Virus hampering boot on Windows Vista

Solved/Closed
Posts
37
Registration date
Thursday March 27, 2014
Status
Member
Last seen
April 15, 2014
-
Posts
13334
Registration date
Saturday January 29, 2011
Status
Security contributor
Last seen
December 24, 2016
-
My laptop running Windows Vista opens to a gray screen with the words Microsoft Windows Vista at the top and Memory Diagnostic Tool at the bottom. The Memory Diagnostic Tool said no errors. Ran the diagnostic on the F12 key -- said no problem. Ran Avast antivirus -- found nothing. The only way to open the computer is to select Microsoft Windows Vista, press Enter and wait through numerous beeps. I got instructions from Ambucias to download ZHPDiag2, start a new topic in virus-security and send the URL from the test.

download link http://speedy.sh/rqd5z/ZHPDiag.txt


I hope this is what you need. It still installed with mostly French so I had to guess a little.

103 replies

Hello,

OK, so, when you remove the folder of Speed Cleaner, it reappears just after a reboot of the computer?

Gabriel.
I replied to this question, but when I hit submit, it was not accepted. Sorry if you get two replies.

Actually, SearchProtect reappeared.

Speed Cleaner does not run as it used to. I only found these indications of it in the Quarantine section of ZHP when I ran a search:

1. Speed Cleaner. DIR

2. Speed Cleaner.exe.config

Under #1 are all the files I deleted manually a few days ago. Shall I eliminate these files?

Could Speed Cleaner be buried in the registry? If so, where should I look?
Hello,

OK, two possibilities:

- A planified task reintalle the programs after their removal.

- A protection (such as Avast) prevents the suppression.

Run ZHPDiag again; we will see the planified tasks.
Otherwise, I will give you another tool which may solve the problem.

Gabriel.
I don't know the meaning of planified task. Is reintalle part of planified task or is it another word?
When I run ZHP, do I disable Avast?
This was run with Avast enabled. I got two reports on Note Pad. Between them there was an error message in French. I couldn't get it copied before it went off. All I got was -- Violation d'acces a'--. I did not get the rest of it and I don't know how to put the accent marks in. Sorry, I am not familiar with French.

http://speedy.sh/6DkSn/ZHPDiagapril-26-first-run.txt

http://speedy.sh/mvtCN/ZHPDiagapril-26-second-run.txt

I clicked on Full Options. Am I supposed to click on Search?
You probably don't need it, but I ran ZHP with Avast disabled and got this:
http://speedy.sh/M4VtA/ZHPDiagapril26-avast-disabled.txt
Hello,

OK it's better. :)

Please run Shortcut_Module again, as last time: https://ccm.net/forum/affich-746882-virus-hampering-boot-on-windows-vista#15

Verify it is up to date after running it.

Gabriel.
I can't get Shortcut_Module to run. I tried to download it again. I was unable to install it. It just ran. I watched it run. It said there were several viruses and then it reported them to Google. I did not tell it to do that.

Should I install what I have left from the first time we used Shortcut_Module? There is no exe file to run. There is a quarantine file and a file with the DLLs in it.

Nothing like you said to look for.

What shall I do now?
Hi,

There is no report at the root of the C: drive?

Gabriel.
No. I tried to delete the app and then download it again. I got most of it off. All that is left is a protect_module. It will not let me delete it as an admin. I did check task manager and it is running under processes.

Is it safe for me to stop the process?

What am I doing wrong?
It's strange.

You ran Shortcut_Module and clicked on Clean?

Gabriel.
Yes. I am positive I did that. What was unusual was that I could not install it on the desktop like you said. It looked like it was "floating" on top of the desktop.
OK. I found this file, but it does not say what I saw after the first run and it does not look like you said it should:
http://speedy.sh/EwbF9/Shortcut-Module.txt
Hello,

OK, and do you remember if it worked properly, till the end?

Gabriel.
I don't know. I have only used Shortcut_Module three times. I can tell you it worked differently the times I ran it yesterday than the first time you had me run it. That time I was able to find the report and there was nothing about submitting the "viruses" to Google.
This may be the report you need. It has the right date.

http://speedy.sh/GE8SH/Shortcut-Module-28-04-2014-18-20-19.txt
Something has happened and I don't know what. Avast said it blocked an infection: URL : MAL
URL h_d_khb09w com_xuiow_?g was the message.

When I click on Google Chrome, I get Bing. I have never used Bing.

Something is wrong. Can you help?
Hello,

It's very strange, because the title of the report is the right one, but it's not a Shortcut_Module report...

Run ZHPDiag again; we will see if Bing is there and if Speed Cleaner is still there.

Gabriel.
I am sending everything ZHP gave me. Some may be the same but I am taking no chances. Here is what I got.

http://speedy.sh/gKuAd/TestsZHPDiag.txt

http://speedy.sh/jVQKE/ZHPADSReport.txt

http://speedy.sh/bdyVM/ZHPDiag.txt

http://speedy.sh/GEBdH/ZHPDiagmay-1-first-run.txt

http://speedy.sh/RMrEU/ZHPDiagMay-1-second-run.txt

Avast was disabled.
I never mentioned this but after the Dell splash screen the next screen is titled Windows Boot Manager. You may have known that anyway.

I cannot believe I never noticed this, as I stared at that screen for such long times, but neither can I believe that it just appeared yesterday, so I just don't know. But the title is now Windows Boot Manager, followed by Microsoft Windows Vista and Memory Diagnostics as choices. I get to Vista by selecting the first one and pressing Enter.

Sorry for the omission.
By the way, Speed Cleaner is on the machine. I can delete it manually, but it reappears.
Hello,

OK, two things.

1/ Run ZHPFix again with these lines and post the report:

Script ZHPFix
O2 - BHO: RrSavings - {10AD2C61-0898-4348-8600-14A342F22AC3} . (...) -- C:\Program Files\Rr Savings\RrSavings.dll
O23 - Service: yewimmxqbs32 (yewimmxqbs32) . (...) - C:\Program Files\002\yewimmxqbs32.exe
O42 - Logiciel: RrSavings - (.RrSavings.) [HKLM] -- {3566FB70-E722-4182-8266-815EAE862998}
[HKCU\Software\RrSavings]
[HKLM\Software\LevelQualityWatcher]
O43 - CFD: 4/17/2014 - 10:05:36 PM - [0.517] ----D C:\Program Files\002
O43 - CFD: 4/30/2014 - 10:46:57 AM - [2.892] ----D C:\Program Files\Rr Savings
O43 - CFD: 4/30/2014 - 10:47:46 AM - [1.280] ----D C:\Program Files\RrFilter
O43 - CFD: 11/7/2013 - 2:33:49 PM - [1.300] ----D C:\ProgramData\SpyAlert
O90 - PUC: "07BF6653227E2814286618E5EA689289" . (.RrSavings.) -- c:\Windows\Installer\{3566FB70-E722-4182-8266-815EAE862998}\icon64.ico
[HKLM\Software\LevelQualityWatcher]
O2 - BHO: RrSavings - {10AD2C61-0898-4348-8600-14A342F22AC3} . (...) -- C:\Program Files\Rr Savings\RrSavings.dll
O23 - Service: yewimmxqbs32 (yewimmxqbs32) . (...) - C:\Program Files\002\yewimmxqbs32.exe
O42 - Logiciel: RrSavings - (.RrSavings.) [HKLM] -- {3566FB70-E722-4182-8266-815EAE862998}
[HKCU\Software\RrSavings]
[HKLM\Software\LevelQualityWatcher]
O43 - CFD: 4/17/2014 - 10:05:36 PM - [0.517] ----D C:\Program Files\002
O43 - CFD: 4/30/2014 - 10:46:57 AM - [2.892] ----D C:\Program Files\Rr Savings
O43 - CFD: 4/30/2014 - 10:47:46 AM - [1.280] ----D C:\Program Files\RrFilter
O43 - CFD: 11/7/2013 - 2:33:49 PM - [1.300] ----D C:\ProgramData\SpyAlert
O90 - PUC: "07BF6653227E2814286618E5EA689289" . (.RrSavings.) -- c:\Windows\Installer\{3566FB70-E722-4182-8266-815EAE862998}\icon64.ico
[HKLM\Software\LevelQualityWatcher]
[MD5.DEABB07BC9B0009D826D2CA04C43F90F] - (.Conduit - Search Protect by Conduit.) -- C:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe [4693792] [PID.3612]
[MD5.EFAAE131121B7AD73CBA0FECC0B5A277] - (.Conduit - Search Protect by Conduit.) -- C:\Program Files\SearchProtect\UI\bin\cltmngui.exe [3037472] [PID.2316]
G1 - GCS: Preference [User Data\Default] http://search.conduit.com
G0 - GCSP: Preference [User Data\Default][HomePage] http://search.conduit.com
O20 - AppInit_DLLs: . (.Conduit - Search Protect by Conduit.) - C:\Program Files\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
O23 - Service: Search Protect by Conduit Service (CltMngSvc) . (.Conduit - Search Protect by Conduit.) - C:\Program Files\SearchProtect\Main\bin\CltMngSvc.exe
O42 - Logiciel: Search Protect - (.Conduit.) [HKLM] -- SearchProtect
O61 - LFC: 5/1/2014 - 7:44:47 PM ---A- . (...) -- C:\Users\owner\AppData\Local\SearchProtect\SearchProtect\rep\UserRepository.dat [210462]
O61 - LFC: 5/1/2014 - 7:44:47 PM ---A- . (...) -- C:\Users\owner\AppData\Local\SearchProtect\SearchProtect\rep\UserSettings.dat [1952]
O61 - LFC: 5/1/2014 - 7:44:47 PM ---A- . (...) -- C:\Users\owner\AppData\Local\SearchProtect\UI\rep\UIRepository.dat [4366]
[HKLM\SYSTEM\CurrentControlSet\Services\CltMngSvc]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
C:\Program Files\SearchProtect
C:\Users\owner\AppData\Local\SearchProtect
C:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe
C:\Program Files\SearchProtect\UI\bin\cltmngui.exe
[MD5.DEABB07BC9B0009D826D2CA04C43F90F] - (.Conduit - Search Protect by Conduit.) -- C:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe [4693792] [PID.3612]
[MD5.EFAAE131121B7AD73CBA0FECC0B5A277] - (.Conduit - Search Protect by Conduit.) -- C:\Program Files\SearchProtect\UI\bin\cltmngui.exe [3037472] [PID.2316]
G1 - GCS: Preference [User Data\Default] http://search.conduit.com
G0 - GCSP: Preference [User Data\Default][HomePage] http://search.conduit.com
O20 - AppInit_DLLs: . (.Conduit - Search Protect by Conduit.) - C:\Program Files\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
O23 - Service: Search Protect by Conduit Service (CltMngSvc) . (.Conduit - Search Protect by Conduit.) - C:\Program Files\SearchProtect\Main\bin\CltMngSvc.exe
O42 - Logiciel: Search Protect - (.Conduit.) [HKLM] -- SearchProtect
O61 - LFC: 5/1/2014 - 7:46:23 PM ---A- . (...) -- C:\Users\owner\AppData\Local\SearchProtect\SearchProtect\rep\UserRepository.dat [210462]
O61 - LFC: 5/1/2014 - 7:46:23 PM ---A- . (...) -- C:\Users\owner\AppData\Local\SearchProtect\SearchProtect\rep\UserSettings.dat [1952]
O61 - LFC: 5/1/2014 - 7:46:23 PM ---A- . (...) -- C:\Users\owner\AppData\Local\SearchProtect\UI\rep\UIRepository.dat [4366]
[HKLM\SYSTEM\CurrentControlSet\Services\CltMngSvc]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
C:\Program Files\SearchProtect
C:\Users\owner\AppData\Local\SearchProtect
C:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe
C:\Program Files\SearchProtect\UI\bin\cltmngui.exe
O42 - Logiciel: Speed Cleaner - (.OneBit IT.) [HKLM] -- {3A196B37-3F16-40B8-B0D2-E43333ACCE8D}
O42 - Logiciel: Speed Cleaner - (.OneBit IT.) [HKLM] -- {541ac74f-d2f8-4430-9f75-45fae734edac}


2/ - Download MBAM by clicking "Free Download Version".
- Save it on your desktop.
- Double-click the downloaded file to launch the installation process (if the firewall asks for permission to connect to Malwarebytes, accept).
- Once the software is installed and running, go to the "Review" tab.
- Select Review "Custom" and then click Check Now.
- Select all drives and all exam options (including search rootkits).
- Ensure that Process as malicious detections is selected for PUP and PUM.
- Click Start exam.
- If an update is shown, click Update Now and then wait for the review.
- Once the review is completed, make sure that the action Quarantine is selected for all elements detected.
- Click Apply actions. If asked to restart the PC, do it.
- In the Review tab, click Export Log => text file (txt). Otherwise, go to the History tab and Application logs.
- Paste the report.

Gabriel.
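The two possibilities raised earlier in the thread (a scheduled task reinstalling the programs after removal, or a protection blocking the deletion) and the persistence points the ZHPFix script above targets (the yewimmxqbs32 and CltMngSvc services, the AppInit_DLLs loader, the Uninstall entries, the Chrome homepage preference) can be surveyed read-only before any cleanup. The PowerShell below is an added example, not part of this thread or of ZHPDiag/ZHPFix; the suspect strings are taken from the script above, and it assumes an elevated prompt.

```powershell
# Added example: read-only survey of the persistence points named in this thread.
# Not part of the thread or of ZHPDiag/ZHPFix. Run from an elevated PowerShell prompt.
# The strings below come from the ZHPFix script posted above; edit them for another case.
$Suspects = @('SearchProtect', 'Conduit', 'Speed Cleaner', 'RrSavings', 'yewimmxqbs32', 'CltMngSvc')
$Pattern  = ($Suspects | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1) Scheduled tasks. A task whose action re-runs an installer is the usual reason a
#    program "comes back" after its folder is deleted. schtasks.exe is used because the
#    Get-ScheduledTask cmdlet does not exist on Windows Vista.
"== Scheduled tasks whose action matches a suspect =="
schtasks.exe /query /v /fo CSV | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match $Pattern } |
    Select-Object TaskName, 'Task To Run', 'Scheduled Task State' | Format-Table -AutoSize

# 2) AppInit_DLLs. Every process that loads user32.dll also loads the DLLs listed here
#    (SPVC32Loader.dll in the script above), so this value is worth reading directly.
"== AppInit_DLLs =="
$Win = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
"LoadAppInit_DLLs = $($Win.LoadAppInit_DLLs); AppInit_DLLs = '$($Win.AppInit_DLLs)'"

# 3) Services whose name or binary path matches a suspect (yewimmxqbs32, CltMngSvc).
"== Services =="
Get-WmiObject Win32_Service |
    Where-Object { ($_.Name + ' ' + $_.PathName) -match $Pattern } |
    Select-Object Name, State, StartMode, PathName | Format-List

# 4) Installed-program entries (the Uninstall keys, e.g. the two Speed Cleaner GUIDs).
"== Uninstall entries =="
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { ($_.DisplayName + ' ' + $_.Publisher + ' ' + $_.PSChildName) -match $Pattern } |
    Select-Object DisplayName, Publisher, UninstallString | Format-List

# 5) Chrome homepage / startup URLs. Preferences is JSON; a regex is used so the check
#    also works on the PowerShell 2.0 that ships with Vista (no ConvertFrom-Json there).
"== Chrome Preferences =="
$Prefs = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Preferences'
if (Test-Path $Prefs) {
    $Json = (Get-Content $Prefs) -join ''
    [regex]::Matches($Json, '"(homepage|startup_urls)"\s*:\s*("[^"]*"|\[[^\]]*\])') |
        ForEach-Object { $_.Value }
} else { "Preferences file not found at $Prefs" }
```

Run it under each account that uses the machine, because the Chrome Preferences file is per user (the thread's reports show both an owner and a Beth profile).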
OK, I will do it. I could at least get to Google Chrome yesterday. Today it always reverts to Bing. If I click on Internet Explorer, Google, not Chrome, comes up, but you cannot do any searches on it.
OK, do ZHPFix and MBAM then tell me.

Gabriel.
Well, I did the first instruction. Speed Cleaner is now re-installed.

You will get two reports because I ran the first as me and it would not deal with a couple of apps so I switched to admin.

The first is the one I ran as me.

Rapport de ZHPFix 2014.3.25.5 par Nicolas Coolman, Update du 25/03/2014
Fichier d'export Registre :
Run by owner at 5/2/2014 6:15:10 PM
High Elevated Privileges : OK
Windows Vista Home Premium Edition, 32-bit Service Pack 1 (Build 6001)

Recycle Bin emptied (13mn AMs)

========== Software ==========
REMOVES: RrSavings
ABSENT Uninstall Process: c:\progra~1\searchprotect\main\bin\uninstall.exe
REMOVES: Speed Cleaner
ABSENT Uninstall Process: c:\programdata\package cache\{541ac74f-d2f8-4430-9f75-45fae734edac}\speedcleanersetup.exe

========== Process memory ==========
REMOVES Reboot: Memory Process: C:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe
REMOVES Reboot: Memory Process: C:\Program Files\SearchProtect\UI\bin\cltmngui.exe

========== Registry keys ==========
REMOVES: CLSID BHO: {10AD2C61-0898-4348-8600-14A342F22AC3}
REMOVES:³ Service: yewimmxqbs32
REMOVES: HKCU\Software\RrSavings
REMOVES: HKLM\Software\LevelQualityWatcher
ERROR: [HKLM\Software\Classes\Installer\Products\\07BF6653227E2814286618E5EA689289]
REMOVES:³ Service: CltMngSvc
REMOVES:³ HKLM\SYSTEM\CurrentControlSet\Services\CltMngSvc
REMOVES:³ HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect

========== Preferences browser ==========
NOW Chrome File: C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Preferences
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
NOW Chrome File: C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Preferences
ABSENT Chrome Site: http://search.conduit.com

========== Folders ==========
REMOVES Reboot:** C:\Program Files\002
REMOVES Reboot:** C:\Program Files\Rr Savings
REMOVES Reboot:** C:\Program Files\RrFilter
REMOVES Reboot:** C:\ProgramData\SpyAlert
REMOVES Reboot:** c:\program files\searchprotect
REMOVES Reboot:** c:\users\owner\appdata\local\searchprotect

========== Files ==========
REMOVES Reboot: c:\program files\rr savings\rrsavings.dll
REMOVES Reboot: c:\program files\002\yewimmxqbs32.exe
REMOVES Reboot: c:\program files\searchprotect\main\bin\cltmngsvc.exe


========== Summary ==========
2 : Process memory
8 : Registry keys
6 : Folders
3 : Files
4 : Software
8 : Preferences browser


End of clean in 41mn AMs

========== Path to file report ==========
C:\Users\owner\AppData\Roaming\ZHP\ZHPFix[R1].txt - 4/7/2014 5:08:53 PM [2833]
C:\Users\owner\AppData\Roaming\ZHP\ZHPFix[R2].txt - 4/12/2014 4:49:19 PM [1955]
C:\Users\owner\AppData\Roaming\ZHP\ZHPFix[R2]april 12.txt - 4/12/2014 4:53:33 PM [1955]
C:\Users\owner\AppData\Roaming\ZHP\ZHPFix[R4].txt - 4/13/2014 2:40:40 PM [1928]
C:\Users\owner\AppData\Roaming\ZHP\ZHPFix[R4]april13.txt - 4/13/2014 2:43:42 PM [1928]
C:\Users\owner\AppData\Roaming\ZHP\ZHPFix[R6].txt - 5/2/2014 6:15:24 PM [2913]
Here is the second report, which I ran as admin. It asked if I wanted the Windows uninstaller deleted, and a couple of others I do not remember.

Rapport de ZHPFix 2014.3.25.5 par Nicolas Coolman, Update du 25/03/2014
Fichier d'export Registre :
Run by Beth at 5/2/2014 6:24:15 PM
High Elevated Privileges : OK
Windows Vista Home Premium Edition, 32-bit Service Pack 1 (Build 6001)

Recycle Bin emptied (10mn AMs)

========== Software ==========
REMOVES: RrSavings
ABSENT Uninstall Process: c:\progra~1\searchprotect\main\bin\uninstall.exe
REMOVES: Speed Cleaner

========== Registry keys ==========
REMOVES Logiciel Key: [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
REMOVES: [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A196B37-3F16-40B8-B0D2-E43333ACCE8D}]
REMOVES: Service: yewimmxqbs32
REMOVES: Service: CltMngSvc

========== Elements of the registry data ==========
REMOVES AppInit: arch Protect by Conduit.) - C:\Program Files\SearchProtect\SearchProtect\bin\SPVC32Loader.dll

========== Preferences browser ==========
NOW Chrome File: C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Preferences
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
NOW Chrome File: C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Preferences
ABSENT Chrome Site: http://search.conduit.com

========== Folders ==========
REMOVES:* C:\Program Files\002
REMOVES: C:\Program Files\RrFilter
REMOVES: C:\ProgramData\SpyAlert
REMOVES:* c:\program files\searchprotect
REMOVES: c:\users\owner\appdata\local\searchprotect

========== Files ==========
REMOVES Reboot: c:\program files\002\yewimmxqbs32.exe
REMOVES Reboot: c:\program files\searchprotect\main\bin\cltmngsvc.exe


========== Summary ==========
4 : Registry keys
1 : Elements of the registry data
5 : Folders
2 : Files
3 : Software
9 : Preferences browser


End of clean in 32mn AMs

========== Path to file report ==========
C:\Users\Beth\AppData\Roaming\ZHP\ZHPFix[R1].txt - 5/2/2014 6:24:25 PM [2075]
Hello,

You can do MBAM.

Gabriel.
You may get this twice. All of my links that helped me get to things are gone. Anyway, I downloaded MBAM. Unfortunately, the site was in French and Bing did not have a translate option. I think I guessed fairly well, though. There are two logs because on the May second one, I could not find what you wanted. By the May 2 one, I did locate everything, I think. They were fairly long, so I uploaded them.

http://speedy.sh/RMh3U/mbamMay3.txt

They were different so I will include both.

http://speedy.sh/SHWDg/mbamMay-2.txt

I hope this gives you what you need.
Hello,

Yes, it's OK for MBAM.
The account where you do all the manipulations, is it an administrator account or a simple user?

Gabriel.