Topic: Virus turns volume down, makes browser click noise?

santacruztodd

  • Guest
Virus turns volume down, makes browser click noise?
« on: July 16, 2010, 06:12:20 PM »
Hello good people:

Well, here are the symptoms as I know them. I have tried Malwarebytes and it found this virus once, but it is now back and not being caught by Malwarebytes. This virus turns the wave/MP3 volume all the way down. I get random ads on audio at times, and although I use Firefox, I get IE ads popping up in the tabs. There is an occasional clicking sound, like when you hit the back button in your browser. I get a "Congratulations, you won!" audio here and there. I run Windows XP btw on a PC. I believe that it has disabled my AVG completely. Any help is much appreciated - maybe I need to run Malwarebytes in safe mode??? I will post the quarantine log for when the virus was detected:

Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/13/2010 4:38:04 PM
mbam-log-2010-07-13 (16-38-04).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 247378
Time elapsed: 3 hour(s), 48 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AppDataLow\HavingFunOnline (Adware.BHO.FL) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\setups (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Todd Gellman\My Documents\Downloads\ZwinkySetup2.3.67.1.SA.HP.ZJfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\Cache\0162DE8E.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Jtaylor83

  • Guest
Re: Virus turns volume down, makes browser click noise?
« Reply #1 on: July 16, 2010, 06:44:46 PM »
This forum is for people who use avast!. Please use the AVG forums.

Since this is a "Black Internet" infection, we will have to check the MBR to see if there's an unknown boot code.


Please download MBRCheck.exe to your desktop.

    * Be sure to disable your security programs
    * Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
    * A window will open on your desktop
    * If an unknown bootcode is found, you will have further options available to you; at this time press N, then press Enter twice.
    * If nothing unusual is found just press Enter
    * A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
    * Please post the contents of that file.

santacruztodd

  • Guest
Re: Virus turns volume down, makes browser click noise?
« Reply #2 on: July 16, 2010, 07:08:43 PM »
MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

      Size  Device Name          MBR Status
  --------------------------------------------
     28 GB  \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!  Press ENTER to exit...


Jtaylor83

  • Guest
Re: Virus turns volume down, makes browser click noise?
« Reply #3 on: July 16, 2010, 07:14:18 PM »
Now the bootkit remover log before we create a batch file.

Please download Bootkit Remover from esage lab to your Desktop.

This is a rar file. If you don't have an extraction program to open it, use 7-Zip or Peazip.

* Extract Remover to your desktop
* Right click Remover and select Run as Administrator
* It will show a Black screen with some data on it
* Right click on the screen and click Select All
* Press Ctrl+C (on keyboard) to copy the data
* Open a notepad and press Ctrl+V to paste the data

Please copy/paste the log in the next post.

santacruztodd

  • Guest
Re: Virus turns volume down, makes browser click noise?
« Reply #4 on: July 16, 2010, 07:32:05 PM »
MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

      Size  Device Name          MBR Status
  --------------------------------------------
     28 GB  \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!  Press ENTER to exit...

Dijidog

  • Guest
Re: Virus turns volume down, makes browser click noise?
« Reply #5 on: July 16, 2010, 07:46:14 PM »
You should use Avast, Ewido and MBAM... oh yeah... SUPERAntiSpyware

Jtaylor83

  • Guest
Re: Virus turns volume down, makes browser click noise?
« Reply #6 on: July 16, 2010, 08:00:24 PM »
Run MBRCheck.exe again, this time press Y for more options and press enter.

Select option 2 "Restore the MBR of a physical disk with a standard boot code."

After that post the log, restart your computer to complete the fix.

santacruztodd

  • Guest
Re: Virus turns volume down, makes browser click noise?
« Reply #7 on: July 16, 2010, 09:07:51 PM »
I'm getting this response asking to enter physical disk number to fix (0-99, -1 to cancel) -not sure what to do for disk number?

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

      Size  Device Name          MBR Status
  --------------------------------------------
     28 GB  \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:
  [1] Dump the MBR of a physical disk to file.
  [2] Restore the MBR of a physical disk with a standard boot code.
  [3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel):



Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus turns volume down, makes browser click noise?
« Reply #8 on: July 16, 2010, 09:13:01 PM »
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you Enter your choice: enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems.  Please enter 1 for Windows XP, and then press Enter.
  • The program will prompt for confirmation.  Type 'YES' and hit Enter.
  • Left click on the title bar (where program name and path is written).
  • From the menu choose Edit -> Select All
  • Hit the Enter key on your keyboard to copy selected text.
  • Paste that text into Notepad, save it to your desktop as "MBRCheck results.txt"
  • Restart your PC.
  • Post the text in "MBRCheck results.txt" here, please.

santacruztodd

  • Guest
Re: Virus turns volume down, makes browser click noise?
« Reply #9 on: July 16, 2010, 11:29:02 PM »
This is it-thank you!

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

      Size  Device Name          MBR Status
  --------------------------------------------
     28 GB  \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:
  [1] Dump the MBR of a physical disk to file.
  [2] Restore the MBR of a physical disk with a standard boot code.
  [3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
 [ 0] Default (Windows XP)
 [ 1] Windows XP
 [ 2] Windows Server 2003
 [ 3] Windows Vista
 [ 4] Windows 2008
 [ 5] Windows 7
 [-1] Cancel

Please select the MBR code to write to this drive: 1

Do you want to fix the MBR code?  Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!  Press ENTER to exit...
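
Reply #1 asks for a check of the MBR for unknown boot code, and the MBRCheck menu above offers to dump the MBR to a file. As an added illustration (not MBRCheck's code and not part of the thread), this Python example parses a 512-byte sector-0 dump using the standard MBR layout and compares a hash of the boot code against an allowlist. The function names are hypothetical, and the sample sectors and the allowlist are constructed stand-ins.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0-439: bootstrap code
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510-511

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector-0 dump into the fields a reviewer compares."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        # The per-disk signature at 440-443 is excluded from the hash so the
        # same boot code hashes identically on different disks.
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }

def classify(sector: bytes, known_good: set) -> str:
    """Return 'invalid', 'known-good' or 'unknown' for the boot code."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid"
    return "known-good" if info["boot_code_sha256"] in known_good else "unknown"

def build_sample(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Constructed test sector: given code bytes, one active NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, disk_sig)  # constructed disk signature
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 58717827)
    sector[510:512] = BOOT_SIG
    return bytes(sector)

# Constructed stand-ins, NOT real Windows or malware boot code.
REFERENCE = build_sample(b"\xfa\x33\xc0" + b"\x90" * 100)
MODIFIED = build_sample(b"\xfa\x33\xc0" + b"\x90" * 99 + b"\xcc")
KNOWN_GOOD = {parse_mbr(REFERENCE)["boot_code_sha256"]}
```

An "unknown" result only means the boot code is not on the allowlist; a real allowlist would hold hashes taken from trusted installation media for each operating system version.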

Jtaylor83

  • Guest
Re: Virus turns volume down, makes browser click noise?
« Reply #10 on: July 16, 2010, 11:45:49 PM »
Are you experiencing any more problems?

Offline essexboy

Re: Virus turns volume down, makes browser click noise?
« Reply #11 on: July 16, 2010, 11:50:47 PM »
Good tool huh - Ta AD_13 who made it  ;D

santacruztodd

  • Guest
Re: Virus turns volume down, makes browser click noise?
« Reply #12 on: July 17, 2010, 06:33:05 AM »
I owe youz guyz a big thank you-problem solved. My heartfelt appreciation-thank you!

Todd

Jtaylor83

  • Guest
Re: Virus turns volume down, makes browser click noise?
« Reply #13 on: July 17, 2010, 06:45:14 AM »
Uninstall AVG and install avast!.