Spyware/Virus Problem

I am having a problem with my computer.

The symptons include:
-resetting the default home page in Explorer this seems to change between 1-3 pages
-I have a win min end task error when I try to restart or shutdown
-new favorite websites are added to my list. (it is the same four every time)
-I was getting a .dll error when restarting.

I run windows XP and think I got hit before I put all the security patches in place. I just recently upgraded.

I have done all the steps up to 4 in the following thread: http://forums.majorgeeks.com/showthread.php?t=35407

Steps 5 and 6 are new to me and I am not sure I understand how all that works. When I ran all the steps mentioned in the thread above, only the trend micro scan found anything. It found 3 viruses which where then deleted. Adaware SE also found 13 negligible threats which were also deleted. I am a little unsure as to how to proceed from this point. I have run hijackthis, but am unsure how to interpret the results and use them.

This seems like quite an involved process and I am wondering whether it might be easier to format the drive and reload everything. I have never loaded XP on my own though, so this should be taken into consideration as well.

Thanks in advance for your help.

keyser

 

First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

After doing ALL of the above if you still have a problem:

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed,including your web browser, e-mail. Close before running Hijack This!

Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

here is my log file.

As I mentioned above, I have completed steps 1-4 in the thread you mentioned and am a little confused that I have completed the highjack this step correctly.

Also after we get this problem corrected, is there anyway to verify that my system is secure?

Thanks.

Keyser

 

I have looked at your log it looks fine to me except for the "Party Poker" is this something you use or know what it is?

Are you still experiencing problems after complete the steps in the sticky thread?

 

I had done all 6 steps at the thread listed below and thought that I had gotten rid of all my problems. I hadn't noticed any new symptons, but I wanted to go back throught the steps a second time and make sure I hadn't missed anything. When I started with house call I immediately had a new (or old problem). Here are the results of the second time.

I have followed steps 1-4 at this thread:

http://forums.majorgeeks.com/showthread.php?t=35407

Here are the results I obtained:

Housecall

Found: TROJ STRTPAGE.U
non-cleanable, c:\\WINNT\system32\ndtmlrocdr.dll

deleted

Symantec Virus Scanner

0 files infected

Stinger

nothing

Adaware SE

nothing critical only 2 negligible items, deleted both (I can provide their exact names and location if necessary)

Spybot SD

CoolWWWSearch.WinProc32 C:\WINNT\system32\favico.dat

delete/fixed

CWSShredder

none infected
0 restored
CWS not found

Kill2Me

No signs of it, but look2me was removed if present

About:Buster

No Ads found on this system
attempted clean of temp folder
pages reset done

second scan got same results

HS Remove

8 items removed

I was wondering if anyone can help me figure out why these steps were ineffective the first time and what I might be able to do to fix it. Some other pertinent information was that I ran hijack this and deleted the suspect files, I then post the new Hijack this file and someone replied and said that it looked ok to him.

Thanks in advance for your help with this vexing problem.

Keyser

 

My apologies for creating a new thread. I created a new thread because the other one did not contain much information and I thought it might be confusing to anyone trying to help me.

There is a problem because I had cleaned everything and used hijack this to solve all the problems. However, when I went to run another scan I had another virus, which was detected by housecall. It seems to me that this was probably another regeneration and not a new infection as I haven't really done anything with the computer since I cleaned it. I thought that I probably hadn't really solved the old problem, and this was a continuation of it. I provided the old information along with the new as I assumed that all these things that are occuring are part of a larger problem.

Thanks for your help in advance.

Keyser

 

Here is the hijack this log. Thank you so much for you help.

 

The first file is says it is associated with Secureexam Student 4.10.00. This is a program that I have installed on my computer.

The second file I cannot find. The I have just recently installed Roller Coaster Tycoon 3. So maybe that is what it is.

Partypoker is an online game I play.

As far as problems that I am having:

I haven't experienced any problems since the initial clean. I wanted to be sure that everything was "clean", and re-ran micro trend housecall. When I did that, it found a virus called TROJ STRTPAGE.U. I deleted that file and then continued with the cleaning process detailed at http://forums.majorgeeks.com/showthread.php?t=35407. I completed through step 4 and then posted my HJT log, which is what you just looked at. The results of my second cleaning process are detailed below. I have tried to minimize my use of the infected/trouble computer so as to mimimize any reinfection (I have a second computer). This is why possibly I haven't experienced many symptons after the initial cleaning.

As far as what started all this: I was running Windows NT and decided to upgrade to XP. When I did, I thought that the installation process also went and got all the updates. I was severely mistaken, and that is when I became infected. The symptons that I began to experience where:
1) unknown programs were installed
2) my homepage was changed (and changed back after trying to change it)
3) my favorites list had things added to it
4) My automatic updates setting kept getting changed to off.


Now there are some files that I don't recognize, but I am not sure whether they might have always been there. Also in my C:\WINNT there are several folders that are strange looking like: $hf_mig$ and $NtServicePackUninstall$.

Thanks again for all your assistance and time.

Keyser

 

I believe that partypoker is relatively safe. I have been using it for quite a while and have not had any problems. This major infection occurred long after I had installed and used partypoker and this infection did not seem to coincide with any software upgrades required by partypoker.

Yes, I think that there are no problems. I hope that we have gotten rid of them. I will use the computer some and then run through the cleaning steps and make sure there are no signs of an infection.

Thanks again so much for your time and help.

Keyser

 

Yes from time to time. I assumed it was as they added new features/services.