
shopperz malware in registry. [Solved]


  • This topic is locked

#1
bfeltz55

bfeltz55

    New Member

  • Member
  • Pip
  • 8 posts

Hi, I have shopperz malware in my Windows 8.1 registry. Malwarebytes and Hitman Pro do not remove it. They find it, "remove it", but shopperz is there for the next scan. I tried Malwarebytes in safe mode with no luck. I have run FRST in administrator mode and attached is the search.txt file as a result of doing a registry search for "shopperz". I do not understand how to make a fixlist.txt file with this. I guess I don't understand the switch options. Any help would be greatly appreciated. Thank you

 

Update 1) When I run the fix by copying the "search.txt" I get "Error: No automatic fix found for this entry." in all the fixlog output lines. I have attached this file as well ... What am I doing wrong? Where can I find a list of the fix switches? Thanks...

 

Update 2) I also ran OTL and have attached a log here. I don't even see shopperz here

Attached Files


Edited by bfeltz55, 08 February 2015 - 01:13 PM.

  • 0



#2
Valinorum

Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,913 posts
Hi bfeltz55, :)

:welcome:

My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:
  • Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system as it may hinder our process.
  • Malware removal is a complicated process so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being asked.
  • Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • Please print or save the instructions I give you for quick reference. We may be using Safe mode, which will cut you off from the internet, and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest any course that might damage your system, but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction, stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
  • Private Message(PM) if and only if I have not responded to your thread within three days or your query is offtopic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on other systems as it may do serious damage.
 
  • Step #1 Scan with Farbar Recovery Scan Tool
    • Please download Farbar Recovery Scan Tool by Farbar to your Desktop from the link below.
      Download link for 32 bit system
      Download link for 64 bit system
    • Right-click on the program and choose Run as administrator;
    • Put tick-mark on all boxes under Whitelist and Optional Scan;
    • Click on Scan;
    • After the scan two notepad files will be opened --
      • FRST.txt;
      • Addition.txt
    • Copy and Paste the contents of the logs in your next reply.
 
  • Required Log(s):
    • Farbar Tool Log(s)--
      • FRST.txt
      • Addition.txt
Regards,
Valinorum
  • 0

#3
bfeltz55

bfeltz55

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Hi Valinorum,

 

Thanks for the help !! Attached are the files you are looking for. 

Attached Files


  • 0

#4
Valinorum

Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,913 posts
Uninstall HitmanPro 3.7.


 
  • Step #2 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
      Start
      CreateRestorePoint:
      CloseProcesses:
      EmptyTemp:
      AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm
      AlternateDataStreams: C:\ProgramData\Temp:C3BB6A9A
      SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
      SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
      SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
      SearchScopes: HKU\S-1-5-21-3713703873-1345214829-3567504906-1001 -> {326582FE-09EE-4B49-91FA-04DC40FAB664} URL = 
      Handler: WSIEChrome - No CLSID Value
      End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt;
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Copy and Paste the contents of the log in your next reply.
 
  • Required Log(s):
    • FRST Fix Log
Regards,
Valinorum
  • 0

#5
bfeltz55

bfeltz55

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Okay, I uninstalled Hitman Pro. Followed your instructions. Rebooted. See the attached.

Attached Files


  • 0

#6
Valinorum

Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,913 posts
How is your PC?
  • 0

#7
bfeltz55

bfeltz55

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

I wonder why you had me do those "AlternateDataStreams:" and "SearchScopes" commands? Those didn't make much sense to me. Can you at least try to explain those actions?

 

Why doesn't normal Malwarebytes scan fix all this? I even tried their Anti-rootkit tool.

 

I didn't see your reply above "how's your PC? " Well I need to run Malwarebytes because shopperz is still in my registry big time.


Edited by bfeltz55, 08 February 2015 - 02:21 PM.

  • 0

#8
bfeltz55

bfeltz55

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Please look at the most recent registry search file (with FRST) . I am running Malwarebytes now and should be done soon. 

Attached Files


  • 0

#9
bfeltz55

bfeltz55

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Still have shopperz, with first scan. Will reboot and scan again? Please see attached

Attached Thumbnails

  • Capture2.JPG

  • 0

#10
bfeltz55

bfeltz55

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Maybe we should focus here: (see attached)

 

Attached Thumbnails

  • Part1.png

  • 0

#11
Valinorum

Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,913 posts
  • Step #3 Fix with MiniRegTool
    Please download MiniRegTool.zip and unzip it.
    Please download MiniRegTool64.zip and unzip it.
    • Run the tool.
    • Copy and paste the following into the edit box:
      HKEY_LOCAL_MACHINE\SOFTWARE\shopperz
      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\shopperz
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\csrcc
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\csrcc
      HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\shopperz
      HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|"C:\Program Files\shopperz\spdata.exe"
      HKEY_USERS\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\shopperz
      HKEY_USERS\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}
      HKEY_USERS\S-1-5-19\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}
      [HKEY_USERS\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}]
      [HKEY_USERS\S-1-5-20\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}]
      [HKEY_USERS\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}]
      [HKEY_USERS\S-1-5-21-3713703873-1345214829-3567504906-1001\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3713703873-1345214829-3567504906-1001\Software\shopperz]
      [HKEY_USERS\S-1-5-21-3713703873-1345214829-3567504906-1001\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3713703873-1345214829-3567504906-1001\Software\shopperz\script_storage]
      [HKEY_USERS\S-1-5-21-3713703873-1345214829-3567504906-1001\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3713703873-1345214829-3567504906-1001\Software\shopperz\script_storage]
      
    • Check the Delete Keys/Values including Locked/Null embedded radio button.
    • Press Go button and post the result.
 
  • Step #4 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
      Start
      C:\Program Files\shopperz
      End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt;
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Copy and Paste the contents of the log in your next reply.
 
  • Step #5 Scan with Malwarebytes' Anti-Malware
    • Download Malwarebytes' Anti-Malware from the suitable link below --
    • Double-click mbam-setup.exe to install the application.
    • Before clicking Finish perform the following actions --
      • Un-check the box beside Enable free trial of Malwarebytes Anti-Malware Premium.
      • Check the box beside Launch Malwarebytes Anti-Malware
    • Once the program has loaded, The MBAM dashboard will appear with an alert to update - click the green button Update Now;
    • Click on Settings --
      • Navigate to the tab Detection and Protection and check all the boxes under Detection Options
    • From the Dashboard click on Scan Now;
    • If threats are detected click on Apply actions. If the program asks to reboot your PC, let it do so;
    • On completion of the scan click on View Detailed Log after that click on Export Button, select Text File and save the log to your Desktop;
    • Copy and Paste the contents of the log in your next reply.
 
  • Required Log(s):
    • Farbar Tool Log(s) --
      • MiniRegTool Log
      • FRST Fix Log
    • Malwarebytes' Anti-Malware Tool Log
Regards,
Valinorum
  • 0
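
A read-only check that can be run before and after Steps #2 to #4 to see which of the listed items are still present. This is an added example, not part of Valinorum's instructions and not code from FRST or MiniRegTool; the function names are hypothetical, the sample list is a subset of the paths posted above, and reading `key|"name"` as "a value under that key" is an assumption about the list syntax.

```powershell
# Added example: verifies the thread's targets without deleting anything.
# Run from an elevated PowerShell prompt on the affected machine.
$targets = @'
HKEY_LOCAL_MACHINE\SOFTWARE\shopperz
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\shopperz
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\csrcc
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|"C:\Program Files\shopperz\spdata.exe"
[HKEY_USERS\S-1-5-20\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}]
'@ -split "`r?`n"

function Test-RegistryTarget {
    param([string]$Line)
    # Accept bare and [bracketed] lines; "key|value" is treated as one value (assumption).
    $key, $value = $Line.Trim() -replace '^\[|\]$' -split '\|', 2
    $path  = "Registry::$key"
    # -LiteralPath keeps braces in GUID-named keys from being read as wildcards.
    $found = Test-Path -LiteralPath $path
    if ($found -and $value) {
        $found = (Get-Item -LiteralPath $path).GetValueNames() -contains $value.Trim('"')
    }
    [pscustomobject]@{ Present = $found; Key = $key; Value = $value }
}

function Get-DirectoryStream {
    param([string]$Parent)
    # "dir /r" prints alternate data streams as "<size> name:stream:$DATA",
    # including streams attached to folders such as C:\ProgramData\Temp.
    cmd /c dir /r /a "$Parent" 2>$null | ForEach-Object {
        if ($_ -match '^\s+[\d.,]+\s+(?<stream>.+:.+:\$DATA)$') { $Matches['stream'] }
    }
}

# 1. Keys and values named in the fix list.
$targets | Where-Object { $_.Trim() } | ForEach-Object { Test-RegistryTarget $_ } |
    Format-Table -AutoSize -Wrap

# 2. Any loaded user hive with a Software\shopperz key, including SIDs not listed.
Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
    Where-Object { Test-Path -LiteralPath "Registry::$($_.Name)\Software\shopperz" } |
    ForEach-Object { "Still present: $($_.Name)\Software\shopperz" }

# 3. The program folder from Step #4 and the streams from Step #2.
"Folder present: $(Test-Path -LiteralPath 'C:\Program Files\shopperz')"
Get-DirectoryStream 'C:\ProgramData'
```

If the `csrcc` service key or the program folder reports as present again after a reboot, post that output in the thread rather than repeating the fix.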

#12
bfeltz55

bfeltz55

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

I like all of your recent suggestions! Well, since you went off-line yesterday, I was forced to restore to an earlier restore point prior to the shopperz infection. All is good now. I must admit I wish I had waited to try all these things to see if it would have worked though. Regardless, I wanted to thank you for the detailed followup, and the procedure may be useful for me or anyone else in the future.


  • 0

#13
Valinorum

Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,913 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





