Bootkit whistler infection


22 replies to this topic

#1 m1garand

  • Members
  • 27 posts

Posted 09 September 2010 - 04:29 PM

OK, a week ago random clicking sounds started occurring, even when the sound is muted. Boopme directed me here from this topic: http://www.bleepingcomputer.com/forums/topic346241.html
Gmer did not work and showed some file location followed by "the file location could not be specified".
The 7 extractor program is messed up, as it doesn't give an option to extract bootkit_remover.rar from the desktop, and when I try to extract it by opening the 7 file manager nothing shows for the desktop except Documents, Network and Computer. Also, if I try to move bootkit_remover.rar to Documents so I can extract it, it doesn't create remover.exe.

DDS LOG:


DDS (Ver_10-03-17.01) - NTFSX64
Run by Ahmad at 16:35:01.58 on 09/09/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.2.1033.18.3835.2439 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_471277d5d45019ea\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_471277d5d45019ea\AESTSr64.exe
C:\SwSetup\QuickWeb\QW.SYS\config\DVMExportService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files\Hewlett-Packard\HPToneControl\HPToneCtl.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Ahmad\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files (x86)\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files (x86)\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files (x86)\norton internet security\engine\17.7.0.12\coIEPlg.dll
uRun: [LightScribe Control Panel] c:\program files (x86)\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [NortonOnlineBackupReminder] "c:\program files (x86)\symantec\norton online backup\activation\NOBuActivation.exe" UNATTENDED
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files (x86)\common files\java\java update\jusched.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files (x86)\common files\lightscribe\LSRunOnce.exe"
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [SysTrayApp] c:\program files\idt\wdm\sttray64.exe
mRun-x64: [SmartMenu] c:\program files\hewlett-packard\hp mediasmart\SmartMenu.exe /background
mRun-x64: [HP Quick Launch] c:\program files\hewlett-packard\hp quick launch\HPMSGSVC.exe
mRun-x64: [HPToneControl] c:\program files\hewlett-packard\hptonecontrol\HPTonectl.exe
mRun-x64: [HPWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\delayedappstarter.exe 120 c:\program files\hewlett-packard\hp wireless assistant\HPWA_Main.exe /hidden

============= SERVICES / DRIVERS ===============

R1 BHDrvx64;BHDrvx64;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100810.004\BHDrvx64.sys [2010-8-10 945200]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nisx64\1107000.00c\cchpx64.sys [2010-8-25 615040]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2010-4-16 6403584]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-4-16 188928]

=============== Created Last 30 ================

2010-09-09 20:33:08 0 ----a-w- c:\users\ahmad\defogger_reenable
2010-09-09 13:59:34 0 d-----w- c:\program files (x86)\ESET
2010-09-09 13:44:11 0 d-----w- c:\program files (x86)\Trend Micro
2010-09-09 12:59:41 0 d-----w- c:\users\ahmad\appdata\roaming\Malwarebytes
2010-09-09 12:59:32 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-09 12:59:32 0 d-----w- c:\programdata\Malwarebytes
2010-09-09 12:59:32 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-09-06 17:49:03 153376 ----a-w- c:\windows\syswow64\javaws.exe
2010-09-06 17:49:03 145184 ----a-w- c:\windows\syswow64\javaw.exe
2010-09-06 17:49:03 145184 ----a-w- c:\windows\syswow64\java.exe
2010-09-06 17:46:03 0 d-----w- c:\programdata\Google
2010-09-03 13:30:05 0 d-----w- c:\programdata\Recovery
2010-08-31 01:45:57 14336 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-08-25 01:21:07 0 d-----w- c:\program files (x86)\common files\Symantec Shared
2010-08-25 01:16:24 861184 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-25 01:16:24 571904 ----a-w- c:\windows\syswow64\oleaut32.dll
2010-08-24 20:59:39 468480 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-24 20:59:24 0 d-----w- c:\program files\Java
2010-08-24 05:33:25 0 d-----w- c:\windows\syswow64\Wat
2010-08-24 05:33:25 0 d-----w- c:\windows\system32\Wat
2010-08-24 05:23:45 0 d-----w- c:\program files (x86)\MSXML 4.0
2010-08-24 05:22:30 99176 ----a-w- c:\windows\syswow64\PresentationHostProxy.dll
2010-08-24 05:22:30 49472 ----a-w- c:\windows\syswow64\netfxperf.dll
2010-08-24 05:22:30 48960 ----a-w- c:\windows\system32\netfxperf.dll
2010-08-24 05:22:30 444752 ----a-w- c:\windows\system32\mscoree.dll
2010-08-24 05:22:30 320352 ----a-w- c:\windows\system32\PresentationHost.exe
2010-08-24 05:22:30 297808 ----a-w- c:\windows\syswow64\mscoree.dll
2010-08-24 05:22:30 295264 ----a-w- c:\windows\syswow64\PresentationHost.exe
2010-08-24 05:22:30 1942856 ----a-w- c:\windows\system32\dfshim.dll
2010-08-24 05:22:30 1130824 ----a-w- c:\windows\syswow64\dfshim.dll
2010-08-24 05:22:30 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-08-24 05:17:29 0 d-----w- c:\users\ahmad\appdata\roaming\HpUpdate
2010-08-24 05:17:14 84992 ----a-w- c:\windows\system32\asycfilt.dll
2010-08-24 05:17:14 67584 ----a-w- c:\windows\syswow64\asycfilt.dll
2010-08-24 05:17:12 463360 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-24 05:17:12 404992 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-24 05:17:12 162304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-24 05:17:10 612352 ----a-w- c:\windows\system32\vbscript.dll
2010-08-24 05:17:10 427520 ----a-w- c:\windows\syswow64\vbscript.dll
2010-08-24 05:17:10 1736608 ----a-w- c:\windows\system32\ntdll.dll
2010-08-24 05:17:09 1289528 ----a-w- c:\windows\syswow64\ntdll.dll
2010-08-24 05:15:59 96768 ----a-w- c:\windows\syswow64\sspicli.dll
2010-08-24 05:12:56 854 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.INF
2010-08-24 05:12:56 7440 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.CAT
2010-08-24 05:12:56 173104 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2010-08-24 05:12:56 0 d-----w- c:\program files\Symantec
2010-08-24 05:12:56 0 d-----w- c:\program files\common files\Symantec Shared
2010-08-24 05:02:08 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-08-24 04:57:34 4398360 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-08-24 04:57:34 3426072 ----a-w- c:\windows\syswow64\d3dx9_32.dll
2010-08-24 04:57:30 0 d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2010-08-24 04:56:29 0 d-----w- c:\program files (x86)\Windows Live SkyDrive
2010-08-24 04:55:08 0 d-----w- c:\program files (x86)\common files\Windows Live
2010-08-24 04:53:42 220672 ----a-w- c:\windows\system32\wintrust.dll
2010-08-24 04:53:42 172032 ----a-w- c:\windows\syswow64\wintrust.dll
2010-08-24 04:53:40 139264 ----a-w- c:\windows\system32\cabview.dll
2010-08-24 04:53:40 132608 ----a-w- c:\windows\syswow64\cabview.dll
2010-08-24 01:52:18 0 d-----w- c:\programdata\Sun
2010-08-24 01:46:32 0 d-----w- c:\program files\Google
2010-08-24 01:45:37 423656 ----a-w- c:\windows\syswow64\deployJava1.dll

==================== Find3M ====================

2010-08-31 01:51:19 706882 ----a-w- c:\windows\system32\perfh00C.dat
2010-08-31 01:51:19 134364 ----a-w- c:\windows\system32\perfc00C.dat
2010-07-29 06:30:34 82944 ----a-w- c:\windows\syswow64\iccvid.dll
2010-07-27 14:03:24 12867584 ----a-w- c:\windows\syswow64\shell32.dll
2010-07-16 19:04:14 19256 ----a-w- c:\windows\system32\HPMDPCoInst11.dll
2010-07-16 19:04:04 30008 ----a-w- c:\windows\system32\drivers\hpdskflt.sys
2010-07-16 19:03:58 30520 ----a-w- c:\windows\system32\SET2157.tmp
2010-07-16 19:03:54 20792 ----a-w- c:\windows\system32\SET2445.tmp
2010-07-16 19:03:48 43320 ----a-w- c:\windows\system32\drivers\Accelerometer.sys
2010-06-30 07:13:46 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\syswow64\wininet.dll
2010-06-30 06:25:18 1226240 ----a-w- c:\windows\syswow64\urlmon.dll
2010-06-30 06:22:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-06-30 06:22:34 5971456 ----a-w- c:\windows\syswow64\mshtml.dll
2010-06-30 06:22:33 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-06-30 06:21:57 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-06-30 06:21:47 185856 ----a-w- c:\windows\syswow64\iepeers.dll
2010-06-30 06:21:47 176640 ----a-w- c:\windows\syswow64\ieui.dll
2010-06-30 06:21:46 10985472 ----a-w- c:\windows\syswow64\ieframe.dll
2010-06-30 06:21:44 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-06-30 06:19:16 12800 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-06-19 07:05:01 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:53:18 52224 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 06:33:29 3955080 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-06-19 06:33:29 3899784 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-06-19 06:23:50 37376 ----a-w- c:\windows\syswow64\rtutils.dll
2010-06-19 04:32:34 3122688 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 06:11:10 340992 ----a-w- c:\windows\system32\schannel.dll
2010-06-16 05:48:35 224256 ----a-w- c:\windows\syswow64\schannel.dll
2010-05-08 19:46:09 38160 ----a-w- c:\windows\inf\perflib\040c\perfd.dat
2010-05-08 19:46:09 38160 ----a-w- c:\windows\inf\perflib\040c\perfc.dat
2010-05-08 19:46:09 344522 ----a-w- c:\windows\inf\perflib\040c\perfi.dat
2010-05-08 19:46:09 344522 ----a-w- c:\windows\inf\perflib\040c\perfh.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 16:36:31.23 ===============


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 September 2010 - 12:10 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Do not run any other tool until instructed to do so!
  2. Do not attach logs unless I ask you to.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having, as these can help also.
  5. Do not run anything while running a fix.
  6. Do not run any other tool until instructed to do so!


In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread upload them here http://www.rapidshare.com/ and post the links in this thread

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 m1garand

  • Topic Starter
  • Members
  • 27 posts

Posted 10 September 2010 - 11:06 AM

TDSSKiller didn't find anything, but maybe it's because I'm running a 64-bit operating system and the 64-bit infecting type is fairly new, right? The clicking noise persists. I'm starting to believe my kernel is infected and that I have to perform a system restore or hard drive wipe? My laptop's an HP Pavilion dv6 and it doesn't come with OS/recovery disks.

Edited by m1garand, 10 September 2010 - 04:48 PM.


#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 September 2010 - 09:56 PM

Hello

here is what I want you to do next

System Recovery Environment

To access the System Recovery Environment in Windows 7, simply boot your PC,
  1. just before the system loads the Windows operating system, hit the [F8] Function 8 key on your keyboard which will launch the Advanced Boot Options menu.
  2. There you will see a new option 'Repair Your Computer', select this option and hit 'Enter' on your keyboard.
  3. Now, from the System Recovery Options dialog, select the "Operating System" you want to repair, then click Next:
  4. From the "Choose a Recovery Tool" dialog menu, select "Command Prompt":
  5. Type the following into the "Command Prompt Window": and press enter
      bootrec.exe /fixmbr

If you have problems booting the computer after you have run that command, boot back into the System Recovery Environment, type the following into the "Command Prompt Window" and press Enter:
    bootrec.exe /fixboot


After the computer restarts, please come back here and let me know how the system is doing.


Gringo

#5 m1garand

  • Topic Starter
  • Members
  • 27 posts

Posted 11 September 2010 - 12:11 AM

After I typed that in the command prompt it said the operation was successful, and I clicked on the restart button after closing the command prompt. The clicking sounds are still there, so I'm about to go do the second command line code.

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 11 September 2010 - 12:19 AM

Hello

run this for me

MBRCheck

Please also download MBRCheck to your desktop
  • Double-click MBRCheck.exe to run it (on Vista and Win 7, right-click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • Open this report
  • Right-click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread

gringo
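The MBRCheck step above boils down to three checks on the first sector of the disk: is the 0x55AA boot signature present, does the partition table decode sanely, and does the bootstrap code hash match a known-good Windows loader. The Python below is an added example, not code from this thread or from MBRCheck's author; it performs those checks on a 512-byte sector. The sample MBR, the "clean" code blob and the hash allow-list (`KNOWN_GOOD`) are constructed for the demo; on a real machine the allow-list would hold SHA-1s taken from a clean image of the same Windows build. Hashing the 440-byte code area separately from the partition table is the point: an MBR bootkit replaces the code and leaves the table intact, and `bootrec /fixmbr` (the repair suggested earlier in the thread) likewise rewrites only the code area.

```python
"""Parse and sanity-check a 512-byte Master Boot Record.

Added example (not from the thread or from MBRCheck): verify the boot
signature, decode the four partition entries, and compare the SHA-1 of the
bootstrap code area against an allow-list of known-good hashes. All bytes
used here are constructed for the demonstration.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440           # bytes 0-439: bootstrap code (what a bootkit replaces)
PART_TABLE_OFFSET = 446       # bytes 446-509: four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511

VERDICT_KNOWN_GOOD = "known-good bootstrap code"
VERDICT_UNKNOWN = "unknown bootstrap code"
VERDICT_NO_SIGNATURE = "missing 55AA boot signature"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one partition table entry; the two 3-byte CHS fields are skipped."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def analyze_mbr(sector: bytes, known_good: set) -> dict:
    """Return signature status, used partition entries, code hash and a verdict."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    code_sha1 = hashlib.sha1(sector[:BOOTSTRAP_LEN]).hexdigest()
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        entry = parse_partition_entry(sector[off:off + PART_ENTRY_LEN])
        if entry["type"] != 0:          # type 0x00 marks an unused slot
            partitions.append(entry)
    if not signature_ok:
        verdict = VERDICT_NO_SIGNATURE
    elif code_sha1 in known_good:
        verdict = VERDICT_KNOWN_GOOD
    else:
        verdict = VERDICT_UNKNOWN
    return {"signature_ok": signature_ok, "code_sha1": code_sha1,
            "partitions": partitions, "verdict": verdict}


def build_sample_mbr(code: bytes) -> bytes:
    """Assemble a constructed MBR from the given bootstrap bytes and a fixed table."""
    code = code.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    disk_sig = b"\x12\x34\x56\x78\x00\x00"           # constructed disk signature + reserved
    # Entry 1: active NTFS (type 0x07) system partition, 100 MiB starting at LBA 2048
    entries = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    # Entry 2: NTFS data partition following it
    entries += struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x07, b"\0\0\0", 206848, 1_000_000)
    entries += b"\x00" * (2 * PART_ENTRY_LEN)        # two unused slots
    return code + disk_sig + entries + BOOT_SIGNATURE


# Constructed stand-ins for clean and modified bootstrap code. A real allow-list
# would hold SHA-1s from a clean image of the same Windows build.
CLEAN_CODE = bytes(range(256)) + bytes(range(184))   # 440 bytes
TAMPERED_CODE = b"\xff" * 16 + CLEAN_CODE[16:]       # same length, first 16 bytes changed
KNOWN_GOOD = {hashlib.sha1(CLEAN_CODE).hexdigest()}


if __name__ == "__main__":
    for label, code in (("clean", CLEAN_CODE), ("tampered", TAMPERED_CODE)):
        result = analyze_mbr(build_sample_mbr(code), KNOWN_GOOD)
        print(label, result["verdict"], result["code_sha1"])
        for p in result["partitions"]:
            print("  ", p)
```

The tampered sample decodes to exactly the same two partitions as the clean one and still carries a valid 0x55AA signature; only the code hash gives it away, which is why a tool that merely confirms the disk boots and the partitions are listed will miss this class of infection.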

#7 m1garand

  • Topic Starter
  • Members
  • 27 posts

Posted 11 September 2010 - 08:24 AM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: Hewlett-Packard
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP Pavilion dv6 Notebook PC
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 201):
0x02A63000 \SystemRoot\system32\ntoskrnl.exe
0x02A1A000 \SystemRoot\system32\hal.dll
0x00BAB000 \SystemRoot\system32\kdcom.dll
0x00C99000 \SystemRoot\system32\mcupdate_AuthenticAMD.dll
0x00CA6000 \SystemRoot\system32\PSHED.dll
0x00CBA000 \SystemRoot\system32\CLFS.SYS
0x00D18000 \SystemRoot\system32\CI.dll
0x00EDE000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F82000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00F91000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x00FE8000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x00FF1000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x00E00000 \SystemRoot\system32\DRIVERS\pci.sys
0x00E33000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x00E40000 \SystemRoot\System32\drivers\partmgr.sys
0x00E55000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x00E5E000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x00E6A000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x00E7F000 \SystemRoot\System32\drivers\volmgrx.sys
0x00DD8000 \SystemRoot\System32\drivers\mountmgr.sys
0x00DF2000 \SystemRoot\system32\DRIVERS\atapi.sys
0x00C00000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x00C2A000 \SystemRoot\system32\DRIVERS\msahci.sys
0x00C35000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x00C45000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x010D0000 \SystemRoot\system32\drivers\fltmgr.sys
0x0111C000 \SystemRoot\system32\drivers\fileinfo.sys
0x01130000 \SystemRoot\system32\drivers\NISx64\1107000.00C\SYMDS64.SYS
0x0119E000 \SystemRoot\system32\drivers\NISx64\1107000.00C\SYMEFA64.SYS
0x0123F000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01000000 \SystemRoot\System32\Drivers\msrpc.sys
0x013E2000 \SystemRoot\System32\Drivers\ksecdd.sys
0x014F4000 \SystemRoot\System32\Drivers\cng.sys
0x01567000 \SystemRoot\System32\drivers\pcw.sys
0x01578000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x01400000 \SystemRoot\system32\drivers\ndis.sys
0x01582000 \SystemRoot\system32\drivers\NETIO.SYS
0x01200000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01601000 \SystemRoot\System32\drivers\tcpip.sys
0x0105E000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01816000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x01862000 \SystemRoot\System32\Drivers\spldr.sys
0x0186A000 \SystemRoot\System32\drivers\rdyboost.sys
0x018A4000 \SystemRoot\System32\Drivers\mup.sys
0x018B6000 \SystemRoot\System32\drivers\hwpolicy.sys
0x018BF000 \SystemRoot\system32\DRIVERS\hpdskflt.sys
0x018C9000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01903000 \SystemRoot\system32\DRIVERS\disk.sys
0x01919000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x01949000 \SystemRoot\system32\DRIVERS\AtiPcie.sys
0x01989000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x019B3000 \SystemRoot\System32\Drivers\Null.SYS
0x019BC000 \SystemRoot\System32\Drivers\Beep.SYS
0x019C3000 \SystemRoot\System32\drivers\vga.sys
0x019D1000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x01800000 \SystemRoot\System32\drivers\watchdog.sys
0x019F6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x015E2000 \SystemRoot\system32\drivers\rdpencdd.sys
0x015EB000 \SystemRoot\system32\drivers\rdprefmp.sys
0x015F4000 \SystemRoot\System32\Drivers\Msfs.SYS
0x0122B000 \SystemRoot\System32\Drivers\Npfs.SYS
0x010A8000 \SystemRoot\system32\DRIVERS\tdx.sys
0x011D9000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x02C0D000 \SystemRoot\System32\Drivers\NISx64\1107000.00C\SYMTDIV.SYS
0x02C83000 \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
0x02CB9000 \SystemRoot\system32\drivers\afd.sys
0x02D43000 \SystemRoot\System32\DRIVERS\netbt.sys
0x02D88000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x02D91000 \SystemRoot\system32\DRIVERS\pacer.sys
0x02DB7000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x02DCD000 \SystemRoot\system32\DRIVERS\netbios.sys
0x02DDC000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x011E6000 \SystemRoot\system32\DRIVERS\termdd.sys
0x00C50000 \SystemRoot\system32\drivers\NISx64\1107000.00C\Ironx64.SYS
0x00C77000 \SystemRoot\system32\drivers\NISx64\1107000.00C\SRTSPX64.SYS
0x03A85000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x03AD6000 \SystemRoot\system32\drivers\nsiproxy.sys
0x03AE2000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x03AED000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100909.001\IDSvia64.sys
0x03B63000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
0x03BD9000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0x03A00000 \SystemRoot\system32\DRIVERS\dvmio.sys
0x03A08000 \SystemRoot\System32\drivers\discache.sys
0x03A17000 \SystemRoot\System32\Drivers\dfsc.sys
0x03CF9000 \SystemRoot\system32\drivers\NISx64\1107000.00C\ccHPx64.sys
0x03D95000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x03C00000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100810.004\BHDrvx64.sys
0x03DA6000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x03DCC000 \SystemRoot\system32\DRIVERS\amdppm.sys
0x03A35000 \SystemRoot\system32\DRIVERS\atikmpag.sys
0x03EAA000 \SystemRoot\system32\DRIVERS\atipmdag.sys
0x04519000 \SystemRoot\System32\Drivers\fastfat.SYS
0x04812000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x04906000 \SystemRoot\System32\drivers\dxgmms1.sys
0x0494C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x04A3A000 \SystemRoot\system32\DRIVERS\athrx.sys
0x04BA9000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x04BB6000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x0454F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x04BC1000 \SystemRoot\system32\DRIVERS\usbfilter.sys
0x04BCE000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x04BDF000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x04A00000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x045A5000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x04A0F000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x04A11000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x04A20000 \SystemRoot\system32\DRIVERS\Accelerometer.sys
0x04A2D000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x049BC000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x049C5000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x049D5000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x03E00000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x049EB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x03E24000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x03E53000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x03E6E000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x03E8F000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x04A32000 \SystemRoot\system32\DRIVERS\swenum.sys
0x04C91000 \SystemRoot\system32\DRIVERS\ks.sys
0x04CD4000 \SystemRoot\system32\DRIVERS\circlass.sys
0x04CE6000 \SystemRoot\system32\DRIVERS\umbus.sys
0x04CF8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x04D52000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x04D67000 \SystemRoot\system32\drivers\AtiHdmi.sys
0x04D89000 \SystemRoot\system32\drivers\portcls.sys
0x04DC6000 \SystemRoot\system32\drivers\drmk.sys
0x04DE8000 \SystemRoot\system32\drivers\ksthunk.sys
0x04C00000 \SystemRoot\system32\DRIVERS\stwrt64.sys
0x00080000 \SystemRoot\System32\win32k.sys
0x04C7F000 \SystemRoot\System32\drivers\Dxapi.sys
0x03DE1000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x04DEE000 \SystemRoot\System32\Drivers\crashdmp.sys
0x04800000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x03CEB000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x03A69000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x0269D000 \SystemRoot\System32\Drivers\usbvideo.sys
0x026CB000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00530000 \SystemRoot\System32\TSDDD.dll
0x006B0000 \SystemRoot\System32\cdd.dll
0x00940000 \SystemRoot\System32\ATMFD.DLL
0x026D9000 \SystemRoot\system32\drivers\luafv.sys
0x026FC000 \SystemRoot\system32\drivers\WudfPf.sys
0x0271D000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x02732000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x02785000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x02798000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x02A0F000 \SystemRoot\system32\drivers\HTTP.sys
0x02AD7000 \SystemRoot\system32\DRIVERS\bowser.sys
0x02AF5000 \SystemRoot\System32\drivers\mpsdrv.sys
0x02B0D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x02B3A000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x02B88000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x0382A000 \SystemRoot\system32\drivers\peauth.sys
0x038D0000 \SystemRoot\System32\Drivers\secdrv.SYS
0x038DB000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x03908000 \SystemRoot\System32\drivers\tcpipreg.sys
0x0391A000 \SystemRoot\System32\DRIVERS\srv2.sys
0x02600000 \SystemRoot\System32\DRIVERS\srv.sys
0x08A0B000 \SystemRoot\System32\Drivers\NISx64\1107000.00C\SRTSP64.SYS
0x09416000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100910.041\EX64.SYS
0x095D0000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100910.041\ENG64.SYS
0x76FE0000 \Windows\System32\ntdll.dll
0x484C0000 \Windows\System32\smss.exe
0xFF300000 \Windows\System32\apisetschema.dll
0xFF3C0000 \Windows\System32\autochk.exe
0xFF2D0000 \Windows\System32\imagehlp.dll
0xFF2B0000 \Windows\System32\sechost.dll
0x771B0000 \Windows\System32\psapi.dll
0xFF230000 \Windows\System32\shlwapi.dll
0xFEFD0000 \Windows\System32\iertutil.dll
0xFEF80000 \Windows\System32\ws2_32.dll
0xFEEE0000 \Windows\System32\msvcrt.dll
0xFEE90000 \Windows\System32\Wldap32.dll
0xFEE80000 \Windows\System32\lpk.dll
0xFEDE0000 \Windows\System32\clbcatq.dll
0x76EE0000 \Windows\System32\user32.dll
0xFECB0000 \Windows\System32\wininet.dll
0xFEB80000 \Windows\System32\rpcrt4.dll
0xFEAA0000 \Windows\System32\oleaut32.dll
0xFEA30000 \Windows\System32\gdi32.dll
0xFE9B0000 \Windows\System32\difxapi.dll
0xFE8E0000 \Windows\System32\usp10.dll
0x771A0000 \Windows\System32\normaliz.dll
0xFE8B0000 \Windows\System32\imm32.dll
0xFE730000 \Windows\System32\urlmon.dll
0xFD9A0000 \Windows\System32\shell32.dll
0xFD990000 \Windows\System32\nsi.dll
0xFD8B0000 \Windows\System32\advapi32.dll
0xFD6D0000 \Windows\System32\setupapi.dll
0xFD5C0000 \Windows\System32\msctf.dll
0xFD3B0000 \Windows\System32\ole32.dll
0xFD310000 \Windows\System32\comdlg32.dll
0x76DC0000 \Windows\System32\kernel32.dll
0xFD2F0000 \Windows\System32\devobj.dll
0xFD180000 \Windows\System32\crypt32.dll
0xFD140000 \Windows\System32\cfgmgr32.dll
0xFD0A0000 \Windows\System32\comctl32.dll
0xFD030000 \Windows\System32\KernelBase.dll
0xFCFF0000 \Windows\System32\wintrust.dll
0xFCFE0000 \Windows\System32\msasn1.dll
0x75020000 \Windows\SysWOW64\normaliz.dll

Processes (total 65):
0 System Idle Process
4 System
280 C:\Windows\System32\smss.exe
400 csrss.exe
492 C:\Windows\System32\wininit.exe
524 csrss.exe
548 C:\Windows\System32\services.exe
568 C:\Windows\System32\lsass.exe
576 C:\Windows\System32\lsm.exe
636 C:\Windows\System32\winlogon.exe
732 C:\Windows\System32\svchost.exe
812 C:\Windows\System32\svchost.exe
864 C:\Windows\System32\atiesrxx.exe
936 C:\Windows\System32\svchost.exe
968 C:\Windows\System32\svchost.exe
996 C:\Windows\System32\svchost.exe
320 C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_471277d5d45019ea\stacsv64.exe
504 C:\Windows\System32\audiodg.exe
1168 C:\Windows\System32\svchost.exe
1220 C:\Windows\System32\hpservice.exe
1232 C:\Windows\System32\atieclxx.exe
1352 C:\Windows\System32\svchost.exe
1460 C:\Windows\System32\spoolsv.exe
1492 C:\Windows\System32\svchost.exe
1588 C:\Windows\System32\svchost.exe
1640 C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_471277d5d45019ea\AESTSr64.exe
1696 C:\SwSetup\QuickWeb\QW.SYS\config\DVMExportService.exe
1728 C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
1788 C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
1816 C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe
1860 svchost.exe
1944 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2224 C:\Windows\System32\taskhost.exe
2396 C:\Windows\System32\dwm.exe
2512 C:\Windows\explorer.exe
2628 C:\Windows\System32\SearchIndexer.exe
2652 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2808 WmiPrvSE.exe
2884 C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe
2952 C:\Windows\System32\rundll32.exe
1092 C:\Windows\System32\svchost.exe
3140 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3156 C:\Program Files\IDT\WDM\sttray64.exe
3164 C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
3196 C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
3204 C:\Program Files\Hewlett-Packard\HPToneControl\HPToneCtl.exe
3236 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe
3320 WmiPrvSE.exe
3396 C:\Windows\System32\SearchProtocolHost.exe
3404 C:\Windows\System32\taskeng.exe
3444 C:\Windows\System32\taskeng.exe
3484 C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
3540 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
3568 C:\Windows\System32\SearchFilterHost.exe
4044 C:\Windows\System32\svchost.exe
2252 C:\Program Files\Windows Media Player\wmpnetwk.exe
896 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
3248 C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
3216 C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
1140 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
3720 dllhost.exe
3644 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
4424 C:\Users\Ahmad\Desktop\MBRCheck.exe
4460 C:\Windows\System32\conhost.exe
4480 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`0c800000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000006f`29b00000 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000074`6a400000 (FAT32)

PhysicalDrive0 Model Number: WDCWD5000BEVT-60A0RT0, Rev: 01.01A01

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!

Edited by m1garand, 11 September 2010 - 01:28 PM.


#8 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 11 September 2010 - 02:30 PM

Hello

That looks good - are you still having clicking sounds?

: Malwarebytes' Anti-Malware :
I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 m1garand

  • Topic Starter
  • Members
  • 27 posts

Posted 11 September 2010 - 02:47 PM

The clicking sound still occurs even though sound is turned off. Could it be something other than the Whistler bootkit, like some random file that makes a click noise to scare you?

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4595

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/09/2010 3:44:04 PM
mbam-log-2010-09-11 (15-44-04).txt

Scan type: Quick scan
Objects scanned: 132779
Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 11 September 2010 - 02:53 PM

Hello

I don't think it is the Whistler bootkit; the fix/mbr fix would have removed it, and the MBRCheck tool would show it.

One thing that sounds very interesting to me is that you hear it even with the sound off. This makes me lean to hardware and not a virus.

Let's do a good check in case it is something else.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click on Minimal Output at the top
  • Download the following file scan.txt to your Desktop. Click here to download it. You may need to right click on it and select "Save"
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel"
  • Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the OTL.Txt into this topic and please attach the Extras.Txt.

Gringo

#11 m1garand

  • Topic Starter
  • Members
  • 27 posts

Posted 11 September 2010 - 03:13 PM

OTL logfile created on: 9/11/2010 4:06:06 PM - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Users\Ahmad\Desktop
OTL SCAN:

64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 69.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 444.46 Gb Total Space | 406.75 Gb Free Space | 91.52% Space Free | Partition Type: NTFS
Drive D: | 21.01 Gb Total Space | 3.06 Gb Free Space | 14.56% Space Free | Partition Type: NTFS
Drive E: | 99.02 Mb Total Space | 92.75 Mb Free Space | 93.67% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AHMAD-PC
Current User Name: Ahmad
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Users\Ahmad\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
PRC - C:\SwSetup\QuickWeb\QW.SYS\config\DVMExportService.exe (DeviceVM, Inc.)
PRC - C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe (Symantec Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Ahmad\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files (x86)\Internet Explorer\ieproxy.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\rsaenh.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\WindowsCodecs.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\thumbcache.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\StructuredQuery.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\srvcli.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\slc.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\SearchFolder.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\RpcRtRemote.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\ntshrui.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\networkexplorer.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\linkinfo.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\EhStorShell.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\cscapi.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\actxprxy.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (STacSV) -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_471277d5d45019ea\stacsv64.exe (IDT, Inc.)
SRV:64bit: - (HP Wireless Assistant Service) -- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe (Hewlett-Packard)
SRV:64bit: - (HPWMISVC) -- C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe ()
SRV:64bit: - (wlidsvc) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (hpsrv) -- C:\Windows\SysNative\hpservice.exe (Hewlett-Packard)
SRV:64bit: - (AESTFilters) -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_471277d5d45019ea\AESTSr64.exe (Andrea Electronics Corporation)
SRV - (clr_optimization_v4.0.30319_64) -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (DvmMDES) -- C:\SwSetup\QuickWeb\QW.SYS\config\DVMExportService.exe (DeviceVM, Inc.)
SRV - (NIS) -- C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe (Symantec Corporation)
SRV - (GameConsoleService) -- C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe (WildTangent, Inc.)


========== Driver Services (SafeList) ==========

DRV:64bit: - (SymEvent) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS (Symantec Corporation)
DRV:64bit: - (Point64) -- C:\Windows\SysNative\drivers\point64.sys (Microsoft Corporation)
DRV:64bit: - (hpdskflt) -- C:\Windows\SysNative\drivers\hpdskflt.sys (Hewlett-Packard Company)
DRV:64bit: - (Accelerometer) -- C:\Windows\SysNative\drivers\Accelerometer.sys (Hewlett-Packard Company)
DRV:64bit: - (SynTP) -- C:\Windows\SysNative\drivers\SynTP.sys (Synaptics Incorporated)
DRV:64bit: - (SYMTDIv) -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\symtdiv.sys (Symantec Corporation)
DRV:64bit: - (SymIRON) -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\ironx64.sys (Symantec Corporation)
DRV:64bit: - (SymEFA) -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\symefa64.sys (Symantec Corporation)
DRV:64bit: - (SRTSP) -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\srtsp64.sys (Symantec Corporation)
DRV:64bit: - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\srtspx64.sys (Symantec Corporation)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atipmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (ccHP) -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\cchpx64.sys (Symantec Corporation)
DRV:64bit: - (RSUSBSTOR) -- C:\Windows\SysNative\drivers\RtsUStor.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (STHDA) -- C:\Windows\SysNative\drivers\stwrt64.sys (IDT, Inc.)
DRV:64bit: - (AtiHdmiService) -- C:\Windows\SysNative\drivers\AtiHdmi.sys (ATI Technologies, Inc.)
DRV:64bit: - (usbfilter) -- C:\Windows\SysNative\drivers\usbfilter.sys (Advanced Micro Devices)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek )
DRV:64bit: - (DVMIO) -- C:\Windows\SysNative\drivers\dvmio.sys (DeviceVM, Inc.)
DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)
DRV:64bit: - (SymDS) -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\symds64.sys (Symantec Corporation)
DRV:64bit: - (AtiPcie) AMD PCI Express (3GIO) -- C:\Windows\SysNative\drivers\AtiPcie.sys (Advanced Micro Devices Inc.)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (sdbus) -- C:\Windows\SysNative\drivers\sdbus.sys (Microsoft Corporation)
DRV:64bit: - (SrvHsfV92) -- C:\Windows\SysNative\drivers\VSTDPV6.SYS (Conexant Systems, Inc.)
DRV:64bit: - (SrvHsfWinac) -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS (Conexant Systems, Inc.)
DRV:64bit: - (SrvHsfHDA) -- C:\Windows\SysNative\drivers\VSTAZL6.SYS (Conexant Systems, Inc.)
DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\wbem\ntfs.mof ()
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (yukonw7) -- C:\Windows\SysNative\drivers\yk62x64.sys (Marvell)
DRV:64bit: - (netw5v64) Intel® -- C:\Windows\SysNative\drivers\netw5v64.sys (Intel Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (NAVEX15) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100910.041\EX64.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100910.041\ENG64.SYS (Symantec Corporation)
DRV - (BHDrvx64) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100810.004\BHDrvx64.sys (Symantec Corporation)
DRV - (IDSVia64) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100909.001\IDSviA64.sys (Symantec Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPCON/4
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPCON/4

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPCON/4
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\ [2010/08/25 23:16:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\ [2010/08/25 23:04:19 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ipsbho.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\coieplg.dll (Symantec Corporation)
O4:64bit: - HKLM..\Run: [HP Quick Launch] C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe (Hewlett-Packard Company)
O4:64bit: - HKLM..\Run: [HPToneControl] C:\Program Files\Hewlett-Packard\HPToneControl\HPToneCtl.exe (Hewlett-Packard )
O4:64bit: - HKLM..\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe ()
O4:64bit: - HKLM..\Run: [IntelliPoint] c:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe ()
O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [NortonOnlineBackupReminder] C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NOBuActivation.exe (Symantec Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30:64bit: - LSA: Security Packages - (livessp) - C:\Windows\SysNative\livessp.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (livessp) - C:\Windows\SysWow64\livessp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 90 Days ==========

[2010/09/11 15:55:46 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Users\Ahmad\Desktop\OTL.exe
[2010/09/11 15:51:08 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft IntelliPoint
[2010/09/10 19:53:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2010/09/10 19:53:04 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/09/10 19:52:58 | 007,009,088 | ---- | C] (SurfRight B.V.) -- C:\Users\Ahmad\Desktop\HitmanPro35_x64.exe
[2010/09/10 11:57:00 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\Desktop\tdsskiller
[2010/09/09 17:12:27 | 000,083,968 | ---- | C] (eSage Lab) -- C:\Users\Ahmad\Desktop\bootkit_remover.exe
[2010/09/09 17:05:57 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Local\Adobe
[2010/09/09 16:47:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\7-Zip
[2010/09/09 16:42:56 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\Desktop\gmer
[2010/09/09 09:44:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2010/09/09 08:59:41 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Roaming\Malwarebytes
[2010/09/09 08:59:33 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/09/09 08:59:32 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/09/09 08:59:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/09/09 08:59:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/09/08 10:02:50 | 000,000,000 | R--D | C] -- C:\Users\Ahmad\Documents\Scanned Documents
[2010/09/08 10:02:49 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\Documents\Fax
[2010/09/08 08:11:57 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\Desktop\Eng105
[2010/09/07 11:04:43 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\Desktop\business
[2010/09/06 13:48:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2010/09/06 13:46:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Google
[2010/09/03 09:30:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Recovery
[2010/08/30 21:31:01 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Local\Microsoft Games
[2010/08/25 00:04:32 | 000,451,120 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\symtdiv.sys
[2010/08/25 00:04:32 | 000,221,232 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\symefa64.sys
[2010/08/25 00:04:31 | 000,615,040 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\cchpx64.sys
[2010/08/25 00:04:31 | 000,505,392 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\srtsp64.sys
[2010/08/25 00:04:31 | 000,433,200 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\symds64.sys
[2010/08/25 00:04:31 | 000,150,064 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\ironx64.sys
[2010/08/25 00:04:31 | 000,032,304 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\srtspx64.sys
[2010/08/25 00:04:12 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\NISx64\1107000.00C
[2010/08/24 21:21:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Symantec Shared
[2010/08/24 18:48:05 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Local\Diagnostics
[2010/08/24 16:59:24 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/08/24 01:33:25 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Wat
[2010/08/24 01:33:25 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Wat
[2010/08/24 01:23:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MSXML 4.0
[2010/08/24 01:17:29 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Roaming\HpUpdate
[2010/08/24 01:13:23 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Roaming\Adobe
[2010/08/24 01:12:56 | 000,173,104 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2010/08/24 01:12:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2010/08/24 01:12:56 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/08/24 01:12:03 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Roaming\ATI
[2010/08/24 01:12:03 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Local\ATI
[2010/08/24 01:11:17 | 000,000,000 | R--D | C] -- C:\Users\Ahmad\Searches
[2010/08/24 01:11:16 | 000,000,000 | -H-D | C] -- C:\Users\Ahmad\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2010/08/24 01:11:07 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Roaming\Identities
[2010/08/24 01:11:03 | 000,000,000 | R--D | C] -- C:\Users\Ahmad\Contacts
[2010/08/24 01:10:17 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Local\Hewlett-Packard
[2010/08/24 00:59:56 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Roaming\Hewlett-Packard
[2010/08/24 00:57:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
[2010/08/24 00:56:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Live SkyDrive
[2010/08/24 00:56:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Live
[2010/08/24 00:55:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Windows Live
[2010/08/24 00:54:05 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Local\VirtualStore
[2010/08/24 00:51:20 | 000,000,000 | --SD | C] -- C:\Users\Ahmad\AppData\Roaming\Microsoft
[2010/08/24 00:51:20 | 000,000,000 | R--D | C] -- C:\Users\Ahmad\Videos
[2010/08/24 00:51:20 | 000,000,000 | R--D | C] -- C:\Users\Ahmad\Saved Games
[2010/08/24 00:51:20 | 000,000,000 | R--D | C] -- C:\Users\Ahmad\Pictures
[2010/08/24 00:51:20 | 000,000,000 | R--D | C] -- C:\Users\Ahmad\Music
[2010/08/24 00:51:20 | 000,000,000 | R--D | C] -- C:\Users\Ahmad\Links
[2010/08/24 00:51:20 | 000,000,000 | R--D | C] -- C:\Users\Ahmad\Favorites
[2010/08/24 00:51:20 | 000,000,000 | R--D | C] -- C:\Users\Ahmad\Downloads
[2010/08/24 00:51:20 | 000,000,000 | R--D | C] -- C:\Users\Ahmad\Documents
[2010/08/24 00:51:20 | 000,000,000 | R--D | C] -- C:\Users\Ahmad\Desktop
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\AppData\Local\Temporary Internet Files
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\Templates
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\Start Menu
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\SendTo
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\Recent
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\PrintHood
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\NetHood
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\Documents\My Videos
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\Documents\My Pictures
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\Documents\My Music
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\My Documents
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\Local Settings
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\AppData\Local\History
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\Cookies
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\Application Data
[2010/08/24 00:51:20 | 000,000,000 | -HSD | C] -- C:\Users\Ahmad\AppData\Local\Application Data
[2010/08/24 00:51:20 | 000,000,000 | -H-D | C] -- C:\Users\Ahmad\AppData
[2010/08/24 00:51:20 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Local\Temp
[2010/08/24 00:51:20 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Local\Microsoft
[2010/08/24 00:51:20 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Roaming\Media Center Programs
[2010/08/23 21:52:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/08/23 21:52:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2010/08/23 21:46:57 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Roaming\Macromedia
[2010/08/23 21:46:48 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Roaming\Google
[2010/08/23 21:46:36 | 000,000,000 | ---D | C] -- C:\Users\Ahmad\AppData\Local\Google
[2010/08/23 21:46:32 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2010/08/23 21:46:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Google
[2010/06/15 05:40:56 | 000,000,000 | ---D | C] -- C:\Windows\ehome
[2010/06/15 05:39:08 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2010/06/15 05:24:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\HP Games
[2010/06/15 05:24:57 | 000,000,000 | ---D | C] -- C:\ProgramData\WildTangent
[2010/06/15 05:20:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Downloaded Installations
[2010/06/15 05:19:45 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\NISx64
[2010/06/15 05:19:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Norton Internet Security
[2010/06/15 05:19:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2010/06/15 05:18:53 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2010/06/15 05:18:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NortonInstaller
[2010/06/15 05:15:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft
[2010/06/15 05:00:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\LightScribe
[2010/06/15 04:57:03 | 000,000,000 | ---D | C] -- C:\Windows\Hewlett-Packard
[2010/06/15 04:56:31 | 000,000,000 | ---D | C] -- C:\Windows\Driver Cache
[2010/06/15 04:55:38 | 001,484,800 | ---- | C] (Atheros Communications, Inc.) -- C:\Windows\SysNative\drivers\athrx.sys
[2010/06/15 04:55:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Atheros
[2010/06/15 04:55:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Atheros
[2010/06/15 04:54:37 | 000,295,424 | ---- | C] (Realtek ) -- C:\Windows\SysNative\drivers\Rt64win7.sys
[2010/06/15 04:54:37 | 000,097,792 | ---- | C] (Realtek Semiconductor Corporation) -- C:\Windows\SysNative\RTNUninst64.dll
[2010/06/15 04:54:04 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2010/06/15 04:53:55 | 012,613,120 | ---- | C] (IDT, Inc.) -- C:\Windows\SysNative\idtcpl64.cpl
[2010/06/15 04:53:55 | 003,345,408 | ---- | C] (IDT, Inc.) -- C:\Windows\SysNative\stlang64.dll
[2010/06/15 04:53:55 | 000,564,224 | ---- | C] (IDT, Inc.) -- C:\Windows\SysNative\idt64mp1.exe
[2010/06/15 04:53:55 | 000,487,424 | ---- | C] (IDT, Inc.) -- C:\Windows\sttray64.exe
[2010/06/15 04:53:54 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\SRSLabs
[2010/06/15 04:53:21 | 000,209,920 | ---- | C] (IDT, Inc.) -- C:\Windows\SysNative\staco64.dll
[2010/06/15 04:53:11 | 000,000,000 | ---D | C] -- C:\Program Files\IDT
[2010/06/15 04:53:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Realtek
[2010/06/15 04:52:55 | 000,000,000 | ---D | C] -- C:\Program Files\Synaptics
[2010/06/15 04:52:41 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
[2010/06/15 04:52:40 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\DRVSTORE
[2010/06/15 04:52:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD
[2010/06/15 04:50:21 | 000,000,000 | ---D | C] -- C:\Program Files\ATI
[2010/06/15 04:50:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ATI Technologies
[2010/06/15 04:44:48 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/09/11 16:07:42 | 001,310,720 | -HS- | M] () -- C:\Users\Ahmad\NTUSER.DAT
[2010/09/11 16:06:44 | 001,432,568 | ---- | M] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\Cat.DB
[2010/09/11 15:55:49 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Ahmad\Desktop\OTL.exe
[2010/09/11 15:51:28 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_point64_01009.Wdf
[2010/09/11 15:43:36 | 000,023,024 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/11 15:43:36 | 000,023,024 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/11 15:36:18 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/11 15:36:12 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/11 15:36:04 | 3015,884,800 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/11 12:03:58 | 002,076,140 | -H-- | M] () -- C:\Users\Ahmad\AppData\Local\IconCache.db
[2010/09/11 09:18:26 | 000,080,384 | ---- | M] () -- C:\Users\Ahmad\Desktop\MBRCheck.exe
[2010/09/11 00:53:38 | 000,007,604 | ---- | M] () -- C:\Users\Ahmad\AppData\Local\Resmon.ResmonCfg
[2010/09/10 19:55:07 | 000,019,528 | ---- | M] () -- C:\Windows\SysNative\drivers\hitmanpro35.sys
[2010/09/10 19:53:24 | 000,001,974 | ---- | M] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2010/09/10 19:53:19 | 007,009,088 | ---- | M] (SurfRight B.V.) -- C:\Users\Ahmad\Desktop\HitmanPro35_x64.exe
[2010/09/10 12:06:56 | 001,193,882 | ---- | M] () -- C:\Users\Ahmad\Desktop\tdsskiller.zip
[2010/09/09 16:56:38 | 000,040,375 | ---- | M] () -- C:\Users\Ahmad\Documents\bootkit_remover.rar
[2010/09/09 16:56:38 | 000,040,375 | ---- | M] () -- C:\Users\Ahmad\Desktop\bootkit_remover.rar
[2010/09/09 16:47:44 | 000,284,915 | ---- | M] () -- C:\Users\Ahmad\Desktop\gmer.zip
[2010/09/09 16:46:59 | 000,939,956 | ---- | M] () -- C:\Users\Ahmad\Desktop\7z465.exe
[2010/09/09 16:34:17 | 000,525,824 | ---- | M] () -- C:\Users\Ahmad\Desktop\dds.scr
[2010/09/09 16:33:08 | 000,000,000 | ---- | M] () -- C:\Users\Ahmad\defogger_reenable
[2010/09/09 16:33:02 | 000,050,477 | ---- | M] () -- C:\Users\Ahmad\Desktop\Defogger.exe
[2010/09/09 08:59:37 | 000,001,009 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/01 15:33:49 | 000,083,968 | ---- | M] (eSage Lab) -- C:\Users\Ahmad\Desktop\bootkit_remover.exe
[2010/08/30 21:51:19 | 001,555,368 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/08/30 21:51:19 | 000,706,882 | ---- | M] () -- C:\Windows\SysNative\perfh00C.dat
[2010/08/30 21:51:19 | 000,628,460 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/08/30 21:51:19 | 000,134,364 | ---- | M] () -- C:\Windows\SysNative\perfc00C.dat
[2010/08/30 21:51:19 | 000,110,612 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/08/25 23:03:31 | 000,002,489 | ---- | M] () -- C:\Users\Public\Desktop\Norton Internet Security.lnk
[2010/08/24 03:44:32 | 000,039,219 | ---- | M] () -- C:\Windows\SysWow64\license.rtf
[2010/08/24 03:44:32 | 000,039,219 | ---- | M] () -- C:\Windows\SysNative\license.rtf
[2010/08/24 01:36:02 | 000,352,320 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/08/24 01:31:53 | 000,524,288 | -HS- | M] () -- C:\Users\Ahmad\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
[2010/08/24 01:31:53 | 000,524,288 | -HS- | M] () -- C:\Users\Ahmad\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
[2010/08/24 01:31:53 | 000,065,536 | -HS- | M] () -- C:\Users\Ahmad\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
[2010/08/24 01:12:56 | 000,173,104 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2010/08/24 01:12:56 | 000,007,440 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2010/08/24 01:12:56 | 000,000,854 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2010/08/24 01:12:43 | 000,001,437 | ---- | M] () -- C:\Users\Ahmad\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/08/24 00:54:50 | 000,084,240 | ---- | M] () -- C:\Users\Ahmad\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/08/24 00:51:20 | 000,000,020 | -HS- | M] () -- C:\Users\Ahmad\ntuser.ini
[2010/06/15 05:30:09 | 000,002,216 | ---- | M] () -- C:\Users\Public\Desktop\Jouer HP Games.lnk
[2010/06/15 04:59:17 | 000,000,299 | ---- | M] () -- C:\Windows\SysWow64\RStoneLog2.ini
[2010/06/15 04:59:16 | 000,000,240 | ---- | M] () -- C:\Windows\SysWow64\RStoneLog.ini
[2010/06/15 04:58:02 | 000,000,000 | ---- | M] () -- C:\Windows\ativpsrm.bin
[2010/06/15 04:55:28 | 000,000,000 | RHS- | M] () -- C:\Windows\SysWow64\drivers\103C_HP_cNB_Pavilion dv6 Notebook PC_Y5335KV_0U_QCNF023K9VB_E595716-122_4A_I1440_SHP_V67.16_F.08_T100610_WU3-0_L409_M3835_J500_7AMD_8F63_92.30_#100615_N10EC8168;168C002A_(XA512UA#ABC)_XMOBILE_CN10_Z.MRK
[2010/06/15 04:55:28 | 000,000,000 | RHS- | M] () -- C:\Windows\SysNative\drivers\103C_HP_cNB_Pavilion dv6 Notebook PC_Y5335KV_0U_QCNF023K9VB_E595716-122_4A_I1440_SHP_V67.16_F.08_T100610_WU3-0_L409_M3835_J500_7AMD_8F63_92.30_#100615_N10EC8168;168C002A_(XA512UA#ABC)_XMOBILE_CN10_Z.MRK
[2010/06/15 04:52:59 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_SynTP_01009.Wdf
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/11 15:51:28 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_point64_01009.Wdf
[2010/09/11 09:18:26 | 000,080,384 | ---- | C] () -- C:\Users\Ahmad\Desktop\MBRCheck.exe
[2010/09/10 19:53:36 | 000,019,528 | ---- | C] () -- C:\Windows\SysNative\drivers\hitmanpro35.sys
[2010/09/10 19:53:05 | 000,001,974 | ---- | C] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2010/09/10 19:50:26 | 000,007,604 | ---- | C] () -- C:\Users\Ahmad\AppData\Local\Resmon.ResmonCfg
[2010/09/10 11:56:37 | 001,193,882 | ---- | C] () -- C:\Users\Ahmad\Desktop\tdsskiller.zip
[2010/09/09 17:11:27 | 000,040,375 | ---- | C] () -- C:\Users\Ahmad\Documents\bootkit_remover.rar
[2010/09/09 16:55:05 | 000,040,375 | ---- | C] () -- C:\Users\Ahmad\Desktop\bootkit_remover.rar
[2010/09/09 16:46:54 | 000,939,956 | ---- | C] () -- C:\Users\Ahmad\Desktop\7z465.exe
[2010/09/09 16:41:04 | 000,284,915 | ---- | C] () -- C:\Users\Ahmad\Desktop\gmer.zip
[2010/09/09 16:34:17 | 000,525,824 | ---- | C] () -- C:\Users\Ahmad\Desktop\dds.scr
[2010/09/09 16:33:08 | 000,000,000 | ---- | C] () -- C:\Users\Ahmad\defogger_reenable
[2010/09/09 16:32:57 | 000,050,477 | ---- | C] () -- C:\Users\Ahmad\Desktop\Defogger.exe
[2010/09/09 08:59:37 | 000,001,009 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/25 23:02:51 | 001,432,568 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\Cat.DB
[2010/08/25 00:04:32 | 000,007,829 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\symefa64.cat
[2010/08/25 00:04:32 | 000,007,787 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\symnetv64.cat
[2010/08/25 00:04:32 | 000,007,368 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\symnet64.cat
[2010/08/25 00:04:32 | 000,003,373 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\symefa.inf
[2010/08/25 00:04:32 | 000,001,473 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\symnetv.inf
[2010/08/25 00:04:32 | 000,001,445 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\symnet.inf
[2010/08/25 00:04:31 | 000,007,414 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\srtspx64.cat
[2010/08/25 00:04:31 | 000,007,410 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\srtsp64.cat
[2010/08/25 00:04:31 | 000,007,406 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\symds64.cat
[2010/08/25 00:04:31 | 000,007,402 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\iron.cat
[2010/08/25 00:04:31 | 000,007,358 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\cchpx64.cat
[2010/08/25 00:04:31 | 000,002,793 | R--- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\symds.inf
[2010/08/25 00:04:31 | 000,001,838 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\cchpx64.inf
[2010/08/25 00:04:31 | 000,001,437 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\srtsp64.inf
[2010/08/25 00:04:31 | 000,001,421 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\srtspx64.inf
[2010/08/25 00:04:31 | 000,000,771 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\iron.inf
[2010/08/25 00:04:12 | 000,000,172 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1107000.00C\isolate.ini
[2010/08/24 01:12:56 | 000,007,440 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2010/08/24 01:12:56 | 000,000,854 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2010/08/24 01:12:47 | 000,002,489 | ---- | C] () -- C:\Users\Public\Desktop\Norton Internet Security.lnk
[2010/08/24 01:12:43 | 000,001,437 | ---- | C] () -- C:\Users\Ahmad\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/08/24 00:59:27 | 000,002,256 | ---- | C] () -- C:\Users\Public\Desktop\Accessories.lnk
[2010/08/24 00:59:27 | 000,002,192 | ---- | C] () -- C:\Users\Public\Desktop\eBay.lnk
[2010/08/24 00:51:20 | 001,310,720 | -HS- | C] () -- C:\Users\Ahmad\NTUSER.DAT
[2010/08/24 00:51:20 | 000,524,288 | -HS- | C] () -- C:\Users\Ahmad\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
[2010/08/24 00:51:20 | 000,524,288 | -HS- | C] () -- C:\Users\Ahmad\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
[2010/08/24 00:51:20 | 000,262,144 | -HS- | C] () -- C:\Users\Ahmad\ntuser.dat.LOG1
[2010/08/24 00:51:20 | 000,065,536 | -HS- | C] () -- C:\Users\Ahmad\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
[2010/08/24 00:51:20 | 000,000,290 | ---- | C] () -- C:\Users\Ahmad\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2010/08/24 00:51:20 | 000,000,272 | ---- | C] () -- C:\Users\Ahmad\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2010/08/24 00:51:20 | 000,000,020 | -HS- | C] () -- C:\Users\Ahmad\ntuser.ini
[2010/08/24 00:51:20 | 000,000,000 | -HS- | C] () -- C:\Users\Ahmad\ntuser.dat.LOG2
[2010/06/15 05:42:06 | 000,048,265 | ---- | C] () -- C:\Windows\HomePremium.xml
[2010/06/15 05:25:19 | 000,002,216 | ---- | C] () -- C:\Users\Public\Desktop\Jouer HP Games.lnk
[2010/06/15 05:18:17 | 000,000,105 | ---- | C] () -- C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log
[2010/06/15 05:18:11 | 000,000,032 | ---- | C] () -- C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
[2010/06/15 05:17:57 | 000,000,032 | ---- | C] () -- C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
[2010/06/15 05:17:38 | 000,000,032 | ---- | C] () -- C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
[2010/06/15 05:17:01 | 000,000,032 | ---- | C] () -- C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
[2010/06/15 04:58:02 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010/06/15 04:54:37 | 000,067,584 | ---- | C] () -- C:\Windows\SysNative\RtNicProp64.dll
[2010/06/15 04:53:55 | 000,015,222 | ---- | C] () -- C:\Windows\SysNative\nbspkrs.ico
[2010/06/15 04:53:55 | 000,003,774 | ---- | C] () -- C:\Windows\SysNative\bltinmic.ico
[2010/06/15 04:53:55 | 000,003,774 | ---- | C] () -- C:\Windows\SysNative\2hps.ico
[2010/06/15 04:52:59 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_SynTP_01009.Wdf
[2010/06/15 04:49:18 | 000,000,299 | ---- | C] () -- C:\Windows\SysWow64\RStoneLog2.ini
[2010/06/15 04:49:18 | 000,000,240 | ---- | C] () -- C:\Windows\SysWow64\RStoneLog.ini
[2010/06/15 04:48:58 | 000,000,000 | RHS- | C] () -- C:\Windows\SysWow64\drivers\103C_HP_cNB_Pavilion dv6 Notebook PC_Y5335KV_0U_QCNF023K9VB_E595716-122_4A_I1440_SHP_V67.16_F.08_T100610_WU3-0_L409_M3835_J500_7AMD_8F63_92.30_#100615_N10EC8168;168C002A_(XA512UA#ABC)_XMOBILE_CN10_Z.MRK
[2010/06/15 04:48:58 | 000,000,000 | RHS- | C] () -- C:\Windows\SysNative\drivers\103C_HP_cNB_Pavilion dv6 Notebook PC_Y5335KV_0U_QCNF023K9VB_E595716-122_4A_I1440_SHP_V67.16_F.08_T100610_WU3-0_L409_M3835_J500_7AMD_8F63_92.30_#100615_N10EC8168;168C002A_(XA512UA#ABC)_XMOBILE_CN10_Z.MRK
[2010/06/15 04:43:55 | 3015,884,800 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/08 18:24:05 | 000,000,188 | ---- | C] () -- C:\Windows\SysWow64\HPWA.ini
[2010/05/08 17:00:11 | 000,000,109 | ---- | C] () -- C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
[2010/05/08 16:54:26 | 000,000,110 | ---- | C] () -- C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
[2010/05/08 16:53:03 | 000,000,105 | ---- | C] () -- C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
[2010/05/08 16:52:24 | 000,000,107 | ---- | C] () -- C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
[2010/02/09 21:58:12 | 000,012,800 | ---- | C] () -- C:\Windows\LPRES.DLL
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/07/10 00:03:56 | 000,370,312 | ---- | C] () -- C:\Windows\SysWow64\sqlite3.dll

========== LOP Check ==========

[2009/07/14 01:08:49 | 000,012,458 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/07/13 21:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2010/09/11 15:36:04 | 3015,884,800 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/11 15:36:09 | 4021,182,464 | -HS- | M] () -- C:\pagefile.sys
[2010/09/10 11:59:57 | 000,065,170 | ---- | M] () -- C:\TDSSKiller.2.4.2.1_10.09.2010_11.57.22_log.txt
[2010/09/10 12:01:31 | 000,065,170 | ---- | M] () -- C:\TDSSKiller.2.4.2.1_10.09.2010_12.00.01_log.txt
[2010/09/10 12:10:29 | 000,128,168 | ---- | M] () -- C:\TDSSKiller.2.4.2.1_10.09.2010_12.07.19_log.txt
[2010/09/10 12:28:40 | 000,065,170 | ---- | M] () -- C:\TDSSKiller.2.4.2.1_10.09.2010_12.26.59_log.txt

< %systemroot%\Fonts\*.com >
[2009/07/14 01:32:31 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2009/07/14 01:32:31 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2009/07/14 01:32:31 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2009/07/14 01:32:31 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/06/10 16:49:50 | 000,000,065 | -H-- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2009/07/10 12:15:46 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2009/07/14 00:54:24 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/08/24 01:12:43 | 000,000,221 | -HS- | M] () -- C:\Users\Ahmad\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2010/09/09 16:46:59 | 000,939,956 | ---- | M] () -- C:\Users\Ahmad\Desktop\7z465.exe
[2010/09/01 15:33:49 | 000,083,968 | ---- | M] (eSage Lab) -- C:\Users\Ahmad\Desktop\bootkit_remover.exe
[2010/09/09 16:33:02 | 000,050,477 | ---- | M] () -- C:\Users\Ahmad\Desktop\Defogger.exe
[2010/09/10 19:53:19 | 007,009,088 | ---- | M] (SurfRight B.V.) -- C:\Users\Ahmad\Desktop\HitmanPro35_x64.exe
[2010/09/11 09:18:26 | 000,080,384 | ---- | M] () -- C:\Users\Ahmad\Desktop\MBRCheck.exe
[2010/09/11 15:55:49 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Ahmad\Desktop\OTL.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >
[2009/06/10 17:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\addins\FXSEXT.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2010/08/24 01:38:18 | 000,000,402 | -HS- | M] () -- C:\Users\Ahmad\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2010/06/15 05:18:11 | 000,000,032 | ---- | M] () -- C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
[2010/05/08 17:00:51 | 000,000,109 | ---- | M] () -- C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
[2010/06/15 05:17:38 | 000,000,032 | ---- | M] () -- C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
[2010/05/08 16:54:15 | 000,000,105 | ---- | M] () -- C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
[2010/06/15 05:17:01 | 000,000,032 | ---- | M] () -- C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
[2010/06/15 05:17:57 | 000,000,032 | ---- | M] () -- C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
[2010/05/08 16:52:55 | 000,000,107 | ---- | M] () -- C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
[2010/05/08 17:00:03 | 000,000,110 | ---- | M] () -- C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
[2010/06/15 05:18:25 | 000,000,105 | ---- | M] () -- C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.exe >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< %USERPROFILE%\Templates\*.tmp >

< %SYSTEMDRIVE%\explorexxx.exe\*.* >

< %Windir%\Installer\*.tmp >

< %systemroot%\System32\*.xco >

< %ProgramFiles%\system32\*.* >

< %systemroot%\System32\windos\*.* >

< %SystemRoot%\system32\sandbox\*.* >

< %SystemRoot%\system32\*.amo >

< %SystemRoot%\system32\Windows Live\*.* >

< %ProgramFiles%\logs\*.* >

< %ProgramFiles%\Bifrost\*.* >

< %SystemRoot%\system32\*.goo >

< %systemroot%\system32\IME\*.* >

< %systemroot%\BackUp\*.* >

< %systemroot%\system32\*.ico >
[2009/06/10 17:17:19 | 000,116,288 | ---- | M] () -- C:\Windows\SysWOW64\PerfCenterCpl.ico

< %systemroot%\system\*.dat >

< %systemroot%\system\*.exe >

< %AppData%\Macromedia\Common\*.* >

< %SYSTEMDRIVE%\dir\*.* /s >

< %systemroot%\system32\ras\*.exe >

< %SYSTEMDRIVE%\MFILES\*.* >

< %SYSTEMDRIVE%\mDNSRespon.exe\*.* >

< %systemroot%\system32\services\*.* >

< %systemroot%\Spooler\*.* >

< %ProgramFiles%\system32\*.* >

< %systemroot%\system32\Setup\*.dll /x >

< %systemroot%\system32\*.mine >

< %SYSTEMDRIVE%\cleansweep.exe\*.* >

< %systemroot%\system32\ras\*.dll >

< %systemroot%\system32\ras\*.drv >

< %systemroot%\*.iq >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
< End of report >

Attached Files



#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:40 AM

Posted 11 September 2010 - 07:38 PM

Hello

Besides the clicking you hear, do you have any other type of symptoms?

Run OTL Script

We need to run an OTL Fix
  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the textbox. Do not include the word Code
    CODE
    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    :Commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
  • Then click the Run Fix button at the top.
  • Click .
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
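As an added illustration (not part of this thread, and not OTL's own code), the PowerShell below audits the same registry locations the fix script above acts on: the Browser Helper Objects list (the O2 line, a BHO whose CLSID has no class registration), the HKLM Run key including its unnamed default value (the O4 line, "File not found"), and the two Explorer policy values (the O6 lines). It is read-only and only reports; the CLSID resolution and command-line parsing are simplified approximations of the checks OTL performs, and the column names are this example's own.

```powershell
# Added example, not part of the thread: a read-only audit of the registry
# locations the OTL fix above acts on. It deletes nothing; it reports what a
# person (or a tool such as OTL) would then decide to remove.
# Run in an elevated PowerShell session on the affected machine.

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$runRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-ExecutableFromCommand {
    # Heuristic: the quoted program path, or else the first token, of a Run value.
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Get-BhoAudit {
    # Each BHO subkey name is a CLSID. A healthy entry has a matching
    # HKCR\CLSID\{...}\InprocServer32 default value naming a DLL that exists.
    # OTL's "No CLSID value found" corresponds to the first check failing.
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            $clsidKey = @("Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
                          "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid") |
                        Where-Object { Test-Path $_ } | Select-Object -First 1
            $dll = $null
            if ($clsidKey -and (Test-Path "$clsidKey\InprocServer32")) {
                $dll = (Get-ItemProperty "$clsidKey\InprocServer32").'(default)'
            }
            [pscustomobject]@{
                Kind     = 'BHO'
                Location = "$root\$clsid"
                Target   = $dll
                Resolves = [bool]$clsidKey
                OnDisk   = if ($dll) { Test-Path ([Environment]::ExpandEnvironmentVariables($dll)) } else { $false }
            }
        }
    }
}

function Get-RunAudit {
    # Report every Run value, including the unnamed (default) value, which is
    # what OTL logged as "O4 - HKLM..\Run: []". Flags targets missing on disk.
    foreach ($root in $runRoots) {
        if (-not (Test-Path $root)) { continue }
        $key = Get-Item $root
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            $exe = Get-ExecutableFromCommand $cmd
            [pscustomobject]@{
                Kind     = 'Run'
                Location = "$root\" + $(if ($name -eq '') { '(default)' } else { $name })
                Target   = $cmd
                Resolves = ($cmd -ne '')
                OnDisk   = if ($exe) { Test-Path ([Environment]::ExpandEnvironmentVariables($exe)) } else { $false }
            }
        }
    }
}

function Get-ExplorerPolicyAudit {
    # These policies lock the desktop. Nothing on a home machine normally sets
    # them, so they are worth questioning, but an administrator or an imaging
    # script can set them legitimately; the presence alone is not a verdict.
    if (-not (Test-Path $policyKey)) { return }
    $p = Get-ItemProperty $policyKey
    foreach ($name in 'NoActiveDesktop', 'NoActiveDesktopChanges') {
        if ($null -ne $p.$name) {
            [pscustomobject]@{ Kind = 'Policy'; Location = "$policyKey\$name"; Target = $p.$name; Resolves = $true; OnDisk = $null }
        }
    }
}

# Full listing first, then only the entries that do not resolve or point at
# nothing on disk: those are the candidates the OTL fix above removed.
$all = @(Get-BhoAudit) + @(Get-RunAudit) + @(Get-ExplorerPolicyAudit)
$all | Format-Table -AutoSize
'--- unresolved or missing on disk ---'
$all | Where-Object { -not $_.Resolves -or $_.OnDisk -eq $false } | Format-Table -AutoSize
```

Run it before and after a fix of this kind: the "before" run should show the dangling BHO CLSID and the empty Run value in the second table, and the "after" run should show neither. The policy entries are listed in the first table only, because they are a judgement call rather than a broken reference.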

#13 m1garand

m1garand
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:11:40 AM

Posted 12 September 2010 - 12:07 PM

I did this OTL fix last night but had to go do something and turned my laptop off after restarting, and didn't post the log. That's ok, right? I still have those clicking sounds, from like 5 minutes after my laptop is turned on, and have no other symptoms. I guess it's just a hardware issue or something. The clicking sounds are very random and spaced out from each other by a couple of minutes. Also, do you think I should uninstall my Norton Internet Security trial for MSE or MSE 2.0 beta? I feel that it has too many features that slow down start-up and that MSE with Windows Firewall on with no exceptions would be best, along with MBAM as an on-demand side scanner.



OTL FIX:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Ahmad
->Temp folder emptied: 4757 bytes
->Temporary Internet Files folder emptied: 1718239 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1824 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2.00 mb


[EMPTYFLASH]

User: Ahmad
->Flash cache emptied: 0 bytes

User: All Users

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.12.0 log created on 09122010_125858

Files\Folders moved on Reboot...
C:\Users\Ahmad\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

Edited by m1garand, 12 September 2010 - 12:12 PM.


#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:40 AM

Posted 12 September 2010 - 02:06 PM

Also, do you think I should uninstall my Norton Internet Security trial for MSE or MSE 2.0 beta? I feel that it has too many features that slow down start-up and that MSE with Windows Firewall on with no exceptions would be best, along with MBAM as an on-demand side scanner.

I have been using MSE on one of my computers for a short time now and like what I see so far, and I haven't liked Norton for a while (but they have been getting better). If you are going to remove Norton, run this tool after you have uninstalled it:
    Please go to this page and select the product you have.
      1. Download the Norton Removal Tool and save the file to the Windows desktop.
      2. On the Windows desktop, double-click the Norton Removal Tool icon.
      3. Follow the on-screen instructions. Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan.

Go to the ESET web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo

#15 m1garand

m1garand
  • Topic Starter

  • Members
  • 27 posts
  • Local time:11:40 AM

Posted 12 September 2010 - 09:36 PM

No ESET log was created.



