Three Programs I Can't Remove

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by finalreturn, Sep 29, 2005.

  1. finalreturn

    finalreturn Private E-2

    Currently I came home, finding viruses on my computer. Obviously I ran Spybot - Search & Destroy, Ad-aware SE Personal, Spyware Blaster, and Norton Anti-Virus 2005. It removed everything, yet Home Search Assistant, Search Extender, Shopping Wizard are still on my Add/Remove Programs List. They will not let you uninstall them, and when you click "Remove," it brings you to their website to download the uninstaller file, which doesn't work anyways.

    ( found at http://looking-for.cc/smartfinder/uninstall/eitherof3ilisted.html )

    Mostly the side effects are not allowing me to IM anyone on AIM, changing my homepage to theirs, and making everything choppy/slow.

    I can't find any help lately, and I was wondering if any of you knew a solution to remove these, because I've rebooted my computer so many times, and I refuse to this time because I have many important files I need to keep.

    Truly Appreciated,
    -Ross Cohen
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the below registry patch, but I would expect your system is still infected with problem files and this may not really do much. You really need to run ALL the steps in this Sticky thread: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal


    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixhsa.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixhsa.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.

     
  3. finalreturn

    finalreturn Private E-2

    I couldn't be any more thankful. I appreciate the help, well done. :)
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! But are you really sure you are clean? In most cases just deleting these registry keys does not get rid of all the stuff HSA hijackers put on a PC. In fact much of the stuff they put on your PC is very capable of respawning the whole infection.
     
  5. finalreturn

    finalreturn Private E-2

    I've tried everything. I read the link you informed me to read before I post, and I downloaded the other programs they recommended. I followed every direction, and I'm still receiving pop-ups, my homepage is being set to about:blank, the three programs I mentioned before are still installed, and now I'm back at the starting point. Any suggestions?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's what I expected.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  7. finalreturn

    finalreturn Private E-2

    here ya go.. thanks again for the support as well..
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you do step #2 in the READ ME FIRST Getting Prepared section? You have one of those services running?

    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crwy.exe
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your OS and IE versions are way out of date and represent a major security risk. This is also a major contributor to why you are having problems. After we fix your current problems, you MUST get your updates. We will do this later.

    Besides having HSA hijacker issues (which you could have solved using the Generic Solution sticky thread), you have Virtumundo problems. We need to remove this first. My procedure below will also try removing some of the HSA problems but they will more than likely return with new names and processes. That is to be expected. But we need to fix Virtumundo first.

    It is critical that you never have any browsers running (not even the one you are reading now) when using HJT. You had the below running:
    C:\Program Files\Internet Explorer\iexplore.exe

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.

    Please print these instructions out for use in Safe Mode with no networking and DO NOT RUN any browsers while doing these steps.

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at. It should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\System32\ddccc.dll

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\System32\cccdd.*

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pyzho.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pyzho.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pyzho.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pyzho.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pyzho.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pyzho.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {0597D537-86A0-08BE-1BB8-7597D9D9FE0A} - C:\WINDOWS\atlel.dll
    O2 - BHO: Class - {07DCAC36-045B-45B8-22CE-A449FF8F0C93} - (no file)
    O2 - BHO: Class - {1BB06227-02D6-8AE4-475A-58D02CC66F9A} - (no file)
    O2 - BHO: (no name) - {2ECC0E95-435F-646C-368F-766F51423169} - (no file)
    O2 - BHO: Class - {484B2848-1231-3BD6-DC66-3F78BFEFE9D5} - C:\WINDOWS\atlel.dll
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\ddccc.dll
    O2 - BHO: Class - {71849A64-EB27-1029-8F9D-70E8D4CF1707} - (no file)
    O2 - BHO: Class - {B1004A43-1178-458D-80E6-5DEC6D7C205B} - (no file)
    O2 - BHO: Class - {B796330F-1896-180C-7DA0-0653EAC8A2E4} - (no file)
    O4 - HKLM\..\Run: [appul32.exe] C:\WINDOWS\appul32.exe
    O4 - HKLM\..\Run: [addgp.exe] C:\WINDOWS\system32\addgp.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O20 - Winlogon Notify: ddccc - C:\WINDOWS\System32\ddccc.dll
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crwy.exe



    • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
    • Now please attach a new HJT log from normal mode.
    YOU MUST NOT REBOOT OR POWER DOWN AT THIS POINT! You must just wait for the next steps. If you reboot or power down, the symptoms and problem files will mutate, making my next steps useless. Make sure you indicate to me that you understand this and that you are not rebooting or shutting your PC down.
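An added triage sketch, not part of the original thread and not HijackThis's own code: it parses log lines of the shape shown in the post above and groups them by the file they reference, so a file loaded through several hooks stands out and entries marked (no file) or (file missing) are separated as leftovers. The regular expressions and function names are assumptions drawn only from the lines quoted in this thread.

```python
import re
from collections import defaultdict

# Entries copied from the fix list in the post above (a subset of its lines).
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pyzho.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pyzho.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {484B2848-1231-3BD6-DC66-3F78BFEFE9D5} - C:\WINDOWS\atlel.dll
O2 - BHO: Class - {07DCAC36-045B-45B8-22CE-A449FF8F0C93} - (no file)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\ddccc.dll
O4 - HKLM\..\Run: [addgp.exe] C:\WINDOWS\system32\addgp.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: ddccc - C:\WINDOWS\System32\ddccc.dll
""".strip().splitlines()

# Assumed line shape: "<section code> - <details>", e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^\s*([RO]\d{1,2}) - (.+)$")
# Drive-letter or %variable% path ending in .exe/.dll; "/" is excluded so a
# res://C:\...\x.dll/page.html URL yields only the DLL path.
PATH = re.compile(r'(?:[A-Za-z]:|%\w+%)\\[^/*?"<>|]*?\.(?:exe|dll)', re.I)
ORPHAN = re.compile(r"\((?:no file|file missing)\)")

def parse(line):
    """Return (section, path or None, orphan flag), or None for non-entry lines."""
    m = ENTRY.match(line)
    if not m:
        return None
    section, rest = m.groups()
    p = PATH.search(rest)
    # Windows paths are case-insensitive: System32 and system32 must compare equal.
    return section, (p.group(0).lower() if p else None), bool(ORPHAN.search(rest))

def files_by_hooks(lines):
    """Map each referenced file to the sorted log sections that load it."""
    hooks = defaultdict(set)
    for section, path, orphan in filter(None, map(parse, lines)):
        if path and not orphan:
            hooks[path].add(section)
    return {path: sorted(s) for path, s in hooks.items()}

def orphans(lines):
    """Entries whose target file is gone: leftover registry data, not live code."""
    return [(s, p) for s, p, o in filter(None, map(parse, lines)) if o]

if __name__ == "__main__":
    for path, sections in sorted(files_by_hooks(SAMPLE).items()):
        print(f"{path:40} {', '.join(sections)}")
    print("orphaned:", orphans(SAMPLE))
```

On the sample, ddccc.dll appears under both O2 and O20, and pyzho.dll backs both R0 and R1 values, which is why fixing a single entry leaves the file referenced elsewhere.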
     
  10. finalreturn

    finalreturn Private E-2

    alright done.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You neglected to acknowledge my request:

    Also you are still running C:\Program Files\Internet Explorer\iexplore.exe while using HJT. YOU MUST REMEMBER to exit browsers before using HJT.

    It also looks like you did not follow my previous steps properly because all the items including Virtumundo are still there. Please run them again and make sure you follow them exactly. Did you forget to select lines and click Fix in HijackThis?
     
