3 files named control.exe and removing Scorpion Saver

Laptop: Dell Inspiron 1300, Windows XP SP3
Trying to remove Scorpion Saver and found 3 files named control.exe; they appeared briefly in Task Manager while starting up the computer.

control.exe, folder: i386
control.exe, folder: windows\system32
control.exe, folder: windows\system32\dllcache

All files are signed by Microsoft.

I've run an AV scan (complete) and a Malwarebytes scan (complete), but no viruses or malware show up in the scans.

Jen

http://forum.avast.com/index.php?topic=53253.0

I've run the Avast and Malwarebytes scans again. Nothing was found; however, I am still not able to remove Scorpion Saver through Add/Remove Programs.

We need OTL and aswMBR logs.

Here is OTL.

extras.txt

Hi, let's see what the result of this is.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-450396268-126927664-501062578-1007\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKU\S-1-5-21-450396268-126927664-501062578-1007\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3153924&CUI=UN61525315436021668&UM=2
FF - prefs.js..browser.search.defaultthis.engineName: "Connect DLCS Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3153924&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "Connect DLCS Customized Web Search"
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3153924&SearchSource=13"
FF - prefs.js..extensions.enabledItems: {aad50c91-b136-49d9-8b30-0e8d3ead63d0}:3.21.0.1
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3153924&SearchSource=2&CUI=SB_CUI&UM=UM_ID&q="
[2013/12/30 23:34:42 | 000,000,000 | ---D | M] (Connect DLCS Community Toolbar) -- C:\Documents and Settings\VTXJENNY\Application Data\Mozilla\Firefox\Profiles\4adcnj6d.default\extensions\{aad50c91-b136-49d9-8b30-0e8d3ead63d0}
[2013/12/30 23:37:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\VTXJENNY\Application Data\Mozilla\Firefox\Profiles\t1j26eed.default\extensions\ScorpionSaver@jetpack
[2013/11/21 14:31:22 | 000,000,927 | ---- | M] () -- C:\Documents and Settings\VTXJENNY\Application Data\Mozilla\Firefox\Profiles\4adcnj6d.default\searchplugins\conduit.xml
O3 - HKU\S-1-5-21-450396268-126927664-501062578-1007\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-450396268-126927664-501062578-1007\..\Toolbar\WebBrowser: (no name) - {AAD50C91-B136-49D9-8B30-0E8D3EAD63D0} - No CLSID value found.
O3 - HKU\S-1-5-21-450396268-126927664-501062578-1007\..\Toolbar\WebBrowser: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No CLSID value found.
O4 - HKU\.DEFAULT..\RunOnce: [SpUninstallDeleteDir] rmdir /s /q "C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect" File not found
O4 - HKU\S-1-5-18..\RunOnce: [SpUninstallDeleteDir] rmdir /s /q "C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect" File not found
[2014/01/05 21:06:38 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\VTXJENNY\PrivacIE
[2014/01/05 20:57:50 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\VTXJENNY\IETldCache
[2013/12/30 23:43:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\Connect_DLCS
[2013/12/30 23:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Conduit
[2013/12/30 23:42:57 | 000,000,000 | ---D | C] -- C:\Program Files\Connect_DLCS
[2013/12/30 23:41:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\NativeMessaging
[2013/12/30 23:40:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\SearchProtect
[2013/12/30 23:40:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\cache
[2013/12/30 23:39:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\genienext
[2013/12/30 23:39:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\CRE
[2013/12/30 23:39:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\Conduit
[2013/12/30 23:39:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\My Documents\Mobogenie
[2013/12/30 23:39:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\Mobogenie
[2013/12/30 23:39:47 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2013/12/30 23:38:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VTXJENNY\Local Settings\Application Data\SearchProtect
[2014/01/10 09:19:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CDB
[2013/12/31 07:03:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Conduit

:Commands
[resethosts]
[emptytemp]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double-click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete, click on "Clean".
- Confirm each time with OK.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
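The OTL fix above removes a Firefox search hijack by deleting specific prefs.js entries (search URL, selected engine, homepage, keyword.URL) and an enabled extension ID. As an added example, not part of this thread or of the OTL or AdwCleaner tools, the following Python script reads a prefs.js, parses its user_pref lines, and flags the same kinds of entries so you can audit a profile before and after a clean-up. The sample prefs.js is constructed from the values shown in the OTL log; the trusted-host allowlist, the default engine names, the hijack indicator list and the function names are assumptions for illustration, not a complete signature set.

```python
import re
import sys
from urllib.parse import urlparse

# Constructed sample prefs.js (real prefs.js syntax) modelled on the
# "FF - prefs.js.." entries in the OTL log; two benign prefs added as controls.
SAMPLE_PREFS = r'''# Mozilla User Preferences
user_pref("browser.search.defaultthis.engineName", "Connect DLCS Customized Web Search");
user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3153924&SearchSource=3&q={searchTerms}");
user_pref("browser.search.selectedEngine", "Connect DLCS Customized Web Search");
user_pref("browser.startup.homepage", "http://search.conduit.com/?ctid=CT3153924&SearchSource=13");
user_pref("extensions.enabledItems", "{aad50c91-b136-49d9-8b30-0e8d3ead63d0}:3.21.0.1");
user_pref("keyword.URL", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3153924&SearchSource=2&CUI=SB_CUI&UM=UM_ID&q=");
user_pref("browser.startup.homepage_override.mstone", "24.0");
user_pref("network.cookie.cookieBehavior", 0);
'''

# One user_pref("key", value); per line. Value is a quoted string, bool or int.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Prefs that decide where searches and start-up navigation go.
URL_PREFS = {"browser.search.defaulturl", "browser.startup.homepage", "keyword.URL"}
NAME_PREFS = {"browser.search.selectedEngine",
              "browser.search.defaultthis.engineName",
              "browser.search.defaultenginename"}

# Assumptions (illustrative, not complete): hosts a search pref may legitimately
# point at, engine names Firefox ships with, and IDs taken from the log above.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "duckduckgo.com"}
DEFAULT_ENGINE_NAMES = {"Google", "Bing", "Yahoo", "DuckDuckGo"}
KNOWN_BAD_HOST_SUFFIXES = ("conduit.com",)
KNOWN_BAD_EXTENSION_IDS = {"{aad50c91-b136-49d9-8b30-0e8d3ead63d0}", "ScorpionSaver@jetpack"}


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line in a prefs.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1].replace('\\"', '"')
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw          # leave anything unexpected as-is
        prefs[key] = value
    return prefs


def host_matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (no substring matches)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit_prefs(prefs):
    """Return a list of (pref, reason, value) for entries that look hijacked."""
    findings = []
    for key in sorted(URL_PREFS):
        url = prefs.get(key)
        if not isinstance(url, str):
            continue
        host = (urlparse(url).hostname or "").lower()
        if host_matches(host, KNOWN_BAD_HOST_SUFFIXES):
            findings.append((key, "known search-hijack host", host))
        elif host not in TRUSTED_SEARCH_HOSTS:
            findings.append((key, "search/homepage host not on allowlist", host))
    for key in sorted(NAME_PREFS):
        name = prefs.get(key)
        if isinstance(name, str) and name not in DEFAULT_ENGINE_NAMES:
            findings.append((key, "non-default search engine selected", name))
    enabled = prefs.get("extensions.enabledItems")
    if isinstance(enabled, str):
        # Format is "id:version,id:version"; the ID never contains a colon.
        for item in enabled.split(","):
            ext_id = item.rsplit(":", 1)[0].strip()
            if ext_id in KNOWN_BAD_EXTENSION_IDS:
                findings.append(("extensions.enabledItems", "known unwanted extension", ext_id))
    return findings


if __name__ == "__main__":
    # Usage: python audit_prefs.py [path\to\profile\prefs.js]; no path = sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_PREFS
    for pref, reason, value in audit_prefs(parse_prefs(text)):
        print(f"{pref}: {reason}: {value}")
```

Run it against each profile's prefs.js (the log shows two profiles, 4adcnj6d.default and t1j26eed.default, so check both). A profile that still shows a conduit.com host or the toolbar extension ID after the OTL fix and AdwCleaner has not been fully cleaned; a hit on "host not on allowlist" only means the user's chosen search page is not in the short trusted list and needs a human look.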

Sorry I am so slow, but all of this is unfamiliar.
My computer hung while running the fix.
I am writing this from my other computer,
and have not tried to reboot the other one.
Please tell me what I should do.

Stop OTL.
Temporarily uninstall MBAM and then run the OTL fix again, please.

Sorry, I am having problems with the laptop.
I will post it as soon as I can get it up and running.

OK,
finally have the scan.

AdwCleaner should clear the residue; let me know how the computer is behaving when it has completed.

OK, it is running now, and already running better.

I have questions...

  1. If I have other drives on my network, will they be infected with the same thing?
  2. Should I delete backups of the infected computer and make new backups?
  3. Why didn't the AV and malware scans find this infection?

Problem...
AppName: aswmbr.exe AppVer: 0.9.9.1771 ModName: ntdll.dll
ModVer: 5.1.2600.6055 Offset: 000192f9

C:\DOCUME~1\VTXJENNY\LOCALS~1\Temp\2dc_appcompat.txt

I could not copy all of the error message, and when I sent it to MS, aswMBR.exe closed.

aswMBR is not needed, and it does sometimes fail to run for no apparent reason, so it is not a problem.

1. If I have other drives on my network, will they be infected with the same thing? 2. Should I delete backups of the infected computer and make new backups? 3. Why didn't the AV and malware scans find this infection?
  1. Very unlikely.
  2. It would be prudent to do that.
  3. These are not viruses as such but potentially unwanted programmes (PUPs). New ones are released almost daily, so it is hard to keep up. Avast only checks for PUPs on a boot scan or unless specifically checked. Putting the system into Hardened mode: Aggressive will block most of them.

Have you run AdwCleaner yet?

I am running it again; hope it doesn't crash again.

It crashed again, at the same place. Is there somewhere on my computer that a copy of the report sent to MS is kept, so I can send you a copy of it? There are 55 .dll files listed, and a bunch of other stuff.

I am running chkdsk to see if there are errors
on the disk, and will try to run aswMBR.exe again.

I have tried to run AdwCleaner.exe at least 4 times. I did the chkdsk, disconnected from the internet, turned off Avast and turned off the Avast service, but it would still crash at the same spot.

I saved the log file, but I see that it is empty.