
help with scorpionsaver



Hello and welcome.

 

P2P/Piracy Warning:

 

 

   

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

 

 

Next,

 

There is evidence of ZeroAccess Rootkit infection, we have to deal with that first...

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.


The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Run Malwarebytes,  Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan

Make sure that everything is checked, and click Remove Selected on any found items. <<---- Very important

 

Post the produced log

 

fixlist.txt


FRST has removed ZeroAccess entries so we make good progress, continue please:

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system, this scan can take several hours to complete, it is very thorough and well worth running, please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - on Vista and Windows 7, right click on the IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add/on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report in next reply

 

Let me know if you have any remaining issues or concerns..


You can simply delete that entry from ESET. As you've mentioned ScorpionSaver, we need to search your system for unwanted entries...

 

Please download SystemLook from the following link below and save it to your Desktop. Use the correct version 32bit or 64bit.

 

http://jpshortstuff.247fixes.com/SystemLook_x64.exe      <<-   64 bit….

 

http://images.malwareremoval.com/jpshortstuff/SystemLook.exe  <<-  32 bit

 


Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
 
:filefind
*adpeak*
Adpeak.*
*Scorpion*
Scopion.*
:folderfind
*Scorpion*
*adpeak*
:regfind
*Scorpion*
Scorpion
*adpeak*
adpeak
 
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log

 

Note: The log can also be found on your Desktop entitled SystemLook.txt


Simply navigate to that entry that eset flagged and delete it...

 

Next,

 

Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

http://oldtimer.geekstogo.com/OTM.exe.
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe  

Double click OTM.exe to start the tool. Vista or Windows 7 users accept UAC alert. Be aware all processes will be stopped during run, also Desktop will disappear, this will be put back on completion.... If your security alerts to OTM, either accept the alert or turn off security until OTM completes...

  • Copy the text from the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Reg :Reg

    :Reg
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\Scorpion Saver]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\scorpionsaver.com]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\scorpionsaver.com]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\scorpionsaverjs.info]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\8F71DB22-A8DF-4C0D-A26C-2142A9317F6A]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\8F71DB22-A8DF-4C0D-A26C-2142A9317F6A]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Saver]
    [-HKEY_USERS\.DEFAULT\Software\AppDataLow\Software\Scorpion Saver]
    [-HKEY_USERS\S-1-5-21-1954505751-3442210741-1621610202-1001\Software\AppDataLow\Software\Scorpion Saver]
    [-HKEY_USERS\S-1-5-21-1954505751-3442210741-1621610202-1001\Software\Microsoft\Internet Explorer\DOMStorage\scorpionsaver.com]
    [-HKEY_USERS\S-1-5-21-1954505751-3442210741-1621610202-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\scorpionsaver.com]
    [-HKEY_USERS\S-1-5-21-1954505751-3442210741-1621610202-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\scorpionsaverjs.info]
    [-HKEY_USERS\S-1-5-18\Software\AppDataLow\Software\Scorpion Saver]
    :Files
    C:\Documents and Settings\Eric Hustedt\AppData\Local\Temp\AdpeakProxyr.log
    C:\Documents and Settings\Eric Hustedt\AppData\Local\Temp\AdpeakRegisterLSP.ini.log
    C:\Users\Eric Hustedt\AppData\Local\Temp\AdpeakProxyr.log
    C:\Users\Eric Hustedt\AppData\Local\Temp\AdpeakRegisterLSP.ini.log
    C:\Windows\Temp\AdpeakProxy.log
    C:\Windows\Temp\AdpeakProxyr.log
    C:\Documents and Settings\Eric Hustedt\AppData\Local\Microsoft\Internet Explorer\DOMStore\KBW3PVTA\static.scorpionsaver[1].xml
    C:\Documents and Settings\Eric Hustedt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4FWK3PS1\tv-classic-scorpionsaver[1].js
    C:\Documents and Settings\Eric Hustedt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4DMYJ4M4\tv-classic-scorpionsaver[1].js
    C:\Documents and Settings\Eric Hustedt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZNNZLIUI\scorpionsaver-removal[1].htm
    C:\Documents and Settings\Eric Hustedt\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\NISW9DPT\static.scorpionsaver[1].xml
    C:\Documents and Settings\Eric Hustedt\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\YR6ODIP5\f.scorpionsaverjs[1].xml
    C:\Documents and Settings\Eric Hustedt\Favorites\Computer\Please help me get rid of Scorpion Saver - Malware Removal Help - Malwarebytes Forum.url
    C:\Documents and Settings\Eric Hustedt\Favorites\Computer\Remove Scorpion Saver pop-up ads (Virus Removal Guide).url
    C:\Users\Eric Hustedt\AppData\Local\Microsoft\Internet Explorer\DOMStore\KBW3PVTA\static.scorpionsaver[1].xml
    C:\Users\Eric Hustedt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4FWK3PS1\tv-classic-scorpionsaver[1].js
    C:\Users\Eric Hustedt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4DMYJ4M4\tv-classic-scorpionsaver[1].js
    C:\Users\Eric Hustedt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZNNZLIUI\scorpionsaver-removal[1].htm
    C:\Users\Eric Hustedt\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\NISW9DPT\static.scorpionsaver[1].xml
    C:\Users\Eric Hustedt\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\YR6ODIP5\f.scorpionsaverjs[1].xml
    C:\Users\Eric Hustedt\Favorites\Computer\Please help me get rid of Scorpion Saver - Malware Removal Help - Malwarebytes Forum.url
    C:\Users\Eric Hustedt\Favorites\Computer\Remove Scorpion Saver pop-up ads (Virus Removal Guide).url
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

 

Kevin....
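A way to confirm afterwards that everything listed in a script like the one above is really gone, as an added example that is not part of the original post: it parses the :Reg / :Files / :Commands layout and collapses repeated targets so each is checked once. The sample script, the user name in it and the `exists` callback are constructed; the path folding assumes Vista or later, where C:\Documents and Settings is a junction to C:\Users.

```python
import re

# Constructed excerpt in the same layout as the OTM script in the post above.
SAMPLE_SCRIPT = r"""
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Saver]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Saver]
:Files
C:\Documents and Settings\Example User\AppData\Local\Temp\AdpeakProxyr.log
C:\Users\Example User\AppData\Local\Temp\AdpeakProxyr.log
C:\Windows\Temp\AdpeakProxy.log
:Commands
[EmptyTemp]
"""

def parse_otm_script(text):
    """Split the script into {section name: [entries]}, keeping order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):          # :Reg, :Files, :Commands
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def canonical_targets(sections):
    """Return (registry keys, file paths) with repeats removed."""
    keys, files = [], []
    for entry in sections.get("reg", []):
        m = re.fullmatch(r"\[-(.+)\]", entry)   # the [-KEY] form used in the post
        if m and m.group(1).lower() not in (k.lower() for k in keys):
            keys.append(m.group(1))
    for entry in sections.get("files", []):
        # Assumption: Vista or later, so both spellings name the same file.
        path = re.sub(r"(?i)^([a-z]:\\)Documents and Settings\\", r"\1Users\\", entry)
        if path.lower() not in (f.lower() for f in files):
            files.append(path)
    return keys, files

def leftovers(targets, exists):
    """Targets still present; `exists` is the caller's check (e.g. os.path.exists)."""
    return [t for t in targets if exists(t)]
```
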
 


You can simply delete that entry from ESET,

 

 

 

 

You cannot delete from ESET.

 

Hence my question. It wasn't clear if you wanted me to find the entry and delete it from ESET or find the entry from ESET and delete it.

 

Everything seems to be working fine. Should I be free from Scorpion now?

I believe I know how I got it - from a bad Quicktime installer.

 

Is there something I should be using to prevent such an infection?

 

Thanks for all your help!!


Apologies for confusion over the ESET entry. ESET only returns a log telling you the navigational address of such entries, you therefore follow that address via your system. eg Start > Computer > D:\ > etc etc etc.....

 

Yep you should be free of Scorpion Saver as we find and remove all known entries from your system. To keep such nuisances out you must have a good security system, always keep it up to date and be very aware of what you download and where you surf etc.

 

Many free to use programs and applications will come bundled with unwanted extras and adware, it is usually possible to use an advanced option to install as opposed to the default option. That way it may be possible to untick unwanted extras etc. Just be careful, never take anything for granted.

 

Always a good idea to do research, use Google to check if free programs you want may have a history, either good or bad. I will give you my own security set up, maybe that will be useful to you.

 

We continue first:

 

We need to remove FRST, first it is very important to deal with its Quarantine folder using FRST itself..

OK, we continue:

Delete any fixlist.txt file previously used, continue:

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action, delete if successful. 

 

Next,

 

Delete FRST.exe from your Desktop or the folder it was saved to, navigate to and delete its folder C:\FRST

 

Next,

 

  • Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.
  • Double click the OTC icon to start the program.
    If you are using Vista or Windows 7 accept UAC
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.

 

Any tools/logs remaining on the Desktop or downloads folder can be deleted.

 

Let me know if those two steps complete...

 

My own Security set up follows:

 

Windows own Firewall, Microsoft Security Essentials and Malwarebytes Pro. Windows FW and MSE are free, MB does also have a free version, however I prefer the pro version as it provides auto updates and realtime protection. Cost is about £20 for a lifetime license.

 

As an extra layer I also use WinPatrol, the free version is adequate for general home use. Available here: http://www.winpatrol.com/download.html

 

For my browser I use Firefox with these addons: Web of Trust, Adblock Plus, Flash Block, NoScript, Ghostery. When Firefox is open select these keys together :- Ctrl - Shift - A that will access Addons manager, this gives access to find addons, use, start, stop or disable those features etc....

Before using NoScript read from this link http://noscript.net/ makes it easy to understand....

 

Understanding Windows 7 Firewall - http://windows.microsoft.com/en-GB/windows7/Understanding-Windows-Firewall-settings

 

Understanding Microsoft Security Essentials - http://www.microsoft.com/en-gb/security/pc-security/mse.aspx

 

Understanding Malwarebytes, how to create an exclusion in MSE - http://forums.malwarebytes.org/index.php?showtopic=10138&st=0&p=162100entry162100

 

Understanding WinPatrol - http://www.winpatrol.com/features.html

 

I also use the Professional version of Sandboxie, I believe there is also free version available. Visit this link http://www.sandboxie.com/ for access to d/l, also make sure to use the "Help and FAQ" option to understand its uses, specifically how to run your browser sandboxed!.

 

Also read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

If no issues remain are we ok to close out..

 

Kevin

 

 

 

fixlist.txt


Try again, see what happens. Ensure to delete any previous fixlist.txt files if present...

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action, post the log

fixlist.txt


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-12-2013 2

Ran by My Name t at 2013-12-07 19:21:25 Run:3

Running from C:\Users\My Name\Desktop\Clean

Boot Mode: Normal

==============================================

Content of fixlist:

*****************

Start

DeletQuarantine:

End

*****************

==== End of Fixlog ====

FRST did update before I reran it with the fixlist.txt you sent.


Apologies, I now can see the mistake. I have missed a letter "e" from the script.... We try one more time, delete any previous fixlist.txt files you may have downloaded.

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action, delete if successful.

 

Delete FRST.exe from your Desktop or the folder it was saved to, navigate to and delete its folder C:\FRST

fixlist.txt
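The failure seen in the Fixlog above, as an added example that is not part of the original thread: the misspelled directive is echoed back but no outcome is logged, so the log ends straight after the fixlist echo. The check below flags that case; the layout is taken from the posted log, and the result line in the second sample is constructed on the assumption that FRST writes outcomes between the echo and the end marker.

```python
import re

# Constructed logs in the layout of the Fixlog posted in the thread.
NOOP_LOG = """\
Content of fixlist:
*****************
Start
DeletQuarantine:
End
*****************

==== End of Fixlog ====
"""
DONE_LOG = """\
Content of fixlist:
*****************
Start
DeleteQuarantine:
End
*****************

(constructed result line) quarantine folder removed

==== End of Fixlog ====
"""

def split_fixlog(text):
    """Return (echoed directives, result lines) from a Fixlog's text."""
    lines = [l.strip() for l in text.splitlines()]
    start = lines.index("Content of fixlist:")
    stars = [i for i, l in enumerate(lines)
             if i > start and re.fullmatch(r"\*{5,}", l)]
    if len(stars) < 2:
        raise ValueError("fixlist echo is not closed by a second row of asterisks")
    # Start/End frame the echoed fixlist; everything else in between is a directive.
    echoed = [l for l in lines[stars[0] + 1:stars[1]]
              if l and l not in ("Start", "End")]
    end = next((i for i, l in enumerate(lines)
                if l.startswith("==== End of Fixlog")), len(lines))
    results = [l for l in lines[stars[1] + 1:end] if l]
    return echoed, results

def fix_was_noop(text):
    """True when directives were supplied but no outcome was logged for them."""
    directives, results = split_fixlog(text)
    return bool(directives) and not results
```
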


Is there any info in the logs I posted here that is private and I should be concerned about?

 

 

Not that I'm aware of....

 

As clean up is complete and you do not mention any remaining issues or concerns you should be good to go.

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Take care,

 

Kevin......


This topic is now closed to further replies.