# computer makes clicking sound when no browser open



## corbott (Dec 26, 2007)

Hi,
My computer makes clicking sounds (on its own), like the sound when you open a folder or click on a link in Internet Explorer. Here is my HijackThis log. Hopefully someone can explain what's wrong.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:19 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\ndt2.sys
C:\WINDOWS\system32\perfs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O1 - Hosts: 82.98.86.173 hvqxs.cn
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172652961343
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe

--
End of file - 6134 bytes


----------



## sjpritch25 (Sep 8, 2005)

Welcome to TSG 

You have a file I would like you to get analyzed. Please go to VirusTotal. At the very top of the website, you will see a Browse button. Use that to search for this file

*C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe*.

Then click on Send. This could take between 30 seconds and a couple of minutes. When you get the results, open Notepad, highlight the results, copy them to Notepad and save it as "Scan.txt". Save the text file "Scan.txt" to your desktop. Please include the file in your next post.

Note: You may need to unhide hidden files and folders.
*Configure Windows XP to show hidden files:*
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select *"Show hidden files and folders"*.
Uncheck the *"Hide protected operating system files (recommended)"* option.
Uncheck the *"Hide file extensions for known file types"* option.
Click *Yes* to confirm. Click *OK.*


----------
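The files singled out in the reply above coincide with entries that simple triage rules pick out of the posted HijackThis log. The following is an added example, not part of any post in this thread: the `triage` function and its rule names are hypothetical, the sample lines are copied from the log in the first post, and a hit is a reason to look closer, not a verdict.

```python
import re

# Constructed sample: lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\ndt2.sys
C:\WINDOWS\system32\perfs.exe
C:\Program Files\Eset\nod32krn.exe

O1 - Hosts: 82.98.86.173 hvqxs.cn
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
"""

# O23 line layout: "O23 - Service: <display> (<name>) - <owner> - <path>"
O23_RE = re.compile(
    r"^O23 - Service: .+ \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.(?P<ext>\w+)$")

def triage(log_text):
    """Return (rule, detail) pairs for entries worth a second look (hypothetical rules)."""
    findings, in_procs = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            if not line:                      # blank line ends the process list
                in_procs = False
                continue
            m = PROC_RE.match(line)
            # A running image that is not an .exe (here a .sys file) is unusual.
            if m and m.group("ext").lower() != "exe":
                findings.append(("process-not-exe", line))
        elif line.startswith("O1 - Hosts:"):
            # Any O1 line is a hosts-file mapping that should be reviewed.
            findings.append(("hosts-entry", line.split(":", 1)[1].strip()))
        else:
            m = O23_RE.match(line)
            # "Unknown owner": no vendor name shown for the service binary.
            if m and m.group("owner").lower() == "unknown owner":
                findings.append(("service-unknown-owner",
                                 f"{m.group('name')} -> {m.group('path')}"))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```
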



## corbott (Dec 26, 2007)

Here are the results for the 2 files you wanted analyzed. *Thanks very much*
C:\WINDOWS\system32\perfs.exe


File perfs.exe received on 12.27.2007 20:00:42 (CET)
Result: 1/32 (3.13%)

Antivirus Version Last Update Result
AhnLab-V3	-	-	-
AntiVir	-	-	-
Authentium	-	-	-
Avast	-	-	-
AVG	-	-	-
BitDefender	-	-	-
CAT-QuickHeal	-	-	-
ClamAV	-	-	-
DrWeb	-	-	-
eSafe	-	-	-
eTrust-Vet	-	-	-
Ewido	-	-	-
FileAdvisor	-	-	-
Fortinet	-	-	-
F-Prot	-	-	-
F-Secure	-	-	-
Ikarus	-	-	-
Kaspersky	-	-	-
McAfee	-	-	-
Microsoft	-	-	-
NOD32v2	-	-	-
Norman	-	-	-
Panda	-	-	-
Prevx1	-	-	Generic.Rootkit
Rising	-	-	-
Sophos	-	-	-
Sunbelt	-	-	-
Symantec	-	-	-
TheHacker	-	-	-
VBA32	-	-	-
VirusBuster	-	-	-
Webwasher-Gateway	-	-	-
Additional information
MD5: ec1e6c794027036e94f2e9eac9d34a97

C:\WINDOWS\system32\routing.exe.

File routing.exe. received on 12.22.2007 01:51:43 (CET)
Result: 2/32 (6.25%)

Antivirus Version Last Update Result
AhnLab-V3	-	-	-
AntiVir	-	-	-
Authentium	-	-	-
Avast	-	-	-
AVG	-	-	-
BitDefender	-	-	-
CAT-QuickHeal	-	-	-
ClamAV	-	-	-
DrWeb	-	-	-
eSafe	-	-	-
eTrust-Vet	-	-	-
Ewido	-	-	-
FileAdvisor	-	-	-
Fortinet	-	-	-
F-Prot	-	-	-
F-Secure	-	-	-
Ikarus	-	-	-
Kaspersky	-	-	-
McAfee	-	-	-
Microsoft	-	-	-
NOD32v2	-	-	-
Norman	-	-	-
Panda	-	-	-
Prevx1	-	-	Heuristic: Suspicious File With Bad Child Associations
Rising	-	-	-
Sophos	-	-	-
Sunbelt	-	-	-
Symantec	-	-	-
TheHacker	-	-	-
VBA32	-	-	suspected of Backdoor.XiaoBird.150 (paranoid heuristics)
VirusBuster	-	-	-
Webwasher-Gateway	-	-	-
Additional information
MD5: 220ebc16fb5c6dfdc59e4ed1f48a8244


----------



## sjpritch25 (Sep 8, 2005)

I would like to get those two files analyzed; let's upload them to this site.

http://thespykiller.co.uk/index.php?PHPSESSID=bbaca256e0c6d5ee005443bf151d61ae&board=1.0

Make the subject *Files for Derek*

Let me know when you have uploaded those two files. Thanks.


----------



## corbott (Dec 26, 2007)

I've uploaded the files to that forum. Thanks.


----------



## sjpritch25 (Sep 8, 2005)

Okay, once I hear back, we will proceed. Please stay off the computer as much as possible. Thanks.


----------



## sjpritch25 (Sep 8, 2005)

corbott, your computer has been compromised and it's being monitored by a remote server. We can remove most of the infection, but can't guarantee that everything will be gone. The only way to fully guarantee is to do a re-format and re-install Windows. If you would like to proceed with removal, follow these instructions.

Please download and install *SUPERAntiSpyware*
Load SUPERAntiSpyware and click the *Check for Updates* button.
Once the update has finished, exit SUPERAntiSpyware. Please do *NOT* run a scan yet!

Open *Hijackthis*
Click on *Open the Misc Tools Section*.
Under *System Tools*, click on *Open process Manager*.
Navigate to the processes below and click on *Kill process*.
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\ndt2.sys
C:\WINDOWS\system32\perfs.exe
Close *Hijackthis*.
Click on *Start* ---> *Run* 
Type the following commands one by one followed by the *Enter* Key.
sc stop "perfmons"
sc delete "perfmons"
sc stop "Routing"
sc delete "Routing"

===================================================================

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

*IMPORTANT*: Do *NOT* open any other windows or programs while SUPERAntiSpyware is scanning, it may interfere with the scanning process.
Open SUPERAntiSpyware and click the *Scan your Computer* button.
Check *Perform Complete Scan* and then click *Next*.
SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.
Make sure that they all have a check next to them, and then click *Next*.
Click *Finish* and you will be taken back to the main interface.
It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
I'll need a log afterwards of what has been found.
To get the log, click *Preferences* and then click the *Statistics/Logs* tab. Click the dated log and press *View Log* and a text file will appear.
Please post the results of the *SUPERAntiSpyware log* in your next reply.


----------



## corbott (Dec 26, 2007)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/29/2007 at 01:33 PM

Application Version : 3.9.1008

Core Rules Database Version : 3370
Trace Rules Database Version: 1365

Scan type : Complete Scan
Total Scan Time : 00:47:10

Memory items scanned : 189
Memory threats detected : 0
Registry items scanned : 6549
Registry threats detected : 0
File items scanned : 34012
File threats detected : 15

Adware.Tracking Cookie
C:\Documents and Settings\cornelius gagnoochie\Cookies\cornelius [email protected][1].txt
C:\Documents and Settings\cornelius gagnoochie\Cookies\[email protected][1].txt
C:\Documents and Settings\cornelius gagnoochie\Cookies\[email protected][1].txt
C:\Documents and Settings\cornelius gagnoochie\Cookies\[email protected][2].txt
C:\Documents and Settings\cornelius gagnoochie\Cookies\[email protected][3].txt
C:\Documents and Settings\cornelius gagnoochie\Cookies\cornelius [email protected][1].txt
C:\Documents and Settings\cornelius gagnoochie\Cookies\[email protected][2].txt
C:\Documents and Settings\cornelius gagnoochie\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt

Trojan.Downloader-Gen/INDT2
C:\WINDOWS\SYSTEM32\INDT2.SYS
C:\WINDOWS\Prefetch\INDT2.SYS-3A706AA7.pf

Rootkit.NDT2
C:\WINDOWS\SYSTEM32\NDT2.SYS
C:\WINDOWS\Prefetch\NDT2.SYS-22AAAB91.pf

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\PERFS.EXE


----------



## sjpritch25 (Sep 8, 2005)

Post a fresh HijackThis log. Thanks.

Let's run an online scan too.

Please attach the log. Thanks.

Please perform a scan with *Kaspersky Webscan Online Virus Scanner*

1. Read the Requirements and Privacy statement, then select "*Accept*".
2. A new window will appear prompting you to install an ActiveX component from Kaspersky - "*Do you want to install this software*?".
3. Click "*Yes*" or select "*Install*" to download the ActiveX controls that allow ActiveScan to run.
4. When the download is complete it will say ready, click "*Next*".
5. Click "*Scan Settings*" and check the option to use the *Extended Database* (if available, otherwise Standard).
6. Click "*Scan Options*" and select both "*Scan Archives*" and "*Scan Mail Bases*".
7. Click "*OK*".
8. Under "*Select a target to scan*", click on "*My Computer*".
9. When the scan is complete choose to save the results as "*Save as Text*" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for _Free Online Virus Scanner_. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps *here* and reboot afterwards if your system does not reboot automatically or it will show '_Kaspersky Online Scanner license key was not found!_'


----------



## corbott (Dec 26, 2007)

Attached are the 2 logs you requested.


----------

