Merry Christmas to all the terrific gurus at Seven Forums.
JACEE: Thanks for your continuing encouragement.
COTTONBALL: I appreciate your help. Infused with lots of coffee and leftover Christmas Eve Rum Cake for breakfast, I ran System Look this morning per your suggestion and I am attaching the report. I will get to your other suggestion after fetching more java. Again, many thanks!
Gotcha!Since ScorpionSaver uses a service to run, let's also get a list of started services using the Command Prompt...
Please do the following:
Go to Start > All Programs > Accessories > Command Prompt
At the Command Prompt, copy/paste the following text inside the code box, and press: Enter
To copy the text contained/produced in the Command Prompt, click on the small command icon in the top left corner, and then choose:Code:net start
Edit > Select All
Once again, Edit > Copy
Next, open Notepad, and paste the text to it.
Please post the text in your reply.
To close the Command Prompt, use the [X], or type in: exit Press: Enter
It's attached.
Merry, Merry & Happy, Happy!
Merry Christmas, Florida Rene!
Will get back with instructions later today...need some uninterrupted time.
Hope you have a USB pen/flash drive available, if not, an SD Card, since we are going to do some 'surgery' from outside of Windows.
Thanks for your patience.
No...Thanks are due TO YOU!
Yes, I have a flash drive Kingston with 14 GB available. FYI, I am talking to you via my backup machine Xena. It's my main computer, ZIVA, that had the infections. Via LAN, ZIVA can see partition e:\ on XENA (only e:), but XENA can't see any on ZIVA because I'm not yet smart enough to figure out how to do it.
I appreciate all your help, but please take today to be with family and favored friends.
Florida Rene,
Please read the info that follows, so you can have an idea of what you need to do, in the sequence presented. You may also want to print these instructions so you do not have to go back and forth to access them. Do this when you have the time, as it may take a while, and needs done in one attempt.
So, here we go…
On a clean computer:
Please download the Farbar Recovery Scan Tool:
Download > Farbar Recovery Scan Tool Download
This time, save it to the USB flash drive.
Note: You need to select the version of FRST compatible with your system: 64-bit
Still on the clean computer, press the Windows key and the R key at the same time.
At the Run prompt, type in notepad, and press: Enter
Please copy/paste the contents of the code box below into Notepad and save it on the flash drive as: fixlist.txt
Use the Safely Remove icon on the bottom right of the Taskbar to remove the USB flash drive. We will use the drive containing FRST and the fixlist.txt later.Code:start C:\Program Files\ScorpionSaver Services\AdpeakProxy.exe C:\Program Files\ScorpionSaver Services c:\Program Files (x86)\ScorpionSaver C:\MATS\{9B65F9A3-9D24-452A-B6EF-1457D65E4259}\FileBackup\c\Program Files (x86)\ScorpionSaver end
On the problem computer:
Name the file as: scorp.reg
Change the Save as Type to: All Files
Save on the
Keep the scorp.reg on the Desktop, and we will use it later.Code:REGEDIT4 [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\F5D333A8-C748-4686-AE0A-9E008F670C22] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MATS\WindowsInstaller\{9B65F9A3-9D24-452A-B6EF-1457D65E4259} [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders] "c:\Program Files (x86)\ScorpionSaver\"=- [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1C19AC53289098045B06B0DD1D37CBAB] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23D9E9D21B4E77E41B9F50DD22F24E20] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23EEA1F105A7F45449974D9B95E7AC89] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\26982796A8AFD1246B95E00265A95BF9] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\42D92D0D75AFEF74297E03876C8D9D33] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50FFE845C555A6E4BADB7CB7A145BFEB] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7B7B13B037A7C2A42AC3E3EAF14D7107] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7D05B2942E9CC80499F397F6114DFB35] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8591B8948E1C4A04F90505B3CDEE8555] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8D841C5FEC311624CB88D49DB3884FA7] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AD746BF3B3B3FD8409B86604BA85982A] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F355F0DB7A2E3A14B8E7A568FBA25937] [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B65F9A3-9D24-452A-B6EF-1457D65E4259}] [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\services\WinSock2\Parameters\AppId_Catalog\049970F0] [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\services\WinSock2\Parameters\AppId_Catalog\049970F0] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\AppId_Catalog\049970F0] [-HKEY_USERS\.DEFAULT\Software\AppDataLow\Software\Scorpion Saver] [-HKEY_USERS\S-1-5-18\Software\AppDataLow\Software\Scorpion Saver]
Please download the installer for Registry Backup:
Downlaod > Registry Backup Download
Save to the Desktop.
