Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Shop to win malware at startup - can't uncheck


  • This topic is locked This topic is locked
8 replies to this topic

#1 daynip

daynip

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 11 May 2012 - 04:27 AM

Hello!

My little nephew likes to download random stuff online (mom doesn't watch him since she knows nothing about computers) and now we have malware! I tried running spybot, malwarebytes, security essentials & hijack this (try to fix BHO freecause shopping & HKCU..run shop to win, but it doesn't work). I noticed that "shop to win" is always checked on msconfig - I try to uncheck it, but it just checks itself back again. Not sure what to do! Thanks a lot for the help!


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Brian Cortes at 2:08:56 on 2012-05-11
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1916.606 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files (x86)\Common Files\Logishrd\LVMVFM\LVPrS64H.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\SysWOW64\Macromed\Flash\FlashUtil10q_ActiveX.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: {8e51683a-ea9d-4127-ae14-a13294ff6f7c}: Freecause Shopping BHO
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [Shop To Win] C:\Program Files (x86)\Shop To Win\ShopToWin.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{83FC78CC-FB36-4C88-BECA-2317F33A3718} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{83FC78CC-FB36-4C88-BECA-2317F33A3718}\25F616462557E6E65627D27657563747 : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{83FC78CC-FB36-4C88-BECA-2317F33A3718}\35B69784967686350756564643 : DhcpNameServer = 10.6.2.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Freecause Shopping BHO - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\windows\system32\DRIVERS\MpFilter.sys --> C:\windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe [2010-5-7 197976]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-5-7 654408]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-5-7 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R3 FwLnk;FwLnk Driver;C:\windows\system32\DRIVERS\FwLnk.sys --> C:\windows\system32\DRIVERS\FwLnk.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\system32\DRIVERS\L1C62x64.sys --> C:\windows\system32\DRIVERS\L1C62x64.sys [?]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\windows\system32\DRIVERS\LVPr2M64.sys --> C:\windows\system32\DRIVERS\LVPr2M64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\windows\system32\drivers\mbam.sys --> C:\windows\system32\drivers\mbam.sys [?]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-19 136176]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-19 136176]
S3 lvpopf64;Logitech POP Suppression Filter;C:\windows\system32\DRIVERS\lvpopf64.sys --> C:\windows\system32\DRIVERS\lvpopf64.sys [?]
S3 LVRS64;Logitech RightSound Filter Driver;C:\windows\system32\DRIVERS\lvrs64.sys --> C:\windows\system32\DRIVERS\lvrs64.sys [?]
S3 LVUVC64;Logitech Webcam C160(UVC);C:\windows\system32\DRIVERS\lvuvc64.sys --> C:\windows\system32\DRIVERS\lvuvc64.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\windows\system32\DRIVERS\NisDrvWFP.sys --> C:\windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-8-25 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
.
=============== Created Last 30 ================
.
2012-05-11 08:39:20 388096 ----a-r- C:\Users\Brian Cortes\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-05-11 08:39:17 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-05-11 07:56:59 89088 ----a-w- C:\windows\System32\RegisterIEPKEYs.exe
2012-05-10 23:38:12 8917360 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0499CAE6-6451-4C07-A706-F13DBBB6E36E}\mpengine.dll
2012-05-09 23:09:07 8917360 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-08 19:37:48 1544704 ----a-w- C:\windows\System32\DWrite.dll
2012-05-08 19:37:47 1077248 ----a-w- C:\windows\SysWow64\DWrite.dll
2012-05-08 19:37:45 5559664 ----a-w- C:\windows\System32\ntoskrnl.exe
2012-05-08 19:37:43 3146240 ----a-w- C:\windows\System32\win32k.sys
2012-05-08 19:37:42 3968368 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2012-05-08 19:37:41 3913072 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2012-05-08 19:36:47 75120 ----a-w- C:\windows\System32\drivers\partmgr.sys
2012-05-08 19:36:24 1918320 ----a-w- C:\windows\System32\drivers\tcpip.sys
2012-05-08 19:36:21 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-08 19:36:21 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-05-08 19:36:21 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-08 19:36:20 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2012-05-08 19:36:20 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2012-05-07 20:26:58 -------- d-----w- C:\Users\Brian Cortes\AppData\Roaming\Malwarebytes
2012-05-07 20:26:46 -------- d-----w- C:\ProgramData\Malwarebytes
2012-05-07 20:26:45 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-05-07 20:26:44 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-05-07 08:48:10 1147392 ----a-w- C:\windows\System32\MyDefragScreenSaver_v4.3.1.exe
2012-05-07 08:48:09 485376 ----a-w- C:\windows\System32\MyDefragScreenSaver_v4.3.1.scr
2012-05-07 08:48:09 -------- d-----w- C:\Program Files\MyDefrag v4.3.1
2012-05-07 08:36:03 -------- d-----w- C:\windows\pss
2012-05-07 07:12:20 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-05-07 07:12:20 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-05-07 06:57:15 -------- d-----w- C:\Users\Brian Cortes\AppData\Local\ElevatedDiagnostics
2012-04-12 21:33:40 -------- d-----w- C:\Users\Brian Cortes\AppData\Local\{C9EE01F6-F759-4121-9164-50016DC76235}
2012-04-12 01:49:11 81408 ----a-w- C:\windows\System32\imagehlp.dll
2012-04-12 01:49:11 23408 ----a-w- C:\windows\System32\drivers\fs_rec.sys
2012-04-12 01:49:11 159232 ----a-w- C:\windows\SysWow64\imagehlp.dll
2012-04-12 01:49:09 172544 ----a-w- C:\windows\SysWow64\wintrust.dll
2012-04-12 01:49:08 5120 ----a-w- C:\windows\SysWow64\wmi.dll
2012-04-12 01:49:08 5120 ----a-w- C:\windows\System32\wmi.dll
2012-04-12 01:49:08 220672 ----a-w- C:\windows\System32\wintrust.dll
2012-04-11 22:42:09 -------- d-----w- C:\Users\Brian Cortes\AppData\Local\{FAB6E8E1-5750-46C8-AB4F-AADBFEC1D07F}
2012-04-11 22:41:50 -------- d-----w- C:\Users\Brian Cortes\AppData\Local\{2DCBDF6D-37B0-4F1A-8B4E-9E32A219232E}
2012-04-11 22:31:52 -------- d-----w- C:\Users\Brian Cortes\AppData\Local\{EBBA2E98-893E-418B-B8C2-AF1F1FDC5E12}
2012-04-11 22:30:57 -------- d-----w- C:\Users\Brian Cortes\AppData\Local\{583A075D-FC35-4AA2-B21B-9F728D0E29E9}
2012-04-11 22:26:36 -------- d-----w- C:\Users\Brian Cortes\AppData\Local\{F42402FF-9328-484C-9314-CEFF078C04A7}
.
==================== Find3M ====================
.
2012-05-11 07:56:59 35840 ----a-w- C:\windows\SysWow64\imgutil.dll
2012-03-21 03:44:12 98688 ----a-w- C:\windows\System32\drivers\NisDrvWFP.sys
2012-03-21 03:44:12 203888 ----a-w- C:\windows\System32\drivers\MpFilter.sys
2012-02-17 06:38:26 1031680 ----a-w- C:\windows\System32\rdpcore.dll
2012-02-17 05:34:22 826880 ----a-w- C:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24 210944 ----a-w- C:\windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32 23552 ----a-w- C:\windows\System32\drivers\tdtcp.sys
.
============= FINISH: 2:10:10.00 ===============

