Jump to content

Build Theme!
  •  
  • Infected?

big grin WE'RE SURE THAT YOU'LL LOVE US!

We invite you to ask questions, share experiences, and learn. It's 100% free. Did we mention that it's free. It is. It's free. Join 91521 other members! Anybody can ask, anybody can answer. Consistently helpful members with best answers are invited to staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Scorpion Saver Virus [Solved]


  • This topic is locked This topic is locked
74 replies to this topic

#16 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 14 November 2013 - 10:58 PM

Hi jhurst,

bullseye_zpse9eaf36e.gif Manage Add-Ons in Internet Explorer

  • Locate the ietoolsbutton.jpg in the upper right hand corner of the Internet Explorer browser window.
  • Left click, then choose Manage add-ons > Toolbars and Extensions
  • Locate the following add-ons (if present)
    • GetSavin
    • ScorpionSaver
  • Select the add-on, and click the Disable button.
  • Do this for each entry present, then close

=========================

bullseye_zpse9eaf36e.gif To Reset Internet Explorer Settings

  • Close all Internet Explorer and Windows Explorer windows that are currently open.
  • Open Internet Explorer.
  • Click the Tools button ietoolsbutton.jpg, and then click Internet Options.
  • Click the Privacy tab.
  • Locate the Pop-up Blocker section.
  • Ensure there is a check mark present.
  • Click Apply, and then click OK.
  • Close Internet Explorer.

=========================

bullseye_zpse9eaf36e.gif Reboot

=========================

Update pop-up status


OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.

    Advertisements

Register to Remove


#17 jhurst

jhurst

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 15 November 2013 - 10:30 AM

Thank you for your reply.  I will perform the suggested tasks this evening.  I did notice that there is a ScorpionSaver program that is present in my program list in Control Panel.  It indicates that the program was created on 11/13/13.  I know that I had tried to delete this program out of the program list prior to posting on the WhatthTech site.  It appears to be back again however.

 

Should this be a concern or should we try to delete again?



#18 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 15 November 2013 - 10:32 AM

Yes, remove it from the programs list prior to running the other steps outlined.


OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.


#19 jhurst

jhurst

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 15 November 2013 - 09:17 PM

Good evening.

 

I attempted to remove the ScorpionSaver program from my program list.  I received an error message as I was deleting the file that stated:

Could not delete key:

\software\wow.6432node\Microsoft\Windows|CurrentVersion\Explorer\BrowserHelperObjects

 

I also checked in the IE Manage Add On's.  Neither the GetSavin or ScorpionSaver programs are listed there.  The pop-up blocker option is checked.



#20 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 15 November 2013 - 10:50 PM

Hi jhurst,

 

bullseye_zpse9eaf36e.gif MiniToolBox

Please download MiniToolBox, save it to your desktop and run it.
Right click and select "Run as Administrator".

Check-mark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

=========================

 

 

In your next post please provide the following:

  • Result.txt

 

 


OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.


#21 jhurst

jhurst

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 16 November 2013 - 07:39 AM

MiniToolBox by Farbar  Version: 13-07-2013
Ran by JOHN (administrator) on 16-11-2013 at 08:34:44
Running from "C:\Users\JOHN\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

 

========================= IP Configuration: ================================

Intel® 82579V Gigabit Network Connection = Local Area Connection 2 (Connected)

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled

popd
# End of IPv4 configuration

 

Windows IP Configuration

   Host Name . . . . . . . . . . . . : HURST
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : hsd1.ga.comcast.net.

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : hsd1.ga.comcast.net.
   Description . . . . . . . . . . . : Intel® 82579V Gigabit Network Connection
   Physical Address. . . . . . . . . : 4C-72-B9-D1-AF-79
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e93e:bb93:550d:3185%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.104(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, November 15, 2013 10:02:20 PM
   Lease Expires . . . . . . . . . . : Sunday, November 17, 2013 8:27:42 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 223113913
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-EE-0A-6D-4C-72-B9-D1-AF-79
   DNS Servers . . . . . . . . . . . : 75.75.75.75
                                       75.75.76.76
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.hsd1.ga.comcast.net.:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : hsd1.ga.comcast.net.
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:3007:29eb:e781:53a6(Preferred)
   Link-local IPv6 Address . . . . . : fe80::3007:29eb:e781:53a6%14(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  cdns01.comcast.net
Address:  75.75.75.75

