Virus/Malware infection help, Browser Hijacked

Status
Not open for further replies.

simran

I think I got a virus on my computer, as now I can't access some things. First of all, today while browsing, a window popped up asking me to activate and install some XP antivirus program, which just looked dodgy to me, so since there was no cancel button to get rid of this thing without installing it, I killed it through Processes.
This window pops up when I restart the computer (picture attached below, 'Anti virus XP message').

The next thing I noticed, a while later, was that my desktop had a weird-looking background picture that I can't get rid of, because the option where you can change your wallpaper etc. is not there anymore. By the way, I use the Windows XP Home operating system.

I have attached a picture of how my desktop looks. That is not the wallpaper I had set, and it won't let me get rid of it! (picture 'desktop pic'). To be exact, it had a white background, but I changed the theme to XP, so now it's blue with that message.

A scan using AVG showed no threats found, but during the scan there are these changes (attached pic below, 'AVG SCAN').

A scan using Spybot Search & Destroy (attached pic below). Afterwards I clicked on 'Fix selected problems'. The program froze and stopped responding. So I killed the process and did the scan again, and it did the same: froze and stopped responding (pic 'spybot search and destroy').

So I decided to download new updates and the new version (1.6.0.31). This time it found 2 different new problems which were not there before, and one of the entries which was there before, when it froze, i.e. CoolWWWSearch.svchost32, was not there anymore. Anyway, after I clicked on Fix, this time it managed to work without freezing. Yay! I took a screenshot of the files in the Recovery section (pic 'Spybot Problems Fixed').

I have another spyware program which I used previously, but the licence has expired, so even though it will scan, I cannot delete/fix any problems found until I pay for a new licence!! I took a screenshot of the scan. In here there were 2 problems which I did not see in Spybot (pic labelled 'spy doctor').

Anyway, after Spybot fixed those problems I can change my wallpaper and things again. But I think my browser still has a hijack issue, as when I go to Google search and click on a search link, it does not take me to the actual page but to some link like the following:

http://castlesurvival.info/search.php?aid=13866&said=61-v2test7&keyword=browser hijacking&ipr=&rej=1


Another thing: I tried to download Anti-Malware and SuperAntiSpyware Home Edition Free Version, but those links do not seem to be working. Neither is the link for HijackThis (luckily I had one downloaded previously which I had not deleted, and the version was 2.0.2). Are the links actually not working, or is this related to that browser hijack problem? No idea.

Oh, and I'm also attaching my HijackThis log in my second post (I've already used up the maximum 5 attachments allowed for this one).

Please, please, please help me fix this problem and get my laptop back in good health.

Thank you to all those who help me. God bless you.
 

Attachments

  • Antivirus XP 2008 message.JPG
  • desktop pic.JPG
  • AVG SCAN.JPG
  • spybot search and destroy.JPG
  • Spybot Problems Fixed.JPG
As promised, I'm uploading the picture of the scan result from the Spy Doctor program and the HijackThis log.

Thanks.
 
...

OK, try to use Alt+Ctrl+Del. If it shows "Your Task Manager has been closed by your Administrator" (which I'm almost sure of), then you have a virus and it's a dangerous one. You can simply use the common solution, which is to format and replace your Windows with a fresh copy.

If you can see the Task Manager running, look at the running processes and choose to terminate the processes you're not sure of. If you suspect any xx.exe running process, try to end it. Then you can open your Start menu -> Run, type msconfig, and from the Startup tab choose the xx.exe you were suspecting and remove it.

Also search your PC for the xx.exe file, delete it, and restart.

It may work. Reply if you need extra help, man.
 
Not yet removed

Those programs didn't delete the virus. The virus is configured to run at startup; therefore whatever fixes you made will be negated at startup.

Did you follow these instructions: https://www.techspot.com/vb/topic109461.html
Do not install another firewall and anti-virus program if you already have one installed; however, you may replace them with another if you wish.

What the heck, I'll just help you with this log.
Run HJT again and check the following, then click 'Fix checked'.

O4 - HKLM\..\Run: [lphc3f8j0eaaa] C:\WINDOWS\system32\lphc3f8j0eaaa.exe
O4 - HKLM\..\Run: [inrhc7f8j0eaaa] C:\Documents and Settings\Henaa\Local Settings\Temp\.ttBD.tmp.exe
C:\WINDOWS\system32\lphc3f8j0eaaa.exe
Browse to this directory, C:\Documents and Settings\Henaa\Local Settings\Temp\, and delete this file: .ttBD.tmp.exe

Go here to fix your desktop: http://amiworks.co.in/talk/how-to-remove-antivirus-xp-2008/

I still want you to follow the instructions above. Please post logs.
 
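The two helper posts above point at the same two places a rogue antivirus like this one lives: the HKLM/HKCU Run keys (the O4 lines in the HijackThis log) and the per-user policy values that hide Task Manager and the Desktop tab. The script below is an added example and is not from this thread or from HijackThis; it assumes PowerShell 2.0 has been installed on the XP machine and that the script is run from an administrator account. The "random-looking name" and "runs from Temp" heuristics are modelled on the two O4 entries quoted in the post, and the policy value names are the usual ones behind those symptoms, not something the thread confirms for this infection.

```powershell
# Added example (not from the thread): triage the autostart locations that the
# HijackThis O4 lines come from, and the policy keys a rogue antivirus commonly
# sets. Run from an administrator prompt; assumes PowerShell 2.0+ on XP.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristics modelled on the two O4 entries in the log: a binary launched from a
# Temp directory, a value name that is a letter-digit jumble, or a command whose
# target no longer exists on disk (already removed, but still set to run).
function Test-SuspiciousAutorun {
    param([string]$Name, [string]$Command)
    $reasons = @()
    # Strip surrounding quotes and any arguments to recover the executable path.
    $exe = ($Command -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    if ($exe -match '\\Temp\\')                   { $reasons += 'runs from a Temp directory' }
    if ($Name -match '^[a-z]*\d[a-z\d]{6,}$')     { $reasons += 'random-looking value name' }
    if (-not (Test-Path -LiteralPath $exe))       { $reasons += 'target file missing' }
    return ,$reasons
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        $why = Test-SuspiciousAutorun -Name $p.Name -Command ([string]$p.Value)
        if ($why) {
            "{0}\{1} = {2}`n    -> {3}" -f $key, $p.Name, $p.Value, ($why -join '; ')
        }
    }
}

# Policy values that hide Task Manager and the Desktop tab of Display Properties
# (both symptoms reported in this thread). A value of 1 means the restriction is on.
# These names are the standard policy values; the thread does not confirm which
# ones this particular infection set.
$policies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'NoDispBackgroundPage' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' }
)
foreach ($pol in $policies) {
    $v = (Get-ItemProperty -Path $pol.Key -Name $pol.Name -ErrorAction SilentlyContinue).($pol.Name)
    if ($v -eq 1) { "Restriction set: {0}\{1}" -f $pol.Key, $pol.Name }
}
```

The script only reports; removing a flagged value (Remove-ItemProperty on the Run key, then deleting the file it points to) is the same two-step fix the post describes, and doing it in that order matters, because a value that survives a reboot simply relaunches the dropper, which is exactly why the earlier Spybot fixes did not stick.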
You are right, it didn't delete the virus. This morning when I turned on my computer it popped up that annoying XP antivirus message, and my browser was still being redirected when I clicked on the search link. None of the links to the anti-spyware programs suggested here would work when I clicked on them.

So anyway, I tried downloading them through another computer, saved them on a USB stick, then transferred and installed both the malware and the anti-spyware programs on here to run. And wow, did it find a lot of those trojans etc. I then clicked on remove/fix etc., and now things are working as before, or so I think. And that annoying pop-up does not show when I start my computer.

I have attached all the logs below. By the way, when I ran the malware detection program it said some of the things could not be deleted (attached a pic below).

Please let me know if there are some nasties that still exist and that I need to get rid of.

Thanks,
simran
 

Attachments

  • cannot remove.jpg
By the way, when I ran the malware detection program it said some of the things could not be deleted.

The programs couldn't be deleted as something was accessing them, but when you restarted your system they were deleted. Look at the message again:



Did you follow the instructions on how to repair your desktop?
It seems as if Malwarebytes fixed it. Let me know.

You need to update to XP SP3. SP2 is no longer supported; therefore it is highly at risk.

If you are still having problems with Internet Explorer, try this:
RIES (IE6)

Tools > Internet Options > Programs tab > click 'Reset Web Settings'.

Also, you need to install IE7. I suspect that you are in New Zealand, so click the appropriate link: http://www.microsoft.com/windows/products/winfamily/ie/worldwide.mspx, and/or install Firefox: http://www.mozilla.com/en-US/firefox/?utm_id=Q108&utm_source=google&utm_medium=ppc&gclid=CKu0ouLO65UCFQVxFQodojUpgA

Keep me updated on the latest. I've gotta run.
 
Yes, thank you, the desktop has been fixed, and the browser doesn't have that redirect problem either. Both were fixed when the malware and spyware programs deleted those trojans etc.

I have now updated my Firefox browser to the latest one and updated to IE7; I am also currently downloading XP SP3.

I tried to cancel some programs during startup, such as HP digital monitoring, Daemon Tools, among other things, to speed up the computer during startup. When I unchecked the boxes I got the following message: "An access denied error was returned while attempting to change a service. You may need to log on using an administrator account to make the specified changes". I don't know why I get this error; this is the only account on this computer and I have admin access. From what I remember, I don't think I have received such a message previously when I cancelled programs during startup. I'm confused... have some account settings been changed due to that virus?

I have now installed SP3. Just a note: during installation there were several memory reference errors ("memory could not be read") for some .exe files etc., I would say about 20 or so. For each of the errors I clicked OK and it let me continue with the installation. This other error also pops up now when I start my computer (attached pic 'error'). What is the error for?

As far as I can see at the moment my system seems to be working fine, other than still having that access denied error which I mentioned in my previous post, which was also present prior to installing XP SP3.

So I guess I'll continue using the system as is with SP3; if I later find some problems and errors with applications, then I will restore my system to before SP3 was installed. Or do you think I should restore my system to before SP3 now, due to all these errors?

All this is quite confusing lol
simran
 
The wlanapi.dll error message is related to your wireless device driver. XP SP3 comes with a file of the same name (wlanapi.dll) that is placed in the same directory during the SP3 installation; therefore it replaced the one associated with your wireless device, thus the error message. Microsoft suggests that anyone with this problem should update their network device driver with one that is SP3 compatible.
More here: http://support.microsoft.com/kb/950720
If you are unable to find an SP3 compatible driver, I suggest that you roll back SP3 to SP2 by going to Start > Control Panel > Add/Remove Programs > click 'Show updates' > select SP3 > click Remove. A System Restore would also get the job done. A rollback via the Control Panel method is preferred, as System Restore may or will restore corrupted files if any existed.

I tried to cancel some programs during startup, such as HP digital monitoring, Daemon Tools, among other things, to speed up the computer during startup. When I unchecked the boxes I got the following message: "An access denied error was returned while attempting to change a service. You may need to log on using an administrator account to make the specified changes".
Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

This seems to be the reason for the access denied message that you are receiving.

Try this: run RegEdit.
Under HKLM\System\CurrentControlSet\Services\PML Driver HPZ12, click on Start at the right, and then change the DWORD value from 2 (Automatic) or 3 (I believe for Manual) to 4 (Disabled).

Found the information here: http://www.thinkdigit.com/forum/showthread.php?t=42704 (at the bottom of the page).
 
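The registry edit in the post above can be done, and verified, from a script rather than by hand in RegEdit. This is an added example, not from the thread; it assumes PowerShell 2.0 on the XP machine and an administrator prompt, and it targets the 'Pml Driver HPZ12' service named in the HijackThis line quoted above. The Start value meanings are the documented ones (0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled).

```powershell
# Added example (not from the thread): read and change a service's Start value
# under HKLM\SYSTEM\CurrentControlSet\Services, with a read-back check so an
# "access denied" does not pass silently. Assumes PowerShell 2.0+, run as admin.

$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartValue {
    param([Parameter(Mandatory=$true)][string]$ServiceName)
    # The registry key name is the service's short name, as shown by HijackThis.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -LiteralPath $key)) { throw "No service key named '$ServiceName'" }
    $v = [int](Get-ItemProperty -LiteralPath $key -Name Start).Start
    Write-Host ("{0}: Start={1} ({2})" -f $ServiceName, $v, $startTypes[$v])
    return $v
}

function Disable-ServiceStart {
    param([Parameter(Mandatory=$true)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $before = Get-ServiceStartValue -ServiceName $ServiceName
    if ($before -eq 4) { return $true }          # already disabled, nothing to do

    # 4 = SERVICE_DISABLED. This is the same DWORD the post edits in RegEdit.
    Set-ItemProperty -LiteralPath $key -Name Start -Value 4 -Type DWord

    # Re-read rather than trusting the write: a permissions problem on the key
    # is exactly the failure mode behind the msconfig "access denied" message.
    $after = [int](Get-ItemProperty -LiteralPath $key -Name Start).Start
    if ($after -ne 4) { throw "Start value for '$ServiceName' is still $after (access denied?)" }

    # The registry change only takes effect at next boot; stop the running copy now.
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    return $true
}

# Service from the HijackThis O23 line quoted in the post above.
Disable-ServiceStart -ServiceName 'Pml Driver HPZ12'
```

The supported alternative is Set-Service -Name 'Pml Driver HPZ12' -StartupType Disabled, which writes the same value through the Service Control Manager; both routes need administrator rights, and if the manual RegEdit change also fails with access denied, the service key's ACL, not the user account, is what to look at.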
This forum is great!!!!

I updated the driver for my wireless network adapter and changed the registry setting as suggested. Now I don't get that error message when I start the computer, and there's also no access denied error message when I change settings for startup files :)

Just to be on the safe side I created another HijackThis log. Can someone please have a look and let me know if there are any unknown programs etc. running?

Otherwise I think the laptop is back on track. I have just been lazy and did not want to format the hard drive, as you can understand it will take hours reinstalling all the software, although deleting malware etc. is no short and easy task either. But I just need to sort out the files I have on the C drive, which ones I want to keep etc.

Anyway, thanks a lot for all the help given :D
 

Attachments

  • _hijackthis.txt
You are good to go. You have been very good at providing information on the various issues; thus you have gotten a favorable result.
I am glad I was able to help you. :)
 
Hope I'm not imagining things, but I'm pretty sure there was a post telling me to delete an entry based on my HJT log, and it's not there anymore? I had quickly browsed this thread from uni, came home to look at what the entry was for, and now I can't find it.

I also did a scan using AVG and there are no viruses or anything, but some changes come up during the scan. Is it anything I should worry about or that should be fixed? (pic attached)

Thanks.
 
This is the entry that I told you to delete:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

This is associated with Windows Live Messenger. HJT has shown that there are no files currently using this entry; therefore it can be safely deleted. If you have uninstalled Windows Live Messenger, then you can go ahead and delete the entry.
 