system
August 30, 2014, 2:00am
1
Hello All,
Have been pulling my hair out trying to get rid of the clickered.com issue. Ran avast, Malwarebytes, spybot and sophos with no success. Tried to prep for this post by running Farbar64 to give you the logs before you asked for them but it hangs every time on getting events. I can provide the farbar logs it did create. Keep getting the popup from avast about the event asking if I want to set as a false positive. The alert says a chrome.exe process and I have removed chrome. I use Firefox about 98% of the time. Do not have a good restore point to use either. Was going to try creating a new account on the laptop thinking it may be an issue with my wife’s profile.
Any thoughts from this point? I am running win7 64 bit. Please don’t make me run Linux on this box… Terrified of explaining to my wife how to use Linux
Thanks,
Steve
Hey, and welcome to the forum. Please follow this guide and attach the logs from mbam and Farbar:
https://forum.avast.com/index.php?topic=53253.0
A malware expert will help you from there.
Spybot is no good anymore since it can’t keep up with the malware out there today. So I suggest you uninstall it and keep Malwarebytes instead.
Attach what logs you have and I will see where we can go from there
system
August 30, 2014, 11:25pm
4
thanks for the reply. I was not able to get the full logs logged on as my wife. I did create a new user profile and while the pop ups keep happening, I was able to get a full scan for the logs as attached.
Thanks again for all your help,
Steve
OK, let's get started. Once these fixes have run, could you go to the infected user (I believe it is Pat) and run a fresh FRST scan from there?
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
HKLM-x32\...\Run: [BrowserSafeguard] => "C:\Program Files (x86)\Browsersafeguard\BrowserSafeguard.exe"
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2516} URL = http://www.default-search.net/search?sid=516&aid=104&itype=n&ver=12791&tm=427&src=ds&p={searchTerms}
SearchScopes: HKLM - {E7DD16D0-E836-40AA-A533-3CD0D2ADCBD4} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2516} URL = http://www.default-search.net/search?sid=516&aid=104&itype=n&ver=12791&tm=427&src=ds&p={searchTerms}
SearchScopes: HKLM-x32 - {E7DD16D0-E836-40AA-A533-3CD0D2ADCBD4} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA} [2014-07-23]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2014-07-23]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA} [2014-07-23]
2014-08-28 11:02 - 2014-08-28 16:57 - 00000000 ____D () C:\Users\pat\AppData\Local\Idle~_~Crawler
2014-08-28 11:02 - 2014-08-28 11:02 - 00004578 _____ () C:\Windows\System32\Tasks\Idle~_~Crawler Runner
2014-08-28 11:01 - 2014-08-28 11:02 - 00000000 ____D () C:\Users\Public\30486184C2A347E7A52AC8D62AF1C776
2014-08-14 18:17 - 2014-08-14 18:18 - 00000000 ____D () C:\Users\Public\9B5FA4664AAA43488A3338B456970A30
2014-08-08 11:20 - 2014-08-08 11:20 - 00000000 ____D () C:\Users\Public\5E4D98A75092499E8108FB1068D15D46
2014-08-07 13:44 - 2014-08-07 13:44 - 00000000 ____D () C:\Users\Public\3A58226D150C4FF8BD48FE3415141072
2014-08-02 20:09 - 2014-08-02 20:09 - 00000000 ____D () C:\Program Files (x86)\predm
2014-08-02 19:54 - 2014-08-02 20:12 - 00000000 ____D () C:\Program Files (x86)\Linkey
2014-08-02 19:53 - 2014-08-02 23:10 - 00000000 ____D () C:\Program Files (x86)\globalUpdate
2014-08-02 19:53 - 2014-08-02 19:53 - 00000000 ____D () C:\Users\pat\AppData\Local\globalUpdate
2014-08-02 19:50 - 2014-07-30 15:45 - 04816384 _____ () C:\Windows\score.exe
2014-08-28 16:57 - 2014-08-28 11:02 - 00000000 ____D () C:\Users\pat\AppData\Local\Idle~_~Crawler
2014-08-28 11:02 - 2014-08-28 11:02 - 00004578 _____ () C:\Windows\System32\Tasks\Idle~_~Crawler Runner
2014-08-28 11:02 - 2014-08-28 11:01 - 00000000 ____D () C:\Users\Public\30486184C2A347E7A52AC8D62AF1C776
2014-08-28 09:21 - 2010-07-20 12:25 - 00000000 ____D () C:\Users\pat\AppData\Local\WeatherBug
2014-08-14 18:18 - 2014-08-14 18:17 - 00000000 ____D () C:\Users\Public\9B5FA4664AAA43488A3338B456970A30
2014-08-08 11:20 - 2014-08-08 11:20 - 00000000 ____D () C:\Users\Public\5E4D98A75092499E8108FB1068D15D46
2014-08-07 13:44 - 2014-08-07 13:44 - 00000000 ____D () C:\Users\Public\3A58226D150C4FF8BD48FE3415141072
Task: {5BA11EA9-4278-4FB2-A91D-B53173ECCC0A} - System32\Tasks\Idle~_~Crawler Runner => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe
Task: {DB610975-CF1D-4494-832B-B81DF636DFF9} - System32\Tasks\Microsoft\Windows\Maintenance\Idle~_~Crawler Update => %LOCALAPPDATA%\Idle~_~Crawler\Idle~_~Crawler.exe
C:\Program Files (x86)\Browsersafeguard
C:\Users\pat\AppData\Local\Idle~_~Crawler
C:\Windows\score.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
system
August 31, 2014, 10:10pm
6
here are the log files generated.
thanks,
steve
Have the alerts ceased for all users ?
system
September 1, 2014, 4:46pm
8
so far so good …
I assume the log looks good to you?
Thanks for your help
Steve
Subject to no further problems
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:
Download and run Delfix
https://dl.dropboxusercontent.com/u/73555776/delfix.JPG
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent: install this programme to lock down and prevent crypto ransomware
https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG
Malwarebytes.
Update and run weekly to keep your system clean.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
system
September 1, 2014, 10:30pm
10
looks good, thanks again,
Steve