Can't get rid of ShopperLink malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by adamo2o2, Jun 14, 2008.

  1. adamo2o2

    adamo2o2 Private E-2

    Hi

I've run through your Vista cleaning routine with the recommended tools but can't get rid of ShopperLink - as with other posts, the icon stays in my toolbar with the enable/disable option - please help me get rid of it!!! Logs attached...

    thanks
     


  2. adamo2o2

    adamo2o2 Private E-2

    here's my combofix report...
     


  3. abri

    abri MajorGeek

    Hi adam0202,
    Welcome to Major Geeks!


    Try the easy way first and see if that works. It would be nice. Go to add/remove programs and uninstall ShopperLink 1.0.4.

    Let me know if this works.

    abri
     
  4. adamo2o2

    adamo2o2 Private E-2

    hi abri

    Thanks for the quick reply. Unfortunately I don't have an entry in my add/remove programs for ShopperLink...I don't think there's been one since it's been installed. Any other help would be appreciated.
    thanks
     
  5. abri

    abri MajorGeek

    Hi adam0202,

    Please be sure, because in your newfiles log it shows it is in add/remove programs just before Skype, which is just before Spybot.

    serif movie
    serif page plus
    shopperlink
    skype
    spybot
     
  6. adamo2o2

    adamo2o2 Private E-2

    hi abri

    Definitely nothing I can see there...I've attached a screenshot of what my add/remove looks like.

    thanks for looking into this for me

    adam
     


  7. abri

    abri MajorGeek

    Hi adam0202,

    Try opening CCleaner and click on tools. There are two buttons, one button for Autostart and the other called something like Program Deinstallation. Be sure the Program Deinstalls button is the one clicked. Is Shopperlink in that list by any chance? If so remove it. It has a quiet string, which I think is causing it to be invisible for you. If it's there, be sure to click on uninstall and not on remove the entry. Remove the entry will take it out of the add/remove list and you don't want that, you want to uninstall it.

    If it's not there, tell me.

    abri
     
  8. abri

    abri MajorGeek

    Hi adam0202,

    It may be easiest just to remove this manually. Please continue as follows:

    1) Your startup items are being controlled with msconfig. Please go to Start / Run and type in msconfig and click on okay. In the window that opens up click on normal system start and then accept and ok.

    2) Go to add/remove programs and uninstall the below:

    J2SE Runtime Environment 5.0 Update 10


    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment



    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    Does the following program need to load at startup? If not, please fix it as well.

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    After you click fix, just close hijackthis.

    6) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    FILE::
    C:\Temp\hapdirs4.exe
    C:\Windows\444.471
    C:\Windows\Temp\ehprivjob.log
    
    FOLDER::
    C:\ProgramData\Tarma Installer
    C:\Program Files\eRightSoft
    C:\Windows\System32\zID
    C:\Windows\System32\mc4
    C:\Windows\System32\get1
    C:\Users\All Users\Tarma Installer
    C:\Users\All Users\ipd
    C:\ProgramData\Tarma Installer
    C:\ProgramData\ipd
    C:\Windows\System32\cox3
    
    REGISTRY::
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    7) Now run CCleaner at the default setting with the Windows tab as the top one.
    Also, please delete all the files in C:\Users\adam\AppData\Local\Temp\ that Windows will allow you to delete.

    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger or Combofix log.


    Let me know how things are running now?

    abri
     
    Last edited: Jun 15, 2008
  9. adamo2o2

    adamo2o2 Private E-2

    hi abri

    I've just installed CCleaner and there isn't an entry for it under uninstall; however, earlier today I noticed that the icon has disappeared from my tool bar - I haven't done anything since the last time I saw it there, which makes me slightly suspicious as I read in another post that this thing hides itself sometimes...

    One thing I do notice in the startup list on CCleaner is the following (ticked) entry:

    Startup Common Item - Start DonorLink System tray app.lnk - C:\Program Data\ipd\tray.exe

    Is this anything to do with it, do you reckon? When I have a look in the ipd folder there are 4 files - tray.exe, MSVCP71.DLL, MSVCR71.DLL and interprom_enabled.ico - this last one looks like the icon for ShopperLink when it has been enabled...

    Should I delete the startup entry? I haven't done anything with CCleaner so far.

    cheers

    Adam
     
  10. adamo2o2

    adamo2o2 Private E-2

    hi

    Looks like we crossed messages...thanks for the instructions, will give 'em a go + let you know how I get on.

    thanks
     
  11. adamo2o2

    adamo2o2 Private E-2

    hi abri

    I'm experiencing a few problems with the instructions :( I've got as far as dragging CFscript.exe onto ComboFix on my desktop, but my computer keeps BSODing when ComboFix is running - the first time this happened was just after I uninstalled Java and then it's happened twice while running ComboFix...any ideas?

    cheers
     
  12. abri

    abri MajorGeek

    Hi adam0202,

    Let's try removing the entries with Avenger:

    1) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt



    2) Now run CCleaner at the default setting with the Windows tab as the top one.

    3) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger log.


    Let me know how things are running now?

    abri
     
  13. adamo2o2

    adamo2o2 Private E-2

    Hi abri

    No joy with this either....it's coming up with the attached error. I've tried running it as administrator as well and get the same error.

    cheers
     


  14. adamo2o2

    adamo2o2 Private E-2

    hi abri

    I ran Avenger anyway, clicking OK to the bits that were coming up with the HKEY_CURRENT_USER errors, and I've attached the log below - should I try and manually delete the undeleted keys through regedit?

    thanks
     


  15. adamo2o2

    adamo2o2 Private E-2

    Sorry...here is my new MGlogs.zip...
     


  16. abri

    abri MajorGeek

    Hi adam0202,

    Please delete everything which Windows will allow you to delete from these folders:

    C:\Users\adam\AppData\Local\Temp\
    C:\Windows\Temp\


    Then run CCleaner.

    Is Shopper Link still showing? It is still listed in your add/remove programs. Let me know how the above goes while I look into this.

    abri
     
  17. adamo2o2

    adamo2o2 Private E-2

    hi abri
    I deleted the temp files out of the folders - I managed to delete all but 2 in the first folder and 1 in the second + ran CCleaner.

    It may be gone now, I think. The entry for DonorLink is still showing in the CCleaner startup section. I re-ticked it and rebooted but no sign of the icon in my tray.

    Are there any logs I can post to check it's gone?

    Thanks for your help so far - my machine seems to be running faster since running through all these things.

    adam
     
  18. abri

    abri MajorGeek

    Hi adam0202,

    That's good news. Yes, you can attach a fresh set of MGlogs.zip. To get those run C:\MGtools\GetLogs.bat by double-clicking on the file.

    abri
     
  19. abri

    abri MajorGeek

    Hi adam0202,

    I wanted to see a new set of the logs so I could check if the entry is gone from your add/remove programs list. It's also possible that DonorLink is part of what ShopperLink is posting. After checking the uninstalls list to make sure that Shopperlink is gone, the next step is to go through the final cleanup instructions to remove all our tools and logs from your computer. They take up space. Also, if your computer is clean, we would have you set a clean restore point. I'll post the final cleanup instructions for you here:

    • Uninstall SuperAntiSpyware
    • If you installed Combofix to the desktop and renamed it cf.exe, it can be removed by going to Start/Run and copy-pasting in "%userprofile%\Desktop\cf" /u
    • Check for the following and if found, remove them as well by deleting them: ComboFix.exe (if it wasn't renamed), C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    • If we had you run Avenger, you can delete all files related to Avenger now.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • Go to add/remove programs and uninstall HijackThis.
    • Then go into Windows Explorer and find MGTools directly under C:\ (or the root drive where your operating system is installed).
    • Open the MGTools folder and delete the contents.
    • Then delete the folder itself.
    • Look for any leftover logs on your desktop and if found delete them
    • Run CCleaner
    • After you've completed the above, please follow the instructions at this link for setting a clean restore point. - Before you do this step, please use your computer for a little while with a couple of reboots in between to make sure you are not experiencing anything unusual. Then complete this step as well. It will give you a clean restore point to come back to in the future. Disable and Enable System Restore!
    • Once you've done this, please take a look at the link that follows. It's a good read and has some good information to help you prevent further malware invasions.

      How to Protect Yourself from Malware


    Let us know how things went!
    abri
     
  20. adamo2o2

    adamo2o2 Private E-2

    hi abri

    Sorry..I thought I posted these yesterday?!? Anyway, here they are. I'll run through the instructions you've kindly provided and will post another set.

    thanks

    adam
     


  21. adamo2o2

    adamo2o2 Private E-2

    Sorry, just read your reply properly - I'll await your reply on the logs I just posted before uninstalling the apps + cleaning up.

    cheers
     
  22. abri

    abri MajorGeek

    Hi adam0202,

    The uninstall for Shopperlink is still listed in your add/remove programs, so I'll give you a patch to remove that. The problem about it is that it creates an entry which you can't see. This should take it out. Also, you are controlling your startup items with msconfig. When you do this and you uninstall a program that's been controlled this way, the uninstall isn't complete. In this case, it's left you with an entry for DonorLink which I'll add to the registry patch. Your computer needs to always be in normal startup mode except when you use msconfig for diagnostic purposes.

    To help you get your startup items in the state you want them, I will give you some instructions in step three that will put these items back into hijackthis where I'll then give you one more set of instructions after I see the new logs so you can control them from loading while still having a back up to get them back if you change your mind.


    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    3) For information: Among the items you are trying to prevent from starting up with msconfig are Khost.exe which is part of Kontiki and MSN Messenger. You're also controlling RtHDVCpl which is part of your audio system driver. Superantispyware needs to be added back into normal startup, because otherwise it won't uninstall properly when you follow the final cleanup instructions. By doing the following, you'll be putting the computer back into normal startup mode, which will cause the startup items to appear in HijackThis. I'll then post one more set of instructions for HijackThis. The new MGlogs will also allow me to make sure that Shopperlink is out of your uninstalls list.

    Please go to Start/Run and type in msconfig and check normal system start, click on accept and okay. After you do this, run the C:\MGTools\GetLogs.bat again.

    Attach the new MGlogs.zip.

    Thanks.
    abri
     
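A read-only audit for the remnants this thread deals with (the uninstall entry that Add/Remove Programs hides, the DonorLink tray launcher in the common Startup folder, and the folders the CFScript targeted), added here as an example and not something abri or MajorGeeks posted. It assumes PowerShell is available on the machine and that a hidden uninstall entry, if present, sits under one of the standard Uninstall keys (an assumption; the thread never shows the key).

```powershell
# Added audit script, not from the thread: reports findings and removes nothing.
$patterns = @('ShopperLink', 'DonorLink', 'Tarma Installer', '\ipd\')   # names taken from the thread
$findings = @()

# 1) Uninstall entries, including ones Add/Remove Programs hides: SystemComponent=1,
#    no DisplayName, or only a QuietUninstallString (the "quiet string" abri mentions).
$uninstallRoots = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',   # 64-bit only
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($root in $uninstallRoots) {
  if (-not (Test-Path $root)) { continue }
  foreach ($key in Get-ChildItem $root) {
    $p = Get-ItemProperty $key.PSPath
    $text = "$($key.PSChildName) $($p.DisplayName) $($p.UninstallString) $($p.QuietUninstallString)"
    if ($patterns | Where-Object { $text -match [regex]::Escape($_) }) {
      $hidden = ($p.SystemComponent -eq 1) -or (-not $p.DisplayName) -or (-not $p.UninstallString)
      $findings += [pscustomobject]@{ Kind = 'Uninstall'; Where = $key.PSPath; Name = $p.DisplayName
                                      HiddenFromARP = $hidden
                                      Command = "$($p.UninstallString)$($p.QuietUninstallString)" }
    }
  }
}

# 2) Startup shortcuts (common and per-user Startup folders); resolve each .lnk target so a
#    friendly name such as "Start DonorLink System tray app.lnk" shows the binary it launches.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'CommonStartup', 'Startup') {
  $dir = [Environment]::GetFolderPath($folder)
  foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
    $target = $shell.CreateShortcut($lnk.FullName).TargetPath
    if ($patterns | Where-Object { "$($lnk.Name) $target" -match [regex]::Escape($_) }) {
      $findings += [pscustomobject]@{ Kind = 'Startup'; Where = $lnk.FullName; Name = $lnk.BaseName
                                      HiddenFromARP = $false; Command = $target }
    }
  }
}

# 3) Folders listed under FOLDER:: in the CFScript earlier in the thread; report any that remain.
$leftovers = @("$env:ProgramData\ipd", "$env:ProgramData\Tarma Installer") +
             ('zID', 'mc4', 'get1', 'cox3' | ForEach-Object { "$env:SystemRoot\System32\$_" })
foreach ($dir in $leftovers) {
  if (Test-Path -LiteralPath $dir) {
    $findings += [pscustomobject]@{ Kind = 'Folder'; Where = $dir; Name = (Split-Path $dir -Leaf)
                                    HiddenFromARP = $false; Command = '' }
  }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No ShopperLink/DonorLink remnants found.' }
```

Run it from an elevated prompt so HKLM and the common Startup folder are readable; a finding with HiddenFromARP set to True is an uninstall entry that exists in the registry but will not appear in the Add/Remove Programs list, which is the situation described above.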