Name:    google.com
Addresses:  2607:f8b0:4002:c07::8b
   74.125.21.102
   74.125.21.100
   74.125.21.138
   74.125.21.139
   74.125.21.113
   74.125.21.101

Pinging google.com [74.125.196.113] with 32 bytes of data:
Reply from 74.125.196.113: bytes=32 time=12ms TTL=45
Reply from 74.125.196.113: bytes=32 time=12ms TTL=45

Ping statistics for 74.125.196.113:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 12ms, Maximum = 12ms, Average = 12ms
Server:  cdns01.comcast.net
Address:  75.75.75.75

Name:    yahoo.com
Addresses:  98.139.183.24
   98.138.253.109
   206.190.36.45

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=80ms TTL=47
Reply from 206.190.36.45: bytes=32 time=82ms TTL=47

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 80ms, Maximum = 82ms, Average = 81ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=4ms TTL=128
Reply from 127.0.0.1: bytes=32 time=2ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 4ms, Average = 3ms
===========================================================================
Interface List
 13...4c 72 b9 d1 af 79 ......Intel® 82579V Gigabit Network Connection
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.104     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.104    276
    192.168.1.104  255.255.255.255         On-link     192.168.1.104    276
    192.168.1.255  255.255.255.255         On-link     192.168.1.104    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.104    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.104    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 14     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 14     58 2001::/32                On-link
 14    306 2001:0:9d38:6ab8:3007:29eb:e781:53a6/128
                                    On-link
 13    276 fe80::/64                On-link
 14    306 fe80::/64                On-link
 14    306 fe80::3007:29eb:e781:53a6/128
                                    On-link
 13    276 fe80::e93e:bb93:550d:3185/128
                                    On-link
  1    306 ff00::/8                 On-link
 14    306 ff00::/8                 On-link
 13    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/15/2013 11:35:31 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 13135

Error: (11/15/2013 11:35:31 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 13135

Error: (11/15/2013 11:35:31 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/15/2013 11:35:30 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 12137

Error: (11/15/2013 11:35:30 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 12137

Error: (11/15/2013 11:35:30 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/15/2013 11:35:29 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 11138

Error: (11/15/2013 11:35:29 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 11138

Error: (11/15/2013 11:35:29 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/15/2013 11:35:28 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 10140

System errors:
=============
Error: (11/16/2013 08:31:38 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume Windows.

Error: (11/16/2013 08:31:12 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume Windows.

Error: (11/15/2013 10:02:46 PM) (Source: Service Control Manager) (User: )
Description: The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error:
%%1053

Error: (11/15/2013 10:02:46 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Windows Presentation Foundation Font Cache 3.0.0.0 service to connect.

Error: (11/15/2013 10:02:16 PM) (Source: Service Control Manager) (User: )
Description: The ASPI32 service failed to start due to the following error:
%%2

Error: (11/15/2013 07:29:01 PM) (Source: Service Control Manager) (User: )
Description: The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error:
%%1053

Error: (11/15/2013 07:29:01 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Windows Presentation Foundation Font Cache 3.0.0.0 service to connect.

Error: (11/15/2013 07:28:29 PM) (Source: Service Control Manager) (User: )
Description: The ASPI32 service failed to start due to the following error:
%%2

Error: (11/15/2013 02:51:26 PM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume Windows.

Error: (11/15/2013 02:50:58 PM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume Windows.

Microsoft Office Sessions:
=========================
Error: (11/15/2013 11:35:31 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 13135

Error: (11/15/2013 11:35:31 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 13135

Error: (11/15/2013 11:35:31 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/15/2013 11:35:30 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 12137

Error: (11/15/2013 11:35:30 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 12137

Error: (11/15/2013 11:35:30 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/15/2013 11:35:29 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 11138

Error: (11/15/2013 11:35:29 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 11138

Error: (11/15/2013 11:35:29 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/15/2013 11:35:28 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 10140

