massive ADWARE infestation Shoppers Report Click Potato

Hello helpful Avast team,

I have your paid Avast Int Security

I have cleaned massive ADware since Friday night
Avast blocked a download from a video site
and put ShopperReports.dll in Virus Chest
your scan afterwards on Friday night was clean

but Saturday morning I checked and used
SuperAntiSpyware
MalwareBytes
ESET
ComboFix
(from old instructions from another help website)

they found massive amounts of the ADware and in applications too.

after thinking all cleaned

I went to UNINSTALL programs and saw Shopper Reports and Click Potato were still applications so I UNinstalled
I think the Shopper Reports uninstall unleashed a new attack on Saturday

more cleaning

Where I am now

after MBAM’d and ComboFix
ESET online scan Saturday night was clean
Avast scan Sunday morning is clean

but I cannot use any SET UP to reinstall Firefox which I UNinstalled due to constant pop up messages that it could not UPDATE
or could not install the Kaspersky virus scan SET UP

also

I get the “WINDOWS HAS BLOCKED SOME STARTUP PROGRAMS” pop up balloon

pop up message I get about SET UP is
“A required privilege is not held by the client”

has something been deleted by ComboFix?
it deleted this item:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.dat.
.

do you want my logs from MBAM ESET Super Anti Spy?

thank you for any help - I fear going further alone

Karen

Hi Karen R,

Look, this is Smart Shopper adware; well, HotBar is hosted on the same IP as this product,
you'd better be without it, I guess: http://www.freefixer.com/library/file/60535/
It could be deleted with Windows Add/Remove Programs, or else
use ToolbarCop to remove it; read how to use it,
and download ToolbarCop from here: http://www.majorgeeks.com/download4126.html

polonus

do you want my logs from MBAM ESET Super Anti Spy?
yes

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTS log)

thank you both I am here

2 different pieces of advice

which one do I choose?

Hi KarenR,

If you want to be absolutely and utterly certain for it to be gone, use Essexboy’s proposed cleansing routine: http://forum.avast.com/index.php?topic=53253.0
Nothing against doing the MBAM combined OTS routine, hope you get rid of it soon, loads of success,

polonus

my screen just crashed shut down and I just logged back in

so I may take a while

I thank you and shall try the cleansing first

As I say in my reply, post the logs, then run OTS and also post that log.

These programmes are a real annoyance, although they are classified as adware rather than viruses.

Could you also attach the last Combofix log as well please - so that I can see why it deleted ntfs.dat

I cannot find ESET first scan that removed applications Saturday

attached are MBAM log and ComboFix from Saturday

remember ESET was clean by end of Saturday

I will await you?
or go ahead with the cleansing now?

Let's have a quick look with OTS to see if there is anything lingering… Are you still getting clickpotato and friends?

Download OTS to your Desktop and double-click on it to run it

- Make sure you close all other programs and don't use the PC while the scan runs.
- Select All Users
- Under additional scans select the following:
  - Reg - Disabled MS Config Items
  - Reg - Drivers32
  - Reg - NetSvcs
  - Reg - Shell Spawning
  - Evnt - EventViewer Logs (Last 10 Errors)
  - File - Lop Check
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.

hi Essexboy

will now do your OTS

no icon anymore for Click Potato and though I UNinstalled?

It may have gone, but then again there may be remnants - better safe than sorry ;D

here is OTS

also - IExplorer would not save a favourite I got a message?

weirdness

What error do you get when you try to save a favourite?

Start OTS. Copy/paste the information in the quote box below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Users\staples\AppData\Roaming\Mozilla\FireFox\Profiles\t675kg47.default\prefs.js
YN -> browser.search.selectedEngine -> "DAEMON Search"
YN -> extensions.enabledItems -> {21b88860-5e00-44dd-bdac-fca1f791837e}:0.2.0.7
YN -> extensions.enabledItems -> {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
YN -> extensions.enabledItems -> {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
< FireFox Extensions [User Folders] > -> 
YY -> Kaboodle   -> C:\Users\staples\AppData\Roaming\Mozilla\Firefox\Profiles\t675kg47.default\extensions\{21b88860-5e00-44dd-bdac-fca1f791837e}
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3886293462-2656852358-2641576973-1000\] > -> HKEY_USERS\S-1-5-21-3886293462-2656852358-2641576973-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{32099AAC-C132-4136-9E9A-4E364A424E17}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {7530BFB8-7293-4D34-9923-61A11451AFC5} [HKLM] -> http://download.eset.com/special/eos/OnlineScanner.cab [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  Comfix21450C -> C:\Comfix21450C
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.
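The fix pasted above is a small declarative script: bracketed section headers, "< ... >" sub-headings that name a file or registry location, and one item per line prefixed with a two-letter token and separated by "->". Before clicking Run Fix it is worth knowing exactly which files and registry locations a fix will touch. The parser below is an added example written for this thread, not part of OTS or of the original posts; it reads the fix exactly as posted (trimmed to a few lines) and lists the on-disk paths and registry hives it references. The YN/YY/NY tokens are kept as opaque flags, since the thread does not define them.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Trimmed copy of the fix script posted above (same format, same values).
OTS_FIX = r"""[Unregister Dlls]
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Users\staples\AppData\Roaming\Mozilla\FireFox\Profiles\t675kg47.default\prefs.js
YN -> browser.search.selectedEngine -> "DAEMON Search"
YN -> extensions.enabledItems -> {21b88860-5e00-44dd-bdac-fca1f791837e}:0.2.0.7
< FireFox Extensions [User Folders] > -> 
YY -> Kaboodle   -> C:\Users\staples\AppData\Roaming\Mozilla\Firefox\Profiles\t675kg47.default\extensions\{21b88860-5e00-44dd-bdac-fca1f791837e}
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  Comfix21450C -> C:\Comfix21450C
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
"""


@dataclass
class FixEntry:
    section: str       # bracketed section the line sits in, e.g. "Registry - Safe List"
    group: str         # "< ... >" sub-heading above the line ("" if none)
    group_target: str  # file or registry location named on that sub-heading ("" if none)
    flags: str         # two-letter token OTS prefixes each item with (YN, YY, NY); treated as opaque
    name: str          # item acted on: pref name, extension, GUID, folder
    target: str        # value, path or registry location after the last "->"


SECTION_RE = re.compile(r"^\[(.+)\]$")
ITEM_RE = re.compile(r"^([YN]{2}) -> (.+?) -> (.*)$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_ots_fix(text: str) -> Tuple[List[str], List[FixEntry]]:
    """Return the ordered section names and every per-item line of an OTS fix."""
    sections: List[str] = []
    entries: List[FixEntry] = []
    section, group, group_target = "", "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            group, group_target = "", ""   # sub-headings do not carry across sections
            sections.append(section)
            continue
        if line.startswith("<"):
            head, _, rest = line.partition(">")
            group = head.strip("< ").strip()
            rest = rest.strip()
            group_target = rest[2:].strip() if rest.startswith("->") else ""
            continue
        m = ITEM_RE.match(line)
        if m:
            entries.append(FixEntry(section, group, group_target, m.group(1),
                                    m.group(2).strip(), m.group(3).strip()))
    return sections, entries


def filesystem_targets(entries: List[FixEntry]) -> List[str]:
    """On-disk paths the fix will act on: confirm they are adware remnants, not wanted files."""
    return [e.target for e in entries if WIN_PATH_RE.match(e.target)]


def registry_targets(entries: List[FixEntry]) -> List[str]:
    """Registry locations (taken from the sub-heading) that at least one item points into."""
    return sorted({e.group_target for e in entries if e.group_target.startswith("HKEY_")})


def section_counts(entries: List[FixEntry]) -> Dict[str, int]:
    """How many items each section carries; sections with zero are bare directives."""
    return dict(Counter(e.section for e in entries))


if __name__ == "__main__":
    sections, entries = parse_ots_fix(OTS_FIX)
    print("sections:", sections)
    print("items per section:", section_counts(entries))
    print("paths on disk:", filesystem_targets(entries))
    print("registry locations:", registry_targets(entries))
```

Sections that carry no items (Empty Temp Folders, EmptyFlash, CreateRestorePoint) are directives rather than targeted deletions, which is why the count only lists the two sections with items; the restore point directive is the one to check for before running any fix that touches files.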

about IExplorer

Just checked if in fact did save the fave - yes

I will try another save to get you the message if you want

then I will do your next OTS step

thanks

;D

OTS run fix attached
- it asked to restart
- restarted
- still get WINDOWS HAS BLOCKED PROGRAMS ON STARTUP

IExplorer before the fix -tried again to add fave - no message that time

If you right-click the bubble you will get the option to unblock the programme… I reckon it will be Malwarebytes

How is it now?

ha ha you are psychic!

I right-click but the option is to run Malware Bytes

or show or remove blocked - then it opens Windows Defender

so should I remove Malware B from the startup list somehow?

No, allow it to run as it is tidying up from its last run.