Internet Explorer Clicks and "Congratulations You've Won" audio.

Discussion in 'Malware Help (A Specialist Will Reply)' started by IH8Virus, Aug 3, 2010.

  1. IH8Virus

    IH8Virus Private E-2

    Hi!

    Thanks for all of the useful help I've read in other threads already!

    I am running Windows XP Home Edition.

    ******************SYMPTOMS************************

    I started having issues about 4 or 5 days ago. I would hear clicking sounds and random audio such as "Congratulations, you've won". :kissmy

    This would happen even when Internet Explorer was not running. I didn't have IE open and it did not display a thread in "Process Explorer", if you are familiar with that application. If not, it's basically a useful version of Task Manager. I did, however see IE listed in my Network Traffic monitoring in ESET Anti-Virus software.

    Internet Explorer would also sometimes generate an error. The info I got from the error details was that it occurred in module mshtml.dll. The good thing, I guess, is that it also took out Internet Explorer, so I knew any time IE came up, it was the virus. When I opened Internet Explorer and tried to use it, it simply could not find anything on the web and would revert to Offline Mode.

    It also infected and disabled my Windows Installer. Obviously, that caused issues with installing new Anti-Virus software. I had to change the attributes, rename and delete the msiexec.exe, msi.dll and (I think) msihndl.dll files. Windows replaced them with versions from the original XP installation that were in the dllcache. Then I was able to install the Windows Installer 3.1 V2.

    After getting the Windows Installer fixed, I tried to install Ad Aware. It would not install because the installation could not get the Visual C Runtime library to update. I'm not sure if the virus is at fault or not. I downloaded the Service Pack manually from Microsoft (Visual C Runtime Service Pack 1 - vcredist_x86.exe). I still can not get the VC Runtime to install, though. Again, I'm not sure if the virus is at fault or not.

    I finally got Prevx installed and it detected the Win32/Mebroot Trojan virus. I don't believe it actually removed it, though.

    There was also what appeared to be a randomly generated file and folder in My Documents. The file was nneqbqhtssd.exe and the subfolder was lhhqwegh. I removed these in a previous virus scan before I stumbled across this forum, so they will probably not show up in any of the attached logs.

    I also ran the Avast software which found a couple of items:
    Filename: A0089467.exe

    Location: c:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP356

    So, I guess my restore points should be killed once everything is cleaned?

    Avast also found:
    C:\Documents and Settings\Me\Application Data\Sun\Java\Deployment\cache\6.0\8\53b7f588-12569d51 - a variant of Win32/Unruy.AA trojan - action selection postponed until scan completion

    C:\Documents and Settings\Anyone\Local Settings\Application Data\Mozilla\Firefox\Profiles\avjxuge3.default\Cache\10A598F8d01 » NSIS » mw2mmgr32.exe - a variant of Win32/KeyLogger.FamilyKeyLogger.C potentially unsafe application. I had actually installed this to see if there was any text being generated along with the clicks. It did not return anything useful, though.

    C:\Documents and Settings\Anyone\Local Settings\Application Data\Mozilla\Firefox\Profiles\avjxuge3.default\Cache\10A598F8d01 » NSIS » mw2mmgr32.dll - a variant of Win32/KeyLogger.FamilyKeyLogger.D potentially unsafe application

    C:\Website\Website Building Software\fp2006-final-3.00-setup.exe » INNO » file1119.bin - JS/BadJoke.KillFiles.A potentially unsafe application. I checked this JavaScript and it seems to be just a fake virus notification that you can put on your website to play a joke on your visitors. Evrsoft First Page includes it as sample JS code you can add to your website design. Ha Ha! What a great idea! I'm sure your visitors will really appreciate it and come back to your site again and again. :foolish RIIIIIIIIIGHT! I did remove it, though.

    C:\Program Files\Evrsoft First Page 2006\Iscripts\Games\games-scripts.izs - JS/BadJoke.KillFiles.A potentially unsafe application - action selection postponed until scan completion. Same as above.

    FYI: I've also noticed it seems to be tied to this specific website: tombirdswithhair.com

    ***************CONCLUSION/EDUCATED GUESS******************
    I BELIEVE this is from the Win32/Mebroot Trojan virus.
    Does that sound correct?

    **************CORRECTIVE ACTIONS THUS FAR******************
    I ran through all of the "READ & RUN ME FIRST" instructions.

    RootRepeal would not run. It would open and display a "Please wait - Initializing Sytem" message box. It would then appear to just hang up. I watched its operation in Process Explorer and it just kept allocating more and more Virtual Memory. Once it got to 2 GB (after about 8 minutes) I terminated the application. I tried it in both Safe and Normal mode with the same results.

    Attached are the following logs:

    Combo Fix Log - ran in Safe mode

    Malwarebytes log - ran in Safe mode

    2 Super Anti Spyware Logs - 1 ran in Normal Mode (08-13-04) and one that I ran in Safe Mode (17-25-45).

    I will attach the MGlogs.zip file in a separate post.

    I also ran the MBR Check. I didn't change anything, just ran the report. I'll attach the report in the next post as well. Spoiler Alert: Known-bad MBR code detected (Whistler / Black Internet)!

    Could you take a look at the logs and let me know what I need to do from this point?

    Thank You!

    P.S. What a great site! There are a lot of great forums on here. Too bad I had to get a virus to find MajorGeeks.com, but I guess at least every cloud has a silver lining.

  2. IH8Virus

    IH8Virus Private E-2

    Moderator - please attach to my other post

    Moderator,

    I can not see my thread that I just posted until it is reviewed and so can not post to the (as yet) invisible thread. I still need to post 2 more files, so....

    Please merge this message with my other post. Thanks!

    Here are the other 2 Log files (from MGTools and MBRCheck):

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I need to ask some questions:
    1. Do you have any drives that have a non-Windows installation on them?
    2. Are all drives NTFS formatted?
    3. Do you have any non-standard or special MBRs, which can occur from companies like Dell or HP who frequently install additional partitions used for recovery partitions in lieu of giving CD/DVDs?
    4. Is any program like Grub (see: http://www.gnu.org/software/grub/) being used?
    5. Is drive encryption being used?
    6. Are any external USB pen drives or external hard drives being used?
    7. VERY IMPORTANT: Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.
     
  4. IH8Virus

    IH8Virus Private E-2

    No
    Yes. There is only one hard drive in the system.
    No. The computer is from Toshiba and I replaced the hard drive a while back, and it is standard.
    No
    No
    Not at the time of the scans. I have had one installed on occasion after the infection, though.
    Yes
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now if you wish to continue and fix the malware - please do the following:
    • Run MBRCheck.exe
    • Wait until you see the following lines:
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
      • Options:
        [1] Dump the MBR of a physical disk to file.
        [2] Restore the MBR of a physical disk with a standard boot code.
        [3] Exit.
        Enter your choice:
    • Please push the 'Y' key and then press Enter
    • When the program asks you to Enter your choice: enter 2 to Restore the MBR and press the Enter key
    • Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
      • Enter 0 and press the Enter key.
    • The program will show Available MBR codes as below
    • You need to select your version of Windows from the list. For example, enter 0 or 1 for XP or enter 3 for Vista.....etc. and then press Enter.
    • The program will prompt for confirmation. Type 'YES' and hit Enter.
    • Left click on the title bar (where program name and path is written). From menu choose Edit -> Select All
    • You will see all the text in the window get highlighted.
    • Hit the Enter key on your keyboard to copy all of the text into the clipboard.
    • Paste that text into Notepad, save it to your desktop as MBRfix.txt
    • Restart your PC.
    • Attach the MBRfix.txt file to your next message.
    Also tell me how things are working.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
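The two MBRCheck options in the post above, dumping the MBR to a file and restoring a standard boot code, both work on the same 512-byte sector. The following Python is an added example, not code from MajorGeeks, MBRCheck or this thread: it parses a 512-byte MBR dump (boot code, disk signature, four partition entries, 0x55AA boot signature), hashes the boot code so it can be compared against a known-good baseline, and shows why a restore replaces only the code bytes and leaves the partition table intact. The sample boot code bytes, the disk signature 0x12345678, the partition layout and the "known-good" hash set are all constructed for the example; real baselines would come from a clean install of the same Windows version.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440      # executable boot code; Windows keeps the disk signature at bytes 440-443
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE_OFF = 510      # two-byte boot signature 0x55 0xAA
MBR_SIZE = 512

# Minimal partition type lookup, enough for the example.
PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
                   0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux"}


def parse_partition(entry):
    """Decode one 16-byte partition table entry (little-endian layout)."""
    status, _c1, _c2, _c3, ptype, _e1, _e2, _e3, lba_start, sectors = struct.unpack("<B3BB3BII", entry)
    return {"bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba_start,
            "sectors": sectors}


def parse_mbr(data):
    """Split a 512-byte MBR dump into boot code hash, disk signature, partitions and signature check."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR dump must be exactly %d bytes, got %d" % (MBR_SIZE, len(data)))
    boot_code = data[:BOOT_CODE_LEN]
    disk_sig = struct.unpack("<I", data[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0]
    entries = [data[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)] for i in range(4)]
    partitions = [parse_partition(e) for e in entries if e[4] != 0]   # byte 4 of an entry is the type; 0 = unused
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "disk_signature": disk_sig,
            "partitions": partitions,
            "signature_ok": data[SIGNATURE_OFF:] == b"\x55\xAA"}


def check_boot_code(data, known_good_hashes):
    """Classify the dump: 'invalid' (no 0x55AA), 'known-good' (hash in baseline) or 'unknown' (investigate)."""
    info = parse_mbr(data)
    if not info["signature_ok"]:
        return "invalid"
    return "known-good" if info["boot_code_sha256"] in known_good_hashes else "unknown"


def restore_boot_code(data, standard_boot_code):
    """What a 'restore standard boot code' option does conceptually: overwrite only the first
    440 bytes, keeping the disk signature, partition table and boot signature untouched."""
    if len(standard_boot_code) != BOOT_CODE_LEN:
        raise ValueError("standard boot code must be %d bytes" % BOOT_CODE_LEN)
    return standard_boot_code + data[BOOT_CODE_LEN:]


def build_sample_mbr(boot_code):
    """Constructed sample sector: given boot code, a fixed disk signature and one bootable NTFS partition."""
    padded = boot_code + b"\x00" * (BOOT_CODE_LEN - len(boot_code))
    entry = struct.pack("<B3BB3BII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 500000)
    return (padded + struct.pack("<I", 0x12345678) + b"\x00\x00"   # code + disk signature + reserved
            + entry + b"\x00" * 48                                    # one used entry, three empty
            + b"\x55\xAA")                                            # boot signature


# Constructed placeholders, not real boot sector code.
GOOD_CODE = bytes([0xFA, 0x33, 0xC0]) + b"\x90" * 437
BAD_CODE = bytes([0xEB, 0x00]) + b"\xCC" * 438
KNOWN_GOOD = {hashlib.sha256(GOOD_CODE).hexdigest()}

if __name__ == "__main__":
    suspect = build_sample_mbr(BAD_CODE)
    print("before restore:", check_boot_code(suspect, KNOWN_GOOD))
    repaired = restore_boot_code(suspect, GOOD_CODE)
    print("after restore:", check_boot_code(repaired, KNOWN_GOOD))
    for p in parse_mbr(repaired)["partitions"]:
        print("partition:", p)
```

To use this on a real dump, read the file MBRCheck wrote with option [1] (`open(path, "rb").read()`) and pass it to `check_boot_code` with hashes collected from clean machines. An "unknown" result is not proof of infection on its own, since OEM and third-party boot managers also produce non-standard code, which is why the questions about Grub, recovery partitions and encryption were asked before any rewrite.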