=========================== Installed Programs ============================

Adobe AIR (Version: 3.6.0.6090)
Adobe Common File Installer (Version: 1.00.002)
Adobe Flash Player 11 ActiveX (Version: 11.9.900.117)
Adobe Flash Player 11 Plugin (Version: 11.9.900.117)
Adobe Help Center 2.1 (Version: 2.1)
Adobe Photoshop Elements 2.0 (Version: 2.0)
Adobe Premiere Elements 3.0 (Version: 3.0.0)
Adobe Premiere Elements 3.0 Templates (Version: 1.0.0)
Adobe Reader XI (11.0.02) (Version: 11.0.02)
Adobe Shockwave Player 12.0 (Version: 12.0.0.112)
Apple Application Support (Version: 2.3.4)
Apple Mobile Device Support (Version: 6.1.0.13)
Apple Software Update (Version: 2.1.3.127)
Base CRM For Outlook 1.1.0.1 [JOHN] (Version: 1.1.0.1)
Bonjour (Version: 3.0.0.10)
CANON iMAGE GATEWAY Task for ZoomBrowser EX (Version: 1.7.2.11)
Canon Internet Library for ZoomBrowser EX (Version: 1.6.3.9)
Canon MOV Decoder (Version: 1.5.0.7)
Canon MOV Encoder (Version: 1.3.1.3)
Canon MovieEdit Task for ZoomBrowser EX (Version: 3.4.1.9)
Canon Utilities Digital Photo Professional 3.8 (Version: 3.8.1.0)
Canon Utilities EOS Utility (Version: 2.8.1.0)
Canon Utilities PhotoStitch (Version: 3.1.22.46)
Canon Utilities Picture Style Editor (Version: 1.7.0.0)
Canon Utilities WFT Utility (Version: 3.5.1.1)
Canon Utilities ZoomBrowser EX (Version: 6.5.1.15)
Canon ZoomBrowser EX Memory Card Utility (Version: 1.3.0.4)
Citrix Online Launcher (Version: 1.0.135)
Citrix online plug-in - web (Version: 12.1.44.1)
Citrix online plug-in (DV) (Version: 12.1.44.1)
Citrix online plug-in (HDX) (Version: 12.1.44.1)
Citrix online plug-in (USB) (Version: 12.1.44.1)
Citrix online plug-in (Web) (Version: 12.1.44.1)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
CrashPlan (Version: 3.5.2)
Dropbox (Version: 2.4.6)
Google Chrome (Version: 65.96.32811)
Google Earth Plug-in (Version: 7.1.1.1888)
Google Update Helper (Version: 1.3.21.165)
GoToMeeting 5.9.0.1216 (Version: 5.9.0.1216)
High-Definition Video Playback (Version: 7.3.10900.8.0)
iCloud (Version: 3.0.2.163)
Intel® Network Connections 17.4.95.0 (Version: 17.4.95.0)
Intel® Processor Graphics (Version: 9.17.10.2932)
iTunes (Version: 11.0.5.5)
Java 7 Update 17 (64-bit) (Version: 7.0.170)
Java 7 Update 17 (Version: 7.0.170)
Java Auto Updater (Version: 2.1.9.0)
Java™ 6 Update 31 (Version: 6.0.310)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.40303)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.40308)
Mozilla Firefox 20.0 (x86 en-US) (Version: 20.0)
Mozilla Maintenance Service (Version: 20.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Nero 10 Menu TemplatePack Basic (Version: 10.6.10000.0.0)
Nero 10 Movie ThemePack Basic (Version: 10.6.10000.1.0)
Nero BurnRights 10 (Version: 4.4.10300.1.100)
Nero Control Center 10 (Version: 10.6.13000.0.11)
Nero ControlCenter 10 Help (CHM) (Version: 10.5.10000)
Nero Core Components 10 (Version: 2.0.19800.9.10)
Nero CoverDesigner 10 (Version: 5.6.10500.3.100)
Nero DiscSpeed 10 (Version: 6.4.10400.0.100)
Nero Express 10 (Version: 10.6.10600.4.100)
Nero InfoTool 10 (Version: 7.4.10200.0.100)
Nero Kwik Media (Version: 1.6.16800.75.100)
Nero Multimedia Suite 10 Essentials (Version: 10.5.10400)
Nero Recode 10 (Version: 4.10.10600.4.100)
Nero StartSmart 10 (Version: 10.6.10400.2.100)
Nero Update (Version: 11.0.10022.15.0)
Nero Vision 10 (Version: 7.4.10800.7.100)
NirSoft BlueScreenView
Norton Security Suite (Version: 20.4.0.40)
Realtek High Definition Audio Driver (Version: 6.0.1.6710)
ScanWizard 5
SES Driver (Version: 1.0.0)
swMSM (Version: 12.0.0.1)
TSST OEM Content (Version: 10.0.10300.0.0)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (Version: 3)
WebInterpoint (Version: 8.2.1)
Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM  (01/19/2011 1.0.0009.0) (Version: 01/19/2011 1.0.0009.0)

**** End of log ****



#22 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 16 November 2013 - 09:28 AM

