
Scorpion Saver Won't go away Windows 7 Home Professional



Sorry, but this doesn't look right.

The OTL.exe should have been the same place - as before -

C:\Users\computer doctor\Downloads

Please go back and reread carefully my last writeup on the OTL FIX procedure.

It does not look right, because I think you did not do it just right. You likely zagged somewhere instead of zigging.


Hello,

All that you need to do is this part here, per the directions below. There is a file attached that you must Save to your system, the Desktop ---- the same area that you saved OTL.exe

This just calls for you to paste the contents of that file, and do a Fix.

Temporarily disable your antivirus program and close any programs that you started.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

http://www.bleepingcomputer.com/forums/index.php?showtopic=114351

SAVE the attached file OTLWHITE.txt to your DESKTOP

Start NOTEPAD

Open the OTLWHITE.txt that you saved

Copy ALL the lines to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Please double-click OTL.exe to run it. (Note: If you are running on Windows 7/8 or Vista, right-click on the file and choose Run As Administrator).

Right click in the Custom fix block box (under the aqua-blue bar) and choose Paste. <<< *****

Close any browser(s) windows that may be open.

Using your mouse, click on the red-lettered button RUN FIX <<< ******** !!!!

Once you see a message box "Fix complete! Click OK to open the fix log."

Click the OK button

The log will open in Notepad (your default text editor).

Save the log. Attach that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes.

In this case, after the reboot, navigate to the C:\_OTL\MovedFiles folder, and look for the .LOG file, and ATTACH that document into your reply.

OTLWHITE.txt


All processes killed
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EA1C467F-C493-44F8-85C1-DFF97B990FB1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EA1C467F-C493-44F8-85C1-DFF97B990FB1}\ not found.
Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3153924&CUI=UN36052674811346013&UM=2&SearchSource=3&q={searchTerms}" removed from browser.search.defaulturl
Use Chrome's Settings page to change the HomePage.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ConduitFloatingPlugin_jonjajmpblmjkhjemkalbddhodlehkfg not found.
File  not found.
========== FILES ==========
File\Folder C:\Users\computer doctor\AppData\Local\Temp\CT3153924 not found.
File\Folder C:\Program Files\DealPly not found.
File\Folder C:\Program Files\Level Quality Watcher not found.
File\Folder C:\ProgramData\VisualBee not found.
File\Folder C:\ProgramData\Conduit not found.
File\Folder C:\Users\computer doctor\AppData\Local\Conduit not found.
File\Folder C:\Program Files\Conduit not found.
File\Folder C:\Windows\tasks\Dealply.job not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: computer doctor
->Temp folder emptied: 61141123 bytes
->Temporary Internet Files folder emptied: 2284010 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 186277312 bytes
->Google Chrome cache emptied: 6857173 bytes
->Flash cache emptied: 4735 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 32868 bytes
RecycleBin emptied: 7345030 bytes
 
Total Files Cleaned = 252.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: computer doctor
->Flash cache emptied: 0 bytes
 
User: Default
 
User: Default User
 
User: Public
 
User: UpdatusUser
 
Total Flash Files Cleaned = 0.00 mb
 
 
[EMPTYJAVA]
 
User: All Users
 
User: computer doctor
->Java cache emptied: 0 bytes
 
User: Default
 
User: Default User
 
User: Public
 
User: UpdatusUser
 
Total Java Files Cleaned = 0.00 mb
 
Restore point Set: OTL Restore Point
 
OTL by OldTimer - Version 3.2.69.0 log created on 12092013_103901

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 


Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.09.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16428
computer doctor :: COMPUTERDOCTOR [administrator]

Protection: Enabled

12/9/2013 10:59:59 AM
mbam-log-2013-12-09 (10-59-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 222151
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Home Premium x86
Ran by computer doctor on Mon 12/09/2013 at 11:08:59.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-3096931636-4125460045-518681182-1000\Software\Microsoft\Internet Explorer\Main\\Start Page



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 12/09/2013 at 11:11:58.23
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


# AdwCleaner v3.014 - Report created 09/12/2013 at 11:17:06
# Updated 01/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)
# Username : computer doctor - COMPUTERDOCTOR
# Running from : C:\Users\computer doctor\Desktop\malwarebytes\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\computer doctor\AppData\Roaming\Mozilla\Firefox\Profiles\j9ul3tgz.default-1386607865649\prefs.js ]


-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\computer doctor\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : icon_url
Deleted : search_url
Deleted : suggest_url
Deleted : keyword

