Clickered.com pop-up

I have a custom built machine running Windows 7.

My Avast Web Shield has been going crazy since yesterday with pop up windows alerting me to threat detections. All the pop ups say the following:

avast! Web Shield has blocked a harmful webpage or file.

Process: C:\Users\Terry\AppData.…\chrome.exe
Infection: URL:Mal
Object: hxxp://clickered.com/cen?ag=b65b07b69e0d7c318a8620be45ed72d5-18-0&g=ZZZ&t=aa2a773

The first part of the above object threat from the hxxp through to the ag= is always the same for each threat detected. The numbers following the = are different for each threat.

The pop ups are from WebShield and they come in sets of 6 threats/popups every 10 minutes.

I’ve followed all the instructions in the “Logs to assist in cleaning malware” and have attached the logs. Please let me know if you need anything more from me.
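The pattern described in the post above (a fixed host and path, a changing `ag=` value, alerts arriving in bursts at a regular interval) is what a beaconing check looks for. This is an added example, not part of the original thread: the `timestamp | process | url` line format, the function names and the sample `ag` values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from urllib.parse import urlsplit, parse_qs

# Constructed sample: three bursts of six alerts, ten minutes apart, in a
# hypothetical "timestamp | process | url" export. The ag values are made up.
def sample_alerts(start=datetime(2014, 8, 26, 8, 0, 0)):
    lines = []
    for burst in range(3):
        for i in range(6):
            ts = start + timedelta(minutes=10 * burst, seconds=2 * i)
            lines.append(f"{ts:%Y-%m-%d %H:%M:%S} | chrome.exe | "
                         f"hxxp://clickered.com/cen?ag={burst:04x}{i:04x}-18-0&g=ZZZ")
    # One unrelated, one-off detection that must not be flagged.
    lines.append("2014-08-26 08:03:00 | chrome.exe | hxxp://example.invalid/ad?id=1")
    return lines

def find_beacons(lines, vary="ag", burst_gap=60, min_bursts=3, jitter=0.2):
    """Flag process/host/path groups hit in evenly spaced bursts with a changing value."""
    groups = defaultdict(list)
    for line in lines:
        ts, process, url = (part.strip() for part in line.split("|", 2))
        u = urlsplit(url)  # a defanged hxxp:// URL still splits into host/path/query
        value = parse_qs(u.query).get(vary, [""])[0]
        groups[(process, u.hostname, u.path)].append(
            (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), value))
    findings = []
    for key, events in groups.items():
        events.sort()
        starts = [events[0][0]]  # first timestamp of each burst
        for prev, cur in zip(events, events[1:]):
            if (cur[0] - prev[0]).total_seconds() > burst_gap:
                starts.append(cur[0])
        if len(starts) < min_bursts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        period = median(gaps)
        regular = all(abs(g - period) <= jitter * period for g in gaps)
        distinct = len({v for _, v in events})
        if regular and distinct > 1:
            findings.append({"process": key[0], "host": key[1], "path": key[2],
                             "bursts": len(starts), "period_s": period,
                             "alerts": len(events), "distinct_values": distinct})
    return findings

if __name__ == "__main__":
    for finding in find_beacons(sample_alerts()):
        print(finding)
```

A regular period combined with a parameter that changes on every request points at something scheduled on the machine rather than at pages the user is visiting.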

Thank you for providing the log files.
Now have some patience please, a malware removal expert will soon help you to solve it.

Here you go, this should clear it

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-591495085-3126796574-4059196606-1001\...\Run: [fTalk] => [X]
HKU\S-1-5-21-591495085-3126796574-4059196606-1001\...\Run: [TornTv Downloader] => C:\Users\Terry\AppData\Roaming\TornTV.com\Torntv Downloader.exe [296960 2014-08-19] (Cool Mirage)
SearchScopes: HKLM-x32 - DefaultScope {61F8549E-4E97-4793-B4BE-38699C48D317} URL =
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKCU - {61F8549E-4E97-4793-B4BE-38699C48D317} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289075&CUI=UN11042830903143710&UM=2
SearchScopes: HKCU - {7338B377-503A-4DF7-9D77-E7E2779A1F6E} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=714647&p={searchTerms}
SearchScopes: HKCU - {8B585516-F8F2-4B77-BA8B-DE89A3E1101E} URL = http://search.conduit.com/Results.aspx?ctid=CT3300024&SearchSource=45&UM=2&q={searchTerms}
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
CHR HKCU\...\Chrome\Extension: [cflheckfmhopnialghigdlggahiomebp] - C:\Users\Terry\AppData\Local\CRE\cflheckfmhopnialghigdlggahiomebp.crx [2013-03-26]
CHR HKCU\...\Chrome\Extension: [klibnahbojhkanfgaglnlalfkgpcppfi] - C:\Users\Terry\AppData\Local\CRE\klibnahbojhkanfgaglnlalfkgpcppfi.crx [2013-03-26]
CHR HKLM-x32\...\Chrome\Extension: [klibnahbojhkanfgaglnlalfkgpcppfi] - C:\Users\Terry\AppData\Local\CRE\klibnahbojhkanfgaglnlalfkgpcppfi.crx [2014-07-25]
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
R2 TorchCrashHandler; C:\Users\Terry\AppData\Local\Torch\Update\TorchCrashHandler.exe [1205088 2013-06-27] (TorchMedia Inc.) [File not signed]
R2 trntv; C:\Users\Terry\AppData\Roaming\TornTV.com\TornTVSvc.exe [10240 2014-08-19] () [File not signed]
2014-08-25 16:41 - 2014-08-25 16:42 - 00000000 ____D () C:\Users\Terry\AppData\Local\Idle~_~Crawler
2014-08-25 16:41 - 2014-08-25 16:41 - 00004578 _____ () C:\Windows\System32\Tasks\Idle~_~Crawler Runner
2014-08-25 16:41 - 2014-08-25 16:41 - 00004018 _____ () C:\Windows\System32\Tasks\LaunchSignup
2014-08-25 16:37 - 2014-08-25 16:42 - 00000000 ____D () C:\Program Files (x86)\globalUpdate
2014-08-25 16:37 - 2014-08-25 16:37 - 00000000 ____D () C:\Users\Terry\AppData\Local\globalUpdate
2014-08-25 16:36 - 2014-08-25 16:37 - 00000000 ____D () C:\Users\Terry\AppData\Roaming\TornTV.com
2014-08-26 12:55 - 2014-06-30 15:13 - 00000000 _____ () C:\Windows\system32\Drivers\lvuvc.hs
2014-08-26 12:53 - 2013-05-01 11:47 - 00000000 ____D () C:\Users\Terry\AppData\Local\CRE
Task: {0F5CC53C-1035-47D0-B0D2-0431F57C1C91} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
Task: {CF903100-56B5-409A-B57E-CAFB4B953AE6} - System32\Tasks\Idle~_~Crawler Runner => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe
Task: {E5D7C7FF-8250-4174-8D62-F0B371670907} - System32\Tasks\Microsoft\Windows\Maintenance\Idle~_~Crawler Update => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe
C:\Program Files (x86)\globalUpdate
C:\Users\Terry\AppData\Local\Idle~_~Crawler
C:\Users\Terry\AppData\Roaming\TornTV.com
C:\Users\Terry\AppData\Local\Google\Chrome\User Data\Default\File System\006
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
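Grouping the entries of a fixlist like the one above by type shows which persistence mechanisms it touches before it is run. This is an added example, not code from the thread or from FRST: the prefix rules are inferred only from the lines visible on this page, and `triage` and `autostarts_from_profile` are hypothetical names.

```python
import re

# Entries copied from the fixlist on this page (a subset, one per line).
FIXLIST = r"""
HKU\S-1-5-21-591495085-3126796574-4059196606-1001\...\Run: [TornTv Downloader] => C:\Users\Terry\AppData\Roaming\TornTV.com\Torntv Downloader.exe [296960 2014-08-19] (Cool Mirage)
SearchScopes: HKCU - {8B585516-F8F2-4B77-BA8B-DE89A3E1101E} URL = http://search.conduit.com/Results.aspx?ctid=CT3300024&SearchSource=45&UM=2&q={searchTerms}
CHR HKCU\...\Chrome\Extension: [cflheckfmhopnialghigdlggahiomebp] - C:\Users\Terry\AppData\Local\CRE\cflheckfmhopnialghigdlggahiomebp.crx [2013-03-26]
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
R2 trntv; C:\Users\Terry\AppData\Roaming\TornTV.com\TornTVSvc.exe [10240 2014-08-19] () [File not signed]
Task: {CF903100-56B5-409A-B57E-CAFB4B953AE6} - System32\Tasks\Idle~_~Crawler Runner => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe
C:\Users\Terry\AppData\Local\Idle~_~Crawler
EmptyTemp:
CMD: bitsadmin /reset /allusers
"""
# Prefix rules inferred from this page's lines (an assumption); first match wins.
RULES = [(name, re.compile(rx)) for name, rx in [
    ("autorun (Run key)", r"^HK\w+\\.*\\Run: "),
    ("search provider",   r"^SearchScopes: "),
    ("toolbar",           r"^Toolbar: "),
    ("chrome policy",     r"^CHR .*\\Policies\\"),
    ("chrome extension",  r"^CHR .*\\Extension: "),
    ("service",           r"^[A-Z]\d \w+; "),
    ("scheduled task",    r"^Task: "),
    ("directive",         r"^(EmptyTemp|CMD):"),
    ("file or folder",    r"^(\d{4}-\d\d-\d\d .* \(\) )?[A-Z]:\\"),
]]
# A drive or %VAR% path, up to a " [..." or " <==" suffix or the end of the line.
PATH = re.compile(r"((?:[A-Z]:|%\w+%)\\.+?)(?= \[| <=|$)")

def triage(fixlist):
    """Return one dict per entry: category, target path and review flags."""
    rows = []
    for entry in filter(None, map(str.strip, fixlist.splitlines())):
        category = next((n for n, rx in RULES if rx.search(entry)), "unclassified")
        m = PATH.search(entry)
        low = (m.group(1) if m else "").lower()
        rows.append({"category": category, "target": m.group(1) if m else None,
                     "user_writable": "\\appdata\\" in low or low.startswith("%localappdata%"),
                     "unsigned": "[File not signed]" in entry})
    return rows

def autostarts_from_profile(rows):
    """Targets that start automatically and live under the user's profile."""
    kinds = {"autorun (Run key)", "service", "scheduled task"}
    return [r["target"] for r in rows if r["category"] in kinds and r["user_writable"]]

if __name__ == "__main__":
    for path in autostarts_from_profile(triage(FIXLIST)):
        print(path)
```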

Thank you for all the information. I followed your instructions. Here are the 2 logs. Please let me know what my next step is. When browsing my computer to find the AdwCleaner text file, I also saw another file in that folder: AdwCleaner[R0].txt. Do you need that file as well?

Could you confirm that the alerts have stopped …

The other adwcleaner log is just a duplicate :slight_smile:

Thank you. Yes, the alerts have stopped completely. Is it safe to re-install Chrome as my browser? I had uninstalled it a few days ago when all this first began.

It should be OK as you had a chrome imitator on your system

Once you are happy let me know and I will tidy up

I just re-installed Google Chrome and all settings are still there. So far everything seems to be good. The threats seem to be gone. There hasn’t been a pop up alert since I began running FRST at 8am today (just over 3 hrs ago). I can’t thank you enough for everything you did to help me out. What do I need to do with all the log files that you originally instructed me to save and send to you? I assume the tools you had me download should be kept on my computer for possible future use.

As the tools are regularly updated, I will clear them for you as an old tool is not much good :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

When I run Delfix, should I make sure all those boxes are checked like the pic shows? Should I run that now or wait until the 24 hrs have lapsed?

Use the boxes as ticked. You can do it now or tomorrow, your choice :slight_smile:

My Malwarebytes Anti-Malware completed a scan and found problems. I’ve attached a log of the items. I’m not sure what the problem is since everything was good yesterday after your help. Please advise.

They are just two references to conduit that the other tools missed and are not a problem

Is there anything I need to do? The only thing I did after the clean up was re-install Chrome as my browser. If I need to uninstall it again and use a different browser, let me know and I’ll do that. Thank you.

No, that should be OK now