Feb 2 2008, 07:58 PM
Post #1
New Member | Group: Members | Posts: 7 | Joined: 2-February 08 | Member No.: 187,940

Feb 2 2008, 08:26 PM
Post #2
Bleepin' Helper | Group: Members | Posts: 1,079 | Joined: 23-February 07 | From: The United States | Member No.: 113,595
Please follow the steps below so we can help clean up your computer:
Download HijackThis here: http://www.trendsecure.com/portal/en-US/th.../hijackthis.php
Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.
Don't try to fix anything yourself.
Copy and paste the contents of the HJT log into a NEW TOPIC in "HijackThis Logs and Malware Removal" http://www.bleepingcomputer.com/forums/forum22.html
Also include a link to this topic.
Please be patient as our HJT team members work on several forums.
Also you can read the Preparation Guide for use before posting a HijackThis Log

Feb 2 2008, 08:35 PM
Post #3
New Member | Group: Members | Posts: 7 | Joined: 2-February 08 | Member No.: 187,940
I already had Avira delete the file acting like the dropper before I read your post; I'm going to DL the link and post in a few minutes but in the meantime this is the information that Avira has provided about some of the files that the dropper might have thrown in my system:
Files
The following files are created:

Non malicious files:
%PROGRAM FILES%\SRCheckPermission.txt
%home%\Application Data\ShoppingReport\cs\Config.xml
%PROGRAM FILES%\ShoppingReport\Uninst.exe

Temporary files that might be deleted afterwards:
%TEMPDIR%\ns%random character string%.tmp\modern-header.bmp
%TEMPDIR%\ns%random character string%.tmp\Uninst.dll
%TEMPDIR%\ns%random character string%.tmp\InstallerHelperPlugin.dll
Further investigation pointed out that this file is malware, too. Detected as: ADSPY/MartSho.dll.2
%PROGRAM FILES%\ShoppingReport\Bin\2.0.24\ShoppingReport.dll
Further investigation pointed out that this file is malware, too. Detected as: ADSPY/MartSho.dll.3

Registry
The following registry keys are added:

HKLM\SOFTWARE\ShoppingReport
"LeftPaneTitle"="ShopperReports"
"affid"="1000007001"
"Version"="2.0.24"
"ProductName"="ShopperReports"
"SG_Not_Set"=dword:00000001

HKCU\Software\ShoppingReport
"CurrentPageNum"=dword:00000001
"IEButtonPaneUrl_C9CCBB35"="cs.ShopperReports.com/cs/**********"
"IEButtonPaneSize_C9CCBB35"="262"
"IEButtonPaneOrient_C9CCBB35"="vertical"
"IEButtonPaneUrl_A16AD1E9"="cs.ShopperReports.com/cs/**********
"IEButtonPaneSize_A16AD1E9"="262"
"IEButtonPaneOrient_A16AD1E9"="vertical"
"CfgPrcs"=dword:00000001

HKCR\BackLink\Clsid
@="{fcbf906f-4080-11d1-a3ac-00c04fb950dc}"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShoppingReport
"DisplayIcon"="%PROGRAM FILES%\ShoppingReport\Uninst.exe"
"DisplayName"="ShopperReports"
"UninstallString"="%PROGRAM FILES%\ShoppingReport\Uninst.exe"
"DisplayVersion"="2.0.24"
"URLInfoAbout"="http://www.ShopperReports.com"
"Publisher"="ShopperReports"

File details
Runtime packer: In order to aggravate detection and reduce size of the file it is packed with the following runtime packer: NSIS

Feb 2 2008, 08:45 PM
Post #4
Bleepin' Mod | Group: Moderator | Posts: 4,623 | Joined: 18-March 06 | From: B.C. Canada | Member No.: 59,826
Now that you have an open HJT log posted in the HijackThis Logs and Analysis forum, you shouldn't make any changes to your system.
Doing so could change the results of the posted log, making it difficult to properly clean your system. At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.
I'm closing this topic until you are cleared by the HJT Team. If, after your log has been cleaned, you still need help, please PM a Moderator and we will re-open this topic.
If you have any questions, don't hesitate to send me a PM.