Another scorpion saver infected user

[ChopMeat]

I've read a lot of the posts here and followed the instructions, but I'm thinking that wasnt smart, as we're warned (repeatedly!) not to do anything we're not told to...

 

So - I'm looking to get bailed out. Here's what I've done:

 

- Installed malwarebytes and ran

- Uninstalled Scorpionsaver (rebooted)

- Ran adwcleaner (I'll post the logfile report (AdwCleaner[s0].txt) are attached)

- Re-ran malwarebytes

- Ran Farbar Recovery Scan Tool (FRST.TXT and Addition.txt are attached)

 

Thanks.

Addition.txt

AdwCleanerS0.txt

FRST.txt

[MrCharlie]

Download the attached fixlist.txt to the same folder as FRST.

Run FRST.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Re-scan with AdwCleaner and Malwarebytes.

MrC

[ChopMeat]

I did that, I've attached the FixLog.txt file.

 

I do see a program in my Startup file list called "Background Container". It contains Conduit in the file path location. That's what tells me I've still got it (not sure if I'm right).

Fixlog.txt

[ChopMeat]

When I launch firefox, I am getting a popup with "srvsinfo.com?xxxxxx" in the URL. I'm also getting embedded ads.

 

I see rundll32 launched - however I don't see scorpionsaver installed.

 

What is my next step?

[MrCharlie]

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

Then re-scan with FRST (check the box for the Addition text), post the logs.

(Conduit is not part of scorpion saver)

MrC

[ChopMeat]

All are attached (too long for posting)

Addition.txt

FRST.txt

RKreport0_S_12052013_190011.txt

[MrCharlie]

Please uninstall ArcadeFrontier (HKCU) from your add/remove programs if possible.


Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest: (if found)
 

[V1][sUSP PATH] ArcadeFrontier.job : C:\Users\PANGO\AppData\Local\ArcadeFrontier\veragent.exe [7] -> FOUND
[V1][sUSP PATH] FWGames Updater.job : C:\Users\PANGO\AppData\Local\FreeWorkz\Updater.exe [-] -> FOUND
[V2][sUSP PATH] ArcadeFrontier : C:\Users\PANGO\AppData\Local\ArcadeFrontier\veragent.exe [7] -> FOUND
[V2][sUSP PATH] FWGames Updater : C:\Users\PANGO\AppData\Local\FreeWorkz\Updater.exe [-] -> FOUND

Now click Delete on the right hand column under Options

-------------

Download the attached fixlist.txt to the same folder as FRST.
Run FRST.exe and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Download a fresh copy of AdwCleaner and run it
Update Malwarebytes and........

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

[ChopMeat]

Thanks so much! I no longer see embedded ads popping when navigating to websites. PC seems to be running well. Files are attached.

 

A couple last questions/concerns:

- I see the following entries for startup programs - all are disabled, but I'd think they'd have been removed - is this a concern?

• Background Container - Command = "C:\windows\syswow64\rundll32,exe" "...AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll", DllRun
• Three other entries - SearchProtect, SearchProtectAll, and SearchProtection - pointing to an exe of cltmng.exe and SearchProtection.exe
• There's one process running I'm not familiar with - RtVOsd.exe - is this familiar?

 

Regardless - thanks very much for the help!

mbam-log-2013-12-06 (08-01-13).txt

Fixlog.txt

[MrCharlie]

Looks like you used the wrong fixlist.txt, use the one in this post:

https://forums.malwarebytes.org/index.php?showtopic=137763&p=761130

MrC

[ChopMeat]

Looks like you used the wrong fixlist.txt, use the one in this post:

https://forums.malwarebytes.org/index.php?showtopic=137763&p=761130

MrC

 

Sorry about that. I reran with the corrected fixlist.txt file. I still do see the startup programs.

