clickered.com threat every few minutes

Background: There have been 1-2 instances of Chrome running in the background on mute playing a radio station that seem to start every time Chrome starts. Through some research I found these to be malware. Malwarebytes, ESET, and AVG were not picking anything up (not all running at once) so I downloaded Avast! and it took care of em.

Now: Only problem is, every ~5 minutes the alert comes back, and at this time I am back to where I started with the radio running muted in the background.

I saw this post: http://forum.avast.com/index.php?topic=133686.0 and figured I should attach my logs?
Also saw this one too http://forum.avast.com/index.php?topic=53253.0 , so I just started at the top. Attached are the reports for adwcleaner, malwarebytes, and OTL.

Any help is mega appreciated.

Hi there, the problem with Chrome is that it hides a lot of stuff from view and is a tad leaky. Let me know if this stops it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O2:64bit: - BHO: (ElectroLyrics-16) - {11111111-1111-1111-1111-110411411152} - C:\Program Files (x86)\ElectroLyrics-16\ElectroLyrics-16-bho64.dll File not found

:Files
C:\Program Files (x86)\ElectroLyrics-16

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thanks for reply! Here’s the produced log.
Also, don’t know if it’s important but within a minute or so of opening chrome again after rebooting I got the same two threats. Attached otl.txt!

Could you attach a screen shot of the alert as that will give me more data

Please download Junkware Removal Tool to your desktop.

  • Right-mouse click JRT.exe and select “Run as Administrator”. The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system’s specifications
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Here are two screen shots of the errors I am getting, and then also one of what I see when I click Details.

Below is the JRT report.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.7 (10.15.2013:2)
OS: Windows 8 x64
Ran by Justin on Mon 10/28/2013 at 18:03:47.92
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



~~~ Registry Values



~~~ Registry Keys

Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\installedbrowserextensions
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\crossrider
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\conduit
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-220422412252}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Interface\{55555555-5555-5555-5555-550455415552}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Interface\{66666666-6666-6666-6666-660466416652}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{22222222-2222-2222-2222-220422412252}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\Interface\{66666666-6666-6666-6666-660466416652}
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{55555555-5555-5555-5555-550455415552}
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{66666666-6666-6666-6666-660466416652}
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660466416652}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\Justin\appdata\local\swvupdater"
Successfully deleted: [Folder] "C:\Program Files (x86)\mypc backup"
Successfully deleted: [Folder] "C:\Users\Justin\AppData\Roaming\microsoft\windows\start menu\programs\free ride games"
Failed to delete: [Folder] "C:\Windows\syswow64\ai_recyclebin"



~~~ Chrome

Successfully deleted: [Folder] C:\Users\Justin\appdata\local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda



~~~ Event Viewer Logs were cleared





Scan was completed on Mon 10/28/2013 at 18:05:51.20
Computer was rebooted
End of JRT log

When you launch Chrome, do you use a desktop/launchbar icon? If so, could you delete that and then run Chrome to see if the alerts cease

I removed the chrome icon from the task bar, desktop, and windows 8 home screen, launched it, and I’m still getting the same two threat notifications =/

Hmm ok, let’s look deeper

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Alright, here we go. Log attached! Got one of the errors shortly after my computer restarted, but it came up before I even opened Chrome. Computer has been on for a bit and I’m not getting any more errors, however Chrome is still muted when I open it, and there is still that hidden instance of chrome running in the background playing a radio station.

For some reason there are less icons in my task bar tray. The Avast! icon isn’t there even though the setting is checked in the program. There are also more missing, but I can’t remember exactly which ones. Also to complicate things Windows 8.1 decided to download and is asking me to install.

Sorry, I was mistaken. Just got the error. Only one this time though. Usually it was two that come within less than a minute of each other.

Combofix killed one. Which was well hidden… When you say you have two chromes running, is that two tabs or two instances of Chrome?

Great news! Only one (or zero) tabs. In my audio mixer is where I see the muted chrome… icon, I guess. In task manager under Background Processes there are a LOT more. The attached image is from when I have one chrome window open.
Also, it looks like I am back to two radio stations being played while muted, see second image.

Woop, getting the errors in twos again. Do you think a Windows reinstall would be the best course of action?

Nope, as it is in Chrome only then a full uninstall of Chrome would be the initial course of action. Personally I would recommend against using Chrome and Firefox as there are too many places for bad addons to hide. As fast as I locate one area they find a new one

So do a full uninstall of Chrome and ensure that the problem has ceased. Once it has we will then remove all google folders and then try a fresh copy

Ah ok. I uninstalled chrome before and it didn’t seem to work but maybe I didn’t remove all the files?
Anyway, I’ve uninstalled again and I’m no longer getting the errors. How do I go about removing all the google folders?

Could you run a fresh OTL scan selecting all users and I will do it for you :)

Booooom! You’re the bestest.

Try this :)

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
[2013/10/30 16:23:00 | 000,000,928 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1444201986-2890331996-194539126-1002UA.job
[2013/10/30 06:23:00 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1444201986-2890331996-194539126-1002Core.job

:Files
C:\Users\Justin\AppData\Local\Google

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here we gooooo.
Also, when my computer restarted, AVG was no longer inactive and it detected and removed a threat. Don’t know if that will complicate things…
Log attached

Chrome and Google have gone :)

I would recommend that you uninstall AVG