Possibly Delivered By The 'TV Fanatic' Or 'ShopAtHome' Toolbars, Or Imposter

Discussion in 'Malware Help (A Specialist Will Reply)' started by gr8fl, Mar 5, 2014.

  1. gr8fl

    gr8fl Private E-2

    Hi MajorGeeks Tech Rep., Members and the Thread Community -

    Here goes (this is my first post and I'm suspecting that it might be too long - there's one way to find out) . . .

    While carefully following the instructions, I have completed the MajorGeeks' malware removal prep./removal tools scanning procedure (please see file report attachments). With the exception of the RogueKiller Scan, none of the succeeding scans indicated the presence of malware and, therefore, no initiate removal prompt/malware removal took place.

    The 'Current/Up-To-Date' TDSSKiller tool gave me a '0' malware result and, despite a 'thorough' search of my computer's files, I found no trace of a report log under any possible file name/location, or within the program itself. Based on the MajorGeeks instructions, my impression is that this log file would have been generated/saved, automatically, by the program, without the intervention of the user. Of course, no malware removal was, or would have been, performed by the TDSSKiller tool, or any other anti-malware tool recommended by MajorGeeks, or otherwise.

    Despite a high-speed wireless connection, my pc's performance remains sluggish/atypical, including a few peculiar incidents (sections of a web page's background disappearing/not loading, Comodo Firewall reports suggesting suspicious 'shopathome' program file/registry interaction) which cause me to suspect malware.

    *I have reviewed the link information provided by MajorGeeks, regarding the other possible/non-malware related causes for slow/problem computer performance.

    At some point, while browsing the web, my system appears to have "acquired" the infamous 'TV Fanatic' Toolbar and the 'ShopAtHome' Toolbar (or imposter) without the appropriate download initiation alerts. At that time (prior to becoming aware of the MajorGeeks tech service/procedures), I, immediately, uninstalled as many traces of those programs, as possible. Of course, there are, probably, concealed files remaining (system restore, other protected files?).

    I wanted to make certain to note that Comodo Firewall was installed on my laptop after I completed the MajorGeeks malware removal procedure. I hope that this 'mid-stream' security program installation does not complicate things for MajorGeeks Tech Dept. Disk emulation software remains disabled.

    I hope that this information/these attachments and the MajorGeeks forum/community will be able to shed some light on the problems that I am experiencing.

    - Thanks,
    gr8fl
     


    Last edited: Mar 5, 2014
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to MajorGeeks. :)

    Uninstall these:

    • ShopAtHome.com Helper
    • ShopAtHome.com Toolbar

    Delete this:
    C:\Program Files (x86)\TelevisionFanatic



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  3. gr8fl

    gr8fl Private E-2

    Hi Kestrel 13,

    - Thank you for your help.

    For some reason, my thread reply formatting toolbar is unresponsive, so this draft will have to do.

    The JRT tool scan/removal seems to have proceeded smoothly; based on the log, I believe that it removed, roughly, 9 problem files.

    Despite reassurances from the GetLogs.bat scan display, prompting the user that any "Can't Find Registry Key" alerts are routine and to be ignored - another alert, that the scanning process didn't reference, appeared - which read as follows:

    "Unsupported 16-Bit Application

    The program or feature “\??\C:\MGTools\ltime.exe” cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available."

    Nonetheless, I did not interrupt the remainder of the GetLogs.bat log report scan. The scan display showed repeated 'Access Denied' notifications and, toward the beginning of that scan, a passage stating that it had encountered "32-Bit" OS Windows!

    My system is 64-Bit, which makes, both, the incompatibility alert and the 32-Bit Windows issue even more difficult for a layperson/non-tech to understand.

    Since, I believe, this same logging scan/process had been run, successfully, on my computer, in order to compose the first MGTools report, I find all of this very confusing.

    The GetLogs.bat scan did not complete/finish routinely and did not generate a log report - disappearing after I closed the alert window. The last several lines of the scan display showed repeats of the "Access Denied" notification, before it vanished.

    I ran the scan again, with the same result. Maybe, this is, simply, a matter of installing a compatible version of the tool - but, I'm concerned that there may be a more complex issue behind the problem.

    So far, my pc seems to be performing well, but you know how 'stealthy' malware can be, depending on the architecture.

    [I'm not certain whether, or not, your tech response email is going to display, along with this reply, or, whether it is appropriate that it be posted (given that someone might make the misguided attempt to apply some portion of your advice, tailored/specific to my circumstances, with unfortunate results).]

    As requested, I have included the JRT.txt file attachment . . . please advise.

    Thanks,
    gr8fl
     

    Attached Files: JRT.txt (2.9 KB)
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure that you ran GetLogs.bat? Sounds like you ran GetRunKey.bat, which is only for 32 bit and it would give that failure you mentioned. GetLogs.bat will not cause that problem because it will determine if you have 32 bit or 64 bit and automatically will run the correct programs.
     
  5. gr8fl

    gr8fl Private E-2

    Hi chaslang/MajorGeeks Tech,

    I'm 'absolutely positive' that the file I opened for the, immediate, scan that followed was identified as 'GetLogs.bat' and not 'GetRunKey.bat'.

    Additionally, I just ran a file search, again, for the GetLogs.bat file and it is nowhere to be found - at least, it's not where it had been located.

    As a layperson/non-tech, my thoughts are taking me in the impractical direction of wondering whether, or not, malware could be behind this seeming diversion/misdirection, but find the notion somewhat surreal because that would suggest something very elaborate which, I would have thought, isn't likely/probably doesn't exist (and overkill, given that the data on my pc doesn't warrant such a sophisticated attempt, though malware breaches can be random).

    Please be assured that this new Member is not mistaken/confused regarding the name of the report log file that was accessed (or, the result/outcome of the process) . . . it was named/identified GetLogs.bat.

    Would it be premature of me to ask you what might explain this discrepancy?

    Thanks,
    gr8fl :confused
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you first posted your initial MGlogs.zip file, that was obtained by the MGtools.exe file automatically creating a C:\MGtools folder and it also automatically ran the same GetLogs.bat file which worked previously. The only way to get an error message about the 64 bit incompatibility is if the wrong file is run and that does not happen when GetLogs.bat is run. So try the below which will do the same thing as in your initial posting.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista, Win7, or Win8, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below logs:
    • C:\MGlogs.zip
     
  7. gr8fl

    gr8fl Private E-2

    Hi again chaslang/MajorGeeks Rep.,

    Sorry about the confusion . . . I'm fairly confident that I've discovered what the problem was.

    First, I ran a search with a more specific pathway and 'did' find the GetLogs.bat file, as well as the 'not to be opened/included' GetRunKey.bat (never run/in a separate location). So, a missing tool file is no longer a part of the equation.

    I had, indeed, accessed the correct report log file, GetLogs.bat, when I ran the problem scan referred to, earlier - but, when I disabled all of my anti-virus/spyware/firewalls, before doing so, I had forgotten about a relatively new security program that I had installed, called 'Autorun Eater' (for the benefit of the MajorGeeks Malware Forum community: 'Autorun Eater' counters unwelcome/unannounced downloads) and had failed to disable it.

    Between that and, possibly, the fact that my UAC / User Account Control remained enabled (several prompts/permissions), the scan behaved atypically; at least, that's a non-tech's theory.

    I disabled both of those programs and the GetLogs.bat scan appeared to run/work like a charm (please see attachment: MGlogs.zip; the JRT.txt file attachment was included, earlier today, with my email reply to Tech, Kestrel13).

    You'd know, better, whether the re-attempted GetLogs.bat report log scan was successful, or not. If the MGlogs.zip file (as well as the JRT.txt file) results look good to you, I may be 'Out Of The Woods' thanks to MajorGeeks!

    . . . Here's hoping.

    Thanks again,
    gr8fl
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi,

    Why am I still seeing this installed?

     
  9. gr8fl

    gr8fl Private E-2

    Hi again Kestrel13,

    . . . Uh oh.

    I have uninstalled/deleted everything that was searchable/discoverable (by a non-tech).

    Following the uninstall/any discernible 'remaining traces' deletion, I was unable to discover any additional problem programs/files, that were apparent.

    Comodo firewall has displayed ShopAtHome.com Helper registry access/interaction alerts, in the past - I was hoping that our recent efforts had removed that threat.

    Do malware programs/traces hold on, despite measures like the ones that we have taken (- very carefully/thoroughly, at this end)?

    Is there a more specific drive pathway that I can attempt in order to locate the offending 'ShopAtHome.com Helper' file?

    - I hope that I haven't run out of options.

    Thanks again,
    gr8fl
     
    Last edited: Mar 7, 2014
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sorry, forgive me but I'm now confused. Did you try to uninstall it and it did not work? If so try using Revo Uninstaller.
     
  11. gr8fl

    gr8fl Private E-2

    Hey Kestrel13/MajorGeeks Rep.,

    MajorGeeks Techs, please reference the text field highlighted in blue, below, for condensed (to the best of my ability) case update specifics.

    When requested by Tech Kestrel13, on 03-06-14 03:14, an uninstall was performed for all noted problem programs, including ShopAtHome. Following these uninstall processes, my pc provided reports which indicated that the uninstalls were successful.

    After additional steps/scans, recommended by MajorGeeks Techs, were performed (Junkware Removal Tool, GetLogs.bat file report log scan), Kestrel13 informed me that the file 'ShopAtHomeHelper' had not been removed from my system during the ShopAtHome program uninstall (which, apparently, she was not clear that I had, already, performed), and I, immediately, ran an 'unsuccessful' system file search for the tenacious file.

    After updating the MajorGeeks Tech Department, Kestrel13 recommended the 'Revo Uninstaller Tool'.

    While I did install that versatile tool, I found that since I had, 'already', previously performed a ShopAtHomeHelper file uninstall (at that time, noted by my system as being successful, with no recognizable trace remaining, in my System Programs list) - the tool was only able to offer partial/limited assistance in locating the undesired file, for removal (later on, after I was able to locate the ShopAtHomeHelper file manually, I had 'considered' trying out this tool's "Hunter" feature, because it seemed to be the most reliable/appropriate means, offered, for assured removal, 'under the circumstances', but, exercising discretion, decided to hold off).

    **Following some online research, I was able to identify a more specific pathway to the elusive ShopAtHomeHelper file (C:\Users\InsertUser's Name\AppData\Roaming\ShopAtHome\ShopAtHomeHelper) and, so, have successfully located the file in my system, which, as it turns out, is actually a folder containing '14' files. This folder, or any portion of its 14 files, is 'not' represented/shown on my System Programs list.

    **For now, I am refraining from a standard, manual 'right click/pop-up window/Delete' command, until I receive approval from a MajorGeeks Tech, because it is conceivable that these malware programs may respond atypically/evasively.

    Now that I've located the folder, if a MajorGeeks Tech believes that it is advisable to remove it with a particular malware tool (Revo Uninstaller Tool's 'Hunter' sub-tool?) - certainly, I would prefer to use the method which offers the greatest assurances.**

    (. . . Please advise).

    I assume that I would, then, need to run another GetLogs.bat file report log scan for confirmation of a successful removal/complete "decontamination".

    Point of interest: This folder's properties/previous versions record shows multiple bi-weekly updates/changes, which (in addition to any routine/mundane program adjustments/alterations) I am concerned (layperson's speculation) is an indication of this malware program's evolutionary record of "morphing mutations", choreographed for the purpose of evading detection/remaining formidable as an unwelcome/agenda focused system intruder that is resistant to location removal.

    . . . Of course, MajorGeeks Techs would know, better, the answer to that question.

    Thanks, once again
    gr8fl
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Can you just answer these questions for me quick and to the point:
    • Do you still see the shopathome.com helper still installed in your add/remove programs on your computer?
    • Does it show up in Revo Uninstaller?
     
  13. gr8fl

    gr8fl Private E-2

    Kestrel13/MajorGeeksTech (please see asterisks, as well),

    - No, To Both Questions.

    *I have, now, 'successfully located' the ShopAtHomeHelper folder (which encloses 14 files) in my system and am ready to delete it.

    **Should I, simply, delete it, or use the malware removal tool of your/theTech Department's choice?

    Thanks,
    gr8fl
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I just want you to answer my two questions please. Thanks. ;)
     
  15. gr8fl

    gr8fl Private E-2

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thank you.

    Now we can move on and take care of it. ;)

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  17. gr8fl

    gr8fl Private E-2

    Received registry add success message; see C:\MGlogs.zip attachment.
     


  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can delete the whole folder of shopathome files, yes.

    Any problems outstanding? How are things running? :)
     
  19. gr8fl

    gr8fl Private E-2

    - Yes, there are outstanding problems:

    When, upon your recommendation, I attempted the ShopAtHomeHelper folder deletion, I received a notification stating that "the folder or file cannot be deleted, because it is open in another program (earlier registry uninstall attempt?)".

    Additionally, ever since your requested registry add command (executed 'exactly as instructed') was made, my pc has been making a persistent grinding noise.

    . . . I am aware of this site's 'Terms of Use/User Agreement'.

    Would it have made any difference, if the ShopAtHomeHelper folder had been deleted before/without the registry uninstall attempt (layperson speculation, please pardon)?
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, nothing like that should cause a grinding noise.

    Give me the exact file path of the folder, e.g.: C:\username\ProgramFiles\Shopathome
     
  21. gr8fl

    gr8fl Private E-2

    Pathway: C:\Users\Mark\AppData\Roaming\ShopAtHome\ShopAtHomeHelper

    - I haven't heard the grinding noise for quite some time, now.
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    
    :files
    C:\Users\Mark\AppData\Roaming\ShopAtHome
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large button (shown as an image in the original post).
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Has the folder truly gone now after using OTM?
     
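A read-only check, added here as an example and not part of the thread or any of the tools it mentions, that answers the "has it truly gone?" question above for every remnant the thread names: the per-user ShopAtHome roaming folder, the TelevisionFanatic program folder, their Add/Remove Programs entries, and any still-running process from those folders (the cause of the "open in another program" failure in post 19). The function and parameter names are this example's own.

```powershell
# Added example (not from the thread or its tools): report toolbar remnants that the
# thread names, without deleting anything. Paths and names come from the thread.
function Test-ToolbarRemnants {
    [CmdletBinding()]
    param(
        # Folder names looked for under every profile's AppData\Roaming (from the thread).
        [string[]]$RoamingFolders = @('ShopAtHome'),
        # Fixed install folders (the thread names C:\Program Files (x86)\TelevisionFanatic).
        [string[]]$FixedPaths = @("${env:ProgramFiles(x86)}\TelevisionFanatic"),
        # Substrings matched against DisplayName in the Uninstall keys (from the thread).
        [string[]]$DisplayNames = @('ShopAtHome', 'TelevisionFanatic', 'TV Fanatic')
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $flaggedFolders = New-Object System.Collections.Generic.List[string]

    # 1. Roaming folders: the thread's copy lived in C:\Users\<name>\AppData\Roaming\ShopAtHome,
    #    so every profile on the system drive is checked, not only the current user's.
    $usersRoot = Join-Path $env:SystemDrive 'Users'
    foreach ($userDir in Get-ChildItem -LiteralPath $usersRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($name in $RoamingFolders) {
            $candidate = Join-Path $userDir.FullName "AppData\Roaming\$name"
            if (Test-Path -LiteralPath $candidate) { $flaggedFolders.Add($candidate) }
        }
    }
    # 2. Fixed program folders.
    foreach ($p in $FixedPaths) {
        if ($p -and (Test-Path -LiteralPath $p)) { $flaggedFolders.Add($p) }
    }
    foreach ($f in $flaggedFolders) {
        $findings.Add([pscustomobject]@{ Kind = 'Folder'; Detail = $f })
    }

    # 3. Add/Remove Programs entries: native, 32-bit-on-64-bit (WOW6432Node) and per-user hives.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($key in $uninstallKeys) {
        foreach ($sub in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $display = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DisplayName
            if (-not $display) { continue }
            foreach ($n in $DisplayNames) {
                if ($display -like "*$n*") {
                    $findings.Add([pscustomobject]@{ Kind = 'UninstallEntry'; Detail = "$display ($($sub.PSChildName))" })
                    break
                }
            }
        }
    }

    # 4. A manual delete fails with "open in another program" while a process whose image
    #    lives in the folder is still running, so report any such process.
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        foreach ($f in $flaggedFolders) {
            if ($proc.Path -and $proc.Path.StartsWith($f, [System.StringComparison]::OrdinalIgnoreCase)) {
                $findings.Add([pscustomobject]@{ Kind = 'RunningProcess'; Detail = "$($proc.ProcessName) (PID $($proc.Id)) from $($proc.Path)" })
            }
        }
    }
    return $findings
}

# Usage: run from an elevated prompt; no rows printed means none of the listed remnants were found.
Test-ToolbarRemnants | Format-Table -AutoSize
```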
  23. gr8fl

    gr8fl Private E-2

    - The OTM report log looks promising (attached).

    I ran a system/drive search for C:\Users\Mark\AppData\Roaming\ShopAtHome\ShopAtHomeHelper (including pathway/drive variations) and the folder does not appear to be present.

    My system's performance appears to be much improved.
     


  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Excellent. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    3. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    8. After doing the above, you should work through the below link:
     
