Full Version: Dr/martshop.2
BleepingComputer.com > Security > Am I infected? What do I do?
Mendetus
Hi, I'm using Avira as my AV; it detected an exe in System Volume Information that contains the pattern of DR/MartShop.2. The information says it's a 'dropper', and I searched my comp to find the files that they said DR/MartShop.2 would drop and ended up finding them. Avira has "access deny" by default; I tried that but it just ends up prompting me again, then I tried to 'move to quarantine' and I still get the detection prompt. I tried manually deleting some of the files but they seem to be in use, so it won't let me. Any advice?
SpySentinel
Please follow the steps below so we can help clean up your computer:

Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

Click 'Do a System Scan and Save log'. The HJT log will open in notepad. Don't try to fix anything yourself.

Copy and paste the contents of the HJT log into a NEW TOPIC in "HijackThis Logs and Malware Removal"
http://www.bleepingcomputer.com/forums/forum22.html

Also include a link to this topic. Please be patient as our HJT team members work on several forums.

Also you can read the Preparation Guide for use before posting a HijackThis Log

Mendetus
I already had Avira delete the file acting like the dropper before I read your post; I'm going to DL the link and post in a few minutes, but in the meantime this is the information that Avira has provided about some of the files that the dropper might have thrown in my system:

Files
The following files are created:

– Non malicious files:
• %PROGRAM FILES%\SRCheckPermission.txt
• %home%\Application Data\ShoppingReport\cs\Config.xml
• %PROGRAM FILES%\ShoppingReport\Uninst.exe

– Temporary files that might be deleted afterwards:
• %TEMPDIR%\ns%random character string%.tmp\modern-header.bmp
• %TEMPDIR%\ns%random character string%.tmp\Uninst.dll

– %TEMPDIR%\ns%random character string%.tmp\InstallerHelperPlugin.dll Further investigation pointed out that this file is malware, too. Detected as: ADSPY/MartSho.dll.2

– %PROGRAM FILES%\ShoppingReport\Bin\2.0.24\ShoppingReport.dll Further investigation pointed out that this file is malware, too. Detected as: ADSPY/MartSho.dll.3

Registry
The following registry keys are added:

– HKLM\SOFTWARE\ShoppingReport
• "LeftPaneTitle"="ShopperReports"
• "affid"="1000007001"
• "Version"="2.0.24"
• "ProductName"="ShopperReports"
• "SG_Not_Set"=dword:00000001

– HKCU\Software\ShoppingReport
• "CurrentPageNum"=dword:00000001
• "IEButtonPaneUrl_C9CCBB35"="cs.ShopperReports.com/cs/**********"
• "IEButtonPaneSize_C9CCBB35"="262"
• "IEButtonPaneOrient_C9CCBB35"="vertical"
• "IEButtonPaneUrl_A16AD1E9"="cs.ShopperReports.com/cs/**********
• "IEButtonPaneSize_A16AD1E9"="262"
• "IEButtonPaneOrient_A16AD1E9"="vertical"
• "CfgPrcs"=dword:00000001

– HKCR\BackLink\Clsid
• @="{fcbf906f-4080-11d1-a3ac-00c04fb950dc}"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShoppingReport
• "DisplayIcon"="%PROGRAM FILES%\ShoppingReport\Uninst.exe"
• "DisplayName"="ShopperReports"
• "UninstallString"="%PROGRAM FILES%\ShoppingReport\Uninst.exe"
• "DisplayVersion"="2.0.24"
• "URLInfoAbout"="http://www.ShopperReports.com"
• "Publisher"="ShopperReports"

File details
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• NSIS
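The file and registry indicators in the Avira write-up above can be checked without touching anything, which matters on a machine whose HijackThis log is about to be reviewed. The following PowerShell script is an added example for this thread, not part of the original post, Avira's write-up, or any BleepingComputer tool: it looks for each listed path and key, lists which processes have the two flagged DLLs loaded (the usual reason a delete fails with "in use"), and changes nothing. The Program Files (x86) and Wow6432Node locations are assumptions for 64-bit Windows; the write-up only names %PROGRAM FILES% and HKLM\SOFTWARE.

```powershell
# Added example, not from the thread or from Avira: a read-only check for the
# ShoppingReport indicators listed above. It reports presence only.

$programDirs = @([Environment]::GetFolderPath('ProgramFiles'))
# Assumption: on 64-bit Windows a 32-bit installer lands in Program Files (x86).
$x86 = [Environment]::GetFolderPath('ProgramFilesX86')
if ($x86) { $programDirs += $x86 }
$appData = [Environment]::GetFolderPath('ApplicationData')   # %home%\Application Data

function Get-ShoppingReportFiles {
    # Fixed paths from the write-up, expanded for each Program Files directory.
    $paths = @()
    foreach ($dir in $programDirs) {
        $paths += Join-Path $dir 'SRCheckPermission.txt'
        $paths += Join-Path $dir 'ShoppingReport\Uninst.exe'
        $paths += Join-Path $dir 'ShoppingReport\Bin\2.0.24\ShoppingReport.dll'
    }
    $paths += Join-Path $appData 'ShoppingReport\cs\Config.xml'
    return $paths
}

# The NSIS temp directory name contains a random string, so use wildcards.
$tempPatterns = @(
    (Join-Path $env:TEMP 'ns*.tmp\InstallerHelperPlugin.dll'),
    (Join-Path $env:TEMP 'ns*.tmp\Uninst.dll')
)

# HKCR has no PSDrive by default, so it is addressed through the Registry provider.
$registryKeys = @(
    'HKLM:\SOFTWARE\ShoppingReport',
    'HKLM:\SOFTWARE\Wow6432Node\ShoppingReport',   # assumption: 32-bit view on 64-bit Windows
    'HKCU:\Software\ShoppingReport',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShoppingReport',
    'Registry::HKEY_CLASSES_ROOT\BackLink\Clsid'
)

function Find-ShoppingReportIndicators {
    $hits = @()
    foreach ($f in Get-ShoppingReportFiles) {
        if (Test-Path -LiteralPath $f) {
            $hits += [pscustomobject]@{ Type = 'File'; Location = $f; Detail = '' }
        }
    }
    foreach ($pattern in $tempPatterns) {
        foreach ($item in (Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue)) {
            $hits += [pscustomobject]@{ Type = 'TempFile'; Location = $item.FullName; Detail = '' }
        }
    }
    foreach ($key in $registryKeys) {
        if (Test-Path -LiteralPath $key) {
            # Record the value names so they can be compared with Avira's list.
            $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            $names = ($props.PSObject.Properties |
                      Where-Object { $_.Name -notlike 'PS*' } |
                      ForEach-Object { $_.Name }) -join ', '
            $hits += [pscustomobject]@{ Type = 'Registry'; Location = $key; Detail = $names }
        }
    }
    # A failed delete with "in use" usually means a process has the DLL loaded;
    # list those processes without terminating them. Protected processes refuse
    # module enumeration, hence the try/catch.
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            if ($m.ModuleName -in 'ShoppingReport.dll', 'InstallerHelperPlugin.dll') {
                $hits += [pscustomobject]@{ Type = 'LoadedModule'; Location = $m.FileName
                                             Detail = "$($proc.ProcessName) (PID $($proc.Id))" }
            }
        }
    }
    return $hits
}

$results = Find-ShoppingReportIndicators
if ($results) { $results | Format-Table -AutoSize }
else { 'None of the listed ShoppingReport indicators were found.' }
```

The output is a table of what was found and, for loaded DLLs, which process holds them; that is the kind of detail worth pasting alongside an HJT log rather than acting on before the log has been reviewed. Run it from an elevated prompt, since the HKLM keys and other users' processes are not readable otherwise.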
TMacK
Now that you have an open HJT log posted in the HijackThis Logs and Analysis forum, you shouldn't make any changes to your system.
Doing so could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

I'm closing this topic until you are cleared by the HJT Team.
If, after your log has been cleaned, you still need help, please PM a Moderator and we will re-open this topic.

If you have any questions, don't hesitate to send me a PM.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2008 Invision Power Services, Inc.