Virus turns volume down, makes browser click noise?

Hello good people:

Well, here are the symptoms as I know them. I have tried Malwarebytes and it found this virus once, but it is now back and not being caught by Malwarebytes. This virus turns the wave/MP3 volume all the way down. I get random ads on audio at times, and although I use Firefox, I get IE ads popping up in the tabs. There is an occasional clicking sound, like when you hit the back button in your browser. I get a “Congratulations, you won!” audio here and there. I run Windows XP btw on a PC. I believe that it has disabled my AVG completely. Any help is much appreciated - maybe I need to run Malwarebytes in safe mode??? I will post the quarantine log for when the virus was detected:

Malwarebytes’ Anti-Malware 1.43
Database version: 3458
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/13/2010 4:38:04 PM
mbam-log-2010-07-13 (16-38-04).txt

Scan type: Full Scan (A:|C:|D:|E:|F:|G:|)
Objects scanned: 247378
Time elapsed: 3 hour(s), 48 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AppDataLow\HavingFunOnline (Adware.BHO.FL) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt&Search(default) (Adware.Hotbar) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\FunWebProducts (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\1.bin (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\Cache (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\setups (Adware.MyWebSearch) → Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Todd Gellman\My Documents\Downloads\ZwinkySetup2.3.67.1.SA.HP.ZJfox000.exe (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\Cache\0162DE8E.exe (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\Cache\files.ini (Adware.MyWebSearch) → Quarantined and deleted successfully.

This forum is for people who use avast!. Please use the AVG forums.

Since this is a “Black Internet” infection, we will have to check the MBR to see if there’s an unknown boot code.

Please download MBRCheck.exe to your desktop.

* Be sure to disable your security programs
* Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
* A window will open on your desktop
* If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
* If nothing unusual is found just press Enter
* A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
* Please post the contents of that file.
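
As an added illustration (not part of the thread and not MBRCheck's own code), this is roughly what a check for unknown boot code inspects in a 512-byte copy of sector 0: the 0x55AA signature, the partition table, and a hash of the 440-byte boot-code area compared against a known-good baseline. The sample sectors and the baseline are constructed placeholders, not real Windows or Whistler boot code.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440        # bytes 0..439 hold the bootstrap code
PART_TABLE_OFF = 446       # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"    # bytes 510..511
ENTRY = "<B3xB3xII"        # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector-0 image into the fields an MBR check looks at."""
    if len(sector) != 512:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba, count = struct.unpack(ENTRY, sector[off:off + 16])
        if ptype:  # type 0 marks an unused slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == SIGNATURE,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def classify(sector: bytes, known_good: set) -> str:
    """Compare the boot-code hash against a baseline of trusted hashes."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid: missing 0x55AA signature"
    if info["boot_code_sha256"] in known_good:
        return "standard boot code"
    return "unknown boot code"

def build_sample(boot_code: bytes) -> bytes:
    """Constructed sector: placeholder boot code plus one active type-0x07 partition."""
    entry = struct.pack(ENTRY, 0x80, 0x07, 63, 58_000_000)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 6
            + entry + b"\x00" * 48 + SIGNATURE)

# Constructed placeholders, not real boot code from any OS or malware sample.
CLEAN = build_sample(b"placeholder-standard-boot-code")
MODIFIED = build_sample(b"placeholder-unrecognised-boot-code")
# Assumption: in practice the baseline comes from trusted reference media.
KNOWN_GOOD = {parse_mbr(CLEAN)["boot_code_sha256"]}

if __name__ == "__main__":
    for name, image in (("clean", CLEAN), ("modified", MODIFIED)):
        print(name, "->", classify(image, KNOWN_GOOD), parse_mbr(image)["partitions"])
```

Both constructed samples report the same partition table; only the boot-code hash differs, so a disk that still boots and mounts normally can still fail this check.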

MBRCheck, version 1.1.1

(c) 2010, AD

\.\C: → \.\PhysicalDrive0

  Size  Device Name          MBR Status

 28 GB  \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.

Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:

Done! Press ENTER to exit…

Now the bootkit remover log before we create a batch file.

Please download Bootkit Remover from esage lab to your Desktop.

This is a rar file. If you don’t have an extraction program to open it, use 7-Zip or Peazip.

  • Extract Remover to your desktop
  • Right click Remover and select Run as Administrator
  • It will show a Black screen with some data on it
  • Right click on the screen and click Select All
  • Press Ctrl+C (on keyboard) to copy the data
  • Open a notepad and press Ctrl+V to paste the data

Please copy/paste the log in the next post.

MBRCheck, version 1.1.1
(c) 2010, AD

\.\C: → \.\PhysicalDrive0

  Size  Device Name          MBR Status
  --------------------------------------------
 28 GB  \.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.

Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:

Done! Press ENTER to exit…

You should use Avast Ewido and MBAM… oh yeah… SUPERAntiSpyware

Run MBRCheck.exe again, this time press Y for more options and press enter.

Select option 2 “Restore the MBR of a physical disk with a standard boot code.”

After that post the log, restart your computer to complete the fix.

I’m getting this response asking me to enter the physical disk number to fix (0-99, -1 to cancel) - not sure what to do for the disk number?

MBRCheck, version 1.1.1
(c) 2010, AD

\.\C: → \.\PhysicalDrive0

  Size  Device Name          MBR Status

 28 GB  \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit: y

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel):

* Run MBRCheck.exe
* Wait until you see the following line: Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
* Please push the ‘Y’ key and then press Enter
* When the program asks you “Enter your choice:”, enter 2 and press the Enter key
* Now the program will ask you “Enter the physical disk number to fix (0-99, -1 to cancel):”
* Enter 0 and press the Enter key.
* The program will show “Available MBR codes:”, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
* The program will prompt for confirmation. Type ‘YES’ and hit Enter.
* Left click on the title bar (where the program name and path are written).
* From the menu choose Edit → Select All
* Hit the Enter key on your keyboard to copy the selected text.
* Paste that text into Notepad, save it to your desktop as “MBRCheck results.txt”
* Restart your PC.
* Post the text in “MBRCheck results.txt” here, please.

This is it - thank you!

MBRCheck, version 1.1.1
(c) 2010, AD

\.\C: → \.\PhysicalDrive0

  Size  Device Name          MBR Status

 28 GB  \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit: y

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1

Do you want to fix the MBR code? Type ‘YES’ and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.

Done! Press ENTER to exit…

Are you experiencing any more problems?

Good tool huh - Ta AD_13 who made it ;D

I owe youz guyz a big thank you - problem solved. My heartfelt appreciation - thank you!

Todd

Uninstall AVG and install avast!.