Suspected infection - cannot find to disinfect

My main computer has started intermittently playing the Windows ‘Asterisk’ sound at random intervals. Most times, this is not accompanied by any pop-up system window, but occasionally it asks about needing to format D: before writing to it. D: is an old Linux drive, there are no programs or data that Windows would need access to nor have I ever told Windows to attempt to access that drive. I am taking these attempts to write to D: as evidence of an infection of some sort. I have tried doing an Avast full scan, an Avast boot scan, and an MBAM full scan, none of which find anything untoward but the computer continues to play that sound and attempt to write to D:.

Additional information -
Windows 7 Home Deluxe, SP1
Avast versions 130621-1 8.0.1489, dated 6/23/2013
MBAM version 1.75.0.1300, dated 04/04/2013

Follow the guide and attach the requested logs: http://forum.avast.com/index.php?topic=53253.0

  1. AdwCleaner
  2. Malwarebytes
  3. OTL
  4. aswMBR

When done, removal experts will be notified.

Please find requested logs attached. I also note that at this point, the system is identifying my optical drive as D: and the Linux drive as E: and the ‘please format’ messages are for drive E:

Thank you.

As it wouldn’t let me attach this on the previous reply…

Removal experts are notified; it may take hours before one arrives, so be patient.

Hi, first a question: did you install this? [2013/04/04 19:04:40 | 000,000,000 | ---D | M] -- C:\Users\Carnifex\AppData\Roaming\Curse Advertising

Also, when the ding occurs, could you see what is running in Task Manager? Is there a regularity about them, i.e. 15 minutes after start or every few days or so? Thinking along the lines of a job being queued here.

Also, you have the update client running; are you aware of that? O4 - Startup: C:\Users\Carnifex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()

Curse is an add-on manager for World of Warcraft; it tracks which add-ons have newer versions available so that they can be kept fully patched-up and current. If it is a problem, it can certainly be uninstalled; however, it has been installed since around October of 2012, while the sounds and windows have only been occurring for the past week or so.

The sound plays anywhere from once per minute to every 15 minutes, with a random interval. It does seem to be more frequent the more applications are running so possibly the virus has set itself in the registry as a launcher for .EXE files or something?

I will try watching Task Manager.

Sound just played, and got the ‘cannot write to E:’ warning window. Firefox was the only running application, nothing appeared untoward in the processes tab of Task Manager. Will try killing the Curse process and see if that stops the problem.

Aye, my understanding of the client is that it will download and save any patches or updates. Did you have any games on the D drive at one stage?

No. I originally built this system as a Linux box, and later installed a second HD and put Windows on that (and rearranged the SATA cables to make the new drive the first one). I have not touched the Linux HD since Windows was installed. Windows shouldn’t be looking for anything off of C:.

Interestingly - I tried stopping the Yahoo, Curse, and two anti-spyware apps’ processes and the beeping and error message about D:/E: has dropped to nothing. I don’t use YM on this machine (I have an older box I use as a comms server for that) so will plan to uninstall that completely. Curse is useful, but I suspect it wouldn’t hurt it to be uninstalled and a fresh copy installed from the maker’s site, as this one seems to be possibly compromised.

Thanks for that. I did not see any apparent malware in the logs.

Have determined that the beeping in question is from when Windows dismounts, remounts, and attempts to access my old Linux drive. A beep for each, and a warning window only on the last. What remains unsolved is just why Windows decided to start trying to reach this volume after a year or so of ignoring it (as it should) and how to tell Windows to resume ignoring it. The latter question has been posted to MS technical support, and I do thank you all for your help in getting this far.

If you find an answer and remember, could you post it here in case I come across it again?

I haven’t been able to find an answer, unfortunately. One MS tech who couldn’t grasp the idea of two separate hard drives instead of two partitions, which invalidated his stock ‘bad sectors’ answer, was as close as I got.