Hi jhurst,

bullseye_zpse9eaf36e.gif Chkdsk in Vista/7

You must run the command prompt as an administrator or in an "elevated mode".
  • Start menu,  in the search bar type "cmd"
  • Right-click the cmd icon,  select "run as administrator"
    • If you have user account control (UAC) set up it may prompt you to accept that action.
  • Then type in "chkdsk /f" (make note of the space between chkdsk and /)
  • The disk must be locked. If chkdsk cannot lock the drive, a message appears that asks you if you want to check the drive the next time you restart the computer, select Yes, and reboot.
=========================

bullseye_zpse9eaf36e.gif To view results log:
  • Open the Start Menu, and type eventvwr.msc in the search box and press enter.
  • If prompted by UAC, then click on Yes (Windows 7) or Continue (Vista).
  • In the left pane of Event Viewer, double click on Windows Logs to expand it, then right click on Application and click on Find.
  • Copy and paste Chkdsk into the line, and click on Find Next.
  • You will now see the system log for the scan results of Check Disk (chkdsk).
  • In the right had menu select copy, open notepad and paste the chkdsk results into notepad
  • Post in your next reply.
=========================

bullseye_zpse9eaf36e.gif Reboot

=========================

In your next post please provide the following:
  • chkdsk results
  • How is the computer running

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.


#23 jhurst

jhurst

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 16 November 2013 - 06:05 PM

Hello.  I have tried to post the eventvwr.msc log below.  I believe I copied it correctly.  A couple items to note:

 

1) ScorpionSaver program has been removed from Program list - should we still be concerned with key "wow.6432node" that would not delete?

2) ScorpionSaver Ad pop-up and GetSavin Ad pop-ups do not seem to be effecting IE at present.  IE Browser seems to be running fine.

3) about:blank appears in IE URL section when a new tab is opened in IE.  I've read reports of this being related to a virus.  Is that accurate information.

 

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          11/16/2013 1:38:56 PM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      HURST
Description:

Checking file system on C:
The type of the file system is NTFS.
Volume label is Windows.

A disk check has been scheduled.
Windows will now check the disk.                        

CHKDSK is verifying files (stage 1 of 3)...
  167424 file records processed.                                        

File verification completed.
  347 large file records processed.                                  

  0 bad file records processed.                                    

  0 EA records processed.                                          

  60 reparse records processed.                                     

CHKDSK is verifying indexes (stage 2 of 3)...
  215998 index entries processed.                                       

Index verification completed.
  0 unindexed files scanned.                                       

  0 unindexed files recovered.                                     

CHKDSK is verifying security descriptors (stage 3 of 3)...
  167424 file SDs/SIDs processed.                                       

Cleaning up 461 unused index entries from index $SII of file 0x9.
Cleaning up 461 unused index entries from index $SDH of file 0x9.
Cleaning up 461 unused security descriptors.
Security descriptor verification completed.
  24288 data files processed.                                          

CHKDSK is verifying Usn Journal...
  36062864 USN bytes processed.                                           

Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

 243889151 KB total disk space.
  97298328 KB in 134555 files.
     77208 KB in 24289 indexes.
         0 KB in bad sectors.
    277307 KB in use by the system.
     65536 KB occupied by the log file.
 146236308 KB available on disk.

      4096 bytes in each allocation unit.
  60972287 total allocation units on disk.
  36559077 allocation units available on disk.

Internal Info:
00 8e 02 00 88 6c 02 00 10 84 04 00 00 00 00 00  .....l..........
c6 04 00 00 3c 00 00 00 00 00 00 00 00 00 00 00  ....<...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.

Event Xml:
<Event xmlns="http://schemas.micro...08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="16384">1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-11-16T18:38:56.000000000Z" />
    <EventRecordID>28304</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>HURST</Computer>
    <Security />
  </System>
  <EventData>
    <Data>

Checking file system on C:
The type of the file system is NTFS.
Volume label is Windows.

A disk check has been scheduled.
Windows will now check the disk.                        

CHKDSK is verifying files (stage 1 of 3)...
  167424 file records processed.                                        

File verification completed.
  347 large file records processed.                                  

  0 bad file records processed.                                    

  0 EA records processed.                                          

  60 reparse records processed.                                     

CHKDSK is verifying indexes (stage 2 of 3)...
  215998 index entries processed.                                       

Index verification completed.
  0 unindexed files scanned.                                       

  0 unindexed files recovered.                                     