*************************

AdwCleaner[R0].txt - [5469 octets] - [08/12/2013 16:16:54]
AdwCleaner[R1].txt - [1091 octets] - [08/12/2013 18:45:25]
AdwCleaner[R2].txt - [1384 octets] - [09/12/2013 11:16:21]
AdwCleaner[s0].txt - [5279 octets] - [08/12/2013 16:19:13]
AdwCleaner[s1].txt - [1153 octets] - [08/12/2013 18:46:50]
AdwCleaner[s2].txt - [1217 octets] - [09/12/2013 11:17:06]

########## EOF - C:\AdwCleaner\AdwCleaner[s2].txt - [1277 octets] ##########
 


Hello,

Your system should be in fine shape at this point. Ready to wrap this up?

Close all open browsers at this point.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Start Internet Explorer

Using Internet Explorer browser only, go to BitDefender Quickscan website:

http://quickscan.bitdefender.com

and click "Start Scan".

Observe your browser in case it shows a notice/message bar to allow download and installation of a tool.

Allow the download and install of qsax.cab from BitDefender. Right-click the IE info bar and select Install to install the BitDefender quick scan module.

If prompted, reply yes to allow it to run.

Press the Allow button and follow prompts.

Press the "Start Scan" once more.

You'll see the EULA in a pop-up window. Click the I accept & then the OK button

Note: The FAQ is here --> http://quickscan.bitdefender.com/faq/

and that QuickScan has no removal capability.

The site boasts a 60-second scan. Do have patience as it likely will take longer.

It may seem to stall at moments, but have patience; it will move on.

You'll see a progress bar at top right of window.

Hopefully you will see a No infections found in the bar-window. Press the View Log button.

The log report will show in your text editor. Save the log.

Do a Select ALL, Copy. Then paste contents into your next reply.

When all done, Re-Enable your antivirus program.


Bitdefender QuickScan
Fast & free online virus scanner
Find out if your computer is clean
It only takes a few seconds
Scan now
Did you know that...
A virus can “ransack” computers, permanently deleting critical files or folders?
 
100%
No infection found.
Good news! We found no active infections on your PC
Keep it clean with The New Bitdefender Internet Security!
Free download

Very well. Start with this to cleanup after the tools I had you use:

First, close any open work documents & any open work apps.

Download & Save OTC to your desktop and then run it

http://oldtimer.geekstogo.com/OTC.exe

Click "Yes" to begin the Cleanup process and remove these components, including this application.

You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Delete these if still present:

Silentrunners.vbs

OTLWHITE.txt

JRT.exe

To remove AdwCleaner:

Double click on AdwCleaner.exe to run the tool.

Click on Uninstall

Confirm with yes

You may go to your Control Panel >> Programs and Features {{ Windows-key+R keys >> appwiz.cpl }}

Look for BitDefender Quickscan

select it and Uninstall

Close Control Panel when done.

I would urge you to practice daily these tips:

Pay close attention when installing 3rd-party programs.

It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. Furthermore, if the license agreement or installation screens state that they are going to install a toolbar or other unwanted adware, it is advised that you cancel the install and not use the free software.

Get and put in place our beta Anti-Exploit

http://www.malwarebytes.org/products/antiexploit/

Safer practices & malware prevention

Have a hardware router between the incoming internet-modem and your computer.

Use a Standard user account rather than an administrator-rights account when "surfing" the web.

See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.

Check in at Windows Update (http://windowsupdate.microsoft.com) and install any Important Updates offered.

Make certain that Automatic Updates is enabled.

How to configure and use Automatic Updates in Windows

http://support.microsoft.com/kb/306525

Check on other update issues as well, by getting, installing and using Secunia Personal Software Inspector (PSI) on a monthly basis.

See How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

http://www.bleepingcomputer.com/tutorials/tutorial174.html

Download, install, and keep updated Spyware Blaster (free): http://www.brightfort.com/spywareblaster.html

(all Protections should be enabled at all times)

Tutorial for Spywareblaster: Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware

http://www.bleepingcomputer.com/tutorials/use-spywareblaster-to-protect-your-computer/

I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm

See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm

That would help to keep your browser away from known spyware/malware sites.

Get notified when the MVPS HOSTS file is updated

http://winhelp2002.mvps.org/updates.htm

Make regular backups of your system to removable media: DVD, USB external hard drive, etc.

Having a total image backup of your system stored on DVD/CD is highly important.

Get and make use of imaging-backup utilities and save them to offline media. That way you have something to fall back to if a disaster hits.