 

Here's the output of the fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-12-2013

Ran by PANGO at 2013-12-06 08:52:50 Run:3

Running from C:\Users\PANGO\Desktop

Boot Mode: Normal

==============================================

Content of fixlist:

*****************

FF Extension: FreeWorkz  - C:\Users\PANGO\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\links@freeworkz.com

FF Extension: ArcadeFrontier - C:\Users\PANGO\AppData\Roaming\Mozilla\Firefox\Profiles\occec0q0.default-1366303395288\Extensions\{1a68cbde-3e4c-4fae-bf49-af5ab9868e53}

CHR Plugin: (FreeWorkz Addon) - C:\Users\PANGO\AppData\Local\Google\Chrome\User Data\Default\Extensions\edogkopmmbiomlflahmmpchnobahleib\npFreeWorkzGC.dll No File

CHR Extension: (FreeWorkz) - C:\Users\PANGO\AppData\Local\Google\Chrome\User Data\Default\Extensions\edogkopmmbiomlflahmmpchnobahleib

Task: {EE7C45A0-F358-4648-B294-A95192FE5153} - \BackgroundContainer Startup Task No Task File

Task: {2DA246E8-220C-4A19-888E-531CF72EE7DC} - System32\Tasks\FWGames Updater => C:\Users\PANGO\AppData\Local\FreeWorkz\Updater.exe [2012-05-30] ()

BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File

BHO-x32: ArcadeFrontier Addon - {6C8DB2EC-499B-4897-A784-0E3186C97E9D} - C:\Users\PANGO\AppData\Local\ArcadeFrontier\ArcadeFrontier.dll No File

C:\Windows\Tasks\ArcadeFrontier.job

C:\Users\PANGO\AppData\Local\ArcadeFrontier

C:\Windows\System32\Tasks\ArcadeFrontier

C:\Users\PANGO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ArcadeFrontier

C:\Users\PANGO\Downloads\ArcadeFrontierGames.exe

C:\Users\PANGO\Downloads\ArcadeFrontierGames(2).exe

C:\Users\PANGO\Downloads\ArcadeFrontierGames(1).exe

*****************

C:\Users\PANGO\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\links@freeworkz.com => Moved successfully.

C:\Users\PANGO\AppData\Roaming\Mozilla\Firefox\Profiles\occec0q0.default-1366303395288\Extensions\{1a68cbde-3e4c-4fae-bf49-af5ab9868e53} not found.

C:\Users\PANGO\AppData\Local\Google\Chrome\User Data\Default\Extensions\edogkopmmbiomlflahmmpchnobahleib\npFreeWorkzGC.dll not found.

CHR Extension: (FreeWorkz) - C:\Users\PANGO\AppData\Local\Google\Chrome\User Data\Default\Extensions\edogkopmmbiomlflahmmpchnobahleib directory not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{EE7C45A0-F358-4648-B294-A95192FE5153} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EE7C45A0-F358-4648-B294-A95192FE5153} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BackgroundContainer Startup Task => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2DA246E8-220C-4A19-888E-531CF72EE7DC} => Key not found.

C:\Windows\System32\Tasks\FWGames Updater not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\FWGames Updater => Key not found.

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key not found.

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C8DB2EC-499B-4897-A784-0E3186C97E9D} => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{6C8DB2EC-499B-4897-A784-0E3186C97E9D} => Key not found.

"C:\Windows\Tasks\ArcadeFrontier.job" => File/Directory not found.

"C:\Users\PANGO\AppData\Local\ArcadeFrontier" => File/Directory not found.

"C:\Windows\System32\Tasks\ArcadeFrontier" => File/Directory not found.

"C:\Users\PANGO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ArcadeFrontier" => File/Directory not found.

C:\Users\PANGO\Downloads\ArcadeFrontierGames.exe => Moved successfully.

C:\Users\PANGO\Downloads\ArcadeFrontierGames(2).exe => Moved successfully.

C:\Users\PANGO\Downloads\ArcadeFrontierGames(1).exe => Moved successfully.

==== End of Fixlog ====

[MrCharlie]

 

I still do see the startup programs.

OK..what programs and where??? In your task manager?? (ctrl + alt + del)

MrC

[ChopMeat]

Sorry - when I enter msconfig, and check startup programs. I see those items, disabled.

[MrCharlie]

ComboFix is good at deleting items like that:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[MrCharlie]

How are we doing??

Do you still need help or can I close this post??

MrC

[ChopMeat]

Mr C - Thank you SO MUCH for the help. You can be sure a contribution is on its way via PayPal.

 

To follow up on the last questions I had - I couldn't seem to eliminate the last few disabled programs from startup, so I deleted their keys from the registry, and voila, all good.

 

Again, thanks for the time, you can close this post.

[MrCharlie]

OK.....

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[Maurice Naggar]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.