Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Dr/martshop.2


  • This topic is locked This topic is locked
3 replies to this topic

#1 Mendetus

Mendetus

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:10:38 PM

Posted 02 February 2008 - 07:58 PM

Hi, I'm using Avira as my AV; it detected an exe in system volume information contains pattern of DR/MartShop.2 . The information says it's a 'dropper' and I searched my comp to find the files that they said DR/MartShop.2 would drop and ended up finding them. Avira has me "access deny" by default- I tried that but it just ends up prompting me again then I tried to 'move to quarantine' and I still get the detection prompt. I tried manually deleting some of the files but they seem to be in use so it won't let me. Any advice?

BC AdBot (Login to Remove)

 


m

#2 SpySentinel

SpySentinel

  • Staff Emeritus
  • 2,090 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The United States
  • Local time:09:38 PM

Posted 02 February 2008 - 08:26 PM

Please follow the steps below so we can help clean up your computer:

Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

Click 'Do a System Scan and Save log'. The HJT log will open in notepad. Don't try to fix anything yourself.

Copy and paste the contents of the HJT log into a NEW TOPIC in "HijackThis Logs and Malware Removal"
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Also include a link to this topic. Please be patient as our HJT team members work on serveral forums.

Also you can read the Preparation Guide for use before posting a HijackThis Log

Posted Image
Unified Network of Instructors and Trained Eliminators

Posted Image

My help is always free, but if you can, please Posted Image to help me continue the fight against malware.

#3 Mendetus

Mendetus
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:10:38 PM

Posted 02 February 2008 - 08:35 PM

I already had Avira delete the file acting like the dropper before I read your post; I'm going to DL the link and post in a few minutes but in the meantime this is the information that Avira has provided about some of the files that the dropper might have thrown in my system:

Files The following files are created:

– Non malicious files:
• %PROGRAM FILES%\SRCheckPermission.txt
• %home%\Application Data\ShoppingReport\cs\Config.xml
• %PROGRAM FILES%\ShoppingReport\Uninst.exe

– Temporary files that might be deleted afterwards:
• %TEMPDIR%\ns%random character string%.tmp\modern-header.bmp
• %TEMPDIR%\ns%random character string%.tmp\Uninst.dll

– %TEMPDIR%\ns%random character string%.tmp\InstallerHelperPlugin.dll Further investigation pointed out that this file is malware, too. Detected as: ADSPY/MartSho.dll.2

– %PROGRAM FILES%\ShoppingReport\Bin\2.0.24\ShoppingReport.dll Further investigation pointed out that this file is malware, too. Detected as: ADSPY/MartSho.dll.3

Registry The following registry keys are added:

– HKLM\SOFTWARE\ShoppingReport
• "LeftPaneTitle"="ShopperReports"
• "affid"="1000007001"
• "Version"="2.0.24"
• "ProductName"="ShopperReports"
• "SG_Not_Set"=dword:00000001

– HKCU\Software\ShoppingReport
• "CurrentPageNum"=dword:00000001
• "IEButtonPaneUrl_C9CCBB35"="cs.ShopperReports.com/cs/**********"
• "IEButtonPaneSize_C9CCBB35"="262"
• "IEButtonPaneOrient_C9CCBB35"="vertical"
• "IEButtonPaneUrl_A16AD1E9"="cs.ShopperReports.com/cs/**********
• "IEButtonPaneSize_A16AD1E9"="262"
• "IEButtonPaneOrient_A16AD1E9"="vertical"
• "CfgPrcs"=dword:00000001

– HKCR\BackLink\Clsid
• @="{fcbf906f-4080-11d1-a3ac-00c04fb950dc}"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
ShoppingReport
• "DisplayIcon"="%PROGRAM FILES%\ShoppingReport\Uninst.exe"
• "DisplayName"="ShopperReports"
• "UninstallString"="%PROGRAM FILES%\ShoppingReport\Uninst.exe"
• "DisplayVersion"="2.0.24"
• "URLInfoAbout"="http://www.ShopperReports.com"
• "Publisher"="ShopperReports"

File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• NSIS

#4 TMacK

TMacK

  • Members
  • 4,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:B.C. Canada
  • Local time:07:38 PM

Posted 02 February 2008 - 08:45 PM

Now that you have an open HJT log posted in the HijackThis Logs and Analysis forum, you shouldn't make any changes to your system.
Doing so, could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

I'm closing this topic until you are cleared by the HJT Team.
If, after your log has been cleaned, you still need help, please PM a Moderator and we will re-open this topic.

If you have any questions, don't hesitate to send me a PM.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

aaaaaaaa a~Suzie Wagner




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users