Consider using Web of Trust WOT add-on for your browser(s)

http://www.mywot.com/en/download

http://www.mywot.com/en/faq/add-on

Take extreme care if you share USB-flash/thumb drives from other people {even from friends, roommates, relatives}

Don't plug an unknown flash/thumb drive into your PC.

IF you must do so, hold down the SHIFT-key when you insert the drive.

Scan any file with your Antivirus prior to opening or using.

I wish you well.

Cheers.


Thought everything was fixed! I switched to standard user?

Now,

I have no email account anymore.

 

Bookmarks & history are gone.

 

Everything on the desktop is gone except for the recycle bin, shortcut to firefox, shortcut to quicktime player and shortcut to google chrome.

 

Downloads folder is empty.

 

Pictures are gone.

 

Tried system restore back to 12/08/2013 same thing.

 


Update:

When I log in as administrator everything that was missing as noted above is ok.

Logging in as standard user and everything is lost!

 

Downloaded latest update from Malwarebytes-ran quick scan:

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.11.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16476
computer doctor :: COMPUTERDOCTOR [administrator]

Protection: Enabled

12/10/2013 10:34:46 PM
mbam-log-2013-12-10 (22-34-46).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 269724
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

Downloaded latest from Windows Update

 

Quick Scan in Microsoft Security Essentials=No threats.


Hello,

I would not be using "system restore" at this point to even go backwards in time. The system is clean of malware.

Tell me, what is your email-client program?

And what is the difference between using one login-account and the standard user?

The same email-client program is using the same email-database-store.

As to desktop shortcuts, you can manually put back by recreating any needed shortcut.

Tell me, how long have you had the "standard" user account?

When did you create it ?

IF you created that in the past 1, 2, 3 days then that would be a brand new Windows "user" account and would be expected to have no shortcuts on the desktop (other than the bare default).


Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarde...log-page_7.html

 

The above was in your last comment, day before yesterday #37 at 07:48, when I switched to Standard user account is when the problem started which was yesterday.

 

Windows Live Mail is the client program.

 

When the computer starts up two icons appear, one administrator and one standard user. Clicking on administrator gives me access to everything just as before. Clicking on standard user is when everything disappears. I guess it's that big a deal for me to use administrator.


Hello Whiteriver,

Your infection is cured. We should wrap this up now. I am sorry that you had all the trouble with your attempt with a standard user.

I gave you before the cleanup details, on the tools.

Suggestions that you should follow:

Get and put in place our beta Anti-Exploit

http://www.malwarebytes.org/products/antiexploit/

Safer practices & malware prevention

Have a hardware router between the incoming internet-modem and your computer.

Use a Standard user account rather than an administrator-rights account when "surfing" the web.

See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.

Check in at Windows Update (http://windowsupdate.microsoft.com) and install any Important Updates offered.

Make certain that Automatic Updates is enabled.

How to configure and use Automatic Updates in Windows

http://support.microsoft.com/kb/306525

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. Furthermore, if the license agreement or installation screens state that they are going to install a toolbar or other unwanted adware, it is advised that you cancel the install and not use the free software.

Check on other update issues as well, by getting, installing and using Secunia Personal Software Inspector (PSI) on a monthly basis.

See How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

http://www.bleepingcomputer.com/tutorials/tutorial174.html

Download, install, and keep updated Spyware Blaster (free): http://www.brightfort.com/spywareblaster.html

(all Protections should be enabled at all times)

Tutorial for Spywareblaster: Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware

http://www.bleepingcomputer.com/tutorials/use-spywareblaster-to-protect-your-computer/

I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm

See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm

That would help to keep your browser away from known spyware/malware sites.

Get notified when the MVPS HOSTS file is updated

http://winhelp2002.mvps.org/updates.htm

Make regular backups of your system to removable media: DVD, USB external hard drive, etc.

Having a total image backup of your system stored on DVD/CD is highly important.

Get and make use of imaging-backup utilities and save them to offline media. That way you have something to fall back to if a disaster hits.

Consider using Web of Trust WOT add-on for your browser(s)

http://www.mywot.com/en/download

http://www.mywot.com/en/faq/add-on

Take extreme care if you share USB-flash/thumb drives from other people {even from friends, roommates, relatives}

Don't plug an unknown flash/thumb drive into your PC.

IF you must do so, hold down the SHIFT-key when you insert the drive.

Scan any file with your Antivirus prior to opening or using.

I wish you well.
