Author Topic: 3 files named control.exe and remove scorpian saver


redboots
3 files named control.exe and remove scorpian saver
« on: January 10, 2014, 06:13:26 PM »
Laptop: Dell Inspiron 1300, WinXP SP3.
Trying to remove Scorpion Saver and found 3 files named control.exe; they appeared briefly in Task Manager while starting up the computer.

control.exe  (folder: i386)
control.exe  (folder: windows\system32)
control.exe  (folder: windows\system32\dllcache)

All files are signed by Microsoft.

I've run an AV scan (complete) and a Malwarebytes scan (complete), but no viruses or malware show up in the scans.

Jen
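
The first post's question, whether three signed copies of control.exe are a problem, is not answered anywhere in the thread, so here is the check a responder would normally run. On Windows XP a Microsoft binary legitimately lives in %WINDIR%\system32 (the live copy), %WINDIR%\system32\dllcache (the Windows File Protection cache) and the i386 folder (the installation source, when it was copied to disk), so three copies is expected. What is worth checking is whether the copies are byte-identical. The Python below is an added example, not code from the thread or from any tool named in it; the three paths in the `__main__` block are assumed from the folders the poster listed (C:\i386 is a guess at the full path), and the script only hashes files, it does not verify Authenticode signatures.

```python
"""Group copies of one executable by SHA-256 so a planted look-alike in one
location stands out.  Added example; not part of the forum thread.
"""
import hashlib
import os
from collections import defaultdict


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def group_copies(digests):
    """digests maps path -> hex digest, or None for a missing file.

    Returns (consistent, groups): groups maps digest -> [paths] (missing
    files land under the key None) and consistent is True when every file
    that exists hashed the same.  Missing copies are common (the i386
    folder is not on every XP install) and are reported, not treated as
    an error.
    """
    groups = defaultdict(list)
    for path, digest in digests.items():
        groups[digest].append(path)
    present = [d for d in groups if d is not None]
    return len(present) == 1, dict(groups)


def compare_copies(paths):
    """Hash each existing path and group them; see group_copies."""
    return group_copies(
        {p: (sha256_of(p) if os.path.isfile(p) else None) for p in paths}
    )


def format_report(consistent, groups):
    """Render the grouping as one line per copy plus a verdict line."""
    lines = []
    for digest, members in groups.items():
        label = "MISSING          " if digest is None else digest[:16] + "..."
        for m in members:
            lines.append(f"{label}  {m}")
    lines.append("all present copies identical" if consistent
                 else "COPIES DIFFER - inspect versions and signatures")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed full paths for the three folders named in the first post.
    targets = [
        r"C:\WINDOWS\system32\control.exe",
        r"C:\WINDOWS\system32\dllcache\control.exe",
        r"C:\i386\control.exe",
    ]
    print(format_report(*compare_copies(targets)))
```

Identical hashes across system32 and dllcache are the normal state; a mismatch against the i386 copy can simply mean the live file was updated by a service pack or hotfix after installation, so check the file version and signature (for example with Sysinternals sigcheck) before reading anything into it. A valid Microsoft signature, as the poster already saw, is the stronger evidence that the files are genuine.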


redboots
Re: 3 files named control.exe and remove scorpian saver
« Reply #2 on: January 10, 2014, 08:37:47 PM »
I've run Avast AV and Malwarebytes scans again. Nothing was found; however, I am still not able to remove Scorpion Saver through Add/Remove Programs.

Pondus
Re: 3 files named control.exe and remove scorpian saver
« Reply #3 on: January 10, 2014, 08:44:12 PM »
We need OTL and aswMBR logs.


redboots
Re: 3 files named control.exe and remove scorpian saver
« Reply #4 on: January 10, 2014, 09:22:15 PM »
Here is the OTL log.

redboots
Re: 3 files named control.exe and remove scorpian saver
« Reply #5 on: January 10, 2014, 09:26:24 PM »
extras.txt

essexboy
Re: 3 files named control.exe and remove scorpian saver
« Reply #6 on: January 10, 2014, 09:38:16 PM »
Hi, let's see what the result of this is :)

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-450396268-126927664-501062578-1007\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKU\S-1-5-21-450396268-126927664-501062578-1007\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3153924&CUI=UN61525315436021668&UM=2
FF - prefs.js..browser.search.defaultthis.engineName: "Connect DLCS Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3153924&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "Connect DLCS Customized Web Search"
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3153924&SearchSource=13"
FF - prefs.js..extensions.enabledItems: {aad50c91-b136-49d9-8b30-0e8d3ead63d0}:3.21.0.1
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3153924&SearchSource=2&CUI=SB_CUI&UM=UM_ID&q="
[2013/12/30 23:34:42 | 000,000,000 | ---D | M] (Connect DLCS Community Toolbar) -- C:\Documents and Settings\VTXJENNY\Application Data\Mozilla\Firefox\Profiles\4adcnj6d.default\extensions\{aad50c91-b136-49d9-8b30-0e8d3ead63d0}
[2013/12/30 23:37:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\VTXJENNY\Application Data\Mozilla\Firefox\Profiles\t1j26eed.default\extensions\ScorpionSaver@jetpack
[2013/11/21 14:31:22 | 000,000,927 | ---- | M] () -- C:\Documents and Settings\VTXJENNY\Application Data\Mozilla\Firefox\Profiles\4adcnj6d.default\searchplugins\conduit.xml
O3 - HKU\S-1-5-21-450396268-126927664-501062578-1007\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-450396268-126927664-501062578-1007\..\Toolbar\WebBrowser: (no name) - {AAD50C91-B136-49D9-8B30-0E8D3EAD63D0} - No CLSID value found.
O3 - HKU\S-1-5-21-450396268-126927664-501062578-1007\..\Toolbar\WebBrowser: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No CLSID value found.
O4 - HKU\.DEFAULT..\RunOnce: [SpUninstallDeleteDir] rmdir /s /q "C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect" File not found
O4 - HKU\S-1-5-18..\RunOnce: [SpUninstallDeleteDir] rmdir /s /q "C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect" File not found
[2014/01/05 21:06:38 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\VTXJENNY\PrivacIE
[2014/01/05 20:57:50 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\VTXJENNY\IETldCache
[2013/12/30 23:43:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\Connect_DLCS
[2013/12/30 23:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Conduit
[2013/12/30 23:42:57 | 000,000,000 | ---D | C] -- C:\Program Files\Connect_DLCS
[2013/12/30 23:41:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\NativeMessaging
[2013/12/30 23:40:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\SearchProtect
[2013/12/30 23:40:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\cache
[2013/12/30 23:39:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\genienext
[2013/12/30 23:39:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\CRE
[2013/12/30 23:39:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\Conduit
[2013/12/30 23:39:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\My Documents\Mobogenie
[2013/12/30 23:39:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\Mobogenie
[2013/12/30 23:39:47 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2013/12/30 23:38:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\SearchProtect
[2014/01/10 09:19:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CDB
[2013/12/31 07:03:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Conduit

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
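
The OTL fix above is a script of deletions, and essexboy's warning that it applies to this machine only is the point: every line names a specific profile path, SID or browser setting. Before running a fix like this, a reviewer wants to see which lines target recognisable adware residue (Conduit, SearchProtect, ScorpionSaver, Connect_DLCS, Mobogenie) and which do not, and whether any file line reaches into the Windows directory. The Python below is an added example, not part of the thread and not OTL's own code; its regular expressions are inferred from the line shapes visible in the fix and are an assumption about OTL's format, the marker list is built from names that appear in the fix, and `SAMPLE_FIX` is a constructed subset of those lines.

```python
"""Parse an OTL fix script and surface the lines a reviewer should look at.
Added example; regexes are inferred from the fix's visible line shapes.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "[date time | size | attrs | C|M] (name) -- path"   (name part optional)
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<flag>[CM])\](?: \((?P<name>[^)]*)\))? -- (?P<path>.+)$"
)
# Browser / registry lines: "IE - ...", "FF - ...", "O3 - ...", "O4 - ..."
SETTING_RE = re.compile(r"^(?P<kind>IE|FF|O\d+) - (?P<body>.+)$")

# Adware markers taken from names in the fix; matched case-insensitively.
INDICATORS = ("conduit", "searchprotect", "scorpionsaver", "connect_dlcs",
              "connect dlcs", "mobogenie", "genienext")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\winnt\\")


@dataclass
class Entry:
    section: str
    kind: str                        # "file", "setting", "command", "unknown"
    target: str                      # path for files, whole line otherwise
    flag: Optional[str] = None       # "C" (created) / "M" (modified) on file lines
    indicator: Optional[str] = None  # first adware marker found, if any
    system_path: bool = False        # file line that points under %WINDIR%


def match_indicator(text: str) -> Optional[str]:
    low = text.lower()
    return next((i for i in INDICATORS if i in low), None)


def parse_fix(script: str):
    """Split an OTL fix into entries, tracking the :Commands / :OTL sections."""
    entries, section = [], "none"
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            section = line[1:].lower()
            continue
        if section == "commands":
            entries.append(Entry(section, "command", line))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
            entries.append(Entry(section, "file", path, m.group("flag"),
                                 match_indicator(path + " " + (m.group("name") or "")),
                                 path.lower().startswith(SYSTEM_PREFIXES)))
            continue
        m = SETTING_RE.match(line)
        if m:
            entries.append(Entry(section, "setting", line, None, match_indicator(line)))
            continue
        entries.append(Entry(section, "unknown", line))
    return entries


def review(entries):
    """File deletions that reach under the Windows directory or that match no
    known adware marker: a prompt to look, not a verdict."""
    return [e for e in entries
            if e.kind == "file" and (e.system_path or e.indicator is None)]


def summarize(entries):
    counts = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


# Constructed subset of the fix in the thread (same line shapes).
SAMPLE_FIX = r"""
:Commands
[CREATERESTOREPOINT]

:OTL
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3153924&SearchSource=3&q={searchTerms}"
[2013/12/30 23:37:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\VTXJENNY\Application Data\Mozilla\Firefox\Profiles\t1j26eed.default\extensions\ScorpionSaver@jetpack
O3 - HKU\S-1-5-21-450396268-126927664-501062578-1007\..\Toolbar\WebBrowser: (no name) - {AAD50C91-B136-49D9-8B30-0E8D3EAD63D0} - No CLSID value found.
O4 - HKU\S-1-5-18..\RunOnce: [SpUninstallDeleteDir] rmdir /s /q "C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect" File not found
[2014/01/05 21:06:38 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\VTXJENNY\PrivacIE
[2013/12/30 23:42:57 | 000,000,000 | ---D | C] -- C:\Program Files\Connect_DLCS
[2013/12/30 23:40:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\SearchProtect
[2014/01/10 09:19:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CDB

:Commands
[resethosts]
[emptytemp]
[Reboot]
"""

if __name__ == "__main__":
    parsed = parse_fix(SAMPLE_FIX)
    print(summarize(parsed))
    for e in review(parsed):
        print("REVIEW:", e.target)
```

On the constructed sample the review list is the PrivacIE and CDB folders, the two file lines whose names are not an obvious adware marker; OTL fixes routinely clear such folders, so the output is a reading list, not an accusation. The O4 RunOnce lines mention a path under C:\WINDOWS, but they are parsed as settings (OTL removes the registry value, it does not delete that path), so they are deliberately not flagged as system-path deletions.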

redboots
Re: 3 files named control.exe and remove scorpian saver
« Reply #7 on: January 10, 2014, 10:08:49 PM »
Sorry I am so slow, but all of this is unfamiliar.
My computer hung up while running the fix.
I am writing this from my other computer,
and have not tried to reboot the other one.
Please tell me what I should do.

essexboy
Re: 3 files named control.exe and remove scorpian saver
« Reply #8 on: January 10, 2014, 10:53:52 PM »
Stop OTL.
Temporarily uninstall MBAM and then run the OTL fix again, please.

redboots
Re: 3 files named control.exe and remove scorpian saver
« Reply #9 on: January 10, 2014, 11:09:05 PM »
Sorry, I am having problems with the laptop.
I will post it as soon as I can get it up and running.

redboots
Re: 3 files named control.exe and remove scorpian saver
« Reply #10 on: January 10, 2014, 11:36:11 PM »
OK, finally have the scan.

essexboy
Re: 3 files named control.exe and remove scorpian saver
« Reply #11 on: January 10, 2014, 11:41:38 PM »
AdwCleaner should clear the residue; let me know how the computer is behaving when it has completed.

redboots
Re: 3 files named control.exe and remove scorpian saver
« Reply #12 on: January 10, 2014, 11:51:49 PM »
OK, it is running now, and already running better.

I have questions....
1. If I have other drives on my network, will they be infected with the same thing?
2. Should I delete backups of the infected computer and make new backups?
3. Why didn't the AV and malware scans find this infection?


redboots
Re: 3 files named control.exe and remove scorpian saver
« Reply #13 on: January 11, 2014, 12:03:36 AM »
Problem....
AppName: aswmbr.exe    AppVer: 0.9.9.1771    ModName: ntdll.dll
ModVer: 5.1.2600.6055    Offset: 000192f9

C:\DOCUME~1\VTXJENNY\LOCALS~1\Temp\2dc_appcompat.txt


redboots
Re: 3 files named control.exe and remove scorpian saver
« Reply #14 on: January 11, 2014, 12:07:26 AM »
I could not copy all of the error message, and when I sent it to MS, aswmbr.exe closed.