Virus hampering boot on Windows Vista
Solved/Closed
ErieE - Mar 29, 2014 at 07:07 PM
2011N2 Posts 13352 Registration date Saturday January 29, 2011 Status Security contributor Last seen December 24, 2016 - May 14, 2014 at 03:13 AM
103 responses
2011N2 - Apr 23, 2014 at 02:47 PM
Hello,
OK, so, when you remove the folder of Speed Cleaner, it reappears just after a reboot of the computer?
Gabriel.
I replied to this question but when I hit submit, it was not accepted. Sorry if you get two replies
Actually SearchProtect reappeared.
Speed Cleaner does not run as it used to. I only found these indications of it in the Quarantine section of ZHP when I ran a search:
1. Speed Cleaner. DIR
2. Speed Cleaner. exe. config.
Under the # 1 are all the files I deleted manually a few days ago. Shall I eliminate these files?
Could Speed Cleaner be buried in the registry? If so, where should I look?
2011N2 - Apr 25, 2014 at 05:52 PM
Hello,
OK, two possibilities:
- A scheduled task reinstalls the programs after their removal.
- A protection (such as Avast) prevents the removal.
Run ZHPDiag again, and we will see the scheduled tasks.
Otherwise, I will give you another tool which may solve the problem.
Gabriel.
This was run with Avast enabled. I got two reports on Note Pad. Between them there was an error message in French. I couldn't get it copied before it went off. All I got was -- Violation d'acces a'--. I did not get the rest of it and I don't know how to put the accent marks in. Sorry, I am not familiar with French.
http://speedy.sh/6DkSn/ZHPDiagapril-26-first-run.txt
http://speedy.sh/mvtCN/ZHPDiagapril-26-second-run.txt
I clicked on Full Options. Am I supposed to click on Search?
2011N2 - Apr 28, 2014 at 06:35 AM
Hello,
OK it's better. :)
Please run Shortcut_Module again, as the last time: https://ccm.net/forum/affich-746882-virus-hampering-boot-on-windows-vista#15
Verify it is up to date after running it.
Gabriel.
I can't get Short_Module to run. I tried to download it again. I was unable to install it. It just ran. I watched it run. It said there were several viruses and then it reported them to Google. I did not tell it to do that.
Should I install what I have left of the first time we used short_Module. There is no exe file to run. There is a quarantine file and a file with the dll's in it
Nothing like you said to look for.
What shall I do now.
2011N2 - Apr 28, 2014 at 05:16 PM
Hi,
There is no report at the root of the C: drive?
Gabriel.
No. I tried to delete the app and then download it again. I got most of it off. All that is left is a protect_module. It will not let me delete it as an admin. I did check task manager and it is running under processes.
Is it safe for me to stop the process?
What am I doing wrong?
2011N2 - Apr 28, 2014 at 05:33 PM
It's strange.
You've run Shortcut_Module and clicked on Clean?
Gabriel.
Yes. I am positive I did that. What was unusual was that I could not install it on the desktop like you said. It looked like it was "floating" on top of the desktop.
2011N2 - Apr 29, 2014 at 04:27 AM
Hello,
OK, and do you remember if it worked properly, till the end?
Gabriel.
I don't know. I have only used Shortcut_Module three times. I can tell you it worked differently the times I ran it yesterday than the first time you had me run it. That time I was able to find the report and there was nothing about submitting the "viruses" to Google.
2011N2 - May 1, 2014 at 02:37 PM
Hello,
It's very strange because the title of the report is the right one, but it's not a Shortcut_Module report...
Run ZHPDiag again, and we will see if there is Bing and still Speed Cleaner.
Gabriel.
I am sending everything ZHP gave me. Some may be the same but I am taking no chances. Here is what I got.
http://speedy.sh/gKuAd/TestsZHPDiag.txt
http://speedy.sh/jVQKE/ZHPADSReport.txt
http://speedy.sh/bdyVM/ZHPDiag.txt
http://speedy.sh/GEBdH/ZHPDiagmay-1-first-run.txt
http://speedy.sh/RMrEU/ZHPDiagMay-1-second-run.txt
Avast was disabled.
I never mentioned this but after the Dell splash screen the next screen is titled Windows Boot Manager. You may have known that anyway.
I cannot believe I never noticed this as I stared at that screen for such long times but neither can I believe that it just appeared yesterday so I just don't know. But the title is now Windows Boot Manager followed by Microsoft Windows Vista and Memory Diagnostics as choices. I get to Vista by selecting the first one and pressing Enter.
Sorry for the omission.
2011N2 - May 2, 2014 at 12:05 PM
Hello,
OK, two things.
1/ Run ZHPFix again with these lines and post the report:
Script ZHPFix
O2 - BHO: RrSavings - {10AD2C61-0898-4348-8600-14A342F22AC3} . (...) -- C:\Program Files\Rr Savings\RrSavings.dll
O23 - Service: yewimmxqbs32 (yewimmxqbs32) . (...) - C:\Program Files\002\yewimmxqbs32.exe
O42 - Logiciel: RrSavings - (.RrSavings.) [HKLM] -- {3566FB70-E722-4182-8266-815EAE862998}
[HKCU\Software\RrSavings]
[HKLM\Software\LevelQualityWatcher]
O43 - CFD: 4/17/2014 - 10:05:36 PM - [0.517] ----D C:\Program Files\002
O43 - CFD: 4/30/2014 - 10:46:57 AM - [2.892] ----D C:\Program Files\Rr Savings
O43 - CFD: 4/30/2014 - 10:47:46 AM - [1.280] ----D C:\Program Files\RrFilter
O43 - CFD: 11/7/2013 - 2:33:49 PM - [1.300] ----D C:\ProgramData\SpyAlert
O90 - PUC: "07BF6653227E2814286618E5EA689289" . (.RrSavings.) -- c:\Windows\Installer\{3566FB70-E722-4182-8266-815EAE862998}\icon64.ico
[HKLM\Software\LevelQualityWatcher]
O2 - BHO: RrSavings - {10AD2C61-0898-4348-8600-14A342F22AC3} . (...) -- C:\Program Files\Rr Savings\RrSavings.dll
O23 - Service: yewimmxqbs32 (yewimmxqbs32) . (...) - C:\Program Files\002\yewimmxqbs32.exe
O42 - Logiciel: RrSavings - (.RrSavings.) [HKLM] -- {3566FB70-E722-4182-8266-815EAE862998}
[HKCU\Software\RrSavings]
[HKLM\Software\LevelQualityWatcher]
O43 - CFD: 4/17/2014 - 10:05:36 PM - [0.517] ----D C:\Program Files\002
O43 - CFD: 4/30/2014 - 10:46:57 AM - [2.892] ----D C:\Program Files\Rr Savings
O43 - CFD: 4/30/2014 - 10:47:46 AM - [1.280] ----D C:\Program Files\RrFilter
O43 - CFD: 11/7/2013 - 2:33:49 PM - [1.300] ----D C:\ProgramData\SpyAlert
O90 - PUC: "07BF6653227E2814286618E5EA689289" . (.RrSavings.) -- c:\Windows\Installer\{3566FB70-E722-4182-8266-815EAE862998}\icon64.ico
[HKLM\Software\LevelQualityWatcher]
[MD5.DEABB07BC9B0009D826D2CA04C43F90F] - (.Conduit - Search Protect by Conduit.) -- C:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe [4693792] [PID.3612]
[MD5.EFAAE131121B7AD73CBA0FECC0B5A277] - (.Conduit - Search Protect by Conduit.) -- C:\Program Files\SearchProtect\UI\bin\cltmngui.exe [3037472] [PID.2316]
G1 - GCS: Preference [User Data\Default] http://search.conduit.com
G0 - GCSP: Preference [User Data\Default][HomePage] http://search.conduit.com
O20 - AppInit_DLLs: . (.Conduit - Search Protect by Conduit.) - C:\Program Files\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
O23 - Service: Search Protect by Conduit Service (CltMngSvc) . (.Conduit - Search Protect by Conduit.) - C:\Program Files\SearchProtect\Main\bin\CltMngSvc.exe
O42 - Logiciel: Search Protect - (.Conduit.) [HKLM] -- SearchProtect
O61 - LFC: 5/1/2014 - 7:44:47 PM ---A- . (...) -- C:\Users\owner\AppData\Local\SearchProtect\SearchProtect\rep\UserRepository.dat [210462]
O61 - LFC: 5/1/2014 - 7:44:47 PM ---A- . (...) -- C:\Users\owner\AppData\Local\SearchProtect\SearchProtect\rep\UserSettings.dat [1952]
O61 - LFC: 5/1/2014 - 7:44:47 PM ---A- . (...) -- C:\Users\owner\AppData\Local\SearchProtect\UI\rep\UIRepository.dat [4366]
[HKLM\SYSTEM\CurrentControlSet\Services\CltMngSvc]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
C:\Program Files\SearchProtect
C:\Users\owner\AppData\Local\SearchProtect
C:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe
C:\Program Files\SearchProtect\UI\bin\cltmngui.exe
[MD5.DEABB07BC9B0009D826D2CA04C43F90F] - (.Conduit - Search Protect by Conduit.) -- C:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe [4693792] [PID.3612]
[MD5.EFAAE131121B7AD73CBA0FECC0B5A277] - (.Conduit - Search Protect by Conduit.) -- C:\Program Files\SearchProtect\UI\bin\cltmngui.exe [3037472] [PID.2316]
G1 - GCS: Preference [User Data\Default] http://search.conduit.com
G0 - GCSP: Preference [User Data\Default][HomePage] http://search.conduit.com
O20 - AppInit_DLLs: . (.Conduit - Search Protect by Conduit.) - C:\Program Files\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
O23 - Service: Search Protect by Conduit Service (CltMngSvc) . (.Conduit - Search Protect by Conduit.) - C:\Program Files\SearchProtect\Main\bin\CltMngSvc.exe
O42 - Logiciel: Search Protect - (.Conduit.) [HKLM] -- SearchProtect
O61 - LFC: 5/1/2014 - 7:46:23 PM ---A- . (...) -- C:\Users\owner\AppData\Local\SearchProtect\SearchProtect\rep\UserRepository.dat [210462]
O61 - LFC: 5/1/2014 - 7:46:23 PM ---A- . (...) -- C:\Users\owner\AppData\Local\SearchProtect\SearchProtect\rep\UserSettings.dat [1952]
O61 - LFC: 5/1/2014 - 7:46:23 PM ---A- . (...) -- C:\Users\owner\AppData\Local\SearchProtect\UI\rep\UIRepository.dat [4366]
[HKLM\SYSTEM\CurrentControlSet\Services\CltMngSvc]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
C:\Program Files\SearchProtect
C:\Users\owner\AppData\Local\SearchProtect
C:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe
C:\Program Files\SearchProtect\UI\bin\cltmngui.exe
O42 - Logiciel: Speed Cleaner - (.OneBit IT.) [HKLM] -- {3A196B37-3F16-40B8-B0D2-E43333ACCE8D}
O42 - Logiciel: Speed Cleaner - (.OneBit IT.) [HKLM] -- {541ac74f-d2f8-4430-9f75-45fae734edac}
2/ - Download MBAM by clicking "Free Download Version".
- Save it on your desktop.
- Double-click the downloaded file to launch the installation process (if the firewall asks for permission to connect to Malwarebytes, accept).
- Once the software is installed and running, go to the "Review" tab.
- Select Review "Custom" and then click Check Now.
- Select all drives and all exam options (including search rootkits).
- Ensure that Process as malicious detections is selected for PUP and PUM.
- Click Start exam.
- If an update is shown, click Update Now and then wait for the review.
- Once the review is completed, make sure that the action Quarantine is selected for all elements detected.
- Click Apply actions. If asked to restart the PC, do it.
- In the Review tab, click Export Log => text file (txt). Otherwise, go to the history tab and Application logs.
- Paste the report.
Gabriel.
OK, I will do it. I could at least get to Google Chrome yesterday. Today it always reverts to Bing. If I click on Internet Explorer, Google, not Chrome, comes up but you cannot do any searches on it.
2011N2 - May 2, 2014 at 02:00 PM
OK, do ZHPFix and MBAM then tell me.
Gabriel.
Well, I did the first instruction. Speed Cleaner is now re-installed.
You will get two reports because I ran the first as me and it would not deal with a couple of apps so I switched to admin.
The first is the one I ran as me.
Rapport de ZHPFix 2014.3.25.5 par Nicolas Coolman, Update du 25/03/2014
Fichier d'export Registre :
Run by owner at 5/2/2014 6:15:10 PM
High Elevated Privileges : OK
Windows Vista Home Premium Edition, 32-bit Service Pack 1 (Build 6001)
Recycle Bin emptied (13mn AMs)
========== Software ==========
REMOVES: RrSavings
ABSENT Uninstall Process: c:\progra~1\searchprotect\main\bin\uninstall.exe
REMOVES: Speed Cleaner
ABSENT Uninstall Process: c:\programdata\package cache\{541ac74f-d2f8-4430-9f75-45fae734edac}\speedcleanersetup.exe
========== Process memory ==========
REMOVES Reboot: Memory Process: C:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe
REMOVES Reboot: Memory Process: C:\Program Files\SearchProtect\UI\bin\cltmngui.exe
========== Registry keys ==========
REMOVES: CLSID BHO: {10AD2C61-0898-4348-8600-14A342F22AC3}
REMOVES:³ Service: yewimmxqbs32
REMOVES: HKCU\Software\RrSavings
REMOVES: HKLM\Software\LevelQualityWatcher
ERROR: [HKLM\Software\Classes\Installer\Products\\07BF6653227E2814286618E5EA689289]
REMOVES:³ Service: CltMngSvc
REMOVES:³ HKLM\SYSTEM\CurrentControlSet\Services\CltMngSvc
REMOVES:³ HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
========== Preferences browser ==========
NOW Chrome File: C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Preferences
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
NOW Chrome File: C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Preferences
ABSENT Chrome Site: http://search.conduit.com
========== Folders ==========
REMOVES Reboot:** C:\Program Files\002
REMOVES Reboot:** C:\Program Files\Rr Savings
REMOVES Reboot:** C:\Program Files\RrFilter
REMOVES Reboot:** C:\ProgramData\SpyAlert
REMOVES Reboot:** c:\program files\searchprotect
REMOVES Reboot:** c:\users\owner\appdata\local\searchprotect
========== Files ==========
REMOVES Reboot: c:\program files\rr savings\rrsavings.dll
REMOVES Reboot: c:\program files\002\yewimmxqbs32.exe
REMOVES Reboot: c:\program files\searchprotect\main\bin\cltmngsvc.exe
========== Summary ==========
2 : Process memory
8 : Registry keys
6 : Folders
3 : Files
4 : Software
8 : Preferences browser
End of clean in 41mn AMs
========== Path to file report ==========
C:\Users\owner\AppData\Roaming\ZHP\ZHPFix[R1].txt - 4/7/2014 5:08:53 PM [2833]
C:\Users\owner\AppData\Roaming\ZHP\ZHPFix[R2].txt - 4/12/2014 4:49:19 PM [1955]
C:\Users\owner\AppData\Roaming\ZHP\ZHPFix[R2]april 12.txt - 4/12/2014 4:53:33 PM [1955]
C:\Users\owner\AppData\Roaming\ZHP\ZHPFix[R4].txt - 4/13/2014 2:40:40 PM [1928]
C:\Users\owner\AppData\Roaming\ZHP\ZHPFix[R4]april13.txt - 4/13/2014 2:43:42 PM [1928]
C:\Users\owner\AppData\Roaming\ZHP\ZHPFix[R6].txt - 5/2/2014 6:15:24 PM [2913]
Here is the second report I ran as admin. It asked if I wanted windows uninstaller deleted and a couple of others I do not remember.
Rapport de ZHPFix 2014.3.25.5 par Nicolas Coolman, Update du 25/03/2014
Fichier d'export Registre :
Run by Beth at 5/2/2014 6:24:15 PM
High Elevated Privileges : OK
Windows Vista Home Premium Edition, 32-bit Service Pack 1 (Build 6001)
Recycle Bin emptied (10mn AMs)
========== Software ==========
REMOVES: RrSavings
ABSENT Uninstall Process: c:\progra~1\searchprotect\main\bin\uninstall.exe
REMOVES: Speed Cleaner
========== Registry keys ==========
REMOVES Logiciel Key: [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
REMOVES: [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A196B37-3F16-40B8-B0D2-E43333ACCE8D}]
REMOVES: Service: yewimmxqbs32
REMOVES: Service: CltMngSvc
========== Elements of the registry data ==========
REMOVES AppInit: arch Protect by Conduit.) - C:\Program Files\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
========== Preferences browser ==========
NOW Chrome File: C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Preferences
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
REMOVES Chrome Site: http://search.conduit.com
NOW Chrome File: C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Preferences
ABSENT Chrome Site: http://search.conduit.com
========== Folders ==========
REMOVES:* C:\Program Files\002
REMOVES: C:\Program Files\RrFilter
REMOVES: C:\ProgramData\SpyAlert
REMOVES:* c:\program files\searchprotect
REMOVES: c:\users\owner\appdata\local\searchprotect
========== Files ==========
REMOVES Reboot: c:\program files\002\yewimmxqbs32.exe
REMOVES Reboot: c:\program files\searchprotect\main\bin\cltmngsvc.exe
========== Summary ==========
4 : Registry keys
1 : Elements of the registry data
5 : Folders
2 : Files
3 : Software
9 : Preferences browser
End of clean in 32mn AMs
========== Path to file report ==========
C:\Users\Beth\AppData\Roaming\ZHP\ZHPFix[R1].txt - 5/2/2014 6:24:25 PM [2075]
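A way to compare the two ZHPFix reports in the post above, as an added example that is not part of the thread and not ZHPFix's own code: it parses the section banners and status words as they appear in the quoted reports, then lists targets that both runs report as REMOVES and entries marked ABSENT, ERROR or Reboot. Reading a repeated REMOVES as "still present at the second run" is an assumption drawn from the report wording; the sample text is excerpted from the two reports.

```python
import re

# Section banners look like "========== Folders ==========" in the quoted reports.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Status word, optional qualifier (e.g. "Reboot", "Uninstall Process"), then the target.
# The "*", "**" and "³" markers after the colon are skipped: the thread does not say
# what they mean, so they are not interpreted here.
ENTRY_RE = re.compile(r"^(REMOVES|ABSENT|ERROR)\b([^:]*):[\s*³]*(.+)$")

# Excerpt of the first report in the post (run as "owner").
RUN_1 = r"""
========== Software ==========
REMOVES: RrSavings
ABSENT Uninstall Process: c:\progra~1\searchprotect\main\bin\uninstall.exe
REMOVES: Speed Cleaner
========== Registry keys ==========
REMOVES:³ Service: CltMngSvc
ERROR: [HKLM\Software\Classes\Installer\Products\\07BF6653227E2814286618E5EA689289]
REMOVES:³ HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
========== Folders ==========
REMOVES Reboot:** C:\Program Files\002
REMOVES Reboot:** c:\program files\searchprotect
========== Files ==========
REMOVES Reboot: c:\program files\searchprotect\main\bin\cltmngsvc.exe
"""

# Excerpt of the second report in the post (run as "Beth").
RUN_2 = r"""
========== Software ==========
REMOVES: RrSavings
ABSENT Uninstall Process: c:\progra~1\searchprotect\main\bin\uninstall.exe
REMOVES: Speed Cleaner
========== Registry keys ==========
REMOVES Logiciel Key: [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
REMOVES: Service: CltMngSvc
========== Folders ==========
REMOVES:* C:\Program Files\002
REMOVES:* c:\program files\searchprotect
========== Files ==========
REMOVES Reboot: c:\program files\searchprotect\main\bin\cltmngsvc.exe
"""


def parse_report(text):
    """Return (section, status, reboot_deferred, target) for each action line."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if entry is None or section is None:
            continue  # header lines, summary counts, blank lines
        status, qualifier, target = entry.groups()
        # Normalise so "[HKLM\SOFTWARE\...]" and "HKLM\Software\..." compare equal.
        target = target.strip().strip("[]").lower()
        entries.append((section, status, "reboot" in qualifier.lower(), target))
    return entries


def removed_again(first, second):
    """Targets reported as REMOVES in both runs (same section), in second-run order."""
    seen = {(sec, tgt) for sec, status, _, tgt in first if status == "REMOVES"}
    repeated = []
    for sec, status, _, tgt in second:
        key = (sec, tgt)
        if status == "REMOVES" and key in seen and key not in repeated:
            repeated.append(key)
    return repeated


def needs_follow_up(entries):
    """Entries that did not complete in the run: ABSENT, ERROR, or deferred to reboot."""
    flagged = []
    for sec, status, deferred, tgt in entries:
        if status != "REMOVES":
            flagged.append((sec, status, tgt))
        elif deferred:
            flagged.append((sec, "REMOVES Reboot", tgt))
    return flagged


if __name__ == "__main__":
    first, second = parse_report(RUN_1), parse_report(RUN_2)
    print("Reported as removed in both runs:")
    for sec, tgt in removed_again(first, second):
        print(f"  [{sec}] {tgt}")
    print("Not completed in the second run:")
    for sec, reason, tgt in needs_follow_up(second):
        print(f"  [{sec}] {reason}: {tgt}")
```
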
2011N2 - May 3, 2014 at 02:00 AM
Hello,
You can do MBAM.
Gabriel.
You may get this twice. All of my links that helped me get to things are gone. Anyway I downloaded MBAM. Unfortunately, the site was in French and Bing did not have a translate option. I think I guessed fairly well though. There are two logs because on the May second one, I could not find what you wanted. By the May 2 one, I did locate everything, I think. They were fairly long so I uploaded them.
http://speedy.sh/RMh3U/mbamMay3.txt
They were different so I will include both.
http://speedy.sh/SHWDg/mbamMay-2.txt
hope this gives you what you need
2011N2 - May 4, 2014 at 10:21 AM
Hello,
Yes it's OK for MBAM.
The account where you do all the manipulations, is it an administrator account or a simple user?
Gabriel.