Virus or something else?

  jasg 13:39 05 Jun 2009

Ok this is a complicated one so will explain in stages,

Windows XP Pro Service Pack 2. Internet Explorer 8 and Outlook 2000, latest Firefox.

1st symptom.

Lost sound for music and games, op system notifications ok. Noticed windows audio service had stopped and had to be restarted manually each time PC started. Fixed by setting the service to restart on 1st, 2nd, 3rd failure etc.

2nd Google searches get redirected to miscellaneous websites, does not matter if Firefox or IE used.

3rd Outlook opens but as soon as mail opens immediately closes down. Originally used Outlook Express but changed to Outlook to try and cure but no change.

4 IE 6 closes within 30 secs of opening, fixed this by loading IE8, seems stable now.

I have run dozens of virus scans using 10 different scanners and although things were found and fixed nothing helped with this. Including Avast, Nero, AVG, McAfee and others.

I have run several spyware/malware scans using what seems like dozens of different scanners, results as per the virus scans. Including Malwarebytes, Ad-Aware, Spybot, ComboFix, HijackThis (nothing obvious shown), McAfee, and others.

As an addition, whatever the infection is it also seems to block access to certain security websites.

I have also tried safe mode for all the scans and made sure they are totally up to no effect.

Now after nearly four days trying to fix this and a stinking headache as a result does anyone have any idea as to what to try next? I am seriously considering a total format although if I can I obviously want to avoid it.

With thanks in anticipation of someone having a brainwave!

  GANDALF <|:-)> 13:43 05 Jun 2009

SUPERAntiSpyware, free version? click here. AV scanners will not help.


  GANDALF <|:-)> 13:44 05 Jun 2009

May have to download onto another computer and copy onto a memory stick.


  jasg 13:49 05 Jun 2009

Tried it no help.

  GANDALF <|:-)> 14:13 05 Jun 2009

No point faffing about....reformat.


  mfletch 15:12 05 Jun 2009

Here is one to try, it's very good,


Please Download DrWeb-CureIt from here click here & save it to your desktop.

1/ Double-click on drweb-cureit.exe and then click Start
2/ An information notice will appear, click OK.
3/ This starts a short scan that will scan the files currently running in memory.

PS/ If you get a prompt to buy the full version just exit out of the window DrWeb will still work.

4/ If or when something is found, click the Yes button when it asks you if you want to cure it.

5/ Once the short scan has finished and you're back at the main window, select the Complete scan button and then click the Green arrow to start the scan,

6/ Click Yes to all if it asks if you want to cure/move any file(s).

7/ When the scan is done.

8/ In the Dr.Web CureIt menu on top left, click File and choose Save report list

9/ Save the DrWeb.csv report to your Desktop

10/ Exit Dr.Web Cureit and Reboot the computer.

  jasg 13:54 06 Jun 2009

MFLETCH thanks for the link, it's slow but it did find a few things that the others missed. It solved the Outlook issue so just the redirects to sort now!

Many Thanks

  kidsis 14:58 06 Jun 2009

Can you let us see the HijackThis report so we can see if anything looks iffy?

  mfletch 15:47 06 Jun 2009

A log would be good to look at,

HijackThis 2.0.2 click here

Download and do a quick scan with the free version of this,

MBAM/ Malwarebytes/ Antimalware click here

Let us know what it finds.

  jasg 16:21 06 Jun 2009

Cheers for the help guys hijackthis log below. 2 or maybe 3 parts!

Part 1

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:11:03, on 06/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\\Agent\mcagent.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

  jasg 16:22 06 Jun 2009

Part 2

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = click here
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = click here
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\WINDOWS\System32\rmctrl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*

This thread is now locked and can not be replied to.
