Clickered Malware - Need Removal Help Please

Avast WebShield has suddenly started to give me block warnings regarding the Clickered malware which I have tried to remove without success.

Having seen the help given in other threads I would appreciate it if someone could do the same for me and assist me with manual removal.

If anyone can give me instructions and tell me which logs I need to provide I would be most grateful.

Thanks in advance for any/all help.

Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
Attach the Malwarebytes and Farbar Recovery Scan Tool logs.

Thanks Pondus for the very prompt response.

I’m attaching the four requested log files as instructed.

Hi :slight_smile:

Please run these two tools.

Fix with Junkware Removal Tool

Please download JRT by Thisisu and save the file to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

[*]Right-click on the JRT icon and select Run as Administrator to start the tool.
[*]Follow the prompts and let this process run uninterrupted.
[*]This scan can take a while, depending on your System specs.
[*]Upon completion, a log (JRT.txt) will open on your desktop.

Please include the contents of that file in your reply.
Do not forget to re-enable your previously switched off protection software!
Please also manually reboot your machine after this procedure.

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your desktop.

[*]Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
[*]Follow the prompts and click Scan.
[*]When finished, please click Clean.
[*]Upon completion, click Report. A log (AdwCleaner[S*].txt) will open.

Please include the contents of that file in your reply.

Hi Naat,

Have run both scans and the reports are attached as requested.

Thanks for your prompt attention :slight_smile:

You are welcome :slight_smile:

Uninstall some programs

We need to uninstall some programs.

[*]Press the Windows key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
[*]Search there for each entry mentioned below, right-click the entry and click Uninstall, one at a time.

[b]The list of programs to uninstall:[/b]

[*]PDF Creator Packages

Do not confuse it with legitimate PDF Creator installation!
After completing uninstalls, please manually reboot your machine!

Fix with Farbar Recovery Scan Tool

[b]This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.[/b]

Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

[*]Copy the entire content of the codebox below and paste into the Notepad document:

start
() C:\Windows\score.exe
() C:\Users\Dell\AppData\Local\Idle~_~Crawler\Idle~_~Crawler.exe
(The Chromium Authors) C:\Users\Dell\AppData\Local\Idle~_~Crawler\Chrome-bin\chrome.exe
R2 scores; C:\Windows\score.exe [4823040 2014-08-29] () [File not signed]
C:\Windows\score.exe
C:\Users\Dell\AppData\Local\Idle~_~Crawler
CustomCLSID: HKU\S-1-5-21-364517635-3994631332-8910258-1001_Classes\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}\InprocServer32 -> %SystemDrive%\Users\Dell\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-364517635-3994631332-8910258-1001_Classes\CLSID\{7c6e29bc-8b8b-4c3d-859e-af6cd158be0f}\InprocServer32 -> %SystemDrive%\Users\Dell\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-364517635-3994631332-8910258-1001_Classes\CLSID\{88d969c0-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Dell\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-364517635-3994631332-8910258-1001_Classes\CLSID\{88d969c1-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Dell\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-364517635-3994631332-8910258-1001_Classes\CLSID\{88d969c2-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Dell\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-364517635-3994631332-8910258-1001_Classes\CLSID\{88d969c3-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Dell\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-364517635-3994631332-8910258-1001_Classes\CLSID\{88d969c4-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Dell\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-364517635-3994631332-8910258-1001_Classes\CLSID\{88d969c5-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Dell\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-364517635-3994631332-8910258-1001_Classes\CLSID\{88d969c6-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Dell\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-364517635-3994631332-8910258-1001_Classes\CLSID\{88d969c8-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Dell\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-364517635-3994631332-8910258-1001_Classes\CLSID\{88d969c9-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Dell\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-364517635-3994631332-8910258-1001_Classes\CLSID\{88d969ca-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Dell\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-364517635-3994631332-8910258-1001_Classes\CLSID\{88d969d6-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Dell\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
Hosts:
Task: {532DAA8C-AA76-4C2C-8F88-DAFBE3F57132} - System32\Tasks\Idle~_~Crawler Runner => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe <==== ATTENTION
Task: {F313DCD6-38CF-43D1-AD36-95887F518BE1} - System32\Tasks\Microsoft\Windows\Maintenance\Idle~_~Crawler Update => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe <==== ATTENTION
%LOCALAPPDATA%\Idle~_~Crawler
cmd: type C:\AdwCleaner\AdwCleaner[S0].txt > %userprofile%\desktop\ForNaat.txt
cmd: type C:\AdwCleaner\AdwCleaner[S1].txt >> %userprofile%\desktop\ForNaat.txt
EmptyTemp:
end

[*]Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

[*]Right-click on the FRST icon and select Run as Administrator to start the tool.

Windows XP users: click Run after receipt of Windows Security Warning - Open File.
Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.
[*]Right-click on the FRST icon and select Run as Administrator to start the tool.

Windows XP users: click Run after receipt of Windows Security Warning - Open File.
Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
[*]Make sure that Addition option is checked.
[*]Press Scan button and wait.
[*]The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.

Additionally on your desktop should appear “extra” report called “ForNaat”. Attach it also :slight_smile:
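
A defender-side triage sketch for log lines of the shape used in the fixlist above. This is an added example, not part of the original thread and not FRST's own logic. The regular expressions are assumptions modelled only on the lines quoted in this thread, and the last sample line is constructed as a benign control.

```python
import re

# First three lines are quoted from the fixlist in this thread; the last one is
# constructed here as a benign control (hypothetical task name and path).
SAMPLE = r"""
R2 scores; C:\Windows\score.exe [4823040 2014-08-29] () [File not signed]
CustomCLSID: HKU\S-1-5-21-364517635-3994631332-8910258-1001_Classes\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}\InprocServer32 -> %SystemDrive%\Users\Dell\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
Task: {532DAA8C-AA76-4C2C-8F88-DAFBE3F57132} - System32\Tasks\Idle~_~Crawler Runner => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe <==== ATTENTION
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\Example Updater => C:\Program Files\Example\updater.exe
""".strip().splitlines()

# Patterns modelled only on the line shapes visible in this thread (assumption).
SERVICE = re.compile(r"^[RSU]\d (?P<name>[^;]+); (?P<target>.+?) \[\d+ [\d-]+\] \(.*?\)(?P<flags>.*)$")
TASK = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (?P<name>.+?) => (?P<target>.+?)(?: <==== ATTENTION)?$")
CLSID = re.compile(r"^CustomCLSID: (?P<name>.+?) -> (?P<target>.+?)(?P<flags> No File)?$")
# Per-user profile locations that a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"%(LOCALAPPDATA|APPDATA|TEMP|USERPROFILE)%|\\Users\\[^\\]+\\AppData\\", re.I)


def triage(lines):
    """Return (kind, name, reasons) for every entry with at least one review reason."""
    findings = []
    for line in lines:
        for kind, pattern in (("service", SERVICE), ("task", TASK), ("clsid", CLSID)):
            m = pattern.match(line.strip())
            if not m:
                continue
            flags = m.groupdict().get("flags") or ""
            reasons = []
            if "File not signed" in flags:
                reasons.append("unsigned binary")
            if "No File" in flags:
                reasons.append("registered file missing on disk")
            if USER_WRITABLE.search(m["target"]):
                reasons.append("target in user-writable path")
            if reasons:
                findings.append((kind, m["name"], reasons))
            break  # a line matches at most one entry type
    return findings


if __name__ == "__main__":
    for kind, name, reasons in triage(SAMPLE):
        print(f"{kind:8} {name}\n         -> {', '.join(reasons)}")
```

The output is a review queue, not a verdict: each flagged entry still needs a human to confirm it before anything is removed.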

Hi Naat,

OK, when attempting to remove the PDF Creator Packages via control panel I received the “already uninstalled” message, so I deleted it from CP’s program list.

I have run the fix and scans as requested and attached are the logs for all of them.

However no ‘ForNaat’ report appeared on my desktop - sorry.

That’s OK, what I want to see was in the fixlog :slight_smile:

Scan with Malwarebytes’ Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

[*]Install the program and select update.
[*]Once updated, click the Settings tab, in the left panel choose Detections & protection and tick Scan for rootkits.
[*]Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
[*]If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
[*]Upon completion of the scan (or after the reboot), click the History tab.
[*]Click Application Logs and double-click the Scan Log.
[*]At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.
Click there Run ESET Online Scanner.

If using Internet Explorer:

[*]Accept the Terms of Use and click Start.
[*]Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:

[*]Download esetsmartinstaller_enu.exe that you’ll be given link to.
[*]Double click esetsmartinstaller_enu.exe.
[*]Allow the Terms of Use and click Start.

To perform the scan:

[*]Make sure that Enable detection of potentially unwanted applications is checked.
[*]In the Advanced Settings dropdown menu:
[*]Make sure that Remove found threats is unchecked.
[*]Scan archives is checked.
[*]Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
[*]Use custom proxy settings is unchecked.
[*]Click Start
[*]The program will begin to download its virus database. The speed may vary depending on your Internet connection.
[*]When completed, the program will begin to scan. This may take several hours. Please, be patient.
[*]Do not do anything on your machine as it may interrupt the scan.
[*]When the scan is done, click Finish
[*]A logfile will be created at C:\Program Files\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.
Don’t forget to re-enable previously switched-off protection software!

Hi Naat,

Your wish is my command :slight_smile:

Here are the required log files.

I have to go to bed now so might be a few hours before any more responses. I appreciate your help so far and the good news is that the warnings have stopped since I completed the uninstall of PDF Creator - even though I didn’t actually uninstall anything ???

I see that ESET is flagging C:\Users\Dell\Downloads\PDFCreatorSetup.exe though so I’m guessing you’ll want me to remove that at some point?

Don’t worry, I also go to bed from time to time ;D

Yes, ESET is flagging it because there is some third-party bundled installation of some potentially unwanted program.

Scan with Security Check

Please download Security Check by Screen317 and save it to your desktop.

[*]Right-click on the Security Check icon and select Run as Administrator to start the tool.
[*]Follow onscreen instructions inside the black box. This scan won’t take long.
[*]Soon a notepad document called checkup.txt will open automatically.

Please include the content of that document.

Hi Naat

OK, here is the file.

Very good :slight_smile:
Do you experience any other issues?

Clean with DelFix

Please download DelFix by Xplode and save it to your desktop.

[*]Right-click on the DelFix icon and select Run as Administrator to start the tool.
[*]Ensure that Remove disinfection tools, Purge system restore and Reset system settings are checked.
[*]Push Run.
[*]When finished, it will display a notepad report.

Include it for my review.
Please also manually reboot your machine after posting your logfile.

Hi Naat.

All done, log file attached.

I am not having any other issues, no. All seems to be working fine again.

Thank you so much for your time and effort on my behalf, you have been wonderful throughout.

You are welcome.

Below you will find my thoughts about securing your machine. Go ahead through it, you will benefit from some useful advice about safe computing.

Recommended reading:

MUST READ - security tips: Computer Security - a short guide to staying safer online.

MUST READ - general maintenance: What to do if your Computer is running slowly?

Recommended additional software:

TFC - to clean unneeded temporary files.

Malwarebytes’ Anti-Malware - to scan your system from time to time in search for malware.

Malwarebytes’ Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.

McShield - to prevent infections spread by removable media.

CryptoPrevent - to secure yourself from very severe CryptoLocker infection.

Unchecky - to prevent from installing additional foistware, implemented in legitimate installations.

My help is always free, but if you are happy with the help provided and wish to help my fight against malware, please consider making a donation.
All donations are to refund a new HDD to replace the old one, which recently passed away!

Now if you have any other questions, feel free to ask me. Otherwise simply acknowledge my recommendations and this topic will be closed.


Stay safe,
Naat :slight_smile:

Thanks Naat your help has been invaluable and I will try to help out with a donation once I get back to my own machine later today even though it will probably only be a small one. I appreciate the links to the software you have recommended and there are several I have not used/heard of so I will definitely check them out.

If I could afford to buy you a new HDD I would :smiley:

Thank you very much :slight_smile:

Safe surfing!
Naat