Virus or something else?

  jasg 13:39 05 Jun 09
OK, this is a complicated one so I will explain in stages.

Windows XP Pro Service Pack 2, Internet Explorer 8 and Outlook 2000, latest Firefox.

1st symptom.

Lost sound for music and games, operating system notifications OK. Noticed the Windows Audio service had stopped and had to be restarted manually each time the PC started. Fixed by setting the service to restart on 1st, 2nd, 3rd failure etc.

2nd, Google searches get redirected to miscellaneous websites; it does not matter whether Firefox or IE is used.

3rd, Outlook opens but as soon as mail opens it immediately closes down. Originally used Outlook Express but changed to Outlook to try and cure it, but no change.

4th, IE 6 closes within 30 secs of opening; fixed this by loading IE8, seems stable now.

I have run dozens of virus scans using 10 different scanners and although things were found and fixed, nothing helped with this. Including Avast, Nero, AVG, McAfee and others.

I have run several spyware/malware scans using what seems like dozens of different scanners, results as per the virus scans. Including Malwarebytes, Ad-Aware, Spybot, ComboFix, HijackThis (nothing obvious shown), McAfee, and others.

In addition, whatever the infection is, it also seems to block access to certain security websites.

I have also tried safe mode for all the scans and made sure they are totally up to date, to no effect.

Now after nearly four days trying to fix this and a stinking headache as a result, does anyone have any idea as to what to try next? I am seriously considering a total format, although if I can I obviously want to avoid it.

With thanks in anticipation of someone having a brainwave!

  GANDALF <|:-)> 13:43 05 Jun 09

SuperAntiSpyware, free version? click here. AV scanners will not help.

G

  GANDALF <|:-)> 13:44 05 Jun 09

PS: you may have to download onto another computer and copy onto a memory stick.

G

  jasg 13:49 05 Jun 09

Tried it, no help.

  GANDALF <|:-)> 14:13 05 Jun 09

No point faffing about....reformat.

G

  mfletch 15:12 05 Jun 09

Here is one to try, it's very good:

DrWeb-CureIt

Please Download DrWeb-CureIt from here click here & save it to your desktop.

1/ Double-click on drweb-cureit.exe and then click Start.
2/ An information notice will appear, click OK.
3/ This starts a short scan that will scan the files currently running in memory.

PS/ If you get a prompt to buy the full version, just exit out of the window; DrWeb will still work.

4/ If or when something is found, click the Yes button when it asks you if you want to cure it.

5/ Once the short scan has finished and you're back at the main window, select the Complete scan button and then click the green arrow to start the scan.

6/ Click Yes to all if it asks if you want to cure/move any file(s).

7/ When the scan is done.

8/ In the Dr.Web CureIt menu on the top left, click File and choose Save report list.

9/ Save the DrWeb.csv report to your Desktop.

10/ Exit Dr.Web CureIt and reboot the computer.

  jasg 13:54 06 Jun 09

MFLETCH, thanks for the link; it's slow but it did find a few things that the others missed. It solved the Outlook issue so just the redirects to sort now!

Many Thanks

  kidsis 14:58 06 Jun 09

Can you let us see the HijackThis report so we can see if anything looks iffy?

  mfletch 15:47 06 Jun 09

A log would be good to look at.

HijackThis 2.0.2 click here

Download and do a quick scan with the free version of this,

MBAM/ Malwarebytes/ Antimalware click here

Let us know what it finds.

  jasg 16:21 06 Jun 09

Cheers for the help guys, HijackThis log below. 2 or maybe 3 parts!

Part 1

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:11:03, on 06/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\WINDOWS\System32\rmctrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

  jasg 16:22 06 Jun 09

Part 2

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = click here
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = click here
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\WINDOWS\System32\rmctrl.exe"
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
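The log above is reviewed by eye in the thread. As an added example (not from this thread and not part of HijackThis itself), here is a small Python triage script that applies a few of the checks a reviewer makes when reading lines in that format: orphaned "(file missing)" entries, Trusted Zone entries, start/search pages pointing at unexpected hosts, and O4 autoruns that launch from user-writable folders or by bare filename. The heuristic lists, the sample log lines and the example.invalid URL are constructed for this example.

```python
import re
HJT_LINE = re.compile(r"^([RFO]\d+) - (.*)$")  # HijackThis "CODE - body" form (R0/R1, O2, O4, O9, O15...)
# Autorun locations a reviewer wants explained, and plausible IE start/search defaults
# (both constructed heuristic lists for this example, not exhaustive).
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")
KNOWN_HOSTS = ("microsoft.com", "msn.com", "live.com", "google.com")

# Constructed sample in HijackThis 2.0.2 format (not the thread's full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://example.invalid/search
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O15 - Trusted Zone: http://*.mcafee.com
"""
def run_target(body):
    """Executable path from an O4 '[name] command' body, ignoring trailing switches."""
    cmd = body.split("]", 1)[-1].strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]  # quoted path, may contain spaces
    return re.split(r"\s+[/-]", cmd)[0]  # unquoted path up to the first switch

def triage_line(line):
    """Return review notes for one HijackThis line; empty list when nothing stands out."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    code, body = m.groups()
    notes = []
    if "(file missing)" in body.lower():
        notes.append("orphaned entry: target file is missing, safe to clean up")
    if code == "O15":
        notes.append("Trusted Zone entry: IE applies relaxed security settings to this site")
    if code in ("R0", "R1"):
        url = body.split("=", 1)[-1].strip().lower()
        if url.startswith("http") and not any(h in url for h in KNOWN_HOSTS):
            notes.append("start/search page points to a non-default host: " + url)
    if code == "O4":
        path = run_target(body)
        if path and any(d in path.lower() for d in SUSPECT_DIRS):
            notes.append("autorun launches from a user-writable location: " + path)
        elif path and "\\" not in path:
            notes.append("autorun is a bare filename resolved via the search path; verify where it lives")
    return notes

def triage_log(text):
    """Flagged lines as [{'code', 'line', 'notes'}], in log order."""
    hits = [(line, triage_line(line)) for line in text.splitlines()]
    return [{"code": l.split(" ", 1)[0], "line": l, "notes": n} for l, n in hits if n]
```

A note is a prompt to verify, not a verdict: the bare-filename check fires on a legitimate Realtek entry like the one in the thread, and the reviewer still has to confirm where the file actually lives.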
