ScorpionSaver/Level Quality Watcher won't go away


10 replies to this topic

#1 Chris4111

Chris4111

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 05 December 2013 - 11:08 AM

Skimming through the forum this looks like a pretty common problem..

 

I received these files from CNET. I run MS Windows 7 Professional and use only Internet Explorer 9. (This is where it gets tricky... I'm pretty computer illiterate, so bear with me.)

 

It's my work computer and our IT guy installed AVG 2012 onto it about a year ago but I've never touched the program, just assumed it was always doing its thing in the background. I guess that's how I became infected? For simplicity let's say my knowledge of virus software features and applications is next to nothing.

 

I got the viruses a couple weeks ago and after google searching I tried the "regedit" delete of the scorpionsaver file only to have it come back the next day, so now my morning routine is to start up my computer and delete this file before starting work, which isn't a long-term solution, which brings me here. I browsed a few of the similar questions but it seems every computer is a different scenario with different solutions.

 

So, where do I go from here? I came across terms like "combofix" and "post the log" on this forum which I have no idea what they mean, so please bear with me, and I will do my best to Google search answers to the questions I may have for you so as to not waste your time along the way :thumbup2:

 

 

 




 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:44 PM

Posted 05 December 2013 - 11:32 AM

Hello Chris.. One thing is to have them update AVG 2012 to 2014 so you have better protection..

Next....

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
  • Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When the scan is complete, click OK, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
  • Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
    -- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

ADW Cleaner
Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
    <-insert any special instructions here for what to uncheck OR remove this line if there are none->
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Brian81

Brian81

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:44 PM

Posted 05 December 2013 - 12:42 PM

If you go into your Control Panel >> Programs and Features, does it show up here? If so, I would suggest running the uninstaller.



#4 Chris4111

Chris4111
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 05 December 2013 - 06:22 PM

If you go into your Control Panel >> Programs and Features, does it show up here? If so, I would suggest running the uninstaller.

 

Thanks for the reply, yes every morning when I begin using my computer I open the uninstaller to find that scorpionsaver has been installed on that day's date, uninstall and "regedit" delete scorpionsaver, do my work, go home, come to work the next morning and repeat the process.

 

Thanks also boopme for the reply, now that my work is done for today I'm going to attempt the tasks you listed up above.



#5 Chris4111

Chris4111
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 05 December 2013 - 06:42 PM

I completed the Malwarebytes instruction and got this log:

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.05.08

Windows 7 x86 NTFS
Internet Explorer 9.0.8112.16421
cwhiteford :: LESLEY [administrator]

Protection: Enabled

12/5/13 3:28:29 PM
mbam-log-2013-12-05 (15-28-29).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 468417
Time elapsed: 11 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 5
HKCR\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17} (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{10AD2C61-0898-4348-8600-14A342F22AC3} (PUP.Optional.ScorpionSaver) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10AD2C61-0898-4348-8600-14A342F22AC3} (PUP.Optional.ScorpionSaver) -> Quarantined and deleted successfully.
HKCU\Software\Conduit\FF (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Scorpion Saver (PUP.Optional.ScorpionSaver) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 3
C:\Program Files\Level Quality Watcher\v1.01 (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.
C:\ProgramData\Conduit\IE (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\ProgramData\Conduit\IE\CT3306061 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

Files Detected: 12
C:\TEMP\InstallServices32.msi (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.
C:\TEMP\InstallServices64.msi (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.
C:\TEMP\scorpionsaver.exe (PUP.Optional.ScorpionSaver) -> Quarantined and deleted successfully.
C:\TEMP\ScorpionSaver.msi (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.
C:\Windows\System32\AdpeakProxy.dll (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.
C:\Users\cwhiteford\AppData\Local\Temp\nso2BE3.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.
C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher32.exe (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.
C:\Users\cwhiteford\AppData\Local\Temp\AdpeakProxyr.log (PUP.Optional.AdpeakProxy) -> Quarantined and deleted successfully.
C:\Windows\Temp\AdpeakProxy.log (PUP.Optional.AdpeakProxy) -> Quarantined and deleted successfully.
C:\Windows\Temp\AdpeakProxyr.log (PUP.Optional.AdpeakProxy) -> Quarantined and deleted successfully.
C:\ProgramData\Conduit\IE\CT3306061\UninstallerUI.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

(end)

 

 

 

Edit1- to add that I was asked by Malwarebytes to restart my system, which I did immediately. Moving on to the next step...

 

 

 

Edit2- I completed the ADW Cleaner instruction and got this log:

 

# AdwCleaner v3.014 - Report created 05/12/2013 at 15:50:58
# Updated 01/12/2013 by Xplode
# Operating System : Windows 7 Professional (32 bits)
# Username : cwhiteford - LESLEY
# Running from : C:\Users\cwhiteford\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9K82UVBM\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\Conduit
Folder Deleted : C:\Program Files\Level Quality Watcher
Folder Deleted : C:\Users\lesley\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\cwhiteford\AppData\Local\Conduit
Folder Deleted : C:\Users\cwhiteford\AppData\LocalLow\Conduit
File Deleted : C:\END
File Deleted : C:\Users\lesley\AppData\Roaming\Mozilla\Firefox\Profiles\v1980sbr.default\searchplugins\SweetIm.xml

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_rasmancs
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3306061
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\Software\Conduit

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16476

*************************

AdwCleaner[R0].txt - [1663 octets] - [05/12/2013 15:49:18]
AdwCleaner[S0].txt - [1630 octets] - [05/12/2013 15:50:58]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1690 octets] ##########

 

 

 

Edit3- I completed the Junkware Removal Tool instruction and got this log:

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Professional x64
Ran by cwhiteford on Thu 12/05/13 at 16:02:58.72
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\mconduitinstaller_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\mconduitinstaller_RASMANCS
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5CABFCED-C43E-4E6A-9B8C-02E679288FDC}

 

~~~ Files

 

~~~ Folders

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 12/05/13 at 16:05:41.26
Computer was rebooted
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

One thing that wasn't mentioned in the instruction above is that once I finished the JRT and the log popped up, I clicked to open IE and post the log here and automatically a window "Manage Add-ons" popped up and the "Search Providers" option was selected. Only Bing was listed.


Edited by Chris4111, 05 December 2013 - 07:11 PM.
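
A pasted Malwarebytes log like the one in the post above can be checked mechanically before anyone relies on it. The following is an added example, not part of the original thread or of any Malwarebytes tooling: it parses the 1.75-style text format, counts detections per family, lists items whose action is not the success string, and flags sections whose declared count does not match the lines actually pasted. The function name `triage`, the sample log and its non-success action string are assumptions constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes 1.75 text format shown in the post.
# "Files Detected" declares 3 items but lists 2, and the last action string
# is made up for the demo; the posted log shows only the success string.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.75.0.1300
Database version: v2013.12.05.08
Windows 7 x86 NTFS

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\Software\Conduit\FF (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Scorpion Saver (PUP.Optional.ScorpionSaver) -> Quarantined and deleted successfully.

Folders Detected: 1
C:\Program Files\Level Quality Watcher\v1.01 (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.

Files Detected: 3
C:\TEMP\scorpionsaver.exe (PUP.Optional.ScorpionSaver) -> Quarantined and deleted successfully.
C:\Windows\System32\AdpeakProxy.dll (PUP.Optional.Adpeak) -> Delete on reboot.
(end)
"""

SECTION = re.compile(r"^(.+?) Detected: (\d+)$")      # e.g. "Files Detected: 12"
ENTRY = re.compile(r"^(.+) \(([^()]+)\) -> (.+)$")    # item (family) -> action
CLEAN = "Quarantined and deleted successfully."


def triage(log_text):
    """Summarise a pasted log: families, unresolved items, truncated sections."""
    report = {"database": None, "families": Counter(),
              "unresolved": [], "short_sections": {}}
    section, declared, seen = None, {}, Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Database version:"):
            report["database"] = line.split(":", 1)[1].strip()
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            declared[section] = int(header.group(2))
            continue
        entry = ENTRY.match(line)
        if entry and section:
            item, family, action = entry.groups()
            seen[section] += 1
            report["families"][family] += 1
            # The final action is whatever follows the last " -> " on the line.
            if action.rsplit(" -> ", 1)[-1] != CLEAN:
                report["unresolved"].append((item, family, action))
    # A mismatch means the paste is incomplete or the log was edited.
    for name, count in declared.items():
        if seen[name] != count:
            report["short_sections"][name] = (count, seen[name])
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("database:", result["database"])
    print("families:", dict(result["families"]))
    print("unresolved:", result["unresolved"])
    print("short sections (declared, listed):", result["short_sections"])
```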


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:44 PM

Posted 05 December 2013 - 09:19 PM

Ok, do you want others in there?
 
 Looks like we got scorpion and its friends like conduit and Adpeak.

EDIT...
Empty your temp folders using TFC (Temporary File Cleaner)

  • Please download TFC by Old Timer and save it to your desktop.
    alternate download link
  • Save any unsaved work. (TFC will close ALL open programs including your browser!)
  • Double-click on TFC.exe to run it. (If you are using Vista, right-click on the file and choose "Run As Administrator".)
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway allowing Windows to load normally (not into Safe Mode) to ensure a complete clean.

Edited by boopme, 05 December 2013 - 10:06 PM.


#7 richtv

richtv

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 05 December 2013 - 09:32 PM

I see a few threads here so I just chose this one.

Had the same thing but I think I got rid of it, will just have to wait and see.

I believe I got it when I installed the xpsviewer off of cnet.com; it is a software that converts xps into pdf files.

what i use on my system:

WinXP

1. Norton 360

2. Spyhunter 4 [helped block scorpionsaver.exe from executing]

3. CCleaner - Business Edition [I also use this when emptying my Recycle Bin. Instead of right-click and selecting empty recycle bin, I select Run CCleaner]
 
4. Firefox with Adblock Plus and NoScript
 
5. Malwarebytes
 
Some things to look for when tracking this sucker down......
 
program:
 
C:\Program Files\Level Quality Watcher\v1.01
C:\temp
files include scorpionsaver.msi, scorpionsaver.exe
 
regedit:
 
HKEY_LOCAL_MACHINE\SOFTWARE\SCORPION SAVER

HKEY_LOCAL_MACHINE\SOFTWARE\LevelQualityWatcher

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Level Quality Watcher

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LEVEL_QUALITY_WATCHER

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Level Quality Watcher

Windows Task Manager:
levelqualitywatcher32.exe

C:\WINXP\Prefetch
XPSVIEWER-SETUP.EXE-1B75BD39.pf
908-02F1BFC3.pf
CMD.EXE-2AAB9DAB.pf
FIND.EXE-306D7099.pf
SC.EXE-049AAB35.pf
NS6D0.TMP-01B67449.pf
SCORPIONSAVER_11142013.EXE-01AD9F42.pf
LEVELQUALITYWATCHER32.EXE-0EE6E920.pf
SETUP.TMP-03C9D92F.pf
UN.PACKAGE.EXE-2E607531.pf
OPTIMIZERPRO.EXE-36D127CC.pf
SETUP.EXE-1381E4DD.pf
DEALPLY_7302013.EXE-3A0E777A.pf
REGSVR32.EXE-2CB1139E.pf
UNINST.EXE-3004731D.pf
DEALPLYLIVE.EXE-12CBB8F4.pf
DOLPHINFUTURES_XPSVIEWER_1_1_-307989DB.pf
DOLPHINFUTURES_XPSVIEWER_1_1_-1A290F58.pf
XPSVIEWER.EXE-03B02E5E.pf
XPSVIEWER.EXE-337FB01D.pf
 
Note: the above prefetch I have listed because they were all added practically at the same time, maybe a minute apart at most!
 
company:
 
AdPeak, Inc.
 
more info on this adware or malware:
http://www.threatexpert.com/report.aspx?md5=f9c1a270add778c3417a080828b5ea36
http://www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader10.41037.html
 
HTH.
 
 
Mod Edit:
A suggestion has been made that involves modifying the registry. Modifying the registry can be dangerous (and can render your system unbootable) so it's advisable that you make a backup of the registry before proceeding. Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

Registry Modifications
For more information about modifying the registry, see this Microsoft article: http://support.microsoft.com/default.aspx/kb/256986

Edited by boopme, 06 December 2013 - 10:52 AM.


#8 Chris4111

Chris4111
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 05 December 2013 - 09:37 PM

No I do not, I was just pointing out what happened in case it was a symptom of something. I'll check my computer in the morning and see if scorpionsaver came back.

I want to visit scorpionsaver's website and see how they can justify causing so much stress to so many people.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:44 PM

Posted 05 December 2013 - 10:07 PM

Note I added a step in my last post.

#10 Chris4111

Chris4111
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 05 December 2013 - 10:26 PM

Note I added a step in my last post.


Gotcha. So tomorrow morning if scorpionsaver is there should I start over from Malwarebytes or just continue with TFC?

 

 

Edit- just logged on to my computer and checked the uninstaller, did not see scorpionsaver there for the first time in weeks. You guys are good, thank you.


Edited by Chris4111, 06 December 2013 - 09:36 AM.


#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:44 PM

Posted 06 December 2013 - 10:52 AM

You're welcome!!