Right-click on tweaking.com_registry_backup_setup.exe and select: Run as Administrator
Follow the prompts for a default installation.
Make sure the following option is selected: Open "Tweaking.com - Registry Backup" When Install Completes
Click: Next > Finish
At the program console, click on: Backup Now
Once the process completes, a notice is displayed as follows:
Successfull / Registry Files Backed Up
Close: Tweaking.com - Registry Backup
If all goes well, there is a folder created at the root of the hard drive named C:\RegBackup
Make sure the folder is there before you proceed!!
Save the downloaded file to the Desktop.
If RKill.exe does not run per instructions below, download and try to run RKill.com:
RKill Download
You only need to get one of the versions of RKill to run.
If your AntiVirus warns you about this tool, ignore the warning, or temporarily disable your AntiVirus.
Right-click on the downloaded RKill file and select: Run as Administrator
A black box briefly flashes and then disappears. This is normal and indicates the tool ran successfully.
After running the tool, do not reboot.
When the scan is done Notepad opens with the RKill report.
Do not reboot!!!!!!
Agree when it prompts you to merge the info into the Registry.
As the computer restarts, tap the F8 key until you get to the Advanced Boot Options menu
Use the arrow keys to select: Repair your computer
From there...
Select your language settings, and click: Next
Select your User account and click: OK (If you did not set a password, leave blank.)
On System Recovery Options, you get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Scan your computer's memory for errors
Command Prompt
Select: Command Prompt
At the Command Prompt window, type in notepad, and press: Enter
When Notepad opens, under the File menu select: Open
Select My Computer and find your flash drive letter, make note of it, and close Notepad.
At the Command Prompt window type x:\frst64 and press: Enter
Note: Replace letter x with the drive letter of your flash drive!!
FRST starts to run.
Accept the disclaimer.
At the program console, press the Fix button, only once, and wait.
When done, a report named fixlog.txt is created on the flash drive.
Click the Command Prompt window, type exit, and press: Enter
Back at System Recovery Options, press: Restart
Thanks!
Also, could you please open SuperAntiSpyware, go to its Control Panel, and look for its Scan Logs.
Please post the Scan Log for the run depicted on Post #110:
Virus Deletion Now Makes Internet Access Impossible
These ol' eyes are not what they use to be...or maybe it was the eggnog! The image was too difficult for me to read!!
Thanks!
Have you tried turning off your computer and your modem and router if you have one. Then turn them back in this order. 1. Modem, wait till all the lights are flashing correctly. 2. Router, same with the lights. 3. Computer.
COTTONBALL: Wow!...Thanks ever so much for all the time and professionalism you have devoted to helping me with this episode. Truly astonishing! I hope to carefully follow your directions today (in-between grandkids), one step at a time, slowly, because I am not nearly the expert that you obviously are.Also, could you please open SuperAntiSpyware, go to its Control Panel, and look for its Scan Logs.
Please post the Scan Log for the run depicted on Post #110:
Virus Deletion Now Makes Internet Access Impossible
These ol' eyes are not what they use to be...or maybe it was the eggnog! The image was too difficult for me to read!!
Thanks!
In the meantime, I went to SuperAntiSpyware and that log no longer exists. I guess it writes new logs over the old ones. So, via SnagIt, I converted the jpg file to a pdf. It is attached. You may have to enlarge it to read it. Let me know if that doesn't work for you and I'll try something else.
CRANKYPENGUIN: Posts by Indiana, Kaktus, Jacee, Golden and others enabled me to successfully get the infected machine back online and that works just fine right now. It's the residue cleanup and assurance that replication is no longer likely that I'm currently concerned with...and to that end, I will focus today on Cottonball's step-by-step procedure.
Cottonball...
I'm up to the ADVANCED BOOT OPTIONS on my problem machine. Everything has gone well, just as you outlined...and the RKill text file is attached.
But...I do NOT have "Repair Your Computer" as an option.
I see these options:
SafeIt's on the screen now and I have not made a selection. Which do I choose?
Safe with Networking
Safe with Command Prompt
Enable Boot Logging
Enable Low-Res Video
Last Known Good Configuration
Directory Services Restore Mode
Debugging Mode
Disable automatic restart on system failure
Disable Driver Signature Enforcement
Start Windows Normally
Last edited by Florida Rene; 26 Dec 2013 at 11:31.
Well, at long last, I figured it out...I think.
I opted for Safe with Command Prompt, and then continued. The fixlog report is attached.
I then rebooted "normally" and SuperAntiSpyware generated the pdf report that I've attached. Also, I updated MalwareBytes and now I'm running it in a full scan mode. I'll report what it unearths.
Quote