Need help removing Scorpion Saver Malware

I’ve been fighting with malware for a couple weeks on my Windows 7 laptop. The (corporate issued) Symantec Endpoint Protection has been notifying me repeatedly (sometimes a couple times a minute) that an “Adware.BL” risk has been identified, always in a file with a name like “DWH****.tmp”, and always located in the …\AppData\Local\Temp folder. The files get analyzed and quarantined, but I continue to get notified.

Doing some research, it appears that this may be caused by ScorpionSaver. I find in my Programs and Features section of the Control Panel, that two programs, ScorpionSaver and ScorpionSaver Services are installed, but when I try to uninstall them, I get the message: The feature you are trying to use is on a network resource that is unavailable. It is trying to search the c:\temp\ folder for either the file named “InstallServices64.msi” (for ScorpionSaver Services) or “t.msi” (for Scorpion Saver), and will not allow me to remove either program. I’ve searched my files for anything called “scorpion”, or similar, without luck.

I found this listing on the forum from a few months ago:
http://forum.avast.com/index.php?topic=144530.30

I’m hoping someone can help me. Thanks!

http://forum.avast.com/index.php?topic=53253.0

this is done in the [b]viruses and worms[/b] forum section

at top in that forum section you find a Logs to assist in cleaning malware guide, follow it and attach Malwarebytes and OTL logs

and here is the Malwarebytes log

It looks like the OTL logs did not post earlier

Also, thanks in advance for your help, and sorry that I didn’t find the right Forum topic earlier. Do I need to do something to move this thread to the right topic?

Do I need to do something to move this thread to the right topic?
you should have started a new thread in the viruses and worms section and attached logs there....as said in the guide

but now we continue here :wink:
malware experts are notified…they should be online soon and assist you

No, I can have someone come here.

Just a question though. Did you crash recently (Last Month)?

[2014/03/04 09:18:37 | 985,170,680 | ---- | M] () – C:\Windows\MEMORY.DMP

Also, any reason for the VMWare software on your PC? (Virtual Machines)?

Edit: Pondus has notified someone for you. Also, if you have crashed recently, the log might be helpful if they ask for it.

your Malwarebytes log is from yesterday?
update Malwarebytes and run quick scan…

or maybe you are located in US ;D sorry

No, that log is from yesterday. Do run a quick scan.

according to this …he is in yesterday ;D

http://www.timeanddate.no/tidssoner/tidsforskjell-resultat?iso=20140304T00&p1=2566&p2=77

To me it looks like these things need to be fixed.
But please do nothing until someone with more knowledge about OTL confirms it.

IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekkosearch.mystart.com/TOOLBARNAMESPACE/?source=86adbc52&tbp=rbox&toolbarid=blekkotb_soc&u=20120429A2C64D7BA0AC8A0C73222ED5&q={searchTerms}
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes\{639050A6-4142-476E-80FA-C259708AD7F9}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061&CUI=UN15906891533133182&UM=2
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&CUI=UN42652793601729096&UM=2&SearchSource=3&q={searchTerms}"
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&SearchSource=2&CUI=UN42652793601729096&UM=2&q="
FF - user.js - File not found
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe File not found
O4 - HKU\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun File not found
O4 - HKU\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun File not found
O4 - HKU\S-1-5-21-138233441-1584739199-929701000-24510..\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe File not found
O4 - HKU\S-1-5-21-138233441-1584739199-929701000-24510..\Run: [Adobe Reader Synchronizer] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AdobeCollabSync.exe" File not found
O4 - HKU\S-1-5-21-138233441-1584739199-929701000-24510..\Run: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O8:[b]64bit:[/b] - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} http://support.lenovo.com/Resources/Lenovo/AutoDetect/acpirexe.cab (IASRunner Class)
O16 - DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} https://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab (Reg Error: Key error.)
O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} https://caswism.infra.cinfin.com/auth/CCALogin.CAB (CCAWebLogin Control)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}  (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file:///C:/Windows/Java/classes/xmldso.cab (Reg Error: Key error.)
O18:[b]64bit:[/b] - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
O18 - Protocol\Handler\gopher - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\msdaipp - No CLSID value found
O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O30 - LSA: Security Packages - (wsauth) -  File not found

Hi there, it appears that this may be a second tab opening, is that correct?

You will need to uninstall either Avast or Norton, as two AVs is not good

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekkosearch.mystart.com/TOOLBARNAMESPACE/?source=86adbc52&tbp=rbox&toolbarid=blekkotb_soc&u=20120429A2C64D7BA0AC8A0C73222ED5&q={searchTerms}
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes\{639050A6-4142-476E-80FA-C259708AD7F9}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061&CUI=UN15906891533133182&UM=2
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;<local>
FF - prefs.js..CT3306061.browser.search.defaultthis.engineName: "true"
FF - prefs.js..browser.search.defaultthis.engineName: "Connect DLC 5 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&CUI=UN42652793601729096&UM=2&SearchSource=3&q={searchTerms}"
[2012/04/27 12:14:16 | 000,081,104 | ---- | M] () (No name found) -- C:\Users\tbolyard\AppData\Roaming\mozilla\firefox\profiles\yy1gh2jd.default\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}.xpi
[2011/08/18 10:03:46 | 000,088,908 | ---- | M] () (No name found) -- C:\Users\tbolyard\AppData\Roaming\mozilla\firefox\profiles\yy1gh2jd.default\extensions\{d47a9f51-8281-43fa-f450-f28ef8735e9a}.xpi
[2012/07/23 15:35:51 | 000,702,524 | ---- | M] () (No name found) -- C:\Users\tbolyard\AppData\Roaming\mozilla\firefox\profiles\yy1gh2jd.default\extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi
[2013/11/26 15:23:40 | 000,001,003 | ---- | M] () -- C:\Users\tbolyard\AppData\Roaming\mozilla\firefox\profiles\jnx73x9d.default-1344878952716\searchplugins\conduit.xml
O4 - HKU\.DEFAULT..\RunOnce: [tril_scp] c:\econfig\tril_scp.bat ()
O4 - HKU\S-1-5-18..\RunOnce: [tril_scp] c:\econfig\tril_scp.bat ()
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-19..\RunOnce: [tril_scp] c:\econfig\tril_scp.bat ()
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [tril_scp] c:\econfig\tril_scp.bat ()
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
[2013/12/02 23:34:11 | 000,000,000 | ---D | M] -- C:\Users\tbolyard\AppData\Roaming\SpeedyPC Software
[2013/11/09 15:05:28 | 000,000,000 | ---D | M] -- C:\Users\tbolyard\AppData\Roaming\TaxCut

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete, click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.
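The OTL excerpt posted earlier and the fix script above both hinge on recognising a few kinds of log entries: search scopes pointing at third-party search services, a ProxyOverride value referencing a loopback port, Run/RunOnce entries whose target is missing or is a batch script, and ActiveX (DPF) controls fetched over plain HTTP. The triage script below is an added example and is not part of this thread, of OTL, or of the helper's fix; it parses OTL-style lines (the sample lines are constructed from the entries quoted in this thread) and sorts them by severity so a reviewer can see what deserves attention first. The trusted search-host list and the severity levels are assumptions to adjust for your own environment.

```python
import re
from urllib.parse import urlparse

# Constructed sample: OTL-style lines modelled on the entries quoted in this thread.
SAMPLE_LOG = r'''
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\..\SearchScopes\{639050A6-4142-476E-80FA-C259708AD7F9}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061&CUI=UN15906891533133182&UM=2
IE - HKU\S-1-5-21-138233441-1584739199-929701000-24510\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;<local>
O4 - HKLM..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe File not found
O4 - HKU\S-1-5-18..\RunOnce: [tril_scp] c:\econfig\tril_scp.bat ()
O4 - HKLM..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
'''

# Assumption: hosts a search scope may legitimately point at; extend for your environment.
TRUSTED_SEARCH_HOSTS = {"www.bing.com", "www.google.com", "search.yahoo.com"}
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

O4_RE = re.compile(r'^O4 - (\S+?)\.\.\\(Run\w*): \[([^\]]*)\] (.*)$')
O16_RE = re.compile(r'^O16 - DPF: \{[0-9A-Fa-f-]+\} (\S+)')
SEARCHSCOPE_RE = re.compile(r'SearchScopes\\\{[0-9A-Fa-f-]+\}: "URL" = (\S+)')
PROXY_RE = re.compile(r'"(ProxyServer|ProxyOverride|AutoConfigURL)" = (.+)$')


def classify(line):
    """Return (severity, category, detail) for one OTL line, or None if it needs no attention."""
    m = O4_RE.match(line)
    if m:
        hive, key, name, rest = m.groups()
        where = f"{hive}\\{key} [{name}]"
        if rest.endswith("File not found"):
            # Orphaned autostart: nothing runs, but the entry is clutter worth removing.
            return ("low", "orphaned-autostart", f"{where}: target no longer exists")
        # Drop OTL's trailing "(company)" annotation, then strip surrounding quotes.
        target = re.sub(r'\s*\([^)]*\)\s*$', '', rest).strip().strip('"')
        if target.lower().endswith(SCRIPT_EXT):
            return ("medium", "script-autostart", f"{where}: runs script {target}")
        return ("info", "autostart", f"{where}: {target}")
    m = O16_RE.match(line)
    if m:
        parsed = urlparse(m.group(1))
        if parsed.scheme != "https":
            return ("medium", "activex-insecure-source",
                    f"ActiveX control fetched over {parsed.scheme or 'unknown'} from {parsed.netloc or m.group(1)}")
        return ("info", "activex", f"ActiveX control from {parsed.netloc}")
    m = SEARCHSCOPE_RE.search(line)
    if m:
        host = urlparse(m.group(1)).hostname or ""
        if host not in TRUSTED_SEARCH_HOSTS:
            return ("high", "search-hijack", f"search scope points at {host}")
        return None
    m = PROXY_RE.search(line)
    if m:
        setting, value = m.groups()
        loopback = "127.0.0.1" in value or "localhost" in value.lower()
        note = " (references a loopback listener; identify the local process on that port)" if loopback else ""
        return ("medium", "proxy-setting", f"{setting} = {value}{note}")
    return None


def triage(log_text):
    """Classify every line of an OTL log and return findings ordered by severity, then line number."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        result = classify(line)
        if result:
            severity, category, detail = result
            findings.append({"line": lineno, "severity": severity,
                             "category": category, "detail": detail})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["line"]))
    return findings


def summary(findings):
    """Count findings per category."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['category']:<24} line {f['line']}: {f['detail']}")
```

The script only reads the log; removal is still a decision for whoever reviews the machine, which is why the "File not found" entries are rated low (harmless clutter) while an unknown search provider is rated high. The pattern for O4 entries is a first-pass heuristic: a script path followed by arguments will not match the extension check, so widen it if your logs carry such entries.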

You would be correct. Most of that is rubbish. Lol, you missed the .DMP file from the Memory. However.

Pondus, it’s noon in British Columbia right now

I’m behind on responding, sorry.

  1. yes, I did crash earlier today. It happened as I was installing Avast!
  2. I am in the US (eastern time)
  3. the Malwarebytes log was from yesterday, I had hoped that was recent enough. I can re-scan
  4. I can uninstall Avast, but not Symantec (corporate controlled). On the other hand, the file quarantining has stopped ever since I installed Avast - should I?
  5. Double checking - should I run the OTL Fix now?

More properly - which set of commands do you want me to run for the OTL Fix?

  1. not necessary now
  2. never install more than one AV
  3. follow essexboy's instructions

Follow Essex from now on. Solution to that. If you like Avast! more, ask them about getting a subscription to Avast! for your computers.

I was not certain if the OTL Fix ran correctly - it appeared that a reboot was supposed to happen automatically, but it never did. Regardless, here is the output from the “quickscan” after the boot (was it really supposed to take over 30 min?)

Here are the logs from ADWCleaner