CHKDSK is verifying security descriptors (stage 3 of 3)...
  167424 file SDs/SIDs processed.                                       

Cleaning up 461 unused index entries from index $SII of file 0x9.
Cleaning up 461 unused index entries from index $SDH of file 0x9.
Cleaning up 461 unused security descriptors.
Security descriptor verification completed.
  24288 data files processed.                                          

CHKDSK is verifying Usn Journal...
  36062864 USN bytes processed.                                           

Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

 243889151 KB total disk space.
  97298328 KB in 134555 files.
     77208 KB in 24289 indexes.
         0 KB in bad sectors.
    277307 KB in use by the system.
     65536 KB occupied by the log file.
 146236308 KB available on disk.

      4096 bytes in each allocation unit.
  60972287 total allocation units on disk.
  36559077 allocation units available on disk.

Internal Info:
00 8e 02 00 88 6c 02 00 10 84 04 00 00 00 00 00  .....l..........
c6 04 00 00 3c 00 00 00 00 00 00 00 00 00 00 00  ....&lt;...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.
</Data>
  </EventData>
</Event>



#24 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 16 November 2013 - 11:02 PM

Hi jhurst,

Thank you, the log is the correct one.

1. That is a registry key, we do not want to remove a key. Was there any additional information when you received that notice?
2. :thumbup:
3.It can be, but not in every case.

=========================

Try this to address the about:blank issue.

bullseye_zpse9eaf36e.gif Reset Homepage in Internet Explorer

Open Internet Explorer >Tools >Internet Option >General.

InternetExplorerResetHomepage_zpsf28d672

You have two options:

  • One is to set homepage as a blank page.
  • The other is to set a certain website as the homepage. ( www.google.com )
  • Then click OK to save the change.

=========================

bullseye_zpse9eaf36e.gif Reboot

=========================

In your next post please provide the following:


  • Check status of about:blank

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.


#25 jhurst

jhurst

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 17 November 2013 - 07:48 AM

Good morning.  Thank you for your reply and assistance.

 

1) When removing ScorpionSaver from my program list, it seemed to go through the process of uninstalling and then I received the following error message that was displayed as a Windows pop-up with the following description:

 

Could not delete key:

\software\wow.6432node\Microsoft\Windows|CurrentVersion\Explorer\BrowserHelperObjects

 

2) I followed you instructions to re-set the about: blank to my home page when opening a new tab.  It seems to be functioning properly.

 

3) No more Ad pop-ups at present however I did see the following file in my "C:\temp\ScorpionSaver.msi" folder.  Should I be concerned or should this be removed?

 

Thank you...


    Advertisements

Register to Remove


#26 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 17 November 2013 - 09:40 AM

Hi jhurst,
 
Let's see if there is an entry still listed in the Registry. It's very important that you do not make any changes in the Registry until I give instructions to do so.
  • Click the Start menu, in the "Search programs and files" field type "regedit" (without quotes)
  • In the left hand menu under Programs locate regedit, right click on it and select "Run as Administrator"
  • If a UAC windows opens select Yes.
  • In the Registry Editor window, expand the HKEY_LOCAL_MACHINE key
  • Expand each key until you have opened to the Browser Helper Objects key
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
  • Located under the Browser Helper Objects will be a listing of CLSID (long number, letter combinations contained within { } brackets)
  • Left click on each one until you locate the one for ScorpionSaver.
  • Then left click and choose Copy Key Name, paste the entire key name in your next reply.
    • Sample: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
  • Close the Registry

=========================
 
bullseye_zpse9eaf36e.gif Empty Temp Folder
  • Close all open applications.
  • Click the Start button.
  • In the Search programs and files box, enter Disk Cleanup and press Enter.
  • Locate Disk Cleanup in the list and double-click to open. Wait for the window to open.
  • Select (check) these choices.
    • Downloaded Program Files
    • Temporary Internet Files
    • Offline webpages
    • Recycle Bin
    • Temporary files
    • Thumbnails
    Note: Setup Log Files and System error memory dump files should be left un-checked.
  • Click OK. Click Delete Files.
  • The window will close when done.
=========================

bullseye_zpse9eaf36e.gif Reboot

=========================

In your next post please provide the following:
  • Registry key
  • Check and see if the temp file is gone

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.


#27 jhurst

jhurst

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 17 November 2013 - 12:43 PM

Hello OCD - I was unable to locate the file in the Registry location that you had listed.  I went ahead and ran a search of my registry using the word "scorpionsaver"  There were multiple entries that were returned.  I have copied each key for your review.  I have not deleted anything from the registry.

