8am today (just over 3 hrs ago). I can't thank you enough for everything you did to help me out. What do I need to do with all the log files that you originally instructed me to save and send to you? I assume the tools you had me download should be kept on my computer for possible future use.

Offline essexboy

Re: Clickered.com pop-up
« Reply #8 on: August 27, 2014, 08:29:26 PM »
As the tools are regularly updated, I will clear them for you as an old tool is not much good :)

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware



Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe  :wave:

REDACTED

  • Guest
Re: Clickered.com pop-up
« Reply #9 on: August 27, 2014, 08:41:34 PM »
When I run Delfix, should I make sure all those boxes are checked like the pic shows? Should I run that now or wait until the 24 hrs have lapsed?

Offline essexboy

Re: Clickered.com pop-up
« Reply #10 on: August 27, 2014, 08:56:22 PM »
Use the boxes as ticked. You can do it now or tomorrow, your choice :)

REDACTED

  • Guest
Re: Clickered.com pop-up
« Reply #11 on: August 29, 2014, 01:40:10 AM »
My Malwarebytes Anti-Malware completed a scan and found problems. I've attached a log of the items. I'm not sure what the problem is since everything was good yesterday after your help. Please advise.

Offline essexboy

Re: Clickered.com pop-up
« Reply #12 on: August 29, 2014, 02:34:24 PM »
They are just two references to conduit that the other tools missed and are not a problem

REDACTED

  • Guest
Re: Clickered.com pop-up
« Reply #13 on: August 29, 2014, 04:22:50 PM »
Is there anything I need to do? The only thing I did after the clean up was re-install Chrome as my browser. If I need to uninstall it again and use a different browser, let me know and I'll do that. Thank you.

Offline essexboy

Re: Clickered.com pop-up
« Reply #14 on: August 29, 2014, 04:36:33 PM »
No, that should be OK now