Infected with Scorpion Saver and other pop-up programs


  • This topic is locked
28 replies to this topic

#1 mystery987

mystery987

  • Members
  • 41 posts

Posted 13 December 2013 - 04:03 PM

Hi.  My computer is infected with scorpion saver and possibly other malware which create non-stop pop-ups.  I have no idea how to remove these things.  Any help will be much appreciated!  Thank you!

 

DDS LOG BELOW

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16526
Run by Dr. Saron at 14:58:58 on 2013-12-13
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2036.895 [GMT -6:00]
.
AV: GFI Software VIPRE *Enabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: GFI Software VIPRE *Enabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
FW: GFI Software VIPRE *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ScorpionSaver Services\AdpeakProxy.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher32.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s%s
BHO: ScorpionSaver: {10AD2C61-0898-4348-8600-14A342F22AC3} - c:\program files\scorpionsaver\IECore.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\20.4.0.40\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\20.4.0.40\ips\ipsbho.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\20.4.0.40\coieplg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\20.4.0.40\coieplg.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: c:\windows\system32\AdpeakProxy.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{76802DCB-AE4D-4CED-B9A0-0B5EB48E2476} : DHCPNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dr. saron\appdata\roaming\mozilla\firefox\profiles\v7of18qn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mysearchresults.com/?c=9001&t=03
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
FF - ExtSQL: 2013-11-25 09:13; addon@defaulttab.com; c:\users\dr. saron\appdata\roaming\mozilla\firefox\profiles\v7of18qn.default\extensions\addon@defaulttab.com.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1404000.028\symds.sys [2013-6-12 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1404000.028\symefa.sys [2013-6-12 934488]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.1.0.24\definitions\bashdefs\20131203.001\BHDrvx86.sys [2013-12-3 1098968]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\n360\1404000.028\ccsetx86.sys [2013-6-12 134744]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.1.0.24\definitions\ipsdefs\20131212.001\IDSvix86.sys [2013-12-12 394456]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1404000.028\ironx86.sys [2013-6-12 175264]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\1404000.028\symtdiv.sys [2013-6-12 352344]
R2 AdpeakProxy;AdpeakProxy;c:\program files\scorpionsaver services\AdpeakProxy.exe [2013-10-16 3688448]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Level Quality Watcher;Level Quality Watcher;c:\program files\level quality watcher\v1.01\levelqualitywatcher32.exe run options=01110010000000000000000000000000 sourceguid=f5d333a8-c748-4686-ae0a-9e008f670c22 --> c:\program files\level quality watcher\v1.01\levelqualitywatcher32.exe run options=01110010000000000000000000000000 sourceguid=F5D333A8-C748-4686-AE0A-9E008F670C22 [?]
R2 N360;Norton 360;c:\program files\norton 360\engine\20.4.0.40\ccsvchst.exe [2013-6-12 144368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-12-6 108120]
R3 NmPar;MosChip PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2006-12-19 81408]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
2013-12-11 19:45:57    --------    d-----w-    c:\users\dr. saron\appdata\local\CutePDF Writer
2013-12-11 14:57:08    2050560    ----a-w-    c:\windows\system32\win32k.sys
2013-12-11 14:57:07    335360    ----a-w-    c:\windows\system32\SysFxUI.dll
2013-12-11 14:57:07    167936    ----a-w-    c:\windows\system32\drivers\portcls.sys
2013-12-11 14:57:07    130048    ----a-w-    c:\windows\system32\drivers\drmk.sys
2013-12-11 14:57:04    36864    ----a-w-    c:\windows\system32\wshcon.dll
2013-12-11 14:57:04    172032    ----a-w-    c:\windows\system32\scrrun.dll
2013-12-11 14:57:04    155648    ----a-w-    c:\windows\system32\wscript.exe
2013-12-11 14:57:04    135168    ----a-w-    c:\windows\system32\cscript.exe
2013-12-11 14:57:04    131072    ----a-w-    c:\windows\system32\wshom.ocx
2013-12-11 14:57:02    158208    ----a-w-    c:\windows\system32\imagehlp.dll
2013-12-11 01:59:45    9272200    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2013-11-29 16:08:52    --------    d-----w-    c:\program files\ScorpionSaver Services
2013-11-28 16:07:37    --------    d-----w-    c:\program files\ScorpionSaver
2013-11-26 15:15:02    338944    ----a-w-    c:\windows\system32\AdpeakProxy.dll
2013-11-25 15:13:57    --------    d-----w-    c:\users\dr. saron\appdata\roaming\DefaultTab
2013-11-25 15:13:37    499712    ----a-w-    c:\windows\system32\MSVCP71.DLL
2013-11-25 15:13:34    98304    ----a-w-    c:\windows\system32\L3CODECX.AX
2013-11-25 15:13:34    348160    ----a-w-    c:\windows\system32\cdga.dll
2013-11-25 15:13:34    274432    ----a-w-    c:\windows\system32\cdg.dll
2013-11-25 15:13:34    14909    ----a-w-    c:\windows\system32\A_reg.reg
2013-11-25 15:13:34    110592    ----a-w-    c:\windows\system32\PropListCtrl.ocx
2013-11-25 15:13:34    1017208    ----a-w-    c:\windows\system32\CLVSD.ax
2013-11-25 15:13:34    --------    d-----w-    c:\users\dr. saron\appdata\local\AVGO
2013-11-25 15:13:34    --------    d-----w-    c:\program files\AVGO
2013-11-25 15:13:20    --------    d-----w-    C:\temp
2013-11-25 15:13:16    --------    d-----w-    c:\program files\Level Quality Watcher
2013-11-14 12:22:49    297984    ----a-w-    c:\windows\system32\gdi32.dll
2013-11-14 12:22:41    993792    ----a-w-    c:\windows\system32\crypt32.dll
2013-11-14 12:22:32    444928    ----a-w-    c:\windows\system32\IKEEXT.DLL
2013-11-14 12:22:31    596480    ----a-w-    c:\windows\system32\FWPUCLNT.DLL
.
==================== Find3M  ====================
.
2013-12-11 01:59:51    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-12-11 01:59:50    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-14 22:50:50    1806848    ----a-w-    c:\windows\system32\jscript9.dll
2013-11-14 22:42:41    1129472    ----a-w-    c:\windows\system32\wininet.dll
2013-11-14 22:42:32    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-11-14 22:38:54    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-11-14 22:38:16    420864    ----a-w-    c:\windows\system32\vbscript.dll
2013-11-14 22:35:52    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2013-11-11 10:09:31    98816    ----a-w-    c:\windows\system32\mfps.dll
2013-11-11 10:08:36    4096    ----a-w-    c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui
2013-11-11 10:08:35    519680    ----a-w-    c:\windows\system32\d3d11.dll
2013-11-11 10:08:35    369664    ----a-w-    c:\windows\system32\WMPhoto.dll
2013-11-11 10:08:35    252928    ----a-w-    c:\windows\system32\dxdiag.exe
2013-11-11 10:08:35    195584    ----a-w-    c:\windows\system32\dxdiagn.dll
2013-11-11 10:08:34    974848    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2013-11-11 10:08:34    321024    ----a-w-    c:\windows\system32\PhotoMetadataHandler.dll
2013-11-11 10:08:34    189440    ----a-w-    c:\windows\system32\WindowsCodecsExt.dll
2013-10-30 02:13:01    1304064    ----a-w-    c:\windows\system32\WMALFXGFXDSP.dll
2013-09-24 03:07:05    53760    ----a-w-    c:\windows\apppatch\iebrshim.dll
.
============= FINISH: 14:59:27.04 ===============
 



#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 13 December 2013 - 05:05 PM

Hello mystery987,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
1.
Download AdwCleaner
  • Double click on AdwCleaner.exe to run the tool.
    ***Note: Windows Vista and Windows 7 users: right click on adwCleaner.exe and select "Run as administrator".
  • Click the Scan button.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your next reply.
  • Or you can find the logfile at C:\AdwCleaner[R1].txt.
2.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open; give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 mystery987

mystery987
  • Topic Starter

  • Members
  • 41 posts

Posted 13 December 2013 - 06:25 PM

I had no problem running AdwCleaner or RogueKiller, but I don't know what you meant by "close all the running processes" so I just closed all open programs before running the executable.  The logs are below.

 

AdwCleaner

# AdwCleaner v3.015 - Report created 13/12/2013 at 17:18:17
# Updated 10/12/2013 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Dr. Saron - DRSARON-PC
# Running from : C:\Users\Dr. Saron\Desktop\Malware\adwcleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : Level Quality Watcher

***** [ Files / Folders ] *****

File Found : C:\Users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\defaulttab.config
File Found : C:\Users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\Extensions\addon@defaulttab.com.xpi
File Found : C:\Users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\searchplugins\search.xml
File Found : C:\Windows\system32\AdpeakProxy.ini
File Found : C:\Windows\system32\AdpeakProxyOff.ini
Folder Found C:\Program Files\Level Quality Watcher
Folder Found C:\Program Files\ScorpionSaver
Folder Found C:\Program Files\ScorpionSaver Services
Folder Found C:\Users\Dr. Saron\AppData\Roaming\DefaultTab

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\Adpeak, Inc.
Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\Default Tab
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKLM\Software\Adpeak, Inc.
Key Found : HKLM\SOFTWARE\Classes\AppID\{9DC8FA51-B596-4F77-802C-5B295919C205}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3E28F712-0D6C-4EE3-AC8C-8F060F5D7C33}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6CE321DA-DC11-45C6-A0FC-4E8A7D978ABC}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6EEBC7FF-67DA-4B90-9251-C2C5696E4B48}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{74137531-80F7-406F-9543-7D11385FA8C8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{832599B2-55BF-4437-8F3E-030CF5AEB262}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9B7B034B-944A-4261-B487-862F642F7615}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE91F9CE-0900-4E2A-B673-F3F6E4FC54D9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B1A429DB-FB06-4645-B7C0-0CC405EAD3CD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DD67706E-819E-4EBD-BF8D-6D6147CC7A49}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F62A4AF9-58B4-4FEC-89CC-D717A547D8E8}
Key Found : HKLM\Software\Default Tab
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\32DA746012E6D4F488AAD113D6FA4A44
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3FB1AAC4382437047A03618BF727B859
Key Found : HKLM\Software\PIP
Key Found : HKLM\Software\Scorpion Saver

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16526


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\prefs.js ]

Line Found : user_pref("extensions.defaulttab.config", "{\"status\": \"ok\", \"config\": {\"set_default_search\": \"Search|Conduit\", \"features\": [{\"engine\": \"\", \"additional_config\": \"\", \"ai\": 0, \"fea[...]

*************************

AdwCleaner[R0].txt - [3460 octets] - [13/12/2013 17:15:50]
AdwCleaner[R1].txt - [3380 octets] - [13/12/2013 17:18:17]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [3440 octets] ##########

 

RogueKiller

RogueKiller V8.7.11 [Dec  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Dr. Saron [Admin rights]
Mode : Scan -- Date : 12/13/2013 17:21:31
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorUser (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ][PUM] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> FOUND
[HJ SECU][PUM] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ SECU][PUM] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ SECU][PUM] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x820CE823 -> HOOKED (Unknown @ 0x86509F18)
[Address] SSDT[14] : NtAlertThread @ 0x8204734F -> HOOKED (Unknown @ 0x86509F90)
[Address] SSDT[18] : NtAllocateVirtualMemory @ 0x8208369D -> HOOKED (Unknown @ 0x86B12A20)
[Address] SSDT[21] : NtAlpcConnectPort @ 0x820258A7 -> HOOKED (Unknown @ 0x8634FAB0)
[Address] SSDT[42] : NtAssignProcessToJobObject @ 0x81FF8B32 -> HOOKED (Unknown @ 0x86509990)
[Address] SSDT[67] : NtCreateMutant @ 0x8205B993 -> HOOKED (Unknown @ 0x86509D40)
[Address] SSDT[77] : NtCreateSymbolicLinkObject @ 0x81FFB349 -> HOOKED (Unknown @ 0x86509788)
[Address] SSDT[78] : NtCreateThread @ 0x820CCE40 -> HOOKED (Unknown @ 0x866BE108)
[Address] SSDT[116] : NtDebugActiveProcess @ 0x8209FED4 -> HOOKED (Unknown @ 0x86509A28)
[Address] SSDT[129] : NtDuplicateObject @ 0x82033579 -> HOOKED (Unknown @ 0x86493680)
[Address] SSDT[147] : NtFreeVirtualMemory @ 0x81EBFE75 -> HOOKED (Unknown @ 0x86493D98)
[Address] SSDT[156] : NtImpersonateAnonymousToken @ 0x81FF5F3F -> HOOKED (Unknown @ 0x86509DE8)
[Address] SSDT[158] : NtImpersonateThread @ 0x8200B589 -> HOOKED (Unknown @ 0x86509E80)
[Address] SSDT[165] : NtLoadDriver @ 0x81FA6E12 -> HOOKED (Unknown @ 0x86350AF0)
[Address] SSDT[177] : NtMapViewOfSection @ 0x8204B994 -> HOOKED (Unknown @ 0x868C3720)
[Address] SSDT[184] : NtOpenEvent @ 0x82034DF7 -> HOOKED (Unknown @ 0x86509CA8)
[Address] SSDT[194] : NtOpenProcess @ 0x8205C12F -> HOOKED (Unknown @ 0x864F8BB0)
[Address] SSDT[195] : NtOpenProcessToken @ 0x8203CA58 -> HOOKED (Unknown @ 0x86841138)
[Address] SSDT[197] : NtOpenSection @ 0x8204C78C -> HOOKED (Unknown @ 0x86509B78)
[Address] SSDT[201] : NtOpenThread @ 0x8205762B -> HOOKED (Unknown @ 0x868C3F18)
[Address] SSDT[210] : NtProtectVirtualMemory @ 0x820553E2 -> HOOKED (Unknown @ 0x865098E8)
[Address] SSDT[282] : NtResumeThread @ 0x82056C4A -> HOOKED (Unknown @ 0x86944398)
[Address] SSDT[289] : NtSetContextThread @ 0x820CE2CF -> HOOKED (Unknown @ 0x86944560)
[Address] SSDT[305] : NtSetInformationProcess @ 0x8204F9E6 -> HOOKED (Unknown @ 0x869445F8)
[Address] SSDT[317] : NtSetSystemInformation @ 0x82021F1E -> HOOKED (Unknown @ 0x86509AC0)
[Address] SSDT[330] : NtSuspendProcess @ 0x820CE75F -> HOOKED (Unknown @ 0x86509C10)
[Address] SSDT[331] : NtSuspendThread @ 0x81FD5945 -> HOOKED (Unknown @ 0x86944430)
[Address] SSDT[334] : NtTerminateProcess @ 0x8202C16B -> HOOKED (Unknown @ 0x868C3570)
[Address] SSDT[335] : unknown @ 0x82057660 -> HOOKED (Unknown @ 0x869444C8)
[Address] SSDT[348] : NtUnmapViewOfSection @ 0x8204BC57 -> HOOKED (Unknown @ 0x868C36A8)
[Address] SSDT[358] : NtWriteVirtualMemory @ 0x82048A27 -> HOOKED (Unknown @ 0x86B12978)
[Address] SSDT[382] : NtCreateThreadEx @ 0x82057115 -> HOOKED (Unknown @ 0x86509830)
[Address] Shadow SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8794BDE0)
[Address] Shadow SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x87949818)
[Address] Shadow SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8572F970)
[Address] Shadow SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8794B4D0)
[Address] Shadow SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x86B90CB8)
[Address] Shadow SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x86B90FC0)
[Address] Shadow SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x864EF880)
[Address] Shadow SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x87944BE8)
[Address] Shadow SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x86347E00)
[Address] Shadow SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x862F2878)
[Inline] EAT @explorer.exe (FwDoNothingOnObject) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36671E66)
[Inline] EAT @explorer.exe (FwEnableMemTracing) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36671E66)
[Inline] EAT @explorer.exe (FwSetMemLeakPolicy) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36671E66)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 15 December 2013 - 12:37 AM

1.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Clean.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

2.

  • Re-Run RogueKiller
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Delete
  • A report should open; give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

 

3.

  • Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

 

4.

Please download SC-Cleaner to your desktop and run it.


#5 mystery987

mystery987
  • Topic Starter

  • Members
  • 41 posts

Posted 15 December 2013 - 03:49 PM

I have run the four pieces of software that you instructed.

1.  ADWCleaner - Ran the software with no problem, but the computer would not shut down for the restart.  I had to turn off the computer using the power button.  The first time I turned it back on, the fan ran noisily, but the computer never started.  The second time it came on and restarted.  Log copied below.

2.  RogueKiller - I still don't understand what "close all running processes" means, so I just closed all of the open windows.  If that's not right and I need to do this step again, please let me know.  Log copied below.

3.  Malwarebytes - Ran the software with no problem and the second time I ran it, no malware was found.  Logs copied below.

4.  SC-Cleaner - Ran the software with no problem.  Log copied below.

 

ADWCleaner log

# AdwCleaner v3.015 - Report created 15/12/2013 at 12:41:41
# Updated 10/12/2013 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Dr. Saron - DRSARON-PC
# Running from : C:\Users\Dr. Saron\Desktop\Malware\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : Level Quality Watcher

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\Level Quality Watcher
Folder Deleted : C:\Program Files\ScorpionSaver Services
Folder Deleted : C:\Program Files\ScorpionSaver
Folder Deleted : C:\Users\Dr. Saron\AppData\Roaming\DefaultTab
File Deleted : C:\Users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\Extensions\addon@defaulttab.com.xpi
File Deleted : C:\Windows\system32\AdpeakProxy.ini
File Deleted : C:\Windows\system32\AdpeakProxyOff.ini
File Deleted : C:\Users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\defaulttab.config
File Deleted : C:\Users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\searchplugins\search.xml

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9DC8FA51-B596-4F77-802C-5B295919C205}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3E28F712-0D6C-4EE3-AC8C-8F060F5D7C33}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6CE321DA-DC11-45C6-A0FC-4E8A7D978ABC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6EEBC7FF-67DA-4B90-9251-C2C5696E4B48}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{74137531-80F7-406F-9543-7D11385FA8C8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{832599B2-55BF-4437-8F3E-030CF5AEB262}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9B7B034B-944A-4261-B487-862F642F7615}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE91F9CE-0900-4E2A-B673-F3F6E4FC54D9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B1A429DB-FB06-4645-B7C0-0CC405EAD3CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DD67706E-819E-4EBD-BF8D-6D6147CC7A49}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F62A4AF9-58B4-4FEC-89CC-D717A547D8E8}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Adpeak, Inc.
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Default Tab
Key Deleted : HKLM\Software\Adpeak, Inc.
Key Deleted : HKLM\Software\Default Tab
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\Software\Scorpion Saver
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\32DA746012E6D4F488AAD113D6FA4A44
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3FB1AAC4382437047A03618BF727B859

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16526

-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\prefs.js ]

Line Deleted : user_pref("extensions.defaulttab.config", "{\"status\": \"ok\", \"config\": {\"set_default_search\": \"Search|Conduit\", \"features\": [{\"engine\": \"\", \"additional_config\": \"\", \"ai\": 0, \"fea[...]

*************************

AdwCleaner[R0].txt - [3460 octets] - [13/12/2013 17:15:50]
AdwCleaner[R1].txt - [3520 octets] - [13/12/2013 17:18:17]
AdwCleaner[R2].txt - [3580 octets] - [15/12/2013 12:40:50]
AdwCleaner[S0].txt - [3577 octets] - [15/12/2013 12:41:41]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3637 octets] ##########

 

RogueKiller log

RogueKiller V8.7.11 [Dec  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Dr. Saron [Admin rights]
Mode : Remove -- Date : 12/15/2013 14:21:47
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorUser (0) -> REPLACED (1)
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ][PUM] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> REPLACED (1)
[HJ SECU][PUM] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ SECU][PUM] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ SECU][PUM] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x820A9823 -> HOOKED (Unknown @ 0x867A9650)
[Address] SSDT[14] : NtAlertThread @ 0x8202234F -> HOOKED (Unknown @ 0x867A96E8)
[Address] SSDT[18] : NtAllocateVirtualMemory @ 0x8205E69D -> HOOKED (Unknown @ 0x867A9EA0)
[Address] SSDT[21] : NtAlpcConnectPort @ 0x820008A7 -> HOOKED (Unknown @ 0x86055BE8)
[Address] SSDT[42] : NtAssignProcessToJobObject @ 0x81FD3B32 -> HOOKED (Unknown @ 0x868E34F0)
[Address] SSDT[67] : NtCreateMutant @ 0x82036993 -> HOOKED (Unknown @ 0x861FB6F0)
[Address] SSDT[77] : NtCreateSymbolicLinkObject @ 0x81FD6349 -> HOOKED (Unknown @ 0x86254EE8)
[Address] SSDT[78] : NtCreateThread @ 0x820A7E40 -> HOOKED (Unknown @ 0x86254218)
[Address] SSDT[116] : NtDebugActiveProcess @ 0x8207AED4 -> HOOKED (Unknown @ 0x868E3568)
[Address] SSDT[129] : NtDuplicateObject @ 0x8200E579 -> HOOKED (Unknown @ 0x867A9FC0)
[Address] SSDT[147] : NtFreeVirtualMemory @ 0x81E9AE75 -> HOOKED (Unknown @ 0x867A9D30)
[Address] SSDT[156] : NtImpersonateAnonymousToken @ 0x81FD0F3F -> HOOKED (Unknown @ 0x86220430)
[Address] SSDT[158] : NtImpersonateThread @ 0x81FE6589 -> HOOKED (Unknown @ 0x862546E8)
[Address] SSDT[165] : NtLoadDriver @ 0x81F81E12 -> HOOKED (Unknown @ 0x86055B70)
[Address] SSDT[177] : NtMapViewOfSection @ 0x82026994 -> HOOKED (Unknown @ 0x867A9C78)
[Address] SSDT[184] : NtOpenEvent @ 0x8200FDF7 -> HOOKED (Unknown @ 0x867DAE00)
[Address] SSDT[194] : NtOpenProcess @ 0x8203712F -> HOOKED (Unknown @ 0x86254150)
[Address] SSDT[195] : NtOpenProcessToken @ 0x82017A58 -> HOOKED (Unknown @ 0x867A9F48)
[Address] SSDT[197] : NtOpenSection @ 0x8202778C -> HOOKED (Unknown @ 0x86212078)
[Address] SSDT[201] : NtOpenThread @ 0x8203262B -> HOOKED (Unknown @ 0x862540A8)
[Address] SSDT[210] : NtProtectVirtualMemory @ 0x820303E2 -> HOOKED (Unknown @ 0x868E3448)
[Address] SSDT[282] : NtResumeThread @ 0x82031C4A -> HOOKED (Unknown @ 0x867A9780)
[Address] SSDT[289] : NtSetContextThread @ 0x820A92CF -> HOOKED (Unknown @ 0x867A9AA0)
[Address] SSDT[305] : NtSetInformationProcess @ 0x8202A9E6 -> HOOKED (Unknown @ 0x867A9B38)
[Address] SSDT[317] : NtSetSystemInformation @ 0x81FFCF1E -> HOOKED (Unknown @ 0x86254538)
[Address] SSDT[330] : NtSuspendProcess @ 0x820A975F -> HOOKED (Unknown @ 0x86220B10)
[Address] SSDT[331] : NtSuspendThread @ 0x81FB0945 -> HOOKED (Unknown @ 0x867A9920)
[Address] SSDT[334] : NtTerminateProcess @ 0x8200716B -> HOOKED (Unknown @ 0x862542D0)
[Address] SSDT[335] : NtTerminateThread @ 0x82032660 -> HOOKED (Unknown @ 0x867A9A08)
[Address] SSDT[348] : NtUnmapViewOfSection @ 0x82026C57 -> HOOKED (Unknown @ 0x867A9BE0)
[Address] SSDT[358] : NtWriteVirtualMemory @ 0x82023A27 -> HOOKED (Unknown @ 0x867A9DD8)
[Address] SSDT[382] : NtCreateThreadEx @ 0x82032115 -> HOOKED (Unknown @ 0x86254F70)
[Address] Shadow SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x86D28070)
[Address] Shadow SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x86D29570)
[Address] Shadow SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x86D294F8)
[Address] Shadow SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x86D295E8)
[Address] Shadow SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x86D29178)
[Address] Shadow SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x86D2A2A8)
[Address] Shadow SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x86D29470)
[Address] Shadow SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x86D293B0)
[Address] Shadow SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x86D29240)
[Address] Shadow SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x86D292C8)
[Inline] EAT @explorer.exe (FwDoNothingOnObject) : FirewallAPI.dll -> HOOKED (Unknown @ 0x3630E866)
[Inline] EAT @explorer.exe (FwEnableMemTracing) : FirewallAPI.dll -> HOOKED (Unknown @ 0x3630E866)
[Inline] EAT @explorer.exe (FwSetMemLeakPolicy) : FirewallAPI.dll -> HOOKED (Unknown @ 0x3630E866)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD3200AAKX-001CA0 ATA Device +++++
--- User ---
[MBR] dc5148c287709540ae88e01835fdbe15
[BSP] b53a772bc16779eed06d4e76bad0dd3f : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 252622 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_12152013_142147.txt >>
RKreport[0]_S_12132013_172131.txt;RKreport[0]_S_12152013_142135.txt

 

MBAR log 1 [mbar log]

Malwarebytes Anti-Rootkit BETA 1.07.0.1008
www.malwarebytes.org

Database version: v2013.12.15.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Dr. Saron :: DRSARON-PC [administrator]

12/15/2013 2:25:44 PM
mbar-log-2013-12-15 (14-25-44).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 201798
Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\Dr. Saron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Delete on reboot.

Files Detected: 1
C:\Users\Dr. Saron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Delete on reboot.

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

MBAR log 2 [mbar log] - after MBAR cleaning process

Malwarebytes Anti-Rootkit BETA 1.07.0.1008
www.malwarebytes.org

Database version: v2013.12.15.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Dr. Saron :: DRSARON-PC [administrator]

12/15/2013 2:33:30 PM
mbar-log-2013-12-15 (14-33-30).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 201689
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

MBAR log 3 [system]

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.527000 GHz
Memory total: 2135375872, free: 853229568

Downloaded database version: v2013.12.15.06
Downloaded database version: v2013.10.11.02
Initializing...
======================
------------ Kernel report ------------
     12/15/2013 14:25:40
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\N360\1404000.028\SYMDS.SYS
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\N360\1404000.028\SYMEFA.SYS
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\e1e6032.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\mf.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\NmPar.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHDA.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\N360\1404000.028\ccSetx86.sys
\SystemRoot\system32\drivers\N360\1404000.028\Ironx86.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\System32\Drivers\N360\1404000.028\SYMTDIV.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\usbscan.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\Drivers\BrUsbSer.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\System32\Drivers\BrSerIf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\N360\1404000.028\SRTSPX.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20131213.001\IDSvix86.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20131203.001\BHDrvx86.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\drivers\mrxdav.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\System32\Drivers\N360\1404000.028\SRTSP.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20131214.005\NAVEX15.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20131214.005\NAVENG.SYS
\??\C:\Windows\system32\TrueSight.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff850b0708
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-1\
Lower Device Object: 0xffffffff849f8b98
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff850b0708, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff850b0328, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff850b0708, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff84a06918, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff849f8b98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-1\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 838E4672

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 517369856
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Done!
Infected: C:\Users\Dr. Saron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk --> [Rogue.LiveSecurityPlatinum]
Infected: C:\Users\Dr. Saron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum --> [Rogue.LiveSecurityPlatinum]
Scan finished
Creating System Restore point...
Cleaning up...
Removal successful. No system shutdown is required.
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_2048_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.527000 GHz
Memory total: 2135375872, free: 923492352

=======================================
Initializing...
------------ Kernel report ------------
     12/15/2013 14:33:26
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\N360\1404000.028\SYMDS.SYS
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\N360\1404000.028\SYMEFA.SYS
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\e1e6032.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\mf.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\NmPar.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHDA.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\N360\1404000.028\ccSetx86.sys
\SystemRoot\system32\drivers\N360\1404000.028\Ironx86.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\System32\Drivers\N360\1404000.028\SYMTDIV.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\usbscan.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\Drivers\BrUsbSer.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\System32\Drivers\BrSerIf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\N360\1404000.028\SRTSPX.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20131213.001\IDSvix86.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20131203.001\BHDrvx86.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\drivers\mrxdav.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\System32\Drivers\N360\1404000.028\SRTSP.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20131214.005\NAVEX15.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20131214.005\NAVENG.SYS
\??\C:\Windows\system32\TrueSight.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff850b0708
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-1\
Lower Device Object: 0xffffffff849f8b98
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff850b0708, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff850b0328, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff850b0708, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff84a06918, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff849f8b98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-1\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 838E4672

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 517369856
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Done!
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_2048_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished

 

SC Cleaner log

Shortcut Cleaner 1.2.6 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Shortcut Cleaner can be found at this link:
 http://www.bleepingcomputer.com/download/shortcut-cleaner/

Windows Version: Windows Vista ™ Home Premium Service Pack 2
Program started at: 12/15/2013 02:40:40 PM.

Scanning for registry hijacks:

 * No issues found in the Registry.

Searching for Hijacked Shortcuts:

Searching C:\Users\Dr. Saron\AppData\Roaming\Microsoft\Windows\Start Menu\

Searching C:\ProgramData\Microsoft\Windows\Start Menu\

Searching C:\Users\Dr. Saron\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

Searching C:\Users\Public\Desktop\

Searching C:\Users\Dr. Saron\Desktop

0 bad shortcuts found.

Program finished at: 12/15/2013 02:40:42 PM
Execution time: 0 hours(s), 0 minute(s), and 1 seconds(s) 
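
The "MBR Check" blocks in the RogueKiller and MBAR logs above report a 55AA boot signature, a disk signature, MD5 hashes of the sector and of its boot-code region, and four partition entries. The script below is an added illustration, not code from the thread or from either tool: it parses a raw 512-byte sector into those same fields and adds the sanity checks a responder wants before trusting the table (exactly one active partition, no entry past the end of the disk, no overlaps, and a list of the unpartitioned sector ranges that MBAR scans because bootkits store code there). The sector it parses is constructed to match the logged values (disk signature 838E4672, one active NTFS partition at LBA 2048 spanning 517369856 sectors, a 320072933376-byte disk); its boot code is a placeholder stub, so its hashes will not equal the [MBR]/[BSP] values RogueKiller printed. read_mbr_from_device() is the Windows-only path for a live disk and needs an elevated prompt.

```python
"""Parse a raw MBR sector and run the checks behind the "MBR Check" output above.

Added example, not code from RogueKiller or MBAR. The sample sector is constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold boot code; RogueKiller's [BSP] hash covers this region
DISK_SIG_OFFSET = 440      # 4-byte NT disk signature, little-endian
PART_TABLE_OFFSET = 446    # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"

PARTITION_TYPES = {0x00: "Empty", 0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
                   0x0C: "FAT32 LBA", 0x0F: "Extended LBA", 0xEE: "GPT protective"}

# From the MBAR log: 320072933376 bytes / 512 = 625142448 sectors
SAMPLE_DISK_SECTORS = 320072933376 // 512


def parse_partition_entry(entry: bytes) -> dict:
    # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4); CHS fields are ignored
    status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
    return {"active": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "Unknown"),
            "lba_start": lba_start, "num_sectors": num_sectors}


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("boot signature is not 55AA")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]
    entries = [sector[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)] for i in range(4)]
    return {"signature": sector[510:512].hex().upper(),
            "disk_signature": f"{disk_sig:08X}",
            "mbr_md5": hashlib.md5(sector).hexdigest(),                        # RogueKiller's [MBR] line
            "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),  # its [BSP] line
            "partitions": [parse_partition_entry(e) for e in entries]}


def sanity_checks(mbr: dict, disk_sectors: int) -> dict:
    """Flag table corruption and list unpartitioned sector ranges (where bootkits stash code)."""
    findings, gaps = [], []
    used = [p for p in mbr["partitions"] if p["type"] != 0x00]
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    if any(p["active"] and p["type"] == 0x00 for p in mbr["partitions"]):
        findings.append("active flag set on an empty entry")
    cursor = 1                                   # sector 0 is the MBR itself
    for p in sorted(used, key=lambda q: q["lba_start"]):
        end = p["lba_start"] + p["num_sectors"]
        if end > disk_sectors:
            findings.append(f"partition at LBA {p['lba_start']} runs past the end of the disk")
        if p["lba_start"] < cursor:
            findings.append(f"partition at LBA {p['lba_start']} overlaps the previous one")
        elif p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - 1))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return {"findings": findings, "unpartitioned": gaps}


def build_partition_entry(active: bool, ptype: int, lba_start: int, num_sectors: int) -> bytes:
    if ptype == 0x00:
        return bytes(16)                         # empty entries are all zeros
    chs = b"\xfe\xff\xff"                        # CHS placeholders, as LBA-only tools write them
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, chs, ptype, chs, lba_start, num_sectors)


def build_sample_mbr() -> bytes:
    """Constructed sector matching the table in the MBAR log; boot code is a stub, not Vista's."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * (BOOT_CODE_LEN - 8)
    table = build_partition_entry(True, 0x07, 2048, 517369856) + bytes(16) * 3
    sector = boot_code + struct.pack("<I", 0x838E4672) + b"\x00\x00" + table + MBR_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def read_mbr_from_device(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Windows only, needs an elevated prompt: read the first sector of the physical disk."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    print(f"MBR Signature: {mbr['signature']}  Disk Signature: {mbr['disk_signature']}")
    for i, p in enumerate(mbr["partitions"]):
        flag = "ACTIVE" if p["active"] else "NOT ACTIVE"
        print(f"  Partition {i}: type 0x{p['type']:02X} ({p['type_name']}) {flag} "
              f"LBA {p['lba_start']} Numsec {p['num_sectors']}")
    print(sanity_checks(mbr, SAMPLE_DISK_SECTORS))
```

On the constructed sector the checks return no findings and two unpartitioned ranges, sectors 1 to 2047 (the gap before the first partition, which MBAR's "1-2047" range covers) and 517371904 to 625142447 (the roughly 51 GB left unallocated at the end of this 320 GB disk). A clean table with no findings says nothing about the boot code itself; that is what the [BSP] hash and RogueKiller's "Windows Vista MBR Code" match are for, and on a live system the hash should be compared against a known-good sector from the same Windows version.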



#6 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 15 December 2013 - 07:56 PM

How is the machine running now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 mystery987 (Topic Starter, Members, 41 posts)

Posted 15 December 2013 - 08:30 PM

The computer is performing much better.  The annoying pop-ups and random windows seem to have stopped for the most part.  Thanks so much for helping me get to this stage already!

 

There are a few things that I have noticed, however:

1.  On the bleepingcomputer.com site there is a pop up for "Call for Great Tech Support".  Is this supposed to be there?

2.  Also on the bleepingcomputer.com, there is some kind of shopping window at the top of the screen that always opens up and makes it hard to scroll to the part of the post you are looking for.

3.  ScorpionSaver and ScorpionSaver services still appear in the program uninstall list through the control panel.

4.  When I re-booted the computer some kind of Paperport software tried to install three times, but it couldn't find the needed files.  This is software for my Brother printer, but it didn't used to do this when I started the computer.  Was it accidentally uninstalled?

5.  Because Windows Security Center is turned off I always get a warning about that when I turn on the computer.  Is that OK?

It seems like the bulk of the problems have been solved, but I am wondering if there is anything more that needs to be done to make sure the computer is completely free of infection.



#8 mystery987

mystery987
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:10:00 AM

Posted 15 December 2013 - 08:32 PM

When I browsed to another screen on bleepingcomputer.com, the "call for great tech support" window came back and a new window also opened up [https://www.digitaleco.com/8110/antivirus.html].

There was also some kind of box for "home search assistant" that opened in the lower right hand corner of the screen but it disappeared without me having to click anything.



#9 mystery987

mystery987
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:10:00 AM

Posted 15 December 2013 - 08:34 PM

Well, unfortunately Scorpion Saver is still here.  It just opened a new window and at the top it says "You have received a premium offer from Scorpion Saver".



#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:00 AM

Posted 15 December 2013 - 11:18 PM

Please go ahead and run adwcleaner again.


Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop

Link 1
Link 2

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • RcAuto1.gif
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.




#11 mystery987

mystery987
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:10:00 AM

Posted 16 December 2013 - 12:13 AM

I have re-run adwcleaner again and the log is below.

I disabled Norton 360 and attempted to run Combofix, but I was not successful.  I get a warning that says "Combofix has detected the following real time scanner(s) to be active: antivirus: GFI Software VIPRE  antispyware: GFI Software VIPRE".  It then asks me to disable these scanners.  I can't find them anywhere to disable them.  They are not on the installed programs list, there is nothing about them in the small icons on the lower right, and it's not a running service when I run services.msc.  Combofix won't let me cancel.  It just says that "the above real time scanners are still active but ComboFix shall continue to run."  I am going to send this post, close Firefox, run Combofix, and hope for the best...


adwcleaner log

# AdwCleaner v3.015 - Report created 15/12/2013 at 22:55:29
# Updated 10/12/2013 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Dr. Saron - DRSARON-PC
# Running from : C:\Users\Dr. Saron\Desktop\Malware\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16526


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [3460 octets] - [13/12/2013 17:15:50]
AdwCleaner[R1].txt - [3520 octets] - [13/12/2013 17:18:17]
AdwCleaner[R2].txt - [3580 octets] - [15/12/2013 12:40:50]
AdwCleaner[R3].txt - [1043 octets] - [15/12/2013 22:54:43]
AdwCleaner[S0].txt - [3717 octets] - [15/12/2013 12:41:41]
AdwCleaner[S1].txt - [966 octets] - [15/12/2013 22:55:29]



#12 mystery987

mystery987
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:10:00 AM

Posted 16 December 2013 - 12:31 AM

Here is the Combofix log


ComboFix 13-12-13.01 - Dr. Saron 12/15/2013  23:14:51.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2036.1101 [GMT -6:00]
Running from: c:\users\Dr. Saron\Desktop\Malware\ComboFix.exe
AV: GFI Software VIPRE *Enabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
FW: GFI Software VIPRE *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}
SP: GFI Software VIPRE *Enabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\bootstrap.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\defaults\preferences\prefs.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\harness-options.json
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\icon.png
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\install.rdf
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\locales.json
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\addon-kit\lib\page-mod.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\addon-kit\lib\private-browsing.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\addon-kit\lib\request.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\addon-kit\lib\windows.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\addon\runner.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\api-utils.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\base64.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\byte-streams.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\collection.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\content.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\content\content-proxy.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\content\content-worker.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\content\loader.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\content\symbiont.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\content\worker.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\cortex.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\cuddlefish.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\deprecate.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\dom\events.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\environment.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\errors.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\event\core.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\event\target.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\events.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\events\assembler.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\file.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\functional.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\globals.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\heritage.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\hidden-frame.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\l10n\core.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\l10n\html.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\l10n\loader.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\l10n\locale.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\l10n\prefs.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\light-traits.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\list.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\loader.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\match-pattern.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\memory.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\namespace.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\observer-service.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\plain-text-console.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\preferences-service.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\private-browsing\utils.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\promise.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\querystring.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\runtime.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\sandbox.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\self.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\system.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\system\events.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\tabs\events.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\tabs\observer.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\tabs\tab.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\tabs\utils.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\text-streams.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\timer.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\traceback.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\traits.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\traits\core.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\unload.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\url.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\utils\data.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\utils\object.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\utils\registry.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\utils\thumbnail.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\uuid.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\window-utils.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\window\utils.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\windows\dom.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\windows\loader.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\windows\observer.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\windows\tabs.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\xhr.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\xpcom.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\xul-app.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\ScorpionSaver\data\icon64.png
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\ScorpionSaver\lib\main.js
c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\extensions\ScorpionSaver@jetpack\resources\ScorpionSaver\lib\main.js.old
c:\users\Dr. Saron\AppData\Roaming\result.db
c:\windows\Installer\{9B65F9A3-9D24-452A-B6EF-1457D65E4259}
c:\windows\Installer\{9B65F9A3-9D24-452A-B6EF-1457D65E4259}\icon64.ico
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!services.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_AdpeakProxy
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-16 to 2013-12-16  )))))))))))))))))))))))))))))))
.
.
2013-12-15 20:25 . 2013-12-15 20:25    --------    d-----w-    c:\programdata\Malwarebytes
2013-12-15 20:25 . 2013-12-15 20:38    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-12-15 20:25 . 2013-12-15 20:33    104664    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-12-15 20:25 . 2013-12-15 20:25    74456    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-12-13 23:15 . 2013-12-16 04:55    --------    d-----w-    C:\AdwCleaner
2013-12-11 19:45 . 2013-12-11 19:54    --------    d-----w-    c:\users\Dr. Saron\AppData\Local\CutePDF Writer
2013-12-11 14:57 . 2013-10-30 00:35    2050560    ----a-w-    c:\windows\system32\win32k.sys
2013-12-11 14:57 . 2013-10-30 02:12    335360    ----a-w-    c:\windows\system32\SysFxUI.dll
2013-12-11 14:57 . 2013-10-30 01:43    130048    ----a-w-    c:\windows\system32\drivers\drmk.sys
2013-12-11 14:57 . 2013-10-30 00:43    167936    ----a-w-    c:\windows\system32\drivers\portcls.sys
2013-12-11 14:57 . 2013-10-11 02:08    36864    ----a-w-    c:\windows\system32\wshcon.dll
2013-12-11 14:57 . 2013-10-11 02:08    131072    ----a-w-    c:\windows\system32\wshom.ocx
2013-12-11 14:57 . 2013-10-11 02:08    172032    ----a-w-    c:\windows\system32\scrrun.dll
2013-12-11 14:57 . 2013-10-11 00:35    135168    ----a-w-    c:\windows\system32\cscript.exe
2013-12-11 14:57 . 2013-10-11 00:35    155648    ----a-w-    c:\windows\system32\wscript.exe
2013-12-11 14:57 . 2013-10-22 07:19    158208    ----a-w-    c:\windows\system32\imagehlp.dll
2013-12-11 01:59 . 2013-12-11 01:59    9272200    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2013-11-26 15:15 . 2013-10-16 16:18    338944    ----a-w-    c:\windows\system32\AdpeakProxy.dll
2013-11-25 15:13 . 2003-03-18 15:14    499712    ----a-w-    c:\windows\system32\MSVCP71.DLL
2013-11-25 15:13 . 2013-11-25 15:13    --------    d-----w-    c:\users\Dr. Saron\AppData\Local\AVGO
2013-11-25 15:13 . 2013-11-25 15:13    --------    d-----w-    c:\program files\AVGO
2013-11-25 15:13 . 2010-10-07 06:02    274432    ----a-w-    c:\windows\system32\cdg.dll
2013-11-25 15:13 . 2009-09-01 11:51    1017208    ----a-w-    c:\windows\system32\CLVSD.ax
2013-11-25 15:13 . 2009-04-29 05:00    110592    ----a-w-    c:\windows\system32\PropListCtrl.ocx
2013-11-25 15:13 . 2006-09-27 11:46    348160    ----a-w-    c:\windows\system32\cdga.dll
2013-11-25 15:13 . 2006-07-17 15:42    14909    ----a-w-    c:\windows\system32\A_reg.reg
2013-11-25 15:13 . 2003-03-25 00:49    98304    ----a-w-    c:\windows\system32\L3CODECX.AX
2013-11-25 15:13 . 2013-12-03 15:47    --------    d-----w-    C:\temp
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-11 01:59 . 2012-05-21 20:47    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-12-11 01:59 . 2012-05-21 20:47    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-11 10:11 . 2013-11-11 10:11    161792    ----a-w-    c:\windows\system32\msls31.dll
2013-11-11 10:11 . 2013-11-11 10:11    86528    ----a-w-    c:\windows\system32\iesysprep.dll
2013-11-11 10:11 . 2013-11-11 10:11    76800    ----a-w-    c:\windows\system32\SetIEInstalledDate.exe
2013-11-11 10:11 . 2013-11-11 10:11    74752    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2013-11-11 10:11 . 2013-11-11 10:11    63488    ----a-w-    c:\windows\system32\tdc.ocx
2013-11-11 10:11 . 2013-11-11 10:11    48640    ----a-w-    c:\windows\system32\mshtmler.dll
2013-11-11 10:11 . 2013-11-11 10:11    367104    ----a-w-    c:\windows\system32\html.iec
2013-11-11 10:11 . 2013-11-11 10:11    74752    ----a-w-    c:\windows\system32\iesetup.dll
2013-11-11 10:11 . 2013-11-11 10:11    23552    ----a-w-    c:\windows\system32\licmgr10.dll
2013-11-11 10:11 . 2013-11-11 10:11    152064    ----a-w-    c:\windows\system32\wextract.exe
2013-11-11 10:11 . 2013-11-11 10:11    150528    ----a-w-    c:\windows\system32\iexpress.exe
2013-11-11 10:11 . 2013-11-11 10:11    35840    ----a-w-    c:\windows\system32\imgutil.dll
2013-11-11 10:11 . 2013-11-11 10:11    11776    ----a-w-    c:\windows\system32\mshta.exe
2013-11-11 10:11 . 2013-11-11 10:11    110592    ----a-w-    c:\windows\system32\IEAdvpack.dll
2013-11-11 10:11 . 2013-11-11 10:11    101888    ----a-w-    c:\windows\system32\admparse.dll
2013-11-11 10:09 . 2013-11-11 10:09    98816    ----a-w-    c:\windows\system32\mfps.dll
2013-11-11 10:09 . 2013-11-11 10:09    979456    ----a-w-    c:\windows\system32\MFH264Dec.dll
2013-11-11 10:09 . 2013-11-11 10:09    357376    ----a-w-    c:\windows\system32\MFHEAACdec.dll
2013-11-11 10:09 . 2013-11-11 10:09    302592    ----a-w-    c:\windows\system32\mfmp4src.dll
2013-11-11 10:09 . 2013-11-11 10:09    2873344    ----a-w-    c:\windows\system32\mf.dll
2013-11-11 10:09 . 2013-11-11 10:09    261632    ----a-w-    c:\windows\system32\mfreadwrite.dll
2013-11-11 10:09 . 2013-11-11 10:09    209920    ----a-w-    c:\windows\system32\mfplat.dll
2013-11-11 10:09 . 2013-11-11 10:09    586240    ----a-w-    c:\windows\system32\stobject.dll
2013-11-11 10:09 . 2013-11-11 10:09    135680    ----a-w-    c:\windows\system32\XpsRasterService.dll
2013-11-11 10:09 . 2013-11-11 10:09    478720    ----a-w-    c:\windows\system32\dxgi.dll
2013-11-11 10:09 . 2013-11-11 10:09    847360    ----a-w-    c:\windows\system32\OpcServices.dll
2013-11-11 10:09 . 2013-11-11 10:09    667648    ----a-w-    c:\windows\system32\printfilterpipelinesvc.exe
2013-11-11 10:09 . 2013-11-11 10:09    26112    ----a-w-    c:\windows\system32\printfilterpipelineprxy.dll
2013-11-11 10:09 . 2013-11-11 10:09    258048    ----a-w-    c:\windows\system32\winspool.drv
2013-11-11 10:09 . 2013-11-11 10:09    1554432    ----a-w-    c:\windows\system32\xpsservices.dll
2013-11-11 10:08 . 2013-11-11 10:08    4096    ----a-w-    c:\windows\system32\drivers\en-US\dxgkrnl.sys.mui
2013-11-11 10:08 . 2013-11-11 10:08    519680    ----a-w-    c:\windows\system32\d3d11.dll
2013-11-11 10:08 . 2013-11-11 10:08    369664    ----a-w-    c:\windows\system32\WMPhoto.dll
2013-11-11 10:08 . 2013-11-11 10:08    252928    ----a-w-    c:\windows\system32\dxdiag.exe
2013-11-11 10:08 . 2013-11-11 10:08    195584    ----a-w-    c:\windows\system32\dxdiagn.dll
2013-11-11 10:08 . 2013-11-11 10:08    974848    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2013-11-11 10:08 . 2013-11-11 10:08    321024    ----a-w-    c:\windows\system32\PhotoMetadataHandler.dll
2013-11-11 10:08 . 2013-11-11 10:08    189440    ----a-w-    c:\windows\system32\WindowsCodecsExt.dll
2013-10-30 02:13 . 2008-01-21 02:23    1304064    ----a-w-    c:\windows\system32\WMALFXGFXDSP.dll
2013-10-11 02:08 . 2013-11-14 12:22    444928    ----a-w-    c:\windows\system32\IKEEXT.DLL
2013-10-11 02:07 . 2013-11-14 12:22    596480    ----a-w-    c:\windows\system32\FWPUCLNT.DLL
2013-10-03 12:45 . 2013-11-14 12:22    297984    ----a-w-    c:\windows\system32\gdi32.dll
2013-10-03 12:45 . 2013-11-14 12:22    993792    ----a-w-    c:\windows\system32\crypt32.dll
2013-09-24 03:07 . 2013-11-11 10:47    53760    ----a-w-    c:\windows\apppatch\iebrshim.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-02 4452352]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-14 59720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-11-02 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23    1008184    ----a-w-    c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-21 01:59]
.
2013-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-09 19:37]
.
2013-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-09 19:37]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Dr. Saron\AppData\Roaming\Mozilla\Firefox\Profiles\v7of18qn.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-15 23:26
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
c:\program files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\windows\system32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2013-12-15  23:29:06 - machine was rebooted
ComboFix-quarantined-files.txt  2013-12-16 05:29
.
Pre-Run: 184,393,011,200 bytes free
Post-Run: 184,035,688,448 bytes free
.
- - End Of File - - 00EDECBDFE813E85DCA41EB15CE8B0FA
5C616939100B85E558DA92B899A0FC36



#13 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 16 December 2013 - 05:21 PM

How is your machine running now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 mystery987 (Topic Starter, Members, 41 posts)

Posted 16 December 2013 - 06:37 PM

Hi fireman4it,

The pop-ups seem to have been taken care of.  I guess the advertising that expands at the top of the bleeping computer website is supposed to be there.  Seems we are getting there.  Here are the things that are still of concern:

1.  ScorpionSaver Services still appears as a program in the control panel uninstall list.

2.  The Paperport software still keeps trying to install every time I restart the computer.  It's asking for a CD with the software on it.  The computer didn't use to do this.

3.  Doing basic functions on the computer, like opening browsers and surfing the internet, and using Microsoft Office software is extremely slow.  Also, shutting down the computer is slow as well.  Is there anything we can do to speed it up?

Thanks again for your continued help.



#15 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 16 December 2013 - 10:43 PM

ScorpionSaver Services still appears as a program in the control panel uninstall list.

Go ahead and see if it will uninstall. It probably won't, so you can go ahead and remove it if it allows you to.

1.
We need to download Temp File Cleaner (TFC) by OldTimer:
  • Please download TFC.exe by Oldtimer at one of the two links: Link 1 Link 2
  • Save and close all running applications
  • Double-click on TFC.exe to run the program
  • Click on Start to begin the cleaning process
    note: this program may close running applications, make your screen disappear temporarily, or require a reboot of your PC - this is normal and part of the cleanup
  • When the scan is complete, if you were not asked to reboot the computer, please do so now
  • More Information can be found about the tool here: http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

2.
Download Windows Repair (all in one) from this site

Install the program then run it.

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

[image: p22001645.gif]

Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

[image: p22001646.gif]

Go to Step 4 and under "System Restore" click on Create button:

[image: p22001644.gif]

Go to Start Repairs tab and click Start button.

[image: p22001166.gif]

Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

[image: p22001647.gif]

Click on box next to the Restart System when Finished. Then click on Start.

Let me know how the machine is running now.

Edited by fireman4it, 16 December 2013 - 10:46 PM.
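The following is an added example and not part of the thread (it is neither fireman4it's instructions nor code from TFC or Windows Repair). It does, with Windows built-ins from an elevated PowerShell prompt, what the two posts above talk about: it lists what a leftover "ScorpionSaver" install still owns (the Programs and Features entry, any service, any scheduled task) so you can see whether the uninstall actually removed everything, and then creates a restore point, runs System File Checker and schedules CheckDisk, which are the three Windows Repair steps the helper asked for. The `ScorpionSaver` name pattern is an assumption taken from the uninstall-list entry mentioned in post #14; the script only reports leftovers and deletes nothing.

```powershell
# Added example, not from the thread: inventory leftovers of a "ScorpionSaver"
# install, then run the repairs the Windows Repair steps drive, using only
# Windows built-ins. Run from an elevated PowerShell prompt on the affected
# machine. Read-only apart from the restore point, SFC and CheckDisk at the end.
$pattern = 'ScorpionSaver'   # assumed from the uninstall-list entry in the thread

# 1. Programs and Features reads these keys; the Wow6432Node key exists only on
#    64-bit Windows, so filter to the keys that are actually present.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
) | Where-Object { Test-Path $_ }

Write-Host "== Uninstall entries matching $pattern =="
Get-ChildItem $uninstallKeys |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object DisplayName, UninstallString, InstallLocation, PSPath |
    Format-List

# 2. Services: the same data ComboFix reports from HKLM\SYSTEM\...\Services.
#    Match on the binary path too, in case the service name differs.
Write-Host "== Services matching $pattern =="
Get-WmiObject Win32_Service |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern -or $_.PathName -match $pattern } |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-List

# 3. Scheduled tasks (the c:\windows\Tasks\*.job lines in the ComboFix log).
Write-Host "== Scheduled tasks mentioning $pattern =="
schtasks /Query /FO LIST /V | Select-String -Pattern $pattern -Context 1,0

# 4. Repairs in the same order as the Windows Repair steps: restore point first,
#    then System File Checker, then CheckDisk. chkdsk cannot lock the Windows
#    volume while it is in use and will offer to run at the next restart;
#    answer Y and reboot.
Checkpoint-Computer -Description 'Before post-cleanup repairs' -RestorePointType MODIFY_SETTINGS
sfc /scannow
chkdsk C: /F
```

If section 1 prints an entry, its UninstallString is the command Control Panel runs when you click Uninstall; if it points at a file that no longer exists, that is why the entry cannot be removed from the list, and the orphaned registry key is the only thing left. A service or task that still shows up in sections 2 or 3 after the uninstall is the kind of leftover worth reporting back in the thread rather than removing blind.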