 

I also checked the temp file after performing a disc clean-up reboot and the ScorpionSaver file remains in the "C:\temp\ScorpionSaver.msi" directory

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\422332B5-F3A6-47F6-93EF-792299EF24DC

Name - (Default)

Type - REG_SZ

Data - Scorpionsaver

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\422332B5-F3A6-47F6-93EF-792299EF24DC\InProcServer32

Name - (Default)

Type - REG_SZ

Data - C:\Program File(x86)\ScorpionSaver\IECore.dll

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}

Name - (Default)

Type - REG_SZ

Data - Scorpionsaver

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}\InProcServer32

Name - (Default)

Type - REG_SZ

Data - C:\Program File(x86)\ScorpionSaver\IECore.dll

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CD07F81309AB63E4D8592E422645EB73

Name - 8BA5CD9129705784F8B198C6A5C96EEA

Type - REG_SZ

Data - 01:\Software\AppDataLow\Software\ScorpionSaver\key

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\8BA5CD9129705784F8B198C6A5C96EEA\SourceList

Name - PackageName

Type - REG_SZ

Data - scorpionsaver_20131010.msi

 

 

HKEY_USERS\S-1-5-21-3611002179-1742434191-2402041160-1002\Software\Adpeak, Inc.\ScorpionSaver

Name - (Default)

Type - REG_SZ

Data - (value not set)

 

 

HKEY_CLASSES_ROOT\Installer\Products\8BA5CD9129705784F8B198C6A5C96EEA\SourceList

Name - PackageName

Type - REG_SZ

Data - scorpionsaver_20131010.msi

 

 

HKEY_CLASSES_ROOT\SOFTWARE\Wow6432Node\CLSID\422332B5-F3A6-47F6-93EF-792299EF24DC

Name - (Default)

Type - REG_SZ

Data - Scorpionsaver

 

 

HKEY_CLASSES_ROOT\SOFTWARE\Wow6432Node\CLSID\422332B5-F3A6-47F6-93EF-792299EF24DC\InProcServer32

Name - (Default)

Type - REG_SZ

Data - C:\Program File(x86)\ScorpionSaver\IECore.dll

 

 

HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}

Name - (Default)

Type - REG_SZ

Data - Scorpionsaver

 

 

HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}\InProcServer32

Name - (Default)

Type - REG_SZ

Data - C:\Program File(x86)\ScorpionSaver\IECore.dll

 

 

HKEY_CURRENT_USER\Software\Adpeak, Inc.\ScorpionSaver

Name - (Default)

Type - REG_SZ

Data - (value not set)



#28 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 17 November 2013 - 10:47 PM

Hi jhurst,

Thank you for the detailed information.
 

ScorpionSaver file remains in the "C:\temp\ScorpionSaver.msi"


According to the last MBAM log this was removed so let's run it again and see what the report shows.

=========================

bullseye_zpse9eaf36e.gif Malwarebytes' Anti-Malware

Locate Malwarebytes' Anti-Malware (it should be on your desktop).
If not, download it here
  • Right click and select "Run as Administrator" mbam-setup.exe and follow the prompts to run the program..
  • Once the program has loaded, select the Update tab to get the latest updates before performing the scan.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Do Not Delete anything this time around.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
=========================

bullseye_zpse9eaf36e.gif Reboot

=========================

bullseye_zpse9eaf36e.gif TFC

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
    • Vista, Windows 7 & 8 Right click and select "Run as Administrator"
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
=========================

In your next post please provide the following:
  • MBAM log
  • Results of the above steps

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.


#29 jhurst

jhurst

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 18 November 2013 - 08:09 PM

Good evening.  I have run the Malwarebytes program and posted the log below.  I also ran the TFC prgram as suggested.  I couldn't find a log for this scan.  I did check the C:\temp\ folder and the ScorpionSaver.msi file is still present.

 

Thanks for your assistance.

 

 

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.18.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
JOHN :: HURST [administrator]

Protection: Enabled

11/18/2013 8:30:22 PM
MBAM-log-2013-11-18 (20-49-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215376
Time elapsed: 2 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\temp\ScorpionSaver.msi (Adware.Adpeak) -> No action taken.

(end)



#30 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 18 November 2013 - 08:25 PM

Hi jhurst,

 

Go ahead and re-run MBAM, this time select to remove items found, then reboot and check for the ScorpionSaver file in the temp folder.

 

Report back with findings


OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users