Help needed on getting rid of STARTPAG.RE virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by gtiffany, Nov 10, 2005.

  1. gtiffany

    gtiffany Private E-2

    I have been struggling to remove an infestation of Troj_STARTPAG.RE from my computer system for most of this week. I have also seen evidence of SpySheriff, about:blank, and CWS on the system. I’ve read your READ ME FIRST article and have followed it, and have looked through various threads on how to remove these viruses, have tried many options suggested, and have had some success, but now need advice as to how to proceed further.

    I’m running Windows XP Media Center Edition, version 2002, fully patched, HP Pavilion, AMD Athlon 64 3500+, 2.19 GHz, 896MB RAM, with hard drive partitioned to C: and D:, and various removable drives for memory cards, etc. Software includes Trend Micro’s PC-Cillin suite with firewall. There is also a hardware firewall in my router.

    Here’s what I’ve done so far:
    In Normal Mode, I’ve run virus scans with PC-Cillin, which identifies Troj_STARTPAG.RE every time I open my IE browser and quarantines it. I’ve also run CounterSpy numerous times and it has identified the CWS virus and quarantined and deleted those, but they keep coming back. I also ran Norton's web-based virus scanner and it identified two files as being infected. I have also turned off System Restore. Hidden files, system files, and file extensions are viewable. The modem cable is disconnected from the machine.

    I went into Safe Mode last night and did the following:
    1. Ran services.msc to look for Network Security Service, Workstation Netlogon Service, and Remote Procedure Call (RPC) Helper. None of these were present.
    2. Ran Ccleaner on Default Scan – it cleaned out files.
    3. Ran Ad-Aware 1.06 – it found nothing.
    4. Ran CounterSpy – it found instances of CWS and deleted them. Log attached.
    5. Ran CWShredder – it found nothing.
    6. Ran smitRem and allowed it to run Disk Cleanup. Log attached.
    7. Ran HSremove – it found and deleted 8 files, but didn’t tell me what they were.
    8. Ran CounterSpy again – it found nothing. Log attached.
    9. Ran Ewido Security Suite – it found and quarantined 25 files. Log attached.
    10. Ran CounterSpy again – it found nothing
    11. Ran HijackThis – file attached.
    (All logs mentioned above have been combined into one attached text file.)

    The computer is still in Safe Mode at this time. I'm posting this from my office computer. I do apologize for one thing. I didn't notice until I reread the instructions prior to posting that HijackThis should have been run under Normal Mode (although I do remember seeing something in one of the threads to run it in Safe Mode). If you can review the HijackThis log (from Safe Mode) and tell me how to proceed from here, that would be great, but if you need a log from Normal Mode, I can run it and post it later tonight.

    Thank you for your help.

    gtiffany
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis
     
  3. gtiffany

    gtiffany Private E-2

    Thank you, Shadow_Puter_Dude, for replying to my inquiry. I've also had input from another source on this problem and believe that it is almost corrected. Here's where I am at present:

    Fixed the following two entries in HijackThis:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing

    Installed and ran cwsserviceremove.reg.
    I rebooted and ran the online Panda ActiveScan and it found two infections:
    Adware:adware/spysheriff No disinfected Windows Registry
    Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfcco.exe

    ActiveScan did not give me a choice to clean or delete the entries. I then ran CounterSpy and Ad-Aware, but neither found any indication of infection. I then ran Ewido Security Suite and it found the mfcco.exe file and deleted it. The SpySheriff instance is apparently still in the registry.

    I then re-ran HijackThis. I have appended the ActiveScan report and the Ewido report to the beginning of the latest HijackThis scan for your review. What additional suggestions do you have?

    gtiffany
     

    Attached Files:
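The two HijackThis lines fixed above (R0 Start Page and R3 URLSearchHook) are just reports of registry values, so they can be audited directly. The following PowerShell script is an added example for this page, not code from the thread or from HijackThis: it reads the Internet Explorer Main values that HijackThis reports as R0/R1 lines and the URLSearchHooks key it reports as R3, resolves each hook CLSID to its DLL, and flags anything not on a small allow-list. The allow-list is an assumption for illustration; the default-hook CLSID is the stock Microsoft URL search hook that HijackThis restores when it says "Default URLSearchHook is missing".

```powershell
# Added example (not from the thread): audit the registry values behind
# HijackThis R0/R1 (Start/Search Page) and R3 (URLSearchHook) lines.
# Run in a normal PowerShell prompt; read-only, nothing is changed.

# Allow-list of hosts considered legitimate home/search pages (assumption).
$allowedHosts = @('www.msn.com', 'www.google.com', 'about:blank')

# Keys HijackThis reads for R0/R1 lines (machine-wide and per-user).
$mainKeys = @(
  'HKLM:\Software\Microsoft\Internet Explorer\Main',
  'HKCU:\Software\Microsoft\Internet Explorer\Main'
)
$valueNames = @('Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL', 'Local Page')

function Get-UrlHost([string]$url) {
  # about:blank and friends have no host; compare them literally.
  if ($url -match '^about:') { return $url }
  try { return ([System.Uri]$url).Host } catch { return $url }
}

foreach ($key in $mainKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($name in $valueNames) {
    $val = $props.$name
    if (-not $val) { continue }
    $flag = if ($allowedHosts -contains (Get-UrlHost $val)) { 'ok    ' } else { 'REVIEW' }
    '{0} {1}\{2} = {3}' -f $flag, $key, $name, $val
  }
}

# R3 lines: every CLSID listed under URLSearchHooks is loaded by IE whenever
# a non-URL is typed in the address bar, which is why hijackers register one.
$hookKey     = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
$defaultHook = '{CFBFAE00-17A6-11D0-99CB-00C04FD64497}'   # stock Microsoft hook (shdocvw/ieframe)

if (Test-Path $hookKey) {
  $hooks = (Get-Item $hookKey).GetValueNames()
  foreach ($clsid in $hooks) {
    $serverKey = "HKLM:\Software\Classes\CLSID\$clsid\InProcServer32"
    $server = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $server) { $server = '(no file)' }
    $flag = if ($clsid -eq $defaultHook) { 'ok    ' } else { 'REVIEW' }
    '{0} URLSearchHook {1} -> {2}' -f $flag, $clsid, $server
  }
  if ($hooks -notcontains $defaultHook) { 'REVIEW Default URLSearchHook is missing' }
} else {
  'REVIEW URLSearchHooks key is absent'
}
```

Anything marked REVIEW is worth comparing against the HijackThis log; a hook whose InProcServer32 points outside %SystemRoot%\system32, or a Start Page that points at a cleanup tool's page (as in the log above), is the kind of entry the fix in the post removed.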

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post both logs as attachments
     
  5. gtiffany

    gtiffany Private E-2

    As requested, I downloaded, extracted, and ran the Qoologic2.bat. The log file is attached.

    I also downloaded and extracted the rktool.bat file, rebooted to Safe Mode, and ran it. The log file from that is attached also.

    Please let me know what else, if anything, needs to be done.

    Thank you.

    gtiffany
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode. Run CCleaner before doing the below.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
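The "Delete on Reboot" option and the "Pending Operations" error mentioned in the post above both come from one Windows mechanism: a tool calls MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, Windows records the request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager performs the delete early in the next boot, before the file can be locked or re-dropped by running malware. The PowerShell below is an added example for this page, not code from Pocket Killbox or the thread: it queues a delete the same way and lists what is currently pending, which is how to see what a tool has scheduled when it reports pending operations. The file path in the usage line is taken from the Panda report earlier in the thread and is only an illustration; queuing a delete requires an elevated prompt.

```powershell
# Added example (not from the thread): schedule a file for deletion at next
# boot the way Killbox-style tools do, and inspect the queue Windows keeps.

Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Add-DeleteOnReboot([string]$Path) {
  # A null destination combined with MOVEFILE_DELAY_UNTIL_REBOOT means
  # "delete this file during the next boot". Needs administrator rights.
  $ok = [Win32.NativeMethods]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
  if (-not $ok) {
    $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $msg  = (New-Object System.ComponentModel.Win32Exception $code).Message
    throw "MoveFileEx failed for '$Path': $msg"
  }
}

function Get-PendingFileRenameOperations {
  # The value is a REG_MULTI_SZ of source/destination pairs; an empty
  # destination means the source is deleted rather than renamed. Source
  # paths are stored in NT form (\??\C:\...), stripped here for readability.
  $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
  $ops = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
  if (-not $ops) { return @() }
  for ($i = 0; $i -lt $ops.Length; $i += 2) {
    $dst = $ops[$i + 1]
    [pscustomobject]@{
      Source      = $ops[$i] -replace '^\\\?\?\\', ''
      Destination = if ($dst) { $dst -replace '^\\\?\?\\', '' } else { '<delete>' }
    }
  }
}

# Usage (assumed path from the earlier scan report; run elevated):
# Add-DeleteOnReboot -Path 'C:\WINDOWS\system32\mfcco.exe'
Get-PendingFileRenameOperations | Format-Table -AutoSize
```

Two practical notes: the queue is processed only on a real reboot (a logoff or safe-mode switch without restarting leaves it untouched, which is why the post says to reboot yourself if the tool does not), and because PendingFileRenameOperations is processed before most services start, it is also a place worth checking on a compromised machine, since malware can use the same mechanism to replace files on the next boot.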
     
  7. gtiffany

    gtiffany Private E-2

    As requested, I ran KillBox and deleted the specified file. I then booted to Safe Mode and looked for the specified file, but it was not there. I ran CCleaner and deleted the contents of C:\Windows\Prefetch, then ran cleanmgr and deleted the specified files.

    I re-booted to Normal Mode, ran CCleaner again and then ran WinPFind. The log is attached.

    One question that I neglected to ask in my previous post -- you had me run RKFiles Tool. When it ran, I saw a notice that it was adding a file called strings.exe to my Startup folder. What is that program and why is it needed?

    Thank you.
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    That log looks fine. Please post a fresh HijackThis log.
     
  9. gtiffany

    gtiffany Private E-2

    I ran a new HijackThis scan. The log is attached.
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean. How is your system running?
     
  11. gtiffany

    gtiffany Private E-2

    My computer seems to be running fine. I haven't noticed any anomalies in the past few days. Hopefully, it's fixed.

    Thank you for your help.

    gtiffany
     