Attached Files


Edited by daynip, 11 May 2012 - 05:05 AM.


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:28 AM

Posted 11 May 2012 - 07:24 AM

Hi,

It is actually your SpyBot teatimer that is interfering here and restores the shoptowin entry in msconfig.
So I suggest you to disable it because it can interfere with the changes you'll make on your system.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.

Then you should be able to delete the shoptowin entry. We'll do this with a regfix, since, when you do this via msconfig, you disable it, while the shoptowin entry can actually get deleted instead.

But first of all, delete the following folder if still present:

C:\Program Files (x86)\Shop To Win

Then, do the following to deal with the orphaned shoptowin entries:

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8e51683a-ea9d-4127-ae14-a13294ff6f7c}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Shop To Win"=-

Save this as fix.reg Choose to save as *all files and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Let me know if that solved your problem.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 daynip

daynip
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 11 May 2012 - 03:07 PM

Thank you very much for your help :)! That got rid of shop to win on startup (yay!), but when I run hijack this, "BHO freecause shopping - (8E.....) - no file" still appears. I can't seem to fix that. I'm assuming it won't cause any problems since it says no file?

Edited by daynip, 11 May 2012 - 03:08 PM.


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:28 AM

Posted 11 May 2012 - 04:15 PM

Hi,

Did you do the fix.reg step I posted? Because that should get rid of that BHO. Or you can check that entry in HijackThis and click the Fix checked button below (make sure your Internet Explorer is closed when you do this)
It's just an orphaned entry anyway, so if it's there or not, it won't harm though.

And glad I could help :)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 daynip

daynip
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 11 May 2012 - 04:55 PM

Yup, I did the fix.reg step :). I copied the info into notepad and then saved it as "fix.reg". I was a bit confused by the wording in the sentence, so I might have done something wrong :o (hopefully I didn't mess up)! I did check the entry in hijack this, but it wasn't removed. IE wasn't opened.

If having that entry won't harm the computer, then I'm not concerned. Thank you once again for your help!

Edited by daynip, 11 May 2012 - 04:57 PM.


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:28 AM

Posted 11 May 2012 - 05:00 PM

I guess you probably didn't run HijackThis as administrator. So, rightclick HijackThis.exe and select "run as administrator" from the context menu. This will run HijackThis in admin mode.
Anyway, as I said earlier, if the entry sticks, don't worry about it. It's just an orphaned entry that doesn't load anything. :)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 daynip

daynip
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 11 May 2012 - 05:08 PM

That did it - thanks again for your help, you're awesome! :thumbup2:

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:28 AM

Posted 11 May 2012 - 05:12 PM

Glad I could help :)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:28 AM

Posted 21 May 2012 - 01:09 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users