Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: TboneDaddy on March 04, 2014, 06:37:50 PM
-
I've been fighting with malware for a couple weeks on my Windows 7 laptop. The (corporate issued) Symantec Endpoint Protection has been notifying me repeatedly (sometimes a couple times a minute) that an "Adware.BL" risk has been identified, always in a file with a name like "DWH****.tmp", and always located in the ...\AppData\Local\Temp folder. The files get analyzed and quarantined, but I continue to get notified.
Doing some research, it appears that this may be caused by ScorpionSaver. I find in my Programs and Features section of the Control Panel, that two programs, ScorpionSaver and ScorpionSaver Services are installed, but when I try to uninstall them, I get the message: The feature you are trying to use is on a network resource that is unavailable. It is trying to search the c:\temp\ folder for either the file named "InstallServices64.msi" (for ScorpionSaver Services) or "t.msi" (for Scorpion Saver), and will not allow me to remove either program. I've searched my files for anything called "scorpion", or similar, without luck.
I found this listing on the forum from a few months ago:
http://forum.avast.com/index.php?topic=144530.30
I'm hoping someone can help me. Thanks!
-
http://forum.avast.com/index.php?topic=53253.0
-
Need help removing Scorpion Saver Malware
this is done in the viruses and worms forum section
at top in that forum section you find a Logs to assist in cleaning malware guide, follow it and attach Malwarebytes and OTL logs
-
and here is the Malwarebytes log
-
It looks like the OTL logs did not post earlier
-
Also, thanks in advance for your help, and sorry that I didn't find the right Forum topic earlier. Do I need to do something to move this thread to the right topic?
-
Do I need to do something to move this thread to the right topic?
you should have started a new topic in the viruses and worms section and attached logs there....as said in the guide
but now we continue here ;)
malware experts are notified.....they should be online soon and assist you
-
No, I can have someone come here.
Just a question though. Did you crash recently (Last Month)?
[2014/03/04 09:18:37 | 985,170,680 | ---- | M] () -- C:\Windows\MEMORY.DMP
Also, any reason for the VMWare software on your PC? (Virtual Machines)?
Edit: Pondus has notified someone for you. Also, if you have crashed recently, the log might be helpful if they ask for it.
-
your Malwarebytes log is from yesterday?
update Malwarebytes and run quick scan....
or maybe you are located in US ;D sorry
-
No, that log is from yesterday. Do run a quick scan.
-
No, that log is from yesterday. Do run a quick scan.
according to this ....he is in yesterday ;D
http://www.timeanddate.no/tidssoner/tidsforskjell-resultat?iso=20140304T00&p1=2566&p2=77
-
To me it looks like these things need to be fixed.
But please do nothing until someone with more knowledge about OTL confirms it.
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekkosearch.mystart.com/TOOLBARNAMESPACE/?source=86adbc52&tbp=rbox&toolbarid=blekkotb_soc&u=20120429A2C64D7BA0AC8A0C73222ED5&q={searchTerms}
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes\{639050A6-4142-476E-80FA-C259708AD7F9}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061&CUI=UN15906891533133182&UM=2
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&CUI=UN42652793601729096&UM=2&SearchSource=3&q={searchTerms}"
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&SearchSource=2&CUI=UN42652793601729096&UM=2&q="
FF - user.js - File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe File not found
O4 - HKU\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun File not found
O4 - HKU\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun File not found
O4 - HKU\S-1-5-21-138233441-1584739199-929701000-24510..\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe File not found
O4 - HKU\S-1-5-21-138233441-1584739199-929701000-24510..\Run: [Adobe Reader Synchronizer] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AdobeCollabSync.exe" File not found
O4 - HKU\S-1-5-21-138233441-1584739199-929701000-24510..\Run: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} http://support.lenovo.com/Resources/Lenovo/AutoDetect/acpirexe.cab (IASRunner Class)
O16 - DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} https://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab (Reg Error: Key error.)
O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} https://caswism.infra.cinfin.com/auth/CCALogin.CAB (CCAWebLogin Control)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file:///C:/Windows/Java/classes/xmldso.cab (Reg Error: Key error.)
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18 - Protocol\Handler\gopher - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O30 - LSA: Security Packages - (wsauth) - File not found
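As an added example (not part of this thread, and not code from the OTL tool), the following Python triage script reads OTL-style lines like the ones quoted above and flags two things a helper would look for first: autorun/context-menu entries whose target is "File not found" (orphaned registry references) and search-scope or Firefox pref URLs pointing at the redirector domains that appear in this log. The sample lines are constructed from the thread's excerpts, and the redirector domain list is an assumption drawn from them.

```python
import re
from urllib.parse import urlparse

# Search redirector domains seen in the thread's OTL excerpts (assumption:
# treat any host under these domains as a toolbar/PUP search hijack).
SEARCH_REDIRECTORS = ("conduit.com", "mystart.com")

# Constructed sample: lines modelled on the OTL output quoted in the thread.
SAMPLE_LOG = r"""
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekkosearch.mystart.com/TOOLBARNAMESPACE/?source=86adbc52&tbp=rbox&toolbarid=blekkotb_soc&q={searchTerms}
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes\{639050A6-4142-476E-80FA-C259708AD7F9}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&SearchSource=3&q={searchTerms}"
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&SearchSource=2&q="
O4 - HKLM..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe File not found
O4 - HKU\.DEFAULT..\RunOnce: [tril_scp] c:\econfig\tril_scp.bat ()
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O30 - LSA: Security Packages - (wsauth) - File not found
"""

URL_RE = re.compile(r'https?://[^\s"\']+')
# "O4 - ..." or "O4:64bit: - ..." entries whose target OTL could not find.
ORPHAN_RE = re.compile(r'^(?P<section>O\d+)(?::64bit:)? - (?P<entry>.+?)\s+File not found\.?$')
SECTION_RE = re.compile(r'^(?P<section>[A-Z]+\d*)(?::64bit:)? - ')


def is_redirector(host):
    """True if host is, or sits under, one of the listed redirector domains."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in SEARCH_REDIRECTORS)


def triage_line(line):
    """Classify one OTL line; returns a finding dict or None if nothing stands out."""
    line = line.rstrip()
    m = ORPHAN_RE.match(line)
    if m:
        # Orphaned registry reference: usually leftover from an uninstall, but
        # still worth clearing so it cannot be reused as a persistence slot.
        return {"kind": "orphan", "section": m.group("section"), "entry": m.group("entry")}
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname
        if is_redirector(host):
            sec = SECTION_RE.match(line)
            return {"kind": "hijack", "section": sec.group("section") if sec else "?", "host": host}
    return None


def triage(log_text):
    """Run triage_line over a whole log and collect the findings in order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def summarize(findings):
    """Count findings per kind, e.g. {'hijack': 4, 'orphan': 3}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(summarize(triage(SAMPLE_LOG)))
```

Lines such as the O16 DPF entry for office.microsoft.com pass through unflagged, which is the point: only redirector hosts and unresolvable targets are raised, so legitimate entries are not swept up with the fix.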
-
Hi there, it appears that this may be a second tab opening, is that correct?
You will need to uninstall either Avast or Norton, as two AVs is not good.
Warning: This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekkosearch.mystart.com/TOOLBARNAMESPACE/?source=86adbc52&tbp=rbox&toolbarid=blekkotb_soc&u=20120429A2C64D7BA0AC8A0C73222ED5&q={searchTerms}
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes\{639050A6-4142-476E-80FA-C259708AD7F9}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061&CUI=UN15906891533133182&UM=2
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;<local>
FF - prefs.js..CT3306061.browser.search.defaultthis.engineName: "true"
FF - prefs.js..browser.search.defaultthis.engineName: "Connect DLC 5 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&CUI=UN42652793601729096&UM=2&SearchSource=3&q={searchTerms}"
[2012/04/27 12:14:16 | 000,081,104 | ---- | M] () (No name found) -- C:\Users\tbolyard\AppData\Roaming\mozilla\firefox\profiles\yy1gh2jd.default\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}.xpi
[2011/08/18 10:03:46 | 000,088,908 | ---- | M] () (No name found) -- C:\Users\tbolyard\AppData\Roaming\mozilla\firefox\profiles\yy1gh2jd.default\extensions\{d47a9f51-8281-43fa-f450-f28ef8735e9a}.xpi
[2012/07/23 15:35:51 | 000,702,524 | ---- | M] () (No name found) -- C:\Users\tbolyard\AppData\Roaming\mozilla\firefox\profiles\yy1gh2jd.default\extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi
[2013/11/26 15:23:40 | 000,001,003 | ---- | M] () -- C:\Users\tbolyard\AppData\Roaming\mozilla\firefox\profiles\jnx73x9d.default-1344878952716\searchplugins\conduit.xml
O4 - HKU\.DEFAULT..\RunOnce: [tril_scp] c:\econfig\tril_scp.bat ()
O4 - HKU\S-1-5-18..\RunOnce: [tril_scp] c:\econfig\tril_scp.bat ()
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-19..\RunOnce: [tril_scp] c:\econfig\tril_scp.bat ()
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [tril_scp] c:\econfig\tril_scp.bat ()
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
[2013/12/02 23:34:11 | 000,000,000 | ---D | M] -- C:\Users\tbolyard\AppData\Roaming\SpeedyPC Software
[2013/11/09 15:05:28 | 000,000,000 | ---D | M] -- C:\Users\tbolyard\AppData\Roaming\TaxCut
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean"
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
-
To me it looks like these things need to be fixed.
But please do nothing until someone with more knowledge about OTL confirms it.
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekkosearch.mystart.com/TOOLBARNAMESPACE/?source=86adbc52&tbp=rbox&toolbarid=blekkotb_soc&u=20120429A2C64D7BA0AC8A0C73222ED5&q={searchTerms}
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes\{639050A6-4142-476E-80FA-C259708AD7F9}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061&CUI=UN15906891533133182&UM=2
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&CUI=UN42652793601729096&UM=2&SearchSource=3&q={searchTerms}"
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&SearchSource=2&CUI=UN42652793601729096&UM=2&q="
FF - user.js - File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe File not found
O4 - HKU\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun File not found
O4 - HKU\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun File not found
O4 - HKU\S-1-5-21-138233441-1584739199-929701000-24510..\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe File not found
O4 - HKU\S-1-5-21-138233441-1584739199-929701000-24510..\Run: [Adobe Reader Synchronizer] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AdobeCollabSync.exe" File not found
O4 - HKU\S-1-5-21-138233441-1584739199-929701000-24510..\Run: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} http://support.lenovo.com/Resources/Lenovo/AutoDetect/acpirexe.cab (IASRunner Class)
O16 - DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} https://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab (Reg Error: Key error.)
O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} https://caswism.infra.cinfin.com/auth/CCALogin.CAB (CCAWebLogin Control)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file:///C:/Windows/Java/classes/xmldso.cab (Reg Error: Key error.)
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18 - Protocol\Handler\gopher - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O30 - LSA: Security Packages - (wsauth) - File not found
You would be correct. Most of that is rubbish. Lol, you missed the .DMP file from the Memory. However.
Pondus, it's noon in British Columbia right now
-
I'm behind on responding, sorry.
1) yes, I did crash earlier today. It happened as I was installing Avast!
2) I am in the US (eastern time)
3) the Malwarebytes log was from yesterday, I had hoped that was recent enough. I can re-scan
4) I can uninstall Avast, but not Symantec (corporate controlled). On the other hand, the file quarantining has stopped ever since I installed Avast - should I?
5) Double checking - should I run the OTL Fix now?
-
More properly - which set of commands do you want me to run for the OTL Fix?
-
3. not necessary now
4. never install more than one AV
5. follow essexboy's instructions
-
4) I can uninstall Avast, but not Symantec (corporate controlled). On the other hand, the file quarantining has stopped ever since I installed Avast - should I?
Follow Essex from now on. Solution to that. If you like Avast! more, ask them about getting a subscription to Avast! for your computers.
-
I was not certain if the OTL Fix ran correctly - it appeared that a reboot was supposed to happen automatically, but it never did. Regardless, here is the output from the "quickscan" after the boot (was it really supposed to take over 30 min?)
-
Here are the logs from ADWCleaner
-
OK, I think I followed all the steps suggested, except perhaps for the timing of uninstalling Avast -- I didn't do that until all the other steps were completed because I could not find a method to do so. Finally after a google search, I found the link to the Avast Uninstall Tool, which I had to run in Safe Mode.
I really appreciate all your help on this forum, unfortunately, ScorpionSaver is still showing in my Programs and Features (although SS Services is gone now). And I'm still getting notice from Symantec that it is finding and quarantining files.
Suggestions?
-
It has returned in Firefox so I will use a different analysis tool to check other areas
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please copy and paste log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
-
Here are the FRST files. Thanks again for your help!
-
Download the attached fixlist.txt to the same location as FRST
Run FRST and press fix
A log will be generated on completion please post that
-
Sorry about the delay, I was on the road yesterday. Here is the fixlog file.
-
No problem, is it still appearing? If so, where?
-
Symantec is still capturing and quarantining files in c:\Users\...\AppData\Local\Temp\.
Also, ScorpionSaver still shows up in Control Panel and refuses to uninstall.
-
Try this link here ;
https://forums.malwarebytes.org/index.php?showtopic=138064
I hope this helps !
PS. There seems to be a solution here :
http://www.tomshardware.com/answers/id-1904102/remove-scorpion-saver.html
-
All that remains as far as I can see is the uninstall entry
So the temp file would tend to suggest something else
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
So after running ComboFix (which took nearly an hour, including after the reboot), here is the output log.
BTW, Symantec must have restarted immediately after the reboot, because it started capturing errors even before ComboFix was finished; however, when I looked at its status just before sending this, it shows as "disabled".
-
Hmm, not a great deal there. Are you still getting the alerts? If so, do they occur when you are running a specific programme?
-
Well, maybe we have some success. I rebooted a second time (after my last reply), and finally ScorpionSaver is no longer in my Programs & Features list. I also have had no Symantec notices yet (only been up for five minutes), but it looks hopeful. I'll re-post if there are any further problems, but THANK YOU SO MUCH for all your help!
-
Let me know please and when you are happy I will remove the tools and tidy up
-
Well, it's a new week and the Scorpion has come back with a vengeance - I've logged several hundreds of risk files in Symantec since Friday. (I tried looking at the Risk Log in Endpoint Protection, and it was taking so long for the log to finish populating that I went ahead and sent this note anyway).
What is the next option?
-
Could you run a fresh OTL scan please. Are you synching any files with google drive or the like ?