infected with scorpionsaver, possibly feven & more

[kevinf80]

What is the status of your system now, any remaining issues or concerns?

[lemony_yo]

scorpionsaver still appears in the list of installed programs in control panel.

[kevinf80]

Can you have a look at the following two keys via Regedit and see if that nuisance is listed:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

[lemony_yo]

i do not know how to check those keys via Regedit. (I am normally a Linux user)

[kevinf80]

Just check exactly as you did for reply #10.... Select start, type regedit into the search box, tap enter. regedit window will open. Expand the reg keys listed and check the install lists..

[lemony_yo]

Scorpionsaver is not listed under

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

 

what should i do now?

[kevinf80]

Download and install CCleaner from here:

 

http://www.piriform.com/ccleaner/builds

 

Ensure to select Slim version. (No Toolbar)

 

Run CCleaner, from the main GUI select > Tools > Uninstall tab. The installed programs list will populate. Select "ScorpionSaver" (if present) then "delete entry"

 

Next,

 

Select > Cleaner > Run Cleaner > all temp files and caches will be deleted/emptied

 

Next,

 

Select > Registry > "Scan for Issues" > with all found entries checked select > "Fix Selected Issues" follow prompts to make back up and remove all entries...

 

When CCleaner is finished reboot and check if this nuisance has finally gone.....

 

CCleaner is an excellent Utility and well worth keeping, bottom left hand corner of main interface is link "Online Help" use that link to get the full instructions for this very handy application.

[lemony_yo]

hello, your link takes me to a 404 error. when i type the url in that you recommend, the options are Ccleaner - installer or Ccleaner - portable.

I chose installer, allowed it to install without changing my browser to chrome, saw no options for toolbars anywhere.

 

Following your directions within Ccleaner, i found ScorpionSaver and clicked delete entry, and was given the error: Cannot delete MSI installer.

 

what do you recommend?

[kevinf80]

Ok, just leave that entry and then continue with the rest of the instructions....

[lemony_yo]

scorpionsaver is still in the uninstall program list in control panel.

[kevinf80]

This is unbelievable, Open Regedit again and navigate to and expand the two following Keys:

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

 

When you have expanded down to "Uninstall" folder right click on that folder and select "Export" save the exported file from each key to your Desktop, name the files 32 for the first key and 64 for the second.

 

Zip up both files and attach to your next reply

[kevinf80]

Change of plan, ignore my last reply and do the following:

 

Go to the following link and download MyUninstaller Open the link and scroll down below "Feedback" to find access to the d/l. Also read all of the available information at the link, specifically the section marked "Removing an Uninstall entry"

http://www.nirsoft.net/utils/myuninst.html

When you have the d/l unzip to your Desktop. Right click on the application and select "Run as Administrator" the program is a standalone executable so will not install.

When the program runs wait and the main interface will populate with an Installed Programs list.

Check through the list until you see an entry for ScorpionSaver. Below the menu bar are column headers, look under Obsolete and Uninstall If the word Yes is listed under Obsolete and not Uninstall against the ScorpionSaver entry it means we can safely delete that entry.

With ScorpionSaver Highlighted, either select > File > Delete Selected Entry or with ScorpionSaver selected (highlighted) click on the icon from the menu bar for "Delete selected entry". It looks like a red cross. I`ve also added a screen shot of the interface.

[kevinf80]

This post reset...

[lemony_yo]

Hi there, i tried to follow your second direction, but 'Uninstall' was marked Yes, not 'Obsolete'

 

I am attaching the exports that you asked for first.

 

Thank you for staying with me through this frustrating experience, you are a savior.

32and64.zip

[kevinf80]

Thanks for the zip files, ok do the following:

 

Re-Run   by double left click, Vista and Widows 7 users accept UAC alert.

• Under the box at the bottom, paste in the following, start with and include the colon plus Reg . :Reg
   

  :Reg[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B65F9A3-9D24-452A-B6EF-1457D65E4259}]:Commands[emptytemp][CREATERESTOREPOINT]

   
  
• Then click button at the top
  
• Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  
• Please post that log in your next reply.
  

 

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start > All Programs > Accessories > Notepad), click File > Open, in the File Name box enter  *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

 

Is it finally gone??

[lemony_yo]

All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B65F9A3-9D24-452A-B6EF-1457D65E4259}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B65F9A3-9D24-452A-B6EF-1457D65E4259}\ not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: josh
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 10872 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 26038100 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 18039 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 25.00 mb
 
Restore point Set: OTL Restore Point
 
OTL by OldTimer - Version 3.2.69.0 log created on 11282013_164730

Files\Folders moved on Reboot...
C:\Users\josh\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\josh\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 

[lemony_yo]

i do not see Scorpionsaver in the uninstall program list in control panel!

but i do see it in ccleaner

In MyUninstaller, Yes is under Uninstall, not Obsolete.

[kevinf80]

The good news is not seeing that nuisance in the uninstall program list, do this please...

 

You can drag and drop MyUninstaller to the recyclcle bin or Right click on it direct and select delete.

 

Re-boot your PC, open CCleaner, select > tools > uninstall > ScorpionSaver should not show now, if it does select it in the list then "delete entry"

 

Next,

 

Run Malwarebytes,  Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced log, let me know if you have any remaining issues or concerns...

 

Kevin

[Maurice Naggar]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!