i know i am infected and browsers wont work...

16 replies to this topic

#1 kylejw1990

Posted 26 April 2014 - 08:55 PM

OK, so a friend brought me her laptop because the browser stopped working. She uninstalled and reinstalled IE and Firefox. Both don't work. After looking more into it I found a "Browser" service was turned off and, upon trying to start it, it would say that supported services are not running. I found something called ScorpionSaver on the computer and Malwarebytes didn't detect it, nor did AVG. I deleted it anyway but still not getting the browser to work...

If you have any information so I can clean this up and get it running again, that would be wonderful! Thanks.

EDIT: So the "Browser" service is running now but still not connecting. Pinging "www.google.com" works fine. When I open IE it opens "iexplore.exe" and "iexplore.exe *32". If I try to end the process it reopens itself right away and occasionally opens dllhost => COM Surrogate as well as something called Biomonitor.exe....

Edit 2: DDS file added

Attached Files

  • Attached File  dds.txt   16.11KB   5 downloads

Edited by kylejw1990, 26 April 2014 - 10:11 PM.




#2 satchfan

Posted 27 April 2014 - 04:50 AM

Hello kylejw1990 and welcome to Bleeping Computer.

 

My name is Satchfan and I would be glad to help you with your computer problem.

 

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

 

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

 

===================================================

Note: Please run these in the order given in the instructions.

===================================================

 

Download/run Rkill:

 

Please download Rkill from one of the following links and save to your Desktop:

 

Link One
Link Two
Link Three
Link Four

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.

Note: If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by the rogue software which attempts to terminate tools that try to remove it. If you see such a warning, leave the warning on the screen and then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that Rkill can perform its routine.

 

You may have to make repeated attempts to use Rkill several times before it will run as some malware variants try to block it.

 

You'll be able to tell when rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

 

Do not reboot your computer after running rkill as the malware programs will start again.

 

===================================================

 

Download and run AdwCleaner

 

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner
  • when it has finished, select Clean
  • if it asks to reboot - allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

 

Download and run OTL

 

  • download OTL to your desktop.
  • double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • click Scan all users.
  • under Custom Scan paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /rp /s
    DRIVES
    CREATERESTOREPOINT

     

  • click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
  • when the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
  • you may need two posts to fit them both in.

Logs to include with next post:

 

AdwCleaner log
OTL.txt
Extras.txt

 

Please also include Attach.txt which was produced when you ran DDS.

 

Thanks

 

Satchfan


Edited by satchfan, 27 April 2014 - 05:04 AM.

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 kylejw1990

Posted 27 April 2014 - 09:17 AM

The 4 logs you wanted...

Attached Files



#4 satchfan

Posted 27 April 2014 - 11:31 AM

Thanks for the logs.

Can you please copy/paste all future logs into the post and not attach them. Thanks. :)


Uninstall programs

Uninstall these programs:

ScorpionSaver
ScorpionSaver Services

  • click Start, Control Panel, Programs and Features
  • click on ScorpionSaver and then Uninstall
  • repeat this for the other programs listed above.

================================================

Note: If you have Malwarebytes Anti-Malware 1.6 or higher installed and are using the Pro version or trial version, please temporarily disable it for the duration of this fix as it may interfere with the successful execution of the script below.

Run OTL

  • double click on the icon to run it.
  • copy/paste ALL the following text written inside the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Services
    :OTL
    IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{B9D5C3EE-725C-4094-886B-D065685C45E1}: "URL" = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
    IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}: "URL" = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
    O3 - HKU\S-1-5-21-130329963-310863107-2458394106-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O9:[b]64bit:[/b] - Extra Button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - Reg Error: Key error. File not found
    O9:[b]64bit:[/b] - Extra 'Tools' menuitem : Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - Reg Error: Key error. File not found
    O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000001 - CC:\Windows\system32\AdpeakProxy64.dll File not found
    O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000002 - CC:\Windows\system32\AdpeakProxy64.dll File not found
    O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000003 - CC:\Windows\system32\AdpeakProxy64.dll File not found
    O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000004 - CC:\Windows\system32\AdpeakProxy64.dll File not found
    O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000016 - CC:\Windows\system32\AdpeakProxy64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{273E1F1A-7B1A-436C-A783-A4A8C97AD036}"=-
    "{9B65F9A3-9D24-452A-B6EF-1457D65E4259}" =
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • click the Run Fix button at the top
  • let the program run unhindered, reboot when it is done
  • please post the OTL fix log and new OTL log.

Logs to include in the next post:

OTL fix log
New OTL log


Can you tell me how your computer is running now.

Satchfan

 


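The O10 lines in the fix above are Winsock Layered Service Provider (LSP) catalog entries, and they explain the original symptom: ping.exe sends ICMP through the IP helper API rather than through a Winsock socket, so it keeps working, while every Winsock client (both browsers) fails as soon as a catalog entry points at a provider DLL that has been deleted. The check below is an added example, not code from the thread, from OTL or from any other tool named on the page. It assumes the layout of the PackedCatalogItem value (the provider DLL path as a NUL-padded ANSI string in a 260-byte field at the start of the blob) and the catalog key names shown in the OTL output; the sample entries and the "files on disk" set are constructed to mirror the O10 lines above.

```python
"""Flag Winsock LSP catalog entries whose provider DLL is missing from disk.

Added example; not from the thread, OTL, or any other tool named on the page.
Assumed layout: every Catalog_Entries\\<nnn> (and Catalog_Entries64\\<nnn>) key
holds a REG_BINARY value "PackedCatalogItem" that begins with the provider DLL
path as a NUL-padded ANSI string in a MAX_PATH (260-byte) field; the rest of
the blob (the WSAPROTOCOL_INFO record) is treated as opaque here.
"""
import os
import re
import sys

MAX_PATH = 260
CATALOG_BASE = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9"
CATALOG_KEYS = ("Catalog_Entries", "Catalog_Entries64")


def provider_path(packed_item: bytes) -> str:
    """Return the DLL path stored at the start of a PackedCatalogItem blob."""
    if len(packed_item) < MAX_PATH:
        raise ValueError("PackedCatalogItem shorter than MAX_PATH")
    return packed_item[:MAX_PATH].split(b"\0", 1)[0].decode("latin-1")


def expand(path: str, env: dict) -> str:
    """Expand %VAR% references case-insensitively from the given environment."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), path)


def orphaned_entries(entries: dict, exists, env: dict) -> list:
    """(entry, expanded_dll_path) for every catalog entry whose DLL is absent.

    entries: {"Catalog_Entries64\\000000000001": packed_item_bytes, ...}
    exists:  predicate on an expanded path (os.path.isfile on a live system)
    """
    missing = []
    for name, blob in sorted(entries.items()):
        dll = expand(provider_path(blob), env)
        if not exists(dll):
            missing.append((name, dll))
    return missing


def read_live_catalog() -> dict:
    """Windows only: collect PackedCatalogItem blobs from both catalog keys."""
    import winreg  # only available on Windows
    entries = {}
    for sub in CATALOG_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_BASE + "\\" + sub)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    child = winreg.EnumKey(key, index)
                except OSError:
                    break
                index += 1
                with winreg.OpenKey(key, child) as entry:
                    blob, _ = winreg.QueryValueEx(entry, "PackedCatalogItem")
                    entries[sub + "\\" + child] = blob
    return entries


def packed(path: str) -> bytes:
    """Build a constructed PackedCatalogItem: the 260-byte path field plus an opaque tail."""
    return path.encode("latin-1").ljust(MAX_PATH, b"\0") + b"\0" * 16


# Constructed sample mirroring the O10 lines in the fix above; only mswsock.dll "exists".
SAMPLE_ENTRIES = {
    "Catalog_Entries64\\000000000001": packed(r"%SystemRoot%\system32\AdpeakProxy64.dll"),
    "Catalog_Entries64\\000000000005": packed(r"%SystemRoot%\system32\mswsock.dll"),
    "Catalog_Entries\\000000000001": packed(r"C:\Program Files (x86)\Bonjour\mdnsNSP.dll"),
}
SAMPLE_ENV = {"SystemRoot": r"C:\Windows"}
SAMPLE_ON_DISK = {r"C:\Windows\system32\mswsock.dll"}


def sample_report() -> list:
    """Run the check against the constructed sample (used when not on Windows)."""
    return orphaned_entries(SAMPLE_ENTRIES, lambda p: p in SAMPLE_ON_DISK, SAMPLE_ENV)


if __name__ == "__main__":
    if sys.platform == "win32":
        report = orphaned_entries(read_live_catalog(), os.path.isfile, dict(os.environ))
    else:
        report = sample_report()
    for name, dll in report:
        print(f"orphaned LSP entry {name} -> {dll}")
    if report:
        print("remediation: 'netsh winsock reset' from an elevated prompt, then reboot")
```

On a live machine the built-in remediation is `netsh winsock reset` from an elevated prompt followed by a reboot; note that it drops every third-party provider (including legitimate ones such as Bonjour's mdnsNSP.dll), which is why a targeted fix like the one above is preferable when the offending entries are known.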


#5 kylejw1990

Posted 27 April 2014 - 11:38 AM

Just got the post... The ScorpionSaver programs throw an error if I try to uninstall them.

 

"the feature you are trying to use is on a network resource that is unavailable"

then another box says..." The installation source for this product is not available. Verify that the source exists and that you can access it."

 

Ideas? Would you like me to bypass this step and continue?

EDIT: I took a quick look through the directories and found no files or folders for Adpeak/ScorpionSaver, but it is still listed as available to be uninstalled... This link is to another forum which displays pics of what I am seeing.

 

https://forums.malwarebytes.org/index.php?showtopic=138064


Edited by kylejw1990, 27 April 2014 - 12:13 PM.


#6 satchfan

Posted 27 April 2014 - 03:29 PM

Leave the 'uninstall' instructions and follow the others, please.

 

We'll see what's happening when I receive the other log.


Edited by satchfan, 27 April 2014 - 03:31 PM.



#7 kylejw1990

Posted 27 April 2014 - 04:03 PM

Here is the OTL fix log:


 

All processes killed

========== SERVICES/DRIVERS ==========
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B9D5C3EE-725C-4094-886B-D065685C45E1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B9D5C3EE-725C-4094-886B-D065685C45E1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC}\ not found.
Registry value HKEY_USERS\S-1-5-21-130329963-310863107-2458394106-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\ deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\{273E1F1A-7B1A-436C-A783-A4A8C97AD036} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{273E1F1A-7B1A-436C-A783-A4A8C97AD036}\ not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\"{9B65F9A3-9D24-452A-B6EF-1457D65E4259}" | /E : value set successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Ben\Desktop\cmd.bat deleted successfully.
C:\Users\Ben\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Ben
->Temp folder emptied: 398677103 bytes
->Temporary Internet Files folder emptied: 17005360 bytes
->Flash cache emptied: 42168 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 849849396 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 42351894 bytes
RecycleBin emptied: 96688 bytes
 
Total Files Cleaned = 1,247.00 mb
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\: LSP stack updated.
 
OTL by OldTimer - Version 3.2.69.0 log created on 04272014_165319
 
Files\Folders moved on Reboot...
C:\Users\Ben\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
C:\Windows\temp\BEN-HP-20140427-0952.log moved successfully.
File\Folder C:\Windows\temp\officeclicktorun.exe_c2ruidll(201404270952057D8).log not found!
File\Folder C:\Windows\temp\officeclicktorun.exe_streamserver(201404270952067D8).log not found!
File move failed. C:\Windows\temp\ood_stream.x86.en-us.dat scheduled to be moved on reboot.
File move failed. C:\Windows\temp\ood_stream.x86.x-none.dat scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat scheduled to be moved on reboot.
 
PendingFileRenameOperations files...
 
Registry entries deleted on Reboot...
 

Does the OTL log overwrite the old one, or do I run the scan again?

Also, the browser is working now!!! THANK YOU. ScorpionSaver still shows up in the programs list...



#8 satchfan

Posted 27 April 2014 - 04:14 PM

Persistent isn’t it? Let’s see if we can find out more.

Please download SystemLook from one of the links below and save it to your Desktop.

SystemLook (32-bit)
SystemLook (64-bit)

  • double-click SystemLook.exe to run it.
  • copy the content of the following codebox into the main textfield - please make sure you include the colon, (:), at the beginning.:

    :filefind
    *scorpion*
    
    :folderfind
    *scorpion*
    
    :Regfind
    scorpion
    
    
  • click the Look button to start the scan.
  • when finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Satchfan

 

 


Edited by satchfan, 27 April 2014 - 04:16 PM.



#9 kylejw1990

Posted 27 April 2014 - 04:21 PM

Another log for ya:

 

 

SystemLook 04.09.10 by jpshortstuff
Log created at 17:19 on 27/04/2014 by Ben
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "*scorpion*"
No files found.

========== folderfind ==========

Searching for "*scorpion*"
C:\AdwCleaner\Quarantine\C\Program Files (x86)\ScorpionSaver d------ [13:49 27/04/2014]

========== Regfind ==========

Searching for "scorpion"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{273E1F1A-7B1A-436C-A783-A4A8C97AD036}]
"DisplayName"="ScorpionSaver"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B65F9A3-9D24-452A-B6EF-1457D65E4259}]
"DisplayName"="ScorpionSaver"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adpeak, Inc.\ScorpionSaver Services]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A9F56B942D9A2546BFE41756DE52495]
"ProductName"="ScorpionSaver"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\8BA5CD9129705784F8B198C6A5C96EEA\SourceList]
"PackageName"="scorpionsaver_20131010.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A1F1E372A1B7C6347A384A8A9CA70D63]
"ProductName"="ScorpionSaver"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A1F1E372A1B7C6347A384A8A9CA70D63\SourceList]
"PackageName"="ScorpionSaver.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\C29B45BF-C192-4F7C-8871-58806852D3C3]
@="ScorpionSaver"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\C29B45BF-C192-4F7C-8871-58806852D3C3\InProcServer32]
@="C:\Program Files(x86)\ScorpionSaver\IECore.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog\049970F0]
"AppFullPath"="C:\Program Files\ScorpionSaver Services\AdpeakProxy.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WinSock2\Parameters\AppId_Catalog\049970F0]
"AppFullPath"="C:\Program Files\ScorpionSaver Services\AdpeakProxy.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\AppId_Catalog\049970F0]
"AppFullPath"="C:\Program Files\ScorpionSaver Services\AdpeakProxy.exe"
[HKEY_USERS\.DEFAULT\Software\AppDataLow\Software\Scorpion Saver]
[HKEY_USERS\S-1-5-18\Software\AppDataLow\Software\Scorpion Saver]

-= EOF =-
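The SystemLook output ties the two Uninstall entries to keys under Installer\Products whose names look unrelated to the product codes. They are the same GUIDs: Windows Installer stores each ProductCode in "packed" form (the 8-4-4 fields written backwards, then each remaining byte's two hex digits swapped), and the SourceList\PackageName under that key is the .msi the uninstaller tries to re-read, which is what produced the "installation source for this product is not available" error in post #5. The converter below is an added example, not code from the thread or from any tool it uses; the dictionaries are constructed from the registry paths and names visible in the SystemLook log above and the Malwarebytes log later in the thread.

```python
"""Correlate Uninstall keys with Windows Installer Products keys.

Added example, not from the thread or any tool it mentions. Windows Installer
keys product data under HKLM\\SOFTWARE\\Classes\\Installer\\Products\\<packed>,
where <packed> is the ProductCode GUID with the 8-4-4 hex fields reversed whole
and each of the remaining eight bytes reversed pairwise. The transform is its
own inverse, so one routine packs and unpacks.
"""
import re

_FIELD_LENGTHS = (8, 4, 4, 2, 2, 2, 2, 2, 2, 2, 2)


def _hex32(guid: str) -> str:
    """Strip braces and hyphens; require exactly 32 hex digits."""
    s = re.sub(r"[{}\-]", "", guid).upper()
    if not re.fullmatch(r"[0-9A-F]{32}", s):
        raise ValueError(f"not a GUID: {guid!r}")
    return s


def pack_guid(guid: str) -> str:
    """ProductCode GUID -> 32-character Installer\\Products key name."""
    s, out, pos = _hex32(guid), [], 0
    for n in _FIELD_LENGTHS:
        out.append(s[pos:pos + n][::-1])
        pos += n
    return "".join(out)


def unpack_guid(packed: str) -> str:
    """Installer\\Products key name -> braced ProductCode GUID."""
    s = pack_guid(packed)  # involution: packing a packed name restores the GUID
    return "{%s-%s-%s-%s-%s}" % (s[:8], s[8:12], s[12:16], s[16:20], s[20:])


# Constructed from the SystemLook output above and the Malwarebytes log below.
UNINSTALL_KEYS = {
    "{273E1F1A-7B1A-436C-A783-A4A8C97AD036}": "ScorpionSaver",
    "{9B65F9A3-9D24-452A-B6EF-1457D65E4259}": "ScorpionSaver",
    "{19DC5AB8-0792-4875-8F1B-896C5A9CE6AE}": "Level Quality Watcher",
}
INSTALLER_PRODUCTS = {
    "3A9F56B942D9A2546BFE41756DE52495": {"ProductName": "ScorpionSaver"},
    "8BA5CD9129705784F8B198C6A5C96EEA": {"PackageName": "scorpionsaver_20131010.msi"},
    "A1F1E372A1B7C6347A384A8A9CA70D63": {"ProductName": "ScorpionSaver",
                                         "PackageName": "ScorpionSaver.msi"},
}


def correlate(uninstall: dict, products: dict) -> dict:
    """Map each Uninstall ProductCode to its Installer\\Products record (None if absent)."""
    return {code: products.get(pack_guid(code)) for code in uninstall}


def orphaned_products(uninstall: dict, products: dict) -> list:
    """Packed product keys that no Uninstall entry refers to."""
    known = {pack_guid(code) for code in uninstall}
    return sorted(p for p in products if p not in known)


if __name__ == "__main__":
    for code, record in correlate(UNINSTALL_KEYS, INSTALLER_PRODUCTS).items():
        print(f"{code} ({UNINSTALL_KEYS[code]}) -> {pack_guid(code)}: {record}")
    print("unreferenced product keys:", orphaned_products(UNINSTALL_KEYS, INSTALLER_PRODUCTS))
```

Running it shows that all three Installer\Products keys in the log belong to the three adware entries in Uninstall, including the 8BA5CD91... key, which unpacks to the Level Quality Watcher product code that Malwarebytes later removes. Because the MSI packages named in SourceList are gone, `msiexec /x {ProductCode}` fails the same way Programs and Features did, which is why the registry-only cleanup in the next post is the practical route.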



#10 satchfan

Posted 28 April 2014 - 07:34 AM


Run Tweaking.com Registry Backup

We are going to make some changes to the registry which can create unforeseen problems so you need to back it up first.

  • download the tool found here  to your Desktop so it is easy to find
  • double click on the file you just downloaded to install it to your system
  • once the tool is installed, double-click on the Tweaking.com Registry Backup icon
    *Note:* The tool should automatically open to the Backup Registry tab.
  • press Backup Now
  • when the back up is complete, the tool will tell you that “Successful */* Files Backed Up”
  • you have now successfully backed up your Registry.

Next


  • copy the contents of the Code Box below to Notepad.
  • name the file as fix.reg
  • change the Save as Type to All Files and Save it to the desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{273E1F1A-7B1A-436C-A783-A4A8C97AD036}]
"DisplayName"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B65F9A3-9D24-452A-B6EF-1457D65E4259}]
"DisplayName"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adpeak, Inc.\ScorpionSaver Services]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A9F56B942D9A2546BFE41756DE52495]
"ProductName"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\8BA5CD9129705784F8B198C6A5C96EEA\SourceList]
"PackageName"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A1F1E372A1B7C6347A384A8A9CA70D63]
"ProductName"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A1F1E372A1B7C6347A384A8A9CA70D63\SourceList]
"PackageName"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\C29B45BF-C192-4F7C-8871-58806852D3C3]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\C29B45BF-C192-4F7C-8871-58806852D3C3\InProcServer32]
@=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog\049970F0]
"AppFullPath"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WinSock2\Parameters\AppId_Catalog\049970F0]
"AppFullPath"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\AppId_Catalog\049970F0]
"AppFullPath"=-
[-HKEY_USERS\.DEFAULT\Software\AppDataLow\Software\Scorpion Saver]
[-HKEY_USERS\S-1-5-18\Software\AppDataLow\Software\Scorpion Saver]

Make sure there are NO blank lines before REGEDIT4

Then double-click on the fix.reg file, and when it prompts to merge say Yes.

===================================================

Run Malwarebytes’ Anti-Malware

I noticed that you had MBAM on your system: if you no longer have it, you can download it from here:

  • start Malwarebytes Anti-Malware and update it ("Update" tab)
  • once it is updated, click on “Scanner” tab, select Perform quick scan, then click Scan.
  • when the scan is complete, click OK, then Show Results to view the results.
  • be sure that everything is checked, and click Remove Selected.
  • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

===================================================

Run ESET Online Scan

IMPORTANT Please make sure you uncheck the box next to Remove found threats. Eset will detect anything that looks even slightly suspicious, which could include legitimate program files. If you do not uncheck the box, Eset will automatically remove all suspicious files which could leave some of your software inoperable.

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan


  • click the Eset online Scanner button
  • for alternate browsers only: (Microsoft Internet Explorer users can skip these steps)


    o    click on esetinstaller.exe to download the ESET Smart Installer. Save it to your desktop.
    o    double click on the Eset installer icon on your desktop.
     

  • check Yes, I accept the Terms of Use
  • click the Start button
  • accept any security warnings from your browser
  • check Scan archives and Remove found threats
  • click Advanced settings and select the following:


    o    Scan potentially unwanted applications
    o    Scan for potentially unsafe applications
    o    Enable Anti-Stealth technology
     

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • when the scan completes, push List of found threats
  • push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

    Note - if ESET doesn't find any threats, no report will be created.
     
  • push the back button.
  • push Finish

When the scan is complete:

If no threats were found:

o    put a checkmark in "Uninstall application on close"
o    close program
o    report to me that nothing was found

If threats were found:

o    click on "list of threats found"
o    click on "export to text file" and save it as ESET results and save to the desktop
o    Click on back
o    put a checkmark in "Uninstall application on close"
o    click on finish
o    close program
o    copy and paste the report here

Please post the Malwarebytes log and any resulting log from Eset.

Satchfan
 

 




#11 kylejw1990

Posted 28 April 2014 - 10:56 AM

Malwarebytes log:

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.04.28.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17041
Ben :: BEN-HP [administrator]

Protection: Enabled

4/28/2014 10:18:42 AM
mbam-log-2014-04-28 (10-18-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 227777
Time elapsed: 4 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 9
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35853321-818D-4B5D-AA6B-6C56DBBFEEE7} (PUP.Optional.WebProtect) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{35853321-818D-4B5D-AA6B-6C56DBBFEEE7} (PUP.Optional.WebProtect) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{35853321-818D-4B5D-AA6B-6C56DBBFEEE7} (PUP.Optional.WebProtect) -> Quarantined and deleted successfully.
HKCU\Software\AppDataLow\Software\Level Quality Watcher (PUP.Optional.LevelQualityWatcher.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Solid Savings (PUP.Optional.SolidSavings.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{19DC5AB8-0792-4875-8F1B-896C5A9CE6AE} (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Wow6432Node\Adpeak, Inc. (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AdpeakProxy (PUP.Optional.ScorpionSaver) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\SWEETIM (PUP.Optional.SweetIM.A) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{19DC5AB8-0792-4875-8F1B-896C5A9CE6AE}|DisplayName (PUP.Optional.Adpeak) -> Data: Level Quality Watcher -> Quarantined and deleted successfully.
HKLM\Software\SweetIM|simapp_id (PUP.Optional.SweetIM.A) -> Data: {F04C4A5E-355B-11E3-A258-9439E5C8E69E} -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

ESET log:

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\CT3304781\plugins\TBVerifier.dll.vir Win32/Toolbar.Conduit.AC potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\CT3314312\plugins\TBVerifier.dll.vir Win32/Toolbar.Conduit.AC potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Web Protect\WebProtect.dll.vir a variant of Win32/AdWare.Facetheme.F application
C:\Program Files (x86)\VideoConverter\VideoConverter.exe a variant of Win32/InstallCore.A potentially unwanted application
C:\Users\Ben\AppData\Local\CRE\eibleipkbineaadpnemmalkahodjhdbd.crx Win32/Toolbar.Conduit.AC potentially unwanted application
C:\Users\Ben\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab Win32/OpenCandy potentially unsafe application
C:\Windows\Installer\MSI90BB.tmp a variant of Win64/Adware.Adpeak.B application
 

 

ScorpionSaver no longer shows up under the installed programs list...



#12 satchfan

Posted 28 April 2014 - 11:13 AM

Some of what the Eset scan found will be gone when we clean up but we’ll get rid of the others.

Please copy all text in the code box below and paste it into Notepad:
 

@echo off
rem Remove the leftover files ESET reported, then delete this script itself
del /f /s /q "C:\Program Files (x86)\VideoConverter\VideoConverter.exe"
del /f /s /q "C:\Users\Ben\AppData\Local\CRE\eibleipkbineaadpnemmalkahodjhdbd.crx"
del /f /s /q "C:\Users\Ben\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab"
del /f /s /q "C:\Windows\Installer\MSI90BB.tmp"
del %0
  • save the Notepad file to your desktop and name it delfiles.bat
  • save type as "All Files"
  • on your desktop, double-click on delfiles.bat to run it, (a black CMD window will flash, then disappear - this is normal).

====================================================

Download TFC to your desktop

 

  • close any open windows
  • double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run
  • click the Start button to begin the process
  • allow TFC to run uninterrupted
  • the program should not take long to finish its job
  • once its finished it should automatically reboot your machine
  • if it doesn't, manually reboot to ensure a complete clean.

Are there any remaining problems?

Satchfan
 

 




#13 kylejw1990

Posted 28 April 2014 - 11:23 AM

We should be all set. Thank you so much for the help!!!



#14 satchfan

Posted 28 April 2014 - 06:42 PM

You're welcome. :thumbup2:

 

Your computer appears to be clean.

Now that you're free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up your computer and decrease the likelihood of getting infected again:


Uninstall OTL

  • double-click OTL.exe
  • click the CleanUp! button.
  • select Yes when the Begin cleanup Process? prompt appears.
  • if you are prompted to reboot during the cleanup, select Yes.
  • the tool will delete itself once it finishes; if not, delete it yourself.

NOTE: If you receive a warning from your firewall or other security programs regarding OTL attempting to contact the internet, please allow it to do so.

===================================================

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Create a Restore Point

  • click on Start > Control Panel (All Control Panel Items)
  • click on System > System Protection
  • check that you have System Protection turned on for the drive that you want to create a restore point for (usually C:)
  • click Create
  • type in a description for the restore point to help recognize it when doing a System Restore, and click on the Create button.

Remove old restore points


  • open Disk Cleanup by clicking Start. In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.
  • if prompted, select the drive that you want to clean up, and then click OK.
  • in the Disk Cleanup for (drive letter) dialog box, click Clean up system files. If you're prompted for an administrator password or confirmation, type the password or provide confirmation
  • if prompted, select the drive that you want to clean up, and then click OK
  • click the More Options tab, then under System Restore and Shadow Copies, click Clean up
  • in the Disk Cleanup dialog box, click Delete
  • click Delete Files, and then click OK.

===================================================

Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

===================================================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

===================================================

MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

A couple of links with information here and here which can answer any questions you might have about installing/using it.

===================================================

I also recommend that you read the following:

How to prevent malware by miekiemoes

Help! My computer is slow! by miekiemoes

Simple and easy ways to keep your computer safe and secure on the Internet  by Lawrence Abrams

I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Satchfan

 


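The HOSTS step above works by mapping known bad hostnames to a loopback address so the connection never leaves the machine. As an added example that is not part of satchfan's post, the script below parses the Windows HOSTS file and separates those sinkhole entries (127.0.0.1 as described in the post, plus 0.0.0.0 and ::1, which blocklists also use) from entries that point a hostname somewhere else, which are worth reviewing because malware also edits this file to redirect update and banking sites. It assumes PowerShell 3.0 or later; the two hostnames checked at the end are constructed sample names, not taken from the thread.

```powershell
# Added example (not from the original post): inspect the Windows HOSTS file.
# Requires PowerShell 3.0 or later (for the -in / -notin operators).

$script:SinkAddresses = @('127.0.0.1', '0.0.0.0', '::1')

function Get-HostsEntries {
    # Returns one object per (address, hostname) pair in the HOSTS file.
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    Get-Content -LiteralPath $Path | ForEach-Object {
        $line = ($_ -split '#', 2)[0].Trim()          # strip trailing comments
        if ($line -eq '') { return }                  # skip blank/comment-only lines
        $fields = $line -split '\s+'
        if ($fields.Length -lt 2) { return }          # address with no hostname
        foreach ($name in $fields[1..($fields.Length - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; Host = $name.ToLower() }
        }
    }
}

function Test-HostsBlocked {
    # True when $Name is mapped to a loopback/null address in the HOSTS file.
    param([Parameter(Mandatory)][string]$Name, $Entries = (Get-HostsEntries))
    [bool]($Entries | Where-Object {
        $_.Host -eq $Name.ToLower() -and $_.Address -in $script:SinkAddresses })
}

$entries   = @(Get-HostsEntries)
$sinkholed = @($entries | Where-Object { $_.Address -in $script:SinkAddresses })
$redirects = @($entries | Where-Object { $_.Address -notin $script:SinkAddresses })

"{0} host entries, {1} sinkholed to loopback" -f $entries.Count, $sinkholed.Count
if ($redirects.Count -gt 0) {
    "Entries pointing somewhere other than loopback (review these):"
    $redirects | Format-Table -AutoSize
}
# Constructed sample names, not from the thread
foreach ($h in 'www.google.com', 'doubleclick.net') {
    "{0} blocked: {1}" -f $h, (Test-HostsBlocked -Name $h -Entries $entries)
}
```

On a clean machine the "review these" list should be empty or contain only entries you added yourself; a well-known site mapped to an address that is not loopback is the pattern to investigate. Note that a hostname listed in HOSTS is only blocked for programs that resolve names through Windows; a browser using its own DNS-over-HTTPS resolver bypasses the file entirely.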


#15 kylejw1990
  • Topic Starter
  • Members
  • 171 posts
  • Gender:Male
  • Location:Michigan, United States

Posted 28 April 2014 - 10:56 PM

I have already returned the laptop to its owner, so you may close this thread. I do have some questions if you don't mind...

1. How much did you learn from taking the malware course here on BleepingComputer?

Right now I have an associate's in programming and am getting a bachelor's in information assurance. I eventually want to write my own virus protection software.

2. Would signing up for these classes help, in your opinion?

I can read all the material in the world on the internet, but I learn from hands-on work. I haven't found many sources out there that provide that hands-on training, unfortunately.

3. Do you know of any other sites that offer free, quality anti-malware training other than here (with hands-on stuff preferably)?

4. And lastly, do you know of any tools that would be good to have but don't exist or need improving?

If I am going to make something, I would like for it to be used, tested, and judged by my peers. That will only really happen if it is needed, right?

That is it really. Thanks again and have a wonderful day!!! :D





