
Infected with Scorpion Saver



Latest System Look Log. Is this bad or??

 

 

SystemLook 30.07.11 by jpshortstuff
Log created at 23:00 on 29/11/2013 by Dan
Administrator - Elevation successful

========== filefind ==========

Searching for "*Scorpion*"
C:\temp\ScorpionSaver.msi --a---- 3182592 bytes [14:40 28/11/2013] [23:42 29/11/2013] 59A6501D0C16BD6C8E56A09DDA0CB4BD
C:\Users\Dan\Music\iTunes\iTunes Media\Music\Lucy Kaplansky\Flesh And Bone\01 Scorpion.m4a --a---- 3774307 bytes [18:04 15/01/2011] [00:51 13/10/2007] 0BA6F8BB0C335F410CBCF262298DBA9B
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2N723IB3\Scorpion-Saver-Firefox-extensions[1].jpg --a---- 25025 bytes [06:15 26/11/2013] [06:15 26/11/2013] 9C0C4339E5CCDC60CF609D34978394F6
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AXWAKI9U\Scorpion-Saver-Ads[1].jpg --a---- 51488 bytes [06:15 26/11/2013] [06:15 26/11/2013] 32A62E588393EE456B50E1C2080A6FDB
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AXWAKI9U\Scorpion-Saver-Chrome-extensions[1].jpg --a---- 32883 bytes [06:15 26/11/2013] [06:15 26/11/2013] 8303A4A8C9E0555328077D36C6070C83
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AXWAKI9U\Scorpion-Saver-uninstall[1].jpg --a---- 37224 bytes [06:15 26/11/2013] [06:15 26/11/2013] A7D150A57463C176789140F02694BF97
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AXWAKI9U\scorpion-saver[1].png --a---- 1342 bytes [06:11 26/11/2013] [06:11 26/11/2013] C51DCB4776983987646A297AF0F32917
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AXWAKI9U\scorpion-saver_1[1].png --a---- 206434 bytes [06:11 26/11/2013] [06:11 26/11/2013] E4B3DED31FE89CF8A7DE68C0D6B9BF03
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PWPR6J5P\scorpion-saver-removal[1].htm --a---- 50873 bytes [06:15 26/11/2013] [06:15 26/11/2013] 4D69F8154549CDABD5A3497D048BB8AC
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PWPR6J5P\Scorpion-Saver-virus[1].jpg --a---- 75200 bytes [06:15 26/11/2013] [06:15 26/11/2013] 1E534421E00DAF6496C47663B4FFDD86
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\4OHD9248\f.scorpionsaverjs[1].xml --a---- 13 bytes [00:47 27/11/2013] [00:57 27/11/2013] C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\Favorites\Remove Scorpion Saver pop-up ads (Virus Removal Guide).url --a---- 4057 bytes [06:19 26/11/2013] [06:19 26/11/2013] D0AB194617D3DF9D922A294E250CE16E

Searching for "*adpeak*"
C:\FRST\Quarantine\AdpeakProxy.dll --a---- 338944 bytes [19:54 24/11/2013] [15:18 16/10/2013] 85FB18C4B0665C24E6BAA502837011A5
C:\FRST\Quarantine\AdpeakProxy64.dll --a---- 439296 bytes [19:54 24/11/2013] [15:18 16/10/2013] 78857BF5996E9BC8E82C1B671CBF85E6

========== folderfind ==========

Searching for "*Scorpion*"
C:\Users\Dan\Music\iTunes\iTunes Media\Music\Scorpions d------ [02:39 12/01/2011]
C:\Users\Dan\Music\New Music from Scott\Music\Scorpions d------ [18:32 09/01/2011]

Searching for "*adpeak*"
No folders found.

========== regfind ==========

Searching for "*Scorpion*"
No data found.

Searching for "*adpeak*"
No data found.

Searching for "Scorpion"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\F5D333A8-C748-4686-AE0A-9E008F670C22]
@="ScorpionSaver"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\F5D333A8-C748-4686-AE0A-9E008F670C22\InProcServer32]
@="C:\Program Files(x86)\ScorpionSaver\IECore.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Saver]

Searching for "adpeak"
No data found.

-= EOF =-


Most of those entries are already showing as quarantined so are very safe. There are a couple of music files by the "Scorpions" I assume you recognize those and trust them?

 

We remove the rest with OTM:

 

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear; this will be put back on completion.... If your security alerts to OTM either, accept the alert or turn off security until OTM completes...

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Reg.

    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\F5D333A8-C748-4686-AE0A-9E008F670C22]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Saver]
    :Files
    C:\temp\ScorpionSaver.msi
    C:\Program Files(x86)\ScorpionSaver
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

 

Let me see that log.

 

Next,

 

Update Malwarebytes, then run a Full scan, kill any found entries. Post that log, also give an update on any remaining issues or concerns.....

 

I will be offline until maybe 9 pm UK time 1st December....

 

Kevin...
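The script below is an added example, not part of Kevin's instructions and not something OTM or SystemLook produce. It re-tests the specific Scorpion Saver artifacts the SystemLook log listed (the CLSID key, the "Scorpion Saver" key, the MSI and the program folder) and then, as a broader check, looks for any COM server registration whose InProcServer32 path still points into a ScorpionSaver directory, so a follow-up run can show whether anything was recreated. The 64-bit program-folder path and the HKCU CLSID view are assumptions not taken from the log; the folder name without a space is kept because that is how the log prints it.

```powershell
# Added example (not from the thread, OTM or SystemLook): verify whether the
# Scorpion Saver artifacts reported by SystemLook still exist after cleanup.
# Run from an elevated PowerShell prompt on the affected machine.

# Registry keys copied verbatim from the SystemLook "regfind" section.
$RegistryKeys = @(
    'HKLM:\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\F5D333A8-C748-4686-AE0A-9E008F670C22',
    'HKLM:\SOFTWARE\Scorpion Saver'
)

# File locations: the MSI from the log, the folder as the log prints it (no
# space before "(x86)"), the normally spelled 32-bit folder, and (assumption,
# not in the log) the 64-bit Program Files location.
$FilePaths = @(
    'C:\temp\ScorpionSaver.msi',
    'C:\Program Files(x86)\ScorpionSaver',
    'C:\Program Files (x86)\ScorpionSaver',
    'C:\Program Files\ScorpionSaver'
)

# CLSID hives to sweep for leftover COM registrations. HKCU is an assumption;
# SystemLook only searched HKLM.
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Test-ScorpionSaverArtifacts {
    $findings = @()

    # 1. Exact keys named in the log.
    foreach ($key in $RegistryKeys) {
        if (Test-Path -LiteralPath $key) {
            $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = $key }
        }
    }

    # 2. Exact files/folders named in the log (plus the assumed variants).
    foreach ($path in $FilePaths) {
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Type = 'File'; Item = $path }
        }
    }

    # 3. Any COM server whose InProcServer32 default value points into a
    #    ScorpionSaver directory, regardless of which CLSID it hides under.
    foreach ($root in $ClsidRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $inproc = Join-Path $_.PSPath 'InProcServer32'
            if (Test-Path -LiteralPath $inproc) {
                $server = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
                if ($server -and $server -match 'ScorpionSaver') {
                    $findings += [pscustomobject]@{
                        Type = 'ComServer'
                        Item = "$($_.PSChildName) -> $server"
                    }
                }
            }
        }
    }

    return $findings
}

$results = @(Test-ScorpionSaverArtifacts)
if ($results.Count -eq 0) {
    Write-Output 'No Scorpion Saver artifacts from the SystemLook log remain.'
} else {
    Write-Output "Remaining artifacts ($($results.Count)):"
    $results | Format-Table -AutoSize
}
```

A hit in the ComServer category after the OTM run would mean a registration outside the two keys the :Reg block removed, which is the case where simply re-running the same OTM script would not help.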


OTM Log:

 

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\F5D333A8-C748-4686-AE0A-9E008F670C22\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Saver\ not found.
========== FILES ==========
C:\temp\ScorpionSaver.msi moved successfully.
File/Folder C:\Program Files(x86)\ScorpionSaver not found.
========== COMMANDS ==========
 
OTM by OldTimer - Version 3.1.21.0 log created on 11302013_102802


Mbam looks good!

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.30.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16736
Dan :: HP-G72-DAN [administrator]

Protection: Enabled

11/30/2013 10:36:35 AM
mbam-log-2013-11-30 (10-36-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206499
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Ran System look and OTM again. Got this log. This damn thing just keeps coming back!

 

All processes killed
========== REGISTRY ==========
========== FILES ==========
C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VYP3T8JW\remove-scorpion-saver[1].htm moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Dan
->Temp folder emptied: 2742431 bytes
->Temporary Internet Files folder emptied: 56107420 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 1117684 bytes
->Flash cache emptied: 932 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 27003 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 57.00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 11302013_113201

Files moved on Reboot...
C:\Users\Dan\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VYP3T8JW\xd_arbiter[1].htm not found!
File C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VYP3T8JW\xd_arbiter[2].htm not found!
File C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A7XP1276\fastbutton[1].htm not found!
File C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A7XP1276\index[6].htm not found!
File C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A7XP1276\like[2].htm not found!
File C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0LJDVG7V\postmessageRelay[1].htm not found!
File C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0LJDVG7V\WiHome[1].htm not found!
C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

Registry entries deleted on Reboot...


Ran FRST again too:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-11-2013
Ran by Dan (administrator) on HP-G72-DAN on 30-11-2013 11:46:26
Running from C:\Users\Dan\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(CinemaNow, Inc.) C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe
() C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\N360.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\N360.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3520 series\Bin\ScanToPCActivationApp.exe
(Audible, Inc.) C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(Dropbox, Inc.) C:\Users\Dan\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicator.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
(Hewlett-Packard Development Company L.P.) C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_11_7_700_224_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2095400 2010-04-15] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6234144 2010-03-13] (Realtek Semiconductor)
HKLM\...\Run: [HPWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [intelliPoint] - C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2320752 2009-11-05] (Microsoft Corporation)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKCU\...\Run: [HP Deskjet 3520 series (NET)] - C:\Program Files\HP\HP Deskjet 3520 series\Bin\ScanToPCActivationApp.exe [2551656 2012-01-31] (Hewlett-Packard Co.)
MountPoints2: F - F:\LaunchU3.exe -a
HKLM-x32\...\Run: [iAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-04-13] (Intel Corporation)
HKLM-x32\...\Run: [Microsoft Default Manager] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [288088 2009-11-11] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Quick Launch] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [602680 2010-07-02] (Hewlett-Packard Company)
HKLM-x32\...\Run: [Norton Online Backup] - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-01-28] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-02-20] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKU\Default\...\Run: [HPAdvisorDock] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Default User\...\Run: [HPAdvisorDock] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
Startup: C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Dan\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x577A5027A3ECCE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {C6533ACD-D0A7-4CF9-A492-323D09D8C0C1} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM - {CC77866D-83CC-476D-8B37-2891DEBF635B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM - {D80DE8EC-0CAB-4066-A108-2DB20A43AC78} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 - {C6533ACD-D0A7-4CF9-A492-323D09D8C0C1} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM-x32 - {CC77866D-83CC-476D-8B37-2891DEBF635B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {CC77866D-83CC-476D-8B37-2891DEBF635B} URL =
SearchScopes: HKCU - {D80DE8EC-0CAB-4066-A108-2DB20A43AC78} URL =
BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine64\21.1.0.18\CoIEPlg.dll (Symantec Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\CoIEPlg.dll (Symantec Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine64\21.1.0.18\CoIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\CoIEPlg.dll (Symantec Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF ProfilePath: C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\eslc864v.default-1385756225182
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=1.1.5 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn\
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn\
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\IPSFF
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\IPSFF

Chrome:
=======
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
CHR Extension: (Norton Identity Protection) - C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2013.1.0.32
CHR HKLM-x32\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\Exts\Chrome.crx

==================== Services (Whitelisted) =================

R2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [27192 2010-07-02] ()
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 N360; C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\N360.exe [264360 2013-10-18] (Symantec Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

R1 BHDrvx64; C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20131114.001\BHDrvx64.sys [1524824 2013-11-01] (Symantec Corporation)
R1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1501000.012\ccSetx64.sys [162392 2013-09-25] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-11-29] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [137648 2013-11-29] (Symantec Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20131128.001\IDSvia64.sys [521816 2013-11-28] (Symantec Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 NAVENG; C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20131129.009\ENG64.SYS [126040 2013-11-29] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20131129.009\EX64.SYS [2099288 2013-11-29] (Symantec Corporation)
R3 RSUSBSTOR; C:\Windows\SysWow64\Drivers\RtsUStor.sys [225280 2009-09-22] (Realtek Semiconductor Corp.)
R1 SRTSP; C:\Windows\System32\Drivers\N360x64\1501000.012\SRTSP64.SYS [858200 2013-09-26] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360x64\1501000.012\SRTSPX64.SYS [36952 2013-09-09] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\N360x64\1501000.012\SYMDS64.SYS [493656 2013-09-09] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360x64\1501000.012\SYMEFA64.SYS [1147480 2013-09-26] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2013-11-29] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360x64\1501000.012\Ironx64.SYS [264280 2013-09-26] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\N360x64\1501000.012\SYMNETS.SYS [590936 2013-09-25] (Symantec Corporation)
U4 Level Quality Watcher;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-29 19:41 - 2013-11-29 19:41 - 00001442 _____ C:\Users\Dan\Desktop\AdwCleaner[s5].txt
2013-11-29 19:37 - 2013-11-30 11:35 - 00000280 _____ C:\Windows\setupact.log
2013-11-29 19:37 - 2013-11-29 19:37 - 00000000 _____ C:\Windows\setuperr.log
2013-11-29 19:36 - 2013-11-30 11:35 - 00002330 _____ C:\Windows\PFRO.log
2013-11-29 19:25 - 2013-11-29 19:26 - 00225434 _____ C:\Users\Dan\Documents\cc_20131129_192534.reg
2013-11-29 19:13 - 2013-11-29 19:13 - 00000000 ____D C:\Windows\System32\Tasks\Norton Security Suite
2013-11-29 18:41 - 2013-11-29 18:41 - 00002768 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2013-11-29 18:40 - 2013-11-29 18:40 - 00000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
2013-11-29 18:40 - 2013-11-29 18:40 - 00000000 ____D C:\Program Files\CCleaner
2013-11-29 18:39 - 2013-11-29 18:39 - 04618136 _____ (Piriform Ltd) C:\Users\Dan\Desktop\ccsetup408.exe
2013-11-29 18:11 - 2013-11-29 19:00 - 00002440 _____ C:\Users\Public\Desktop\Norton Security Suite.lnk
2013-11-29 16:50 - 2013-11-29 16:52 - 00019298 _____ C:\Users\Dan\Desktop\Addition.txt
2013-11-29 16:48 - 2013-11-30 11:46 - 00016654 _____ C:\Users\Dan\Desktop\FRST.txt
2013-11-29 16:47 - 2013-11-29 18:50 - 00000000 ____D C:\FRST
2013-11-29 16:34 - 2013-11-29 16:34 - 01959024 _____ (Farbar) C:\Users\Dan\Desktop\FRST64.exe
2013-11-29 15:46 - 2013-11-29 15:46 - 00000695 _____ C:\Users\Dan\Desktop\JRT.txt
2013-11-29 15:17 - 2013-11-29 15:17 - 00000000 ____D C:\Users\Dan\Desktop\Old Firefox Data
2013-11-28 20:38 - 2013-11-28 20:38 - 00000000 ____D C:\Windows\ERUNT
2013-11-28 20:37 - 2013-11-28 20:37 - 01034531 _____ (Thisisu) C:\Users\Dan\Desktop\JRT.exe
2013-11-28 19:59 - 2013-11-29 23:29 - 00000634 _____ C:\Users\Dan\Desktop\myuninst.cfg
2013-11-28 19:46 - 2013-11-28 19:46 - 00046124 _____ C:\Users\Dan\Desktop\myuninst.zip
2013-11-28 11:23 - 2013-11-28 11:23 - 00010046 _____ C:\Users\Dan\Desktop\11282013_093800.log
2013-11-28 09:38 - 2013-11-28 09:38 - 00000000 ____D C:\_OTM
2013-11-28 09:35 - 2013-11-28 09:35 - 00522240 _____ (OldTimer Tools) C:\Users\Dan\Desktop\OTM.exe
2013-11-27 20:36 - 2013-11-30 11:10 - 00007992 _____ C:\Users\Dan\Desktop\SystemLook.txt
2013-11-27 20:09 - 2013-11-27 20:09 - 00165376 _____ C:\Users\Dan\Desktop\SystemLook_x64.exe
2013-11-27 19:09 - 2013-11-29 19:34 - 00000000 ____D C:\AdwCleaner
2013-11-27 16:07 - 2013-11-27 16:07 - 01091882 _____ C:\Users\Dan\Desktop\AdwCleaner.exe
2013-11-26 21:31 - 2013-11-28 12:16 - 00024080 _____ C:\Users\Dan\Desktop\dds.txt
2013-11-26 21:31 - 2013-11-28 12:16 - 00014160 _____ C:\Users\Dan\Desktop\attach.txt
2013-11-26 20:47 - 2013-11-26 20:47 - 00000017 _____ C:\Windows\SysWOW64\shortcut_ex.dat
2013-11-26 20:33 - 2013-11-26 20:33 - 00688992 ____R (Swearware) C:\Users\Dan\Desktop\dds.scr
2013-11-23 17:17 - 2013-11-23 17:17 - 00001264 _____ C:\Users\Dan\Desktop\Revo Uninstaller.lnk
2013-11-23 17:17 - 2013-11-23 17:17 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
2013-11-23 16:30 - 2013-11-23 16:30 - 00000000 ____D C:\Users\Dan\AppData\Roaming\Malwarebytes
2013-11-23 16:29 - 2013-11-23 16:29 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-23 16:29 - 2013-11-23 16:29 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-11-23 16:29 - 2013-11-23 16:29 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-11-23 16:29 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-11-23 14:53 - 2013-02-09 22:59 - 00445693 _____ C:\Windows\system32\Drivers\etc\hosts.20131123-145302.backup
2013-11-13 23:32 - 2013-10-12 03:45 - 02241536 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-11-13 23:32 - 2013-10-12 03:45 - 01364992 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-11-13 23:32 - 2013-10-12 03:45 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-11-13 23:32 - 2013-10-12 03:43 - 19269632 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-11-13 23:32 - 2013-10-12 03:43 - 15404544 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-11-13 23:32 - 2013-10-12 03:43 - 03959808 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-11-13 23:32 - 2013-10-12 03:43 - 02648576 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-11-13 23:32 - 2013-10-12 03:43 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-11-13 23:32 - 2013-10-12 03:43 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-11-13 23:32 - 2013-10-12 03:43 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-11-13 23:32 - 2013-10-12 03:43 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-11-13 23:32 - 2013-10-12 03:43 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-11-13 23:32 - 2013-10-12 03:43 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-11-13 23:32 - 2013-10-12 03:43 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-11-13 23:32 - 2013-10-12 02:03 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-11-13 23:32 - 2013-10-12 02:03 - 01138176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-11-13 23:32 - 2013-10-12 02:02 - 14355968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-11-13 23:32 - 2013-10-12 02:02 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-11-13 23:32 - 2013-10-12 02:02 - 02877952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-11-13 23:32 - 2013-10-12 02:02 - 02049024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-11-13 23:32 - 2013-10-12 02:02 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-11-13 23:32 - 2013-10-12 02:02 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-11-13 23:32 - 2013-10-12 02:02 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-11-13 23:32 - 2013-10-12 02:02 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-11-13 23:32 - 2013-10-12 02:02 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-11-13 23:32 - 2013-10-12 02:02 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-11-13 23:32 - 2013-10-12 02:02 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-11-13 23:32 - 2013-10-12 01:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-11-13 23:32 - 2013-10-12 01:08 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-11-13 23:32 - 2013-10-12 00:44 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-11-13 23:32 - 2013-10-12 00:15 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-11-13 18:34 - 2013-10-05 15:25 - 01474048 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-11-13 18:34 - 2013-10-05 14:57 - 01168384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-11-13 18:34 - 2013-10-03 21:28 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\SmartcardCredentialProvider.dll
2013-11-13 18:34 - 2013-10-03 21:25 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\credui.dll
2013-11-13 18:34 - 2013-10-03 21:24 - 01930752 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2013-11-13 18:34 - 2013-10-03 20:58 - 00152576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SmartcardCredentialProvider.dll
2013-11-13 18:34 - 2013-10-03 20:56 - 01796096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-11-13 18:34 - 2013-10-03 20:56 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credui.dll
2013-11-13 18:34 - 2013-09-27 20:09 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2013-11-13 18:33 - 2013-10-11 21:30 - 00830464 _____ (Microsoft Corporation) C:\Windows\system32\nshwfp.dll
2013-11-13 18:33 - 2013-10-11 21:29 - 00859648 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2013-11-13 18:33 - 2013-10-11 21:29 - 00324096 _____ (Microsoft Corporation) C:\Windows\system32\FWPUCLNT.DLL
2013-11-13 18:33 - 2013-10-11 21:03 - 00656896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nshwfp.dll
2013-11-13 18:33 - 2013-10-11 21:01 - 00216576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FWPUCLNT.DLL
2013-11-13 18:33 - 2013-10-02 21:23 - 00404480 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2013-11-13 18:33 - 2013-10-02 21:00 - 00311808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2013-11-13 18:33 - 2013-09-24 21:26 - 00154560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2013-11-13 18:33 - 2013-09-24 21:26 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2013-11-13 18:33 - 2013-09-24 21:23 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2013-11-13 18:33 - 2013-09-24 21:23 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2013-11-13 18:33 - 2013-09-24 21:23 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2013-11-13 18:33 - 2013-09-24 21:22 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2013-11-13 18:33 - 2013-09-24 21:21 - 01447936 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2013-11-13 18:33 - 2013-09-24 21:21 - 00307200 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2013-11-13 18:33 - 2013-09-24 20:58 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2013-11-13 18:33 - 2013-09-24 20:57 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2013-11-13 18:33 - 2013-09-24 20:57 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2013-11-13 18:33 - 2013-09-24 20:56 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2013-11-13 18:33 - 2013-09-24 20:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2013-11-13 18:33 - 2013-07-04 07:18 - 00458712 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2013-11-02 20:38 - 2013-11-28 20:55 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified Files and Folders =======

2013-11-30 11:47 - 2013-11-29 16:48 - 00016654 _____ C:\Users\Dan\Desktop\FRST.txt
2013-11-30 11:46 - 2009-07-13 23:45 - 00023248 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-30 11:46 - 2009-07-13 23:45 - 00023248 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-30 11:38 - 2013-10-01 13:39 - 00000000 ___RD C:\Users\Dan\Dropbox
2013-11-30 11:38 - 2013-10-01 13:37 - 00000000 ____D C:\Users\Dan\AppData\Roaming\Dropbox
2013-11-30 11:36 - 2013-10-18 22:13 - 00000888 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-30 11:35 - 2013-11-29 19:37 - 00000280 _____ C:\Windows\setupact.log
2013-11-30 11:35 - 2013-11-29 19:36 - 00002330 _____ C:\Windows\PFRO.log
2013-11-30 11:35 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-30 11:33 - 2010-10-27 23:28 - 01165617 _____ C:\Windows\WindowsUpdate.log
2013-11-30 11:18 - 2013-10-18 22:13 - 00000892 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-11-30 11:10 - 2013-11-27 20:36 - 00007992 _____ C:\Users\Dan\Desktop\SystemLook.txt
2013-11-30 10:09 - 2009-07-14 00:08 - 00032562 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-11-29 23:29 - 2013-11-28 19:59 - 00000634 _____ C:\Users\Dan\Desktop\myuninst.cfg
2013-11-29 19:41 - 2013-11-29 19:41 - 00001442 _____ C:\Users\Dan\Desktop\AdwCleaner[s5].txt
2013-11-29 19:37 - 2013-11-29 19:37 - 00000000 _____ C:\Windows\setuperr.log
2013-11-29 19:34 - 2013-11-27 19:09 - 00000000 ____D C:\AdwCleaner
2013-11-29 19:26 - 2013-11-29 19:25 - 00225434 _____ C:\Users\Dan\Documents\cc_20131129_192534.reg
2013-11-29 19:23 - 2011-01-09 22:52 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-11-29 19:22 - 2013-05-26 21:43 - 00000000 ____D C:\Users\Dan\AppData\Roaming\FileZilla
2013-11-29 19:22 - 2009-09-06 20:57 - 00000000 ____D C:\Windows\Panther
2013-11-29 19:13 - 2013-11-29 19:13 - 00000000 ____D C:\Windows\System32\Tasks\Norton Security Suite
2013-11-29 19:06 - 2011-02-19 23:13 - 00000000 ____D C:\Users\Dan\AppData\Local\CrashDumps
2013-11-29 19:02 - 2010-12-26 13:03 - 00000000 ____D C:\Windows\system32\Drivers\N360x64
2013-11-29 19:00 - 2013-11-29 18:11 - 00002440 _____ C:\Users\Public\Desktop\Norton Security Suite.lnk
2013-11-29 19:00 - 2013-02-12 21:16 - 00003228 _____ C:\Windows\System32\Tasks\Norton WSC Integration
2013-11-29 18:50 - 2013-11-29 16:47 - 00000000 ____D C:\FRST
2013-11-29 18:41 - 2013-11-29 18:41 - 00002768 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2013-11-29 18:40 - 2013-11-29 18:40 - 00000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
2013-11-29 18:40 - 2013-11-29 18:40 - 00000000 ____D C:\Program Files\CCleaner
2013-11-29 18:39 - 2013-11-29 18:39 - 04618136 _____ (Piriform Ltd) C:\Users\Dan\Desktop\ccsetup408.exe
2013-11-29 18:12 - 2010-10-27 23:47 - 00000000 ____D C:\ProgramData\Norton
2013-11-29 18:11 - 2010-12-26 13:03 - 00177752 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
2013-11-29 18:11 - 2010-12-26 13:03 - 00008222 _____ C:\Windows\system32\Drivers\SYMEVENT64x86.CAT
2013-11-29 18:09 - 2010-12-26 13:03 - 00000000 ____D C:\Program Files (x86)\Norton Security Suite
2013-11-29 18:05 - 2010-12-26 12:59 - 00000000 ____D C:\Users\Public\Downloads\Norton
2013-11-29 16:52 - 2013-11-29 16:50 - 00019298 _____ C:\Users\Dan\Desktop\Addition.txt
2013-11-29 16:34 - 2013-11-29 16:34 - 01959024 _____ (Farbar) C:\Users\Dan\Desktop\FRST64.exe
2013-11-29 15:46 - 2013-11-29 15:46 - 00000695 _____ C:\Users\Dan\Desktop\JRT.txt
2013-11-29 15:17 - 2013-11-29 15:17 - 00000000 ____D C:\Users\Dan\Desktop\Old Firefox Data
2013-11-28 20:55 - 2013-11-02 20:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-11-28 20:38 - 2013-11-28 20:38 - 00000000 ____D C:\Windows\ERUNT
2013-11-28 20:37 - 2013-11-28 20:37 - 01034531 _____ (Thisisu) C:\Users\Dan\Desktop\JRT.exe
2013-11-28 19:48 - 2011-06-20 01:44 - 00035840 _____ (NirSoft) C:\Users\Dan\Desktop\myuninst.exe
2013-11-28 19:46 - 2013-11-28 19:46 - 00046124 _____ C:\Users\Dan\Desktop\myuninst.zip
2013-11-28 12:16 - 2013-11-26 21:31 - 00024080 _____ C:\Users\Dan\Desktop\dds.txt
2013-11-28 12:16 - 2013-11-26 21:31 - 00014160 _____ C:\Users\Dan\Desktop\attach.txt
2013-11-28 11:23 - 2013-11-28 11:23 - 00010046 _____ C:\Users\Dan\Desktop\11282013_093800.log
2013-11-28 09:38 - 2013-11-28 09:38 - 00000000 ____D C:\_OTM
2013-11-28 09:35 - 2013-11-28 09:35 - 00522240 _____ (OldTimer Tools) C:\Users\Dan\Desktop\OTM.exe
2013-11-27 20:09 - 2013-11-27 20:09 - 00165376 _____ C:\Users\Dan\Desktop\SystemLook_x64.exe
2013-11-27 16:07 - 2013-11-27 16:07 - 01091882 _____ C:\Users\Dan\Desktop\AdwCleaner.exe
2013-11-27 16:04 - 2012-06-06 18:16 - 00000000 ____D C:\Users\Dan\AppData\Roaming\uTorrent
2013-11-26 20:47 - 2013-11-26 20:47 - 00000017 _____ C:\Windows\SysWOW64\shortcut_ex.dat
2013-11-26 20:33 - 2013-11-26 20:33 - 00688992 ____R (Swearware) C:\Users\Dan\Desktop\dds.scr
2013-11-23 17:17 - 2013-11-23 17:17 - 00001264 _____ C:\Users\Dan\Desktop\Revo Uninstaller.lnk
2013-11-23 17:17 - 2013-11-23 17:17 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
2013-11-23 16:30 - 2013-11-23 16:30 - 00000000 ____D C:\Users\Dan\AppData\Roaming\Malwarebytes
2013-11-23 16:29 - 2013-11-23 16:29 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-23 16:29 - 2013-11-23 16:29 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-11-23 16:29 - 2013-11-23 16:29 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-11-18 23:20 - 2012-05-07 18:16 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-11-17 23:56 - 2010-12-17 09:06 - 00000000 ____D C:\Users\Dan\AppData\Local\Mozilla
2013-11-17 12:55 - 2009-07-14 00:13 - 00733528 _____ C:\Windows\system32\PerfStringBackup.INI
2013-11-13 23:33 - 2013-09-25 21:19 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-11-13 23:31 - 2013-08-24 14:08 - 00000000 ____D C:\Windows\system32\MRT
2013-11-13 23:27 - 2010-12-25 12:41 - 82896128 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-11-13 19:00 - 2010-12-25 09:28 - 00003174 _____ C:\Windows\System32\Tasks\HPCeeScheduleForDan
2013-11-13 19:00 - 2010-12-25 09:28 - 00000324 _____ C:\Windows\Tasks\HPCeeScheduleForDan.job
2013-11-03 18:26 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2013-11-02 20:10 - 2013-10-01 13:39 - 00001013 _____ C:\Users\Dan\Desktop\Dropbox.lnk
2013-11-02 20:10 - 2013-10-01 13:37 - 00000000 ____D C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2013-11-02 20:10 - 2010-11-26 14:26 - 00000000 ___RD C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-11-03 17:20

==================== End Of Log ============================


Every time I rerun the System Look, I come up with a registry entry for scorpion saver. I try to delete with OTM, but it comes back. Here are the logs for both. How do I permanently delete that?


SystemLook 30.07.11 by jpshortstuff
Log created at 11:48 on 30/11/2013 by Dan
Administrator - Elevation successful

========== filefind ==========

Searching for "*Scorpion*"
C:\Users\Dan\Music\iTunes\iTunes Media\Music\Lucy Kaplansky\Flesh And Bone\01 Scorpion.m4a --a---- 3774307 bytes [18:04 15/01/2011] [00:51 13/10/2007] 0BA6F8BB0C335F410CBCF262298DBA9B
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2N723IB3\Scorpion-Saver-Firefox-extensions[1].jpg --a---- 25025 bytes [06:15 26/11/2013] [06:15 26/11/2013] 9C0C4339E5CCDC60CF609D34978394F6
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AXWAKI9U\Scorpion-Saver-Ads[1].jpg --a---- 51488 bytes [06:15 26/11/2013] [06:15 26/11/2013] 32A62E588393EE456B50E1C2080A6FDB
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AXWAKI9U\Scorpion-Saver-Chrome-extensions[1].jpg --a---- 32883 bytes [06:15 26/11/2013] [06:15 26/11/2013] 8303A4A8C9E0555328077D36C6070C83
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AXWAKI9U\Scorpion-Saver-uninstall[1].jpg --a---- 37224 bytes [06:15 26/11/2013] [06:15 26/11/2013] A7D150A57463C176789140F02694BF97
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AXWAKI9U\scorpion-saver[1].png --a---- 1342 bytes [06:11 26/11/2013] [06:11 26/11/2013] C51DCB4776983987646A297AF0F32917
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AXWAKI9U\scorpion-saver_1[1].png --a---- 206434 bytes [06:11 26/11/2013] [06:11 26/11/2013] E4B3DED31FE89CF8A7DE68C0D6B9BF03
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PWPR6J5P\scorpion-saver-removal[1].htm --a---- 50873 bytes [06:15 26/11/2013] [06:15 26/11/2013] 4D69F8154549CDABD5A3497D048BB8AC
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PWPR6J5P\Scorpion-Saver-virus[1].jpg --a---- 75200 bytes [06:15 26/11/2013] [06:15 26/11/2013] 1E534421E00DAF6496C47663B4FFDD86
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\4OHD9248\f.scorpionsaverjs[1].xml --a---- 13 bytes [00:47 27/11/2013] [00:57 27/11/2013] C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
C:\_OTM\MovedFiles\11282013_093800\C_Users\Dan\Favorites\Remove Scorpion Saver pop-up ads (Virus Removal Guide).url --a---- 4057 bytes [06:19 26/11/2013] [06:19 26/11/2013] D0AB194617D3DF9D922A294E250CE16E
C:\_OTM\MovedFiles\11302013_102802\C_temp\ScorpionSaver.msi --a---- 3182592 bytes [14:40 28/11/2013] [23:42 29/11/2013] 59A6501D0C16BD6C8E56A09DDA0CB4BD
C:\_OTM\MovedFiles\11302013_113201\C_Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VYP3T8JW\remove-scorpion-saver[1].htm --a---- 106404 bytes [05:03 30/11/2013] [05:03 30/11/2013] 332C10DE83880E41CF7B01B09A93933D

Searching for "*adpeak*"
C:\FRST\Quarantine\AdpeakProxy.dll --a---- 338944 bytes [19:54 24/11/2013] [15:18 16/10/2013] 85FB18C4B0665C24E6BAA502837011A5
C:\FRST\Quarantine\AdpeakProxy64.dll --a---- 439296 bytes [19:54 24/11/2013] [15:18 16/10/2013] 78857BF5996E9BC8E82C1B671CBF85E6

========== folderfind ==========

Searching for "*Scorpion*"
C:\Users\Dan\Music\iTunes\iTunes Media\Music\Scorpions d------ [02:39 12/01/2011]
C:\Users\Dan\Music\New Music from Scott\Music\Scorpions d------ [18:32 09/01/2011]

Searching for "*adpeak*"
No folders found.

========== regfind ==========

Searching for "*Scorpion*"
No data found.

Searching for "*adpeak*"
No data found.

Searching for "Scorpion"
[HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Saver]

Searching for "adpeak"
No data found.

-= EOF =-


========== REGISTRY ==========
OTM by OldTimer - Version 3.1.21.0 log created on 11302013_123111
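
The SystemLook and FRST output in this thread is read by eye to decide whether a "Scorpion"/"adpeak" hit is still live or is only a copy sitting in a tool's quarantine folder. As an added example (not part of the thread, and not code from SystemLook, FRST or OTM), the Python helper below parses both output formats, sorts keyword hits into live paths, quarantine copies (assumed to be anything under C:\FRST\Quarantine or C:\_OTM\MovedFiles) and registry keys, and can confirm by MD5 that a "moved" file is the same copy seen in an earlier log. The sample lines are copied from the logs posted above; the keyword list and quarantine prefixes are assumptions.

```python
"""Triage helper for SystemLook / FRST text output (added example, not from the thread's tools)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Folders where the tools used in the thread park removed items. A keyword hit under one of
# these is a leftover quarantine copy, not a live file (assumption: only these two prefixes).
QUARANTINE_PREFIXES = (r"C:\FRST\Quarantine", r"C:\_OTM\MovedFiles")
KEYWORDS = ("scorpion", "adpeak")  # the strings SystemLook was asked to search for

# SystemLook filefind line:  <path> --a---- <size> bytes [<modified>] [<created>] <MD5>
_SYSTEMLOOK_FILE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-zA-Z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$")
# SystemLook folderfind line: <path> d------ [<modified>]
_SYSTEMLOOK_DIR = re.compile(r"^(?P<path>.+?) (?P<attrs>[-a-zA-Z]{7}) \[(?P<modified>[^\]]+)\]$")
# SystemLook regfind hit: [HKEY_...]
_SYSTEMLOOK_REG = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# FRST "Files and Folders" line: <seen> - <stamp> - <size> <attrs> (<company>) <path>
_FRST_ENTRY = re.compile(
    r"^(?P<seen>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$")


@dataclass
class Finding:
    kind: str                      # "file", "folder" or "registry"
    location: str                  # file system path or registry key
    quarantined: bool              # True when the path sits under a tool's quarantine folder
    md5: Optional[str] = None      # only SystemLook filefind lines carry a hash
    company: Optional[str] = None  # only FRST lines carry the file's company string


def is_quarantined(path: str) -> bool:
    return path.lower().startswith(tuple(p.lower() for p in QUARANTINE_PREFIXES))


def parse_line(line: str) -> Optional[Finding]:
    """Turn one SystemLook or FRST output line into a Finding; headers and noise give None."""
    line = line.strip()
    if m := _SYSTEMLOOK_FILE.match(line):
        return Finding("file", m["path"], is_quarantined(m["path"]), md5=m["md5"].upper())
    if m := _SYSTEMLOOK_REG.match(line):
        return Finding("registry", m["key"], False)
    if m := _FRST_ENTRY.match(line):
        kind = "folder" if "D" in m["attrs"] else "file"
        return Finding(kind, m["path"], is_quarantined(m["path"]), company=m["company"])
    if m := _SYSTEMLOOK_DIR.match(line):
        return Finding("folder", m["path"], is_quarantined(m["path"]))
    return None


def triage(lines: Iterable[str]) -> dict:
    """Split keyword hits into live items, quarantine copies and registry keys.

    Live hits still need a human look: the thread's own logs show a music file named
    '01 Scorpion.m4a' matching the keyword without being part of the adware."""
    report = {"live": [], "quarantined": [], "registry": []}
    for line in lines:
        f = parse_line(line)
        if f is None or not any(k in f.location.lower() for k in KEYWORDS):
            continue
        bucket = "registry" if f.kind == "registry" else ("quarantined" if f.quarantined else "live")
        report[bucket].append(f.location)
    return report


def paths_with_md5(lines: Iterable[str], md5: str) -> list:
    """Paths whose SystemLook hash equals md5; confirms a 'moved' file is the same copy seen earlier."""
    want = md5.upper()
    return [f.location for f in map(parse_line, lines) if f is not None and f.md5 == want]


# Constructed sample: lines copied from the SystemLook and FRST logs posted in this thread.
SAMPLE_LOG = r"""
Searching for "*Scorpion*"
C:\Users\Dan\Music\iTunes\iTunes Media\Music\Lucy Kaplansky\Flesh And Bone\01 Scorpion.m4a --a---- 3774307 bytes [18:04 15/01/2011] [00:51 13/10/2007] 0BA6F8BB0C335F410CBCF262298DBA9B
C:\_OTM\MovedFiles\11302013_102802\C_temp\ScorpionSaver.msi --a---- 3182592 bytes [14:40 28/11/2013] [23:42 29/11/2013] 59A6501D0C16BD6C8E56A09DDA0CB4BD
C:\FRST\Quarantine\AdpeakProxy.dll --a---- 338944 bytes [19:54 24/11/2013] [15:18 16/10/2013] 85FB18C4B0665C24E6BAA502837011A5
[HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Saver]
2013-11-13 18:34 - 2013-10-05 15:25 - 01474048 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-11-28 09:38 - 2013-11-28 09:38 - 00000000 ____D C:\_OTM
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG.splitlines()).items():
        print(bucket, items)
```

Run against the full SystemLook output, the only entries outside the "quarantined" bucket should be the registry key and the unrelated music file, which is what the later posts in the thread conclude by hand.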


Kevin,  

I REALLY appreciate all the time you spend helping those of us out, who are clueless at what to do when a virus strikes us.  I read this entire article and followed it for myself, as I have the Scorpion virus and it was becoming so bad I finally had to address it.  It seems (I have to use that word lightly with this virus) I have gotten rid of it thanks to you!  But I want to confirm I'm okay, as you are clearly knowledgeable in this stuff.  I did the Revo Uninstaller, AdwCleaner, Malwarebytes, System Look, OTM.exe and everything went exactly as you said it would.  It appears I'm good to go.  But to be sure, I rebooted twice, and redid the above one more time.  I did try the NirSoft uninstaller but was unable to unzip it, so I skipped that, as maybe I only needed to do that if the Scorpion Saver showed up in my programs after all this, and it did not.  Am I safe?  Do I need to do anything else?


Ok as the nuisance is finally gone we can clean up;

We need to remove FRST; first, it is very important to deal with its Quarantine folder using FRST itself.

OK, we continue:

Delete any fixlist.txt file previously used, continue:


Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.


Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action, delete if successful. 

Next,


Delete FRST.exe from your Desktop or the folder it was saved to, navigate to and delete its folder C:\FRST


Next,


Uninstall adwcleaner.exe

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall
  • Click Yes at Would you like to Uninstall Adwcleaner


Next,


  • Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.
  • Double click the OTC icon to start the program.
    If you are using Vista or Windows 7 accept UAC
  • Then Click the big CleanUp button.
  • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.


Any tools/logs remaining on the Desktop or downloads folder can be deleted.


Let me know if those steps complete, also if you are ok to close out..

fixlist.txt


Kevin, I am new to this, as this is my first virus.  Is that last post for me or am I confusing things by writing on this forum?  May I start a new forum with you?  If so, how do I do that?

If you want me to also 'clean up' my computer, I have done so much downloading and stuff I've gotten confused.  What is FRST?  I'm not sure I used that program.

debbie


Kevin,

The registry entry was:

[HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Saver]

I've run mbam and system look (searching for adpeak and scorpion) several times over the last few days and nothing new has shown up, just the quarantined and "moved" files.

I will do as you have recommended tonight when I get home. But I have one question. I understand why we want to delete the frst quarantined files, but why delete all the utilities we used? Aren't they good programs to have ready for future use? I mean CCleaner and adwcleaner both appear to have some pretty good uses.


Danimal1969,


If you prefer to keep any of the tools we have used that is your choice, I only give the option to remove because I asked you to d/l and use them. Let me know when you are done and we can close out...


Thank you,


Kevin.....


dcw182,


You should not post into another user's thread; that is against forum rules and can cause issues and confusion for all concerned. Please open your own thread, a helper who has time will respond when available....


I think I will keep a few of them, so thank you.


I ran the fixit file and that took care of the quarantined stuff in FRST. One last question: how do I delete the "moved" files in the OTM program without risking a reinfection? Will deleting the program do that?


Thanks,

Dan

