Clickered.com Malware

Hello
Sorry to have to bother you with the same question but I also have clickered.com malware messages popping up in Avast and the iStartsurf bug in Firefox. I have run both Trojankiller and Malwarebytes Anti-Malware. Both have removed dozens of files and I’ve rebooted and reset Firefox’s parameters but both problems keep resurfacing.

Having run the farbar scan I have created the two log files which are attached.
Thanks

Hi :)

I will review your logs and post back with my thoughts shortly :)

Uninstall some programs

We need to uninstall some programs.

[*]Press the Windows key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
[*]Search there for each entry mentioned below, right-click the entry and click Uninstall one at a time.

[b]The list of programs to uninstall:[/b]

[*]Ask Toolbar Updater
[*]Idle~_~Crawler

After completing uninstalls, please manually reboot your machine!

Fix with Farbar Recovery Scan Tool

[b]This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.[/b]

Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

[*]Copy the entire content of the codebox below and paste into the Notepad document:

start
() C:\Users\Suzanne\AppData\Local\Idle~_~Crawler\Idle~_~Crawler.exe
(The Chromium Authors) C:\Users\Suzanne\AppData\Local\Idle~_~Crawler\Chrome-bin\chrome.exe
C:\Users\Suzanne\AppData\Local\Idle~_~Crawler
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=ds&ts=1409653905&from=amt&uid=TOSHIBAXMK3275GSX_2229F0C3SXX2229F0C3S&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=ds&ts=1409653905&from=amt&uid=TOSHIBAXMK3275GSX_2229F0C3SXX2229F0C3S&q={searchTerms}
SearchScopes: HKCU - {945A4D9A-D63D-4D21-9189-EB40BFE16AE2} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=U4&apn_dtid=OSJ000YYUK&apn_uid=AA88C244-432C-4DCC-B4DA-ECD7D84C9FB3&apn_sauid=2AB679ED-8B41-4C10-8567-5B4F266E6CBD
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Task: {A13FC72C-F697-4F38-A0A2-075B25E42B82} - System32\Tasks\Idle~_~Crawler Runner => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe <==== ATTENTION
Task: {0C0730EE-B88B-441E-A2FE-03096854D09F} - System32\Tasks\Microsoft\Windows\Maintenance\Idle~_~Crawler Update => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe <==== ATTENTION
Task: C:\Windows\Tasks\OALKHIRY.job => C:\Users\Suzanne\AppData\Roaming\OALKHIRY.exe
C:\Users\Suzanne\AppData\Roaming\OALKHIRY.exe
Task: {B8EA761D-4C8F-40ED-BDC7-06A9C01C302D} - System32\Tasks\OALKHIRY => C:\Users\Suzanne\AppData\Roaming\OALKHIRY.exe
AlternateDataStreams: C:\ProgramData\TEMP:0CFF5F08
EmptyTemp:
end

[*]Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

[*]Right-click on the FRST icon and select Run as Administrator to start the tool.

XP users: click Run after receipt of the Windows Security Warning - Open File.
Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.
[*]Right-click on the FRST icon and select Run as Administrator to start the tool.

XP users: click Run after receipt of the Windows Security Warning - Open File.
Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
[*]Make sure that Addition option is checked.
[*]Press Scan button and wait.
[*]The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.
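
As an added illustration, not part of the helper's post and not FRST's own code: a short Python triage of the `Task:` lines in the fixlist above, flagging scheduled tasks whose target runs from a user-writable profile path. The line shape is assumed only from the lines shown on this page, and the `ExampleUpdater` entry is invented for contrast.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the four "Task:" lines from the fixlist above, plus one
# invented benign entry (ExampleUpdater, all-zero GUID) for contrast.
SAMPLE = r"""
Task: {A13FC72C-F697-4F38-A0A2-075B25E42B82} - System32\Tasks\Idle~_~Crawler Runner => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe <==== ATTENTION
Task: {0C0730EE-B88B-441E-A2FE-03096854D09F} - System32\Tasks\Microsoft\Windows\Maintenance\Idle~_~Crawler Update => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe <==== ATTENTION
Task: C:\Windows\Tasks\OALKHIRY.job => C:\Users\Suzanne\AppData\Roaming\OALKHIRY.exe
Task: {B8EA761D-4C8F-40ED-BDC7-06A9C01C302D} - System32\Tasks\OALKHIRY => C:\Users\Suzanne\AppData\Roaming\OALKHIRY.exe
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\ExampleUpdater => C:\Program Files\Example\updater.exe
"""

# Assumed line shape, taken only from the lines shown on this page:
#   Task: [{GUID} - ]<task path> => <target>[ <==== ATTENTION]
TASK_RE = re.compile(
    r"^Task:\s*(?:\{[0-9A-Fa-f-]{36}\}\s*-\s*)?(?P<task>.+?)\s*=>\s*"
    r"(?P<target>.+?)(?:\s*<==== ATTENTION)?\s*$"
)

# Locations a standard user can write to without elevation.
USER_WRITABLE = ("%localappdata%", "%appdata%", "%temp%",
                 "\\appdata\\local\\", "\\appdata\\roaming\\")


def triage(log_text):
    """Return (task name, target, reasons) for tasks that launch from a user profile."""
    findings = []
    for line in log_text.splitlines():
        m = TASK_RE.match(line.strip())
        if not m:
            continue
        task, target = m["task"], m["target"]
        if not any(mark in target.lower() for mark in USER_WRITABLE):
            continue
        reasons = ["target in user-writable path"]
        # A task filed under Microsoft's own folder but running from a profile
        # is imitating a system maintenance task.
        if "\\tasks\\microsoft\\windows\\" in task.lower():
            reasons.append("filed under Microsoft\\Windows task folder")
        findings.append((PureWindowsPath(task).name, target, reasons))
    return findings


if __name__ == "__main__":
    for name, target, reasons in triage(SAMPLE):
        print(f"{name!r} -> {target}: {'; '.join(reasons)}")
```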

Hi Naat

Thanks so much for your help.

I have removed the programs you mentioned and created the fixlist text file in the same folder as the FRST.txt file and run FRST64. Unfortunately it keeps crashing.

I have tried:
Rebooting
Disabling internet connection
Uninstalling Trojankiller and Malwarebytes anti-malware (in case there was a conflict)
Disabling Avast
Removing and re-downloading FRST

All to no avail. It runs for about 20 seconds and then crashes.

Any ideas?

Suz

The FRST fix crashes?

Please generate a fresh set of logfiles from FRST, with the Addition option checked.

Yes, the FIX kept crashing!
New scan files attached.
This is fascinating stuff - can you actually ‘read’ these text files?
Thanks
Suz

Can you tell me what you performed with ZOEK? Are you trying to self-fix the issue? Or are you receiving help somewhere else?

No I just downloaded it in readiness as I saw it had appeared on other posts - haven’t used it.

Fine, let’s get the remnants :)

Fix with Junkware Removal Tool

Please download JRT by Thisisu and save the file to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

[*]Right-click on the JRT icon and select Run as Administrator to start the tool.
[*]Follow the prompts and let this process run uninterrupted.
[*]This scan can take a while, depending on your System specs.
[*]Upon completion, a log (JRT.txt) will open on your desktop.

Please include the contents of that file in your reply.
Do not forget to re-enable your previously switched off protection software!
Please also manually reboot your machine after this procedure.

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your desktop.

[*]Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
[*]Follow the prompts and click Scan.
[*]When finished, please click Clean.
[*]Upon completion, click Report. A log (AdwCleaner[S*].txt) will open.

Please include the contents of that file in your reply.

Naat, you’re a genius and I owe you a large beer :)

log files attached.

Thanks, Suz

Hi :)

We are not done yet, I need to see some fresh reports to be sure.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.
[*]Right-click on the FRST icon and select Run as Administrator to start the tool.

XP users: click Run after receipt of the Windows Security Warning - Open File.
Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
[*]Make sure that Addition option is checked.
[*]Press Scan button and wait.
[*]The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.

Hello Naat

Files attached

Have a good day

Suz

Have a good day
Thank you and likewise! :)

Fix with Farbar Recovery Scan Tool

[b]This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.[/b]

Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

[*]Copy the entire content of the codebox below and paste into the Notepad document:

start
Hosts:
C:\Users\Suzanne\AppData\Roaming\OALKHIRY
Emptytemp:
end

[*]Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

[*]Right-click on the FRST icon and select Run as Administrator to start the tool.

XP users: click Run after receipt of the Windows Security Warning - Open File.
Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.

Hello Naat

FRST keeps crashing. If this is to delete a folder or file or registry key can I do it manually?

Thanks

Suz

Let’s do it using another tool. When it’s about malware, I prefer not to take any manual attempts.

Fix with BlitzBlank

Please download BlitzBlank by EmsiSoft and save it to your desktop.

[*]Right-click on the BlitzBlank icon and select Run as Administrator to start the tool.
[*]The tool will warn you that it should be used only under a trusted helper's supervision. Accept the warning.
[*]Navigate to the Script tab.
[*]Paste there the content of the codebox below:


DeleteFile:
C:\Users\Suzanne\AppData\Roaming\OALKHIRY

[*]Click Execute Now button at the bottom.
[*]You may be prompted that you are going to delete some entries. Please Agree.
[*]The tool will prompt you to reboot. Please agree.
[*]After the reboot, please navigate to the C:\BlitzBlank.log report.

Please include the content of that logfile in your next reply.

Good morning

Unfortunately there is an error running the file:
DeleteFile:
C:\Users\Suzanne\AppData\Roaming\OALKHIRY
‘Syntax error in line 2’.

I cannot see this folder on my system…

Suz

Quite odd. Let’s try another procedure.
BTW - it’s not a folder, it’s a file.

Fix with Farbar Recovery Scan Tool

[b]This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.[/b]

Please delete your copy of FRST and obtain a fresh one: Farbar Recovery Scan Tool x64

Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

[*]Copy the entire content of the codebox below and paste into the Notepad document:

start
Unlock: C:\Users\Suzanne\AppData\Roaming\OALKHIRY
C:\Users\Suzanne\AppData\Roaming\OALKHIRY
end

[*]Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

[*]Right-click on the FRST icon and select Run as Administrator to start the tool.

XP users: click Run after receipt of the Windows Security Warning - Open File.
Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.

Hold on. I think I know where the mistake could be when processing the BlitzBlank script.

Try these instructions before running FRST fix:

Fix with BlitzBlank

Please download BlitzBlank by EmsiSoft and save it to your desktop.
Download also the attached scriptfile named BlitzBlankScript and save it to your desktop.

[*]Right-click on the BlitzBlank icon and select Run as Administrator to start the tool.
[*]The tool will warn you that it should be used only under a trusted helper's supervision. Accept the warning.
[*]In the upper bar please press the Open icon.
[*]An explorer window should appear. On your desktop please find the BlitzBlankScript file downloaded earlier and choose Open.
[*]Click Execute Now button at the bottom.
[*]You may be prompted that you are going to delete some entries. Please Agree.
[*]The tool will prompt you to reboot. Please agree.
[*]After the reboot, please navigate to the C:\BlitzBlank.log report.

Please include the content of that logfile in your next reply.

OK I have done that & the file is attached.
Suz

ODD, really :o

Try the BlitzBlank once more as instructed here: