Help - Perfs.exe & Hijackthis Log
Member
15. December 2007 @ 11:50
OK, I had some problems with slowdowns, so I immediately checked my processes for the obvious threats and found perfs.exe and something I forget... I think indt.exe and indt2.exe, but I found little info on those. Could have been idnt... I can't remember right now.
So anyway, I deleted the perfs.exe file from the Windows system32 folder, but I wonder if that's it? I ran Avast and AVG Anti-Spyware and they came up clean... But I'm still getting bogged down...
Logfile of HijackThis v1.99.1
Scan saved at 12:41:24 PM, on 15/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fuel\My Documents\Fuel\hijackthis_sfx\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0edc6c20-a31c-11db-8ab9-0800200c9a66} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: (no name) - {631f7200-642e-11db-bd13-0800200c9a66} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredit...html?p=ZJfox000
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.70\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.70\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1190719247734
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/Mes...nt.cab31267.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-lo...175/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - http://messenger.zone.msn.com/binary/Sol...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
I'm obviously worried about the last 2 lines...
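As an added example (not code from this thread or from HijackThis), a small Python triage pass over the O23 service lines of the log above, applying the same judgement the replies below make: a service with no vendor string whose missing binary sits directly in system32 is rated high, while the Avast entries that also show "Unknown owner" and "(file missing)" (HijackThis 1.99.1 commonly reports quoted service paths with arguments that way) are only marked for review. The sample lines are a subset copied from the posted log.

```python
import re

# Subset of the HijackThis 1.99.1 log posted above (paths reproduced from the thread).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {0edc6c20-a31c-11db-8ab9-0800200c9a66} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\\WINDOWS\\system32\\perfs.exe (file missing)
"""

# O23 layout: "O23 - Service: <display> [(<key>)] - <owner> - <path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+)$"
)
SYSTEM32_EXE = re.compile(r"\\(?:system32|system)\\[^\\]+\.exe", re.I)


def rate_service(line):
    """Return (service key, rating, reasons) for an O23 line, or None if not O23."""
    m = O23_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    key = d["key"] or d["display"]
    reasons = []
    if d["owner"] == "Unknown owner":
        reasons.append("HijackThis could not resolve a vendor")
    if "(file missing)" in d["path"]:
        reasons.append("binary not found at the recorded path")
    if not reasons:
        return key, "ok", reasons
    # A vendor-less service whose binary lives directly in system32 is the
    # perfs.exe pattern; a product directory (Avast4 here) with a quoted
    # ImagePath plus arguments is usually a HijackThis parsing quirk, so "review".
    rating = "high" if SYSTEM32_EXE.search(d["path"]) else "review"
    return key, rating, reasons


def triage(log_text):
    """Rate every O23 line; return {service key: rating} for non-ok entries."""
    out = {}
    for line in log_text.splitlines():
        r = rate_service(line)
        if r and r[1] != "ok":
            out[r[0]] = r[1]
    return out
```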
Member
15. December 2007 @ 18:32
Hi,
Log looks OK except for that last service.
Copy (Ctrl+C) and paste (Ctrl+V) the text below into Notepad. Save it as "All Files" and name it fix.bat. Please save it on your desktop.
REM perfmons is the service key name from the O23 line; sc takes the key, not the display name "perfmons Service"
sc stop perfmons
sc delete perfmons
exit
Double-click fix.bat. A window will open and close.
Have a look in the system32 dir and delete perfs.exe if present.
echoreply
Member
15. December 2007 @ 18:46
Never knew I could do a fix that way before. It's so simple it's cool.
I was able to delete perfs.exe from the directory before... but there are other files with "perf" in the name:
perfc009 - DAT file
perfci - H file
perfctrs.dll
perfd009 - DAT file
perfdisk.dll
perffilt - H file
perffilt - configuration settings
perfh009 - DAT file
perfi009 - DAT file
perfmon - Performance Monitor Command Line Shell
perfmon - Microsoft Common Console Document
perfnet.dll
perfos.dll
perfproc.dll
PerfStringBackup - Configuration settings
perfts.dll
perfwci - Both as a "H file" and "configuration settings"
So about those, I'm not sure if they have much, if anything, to do with the perfs.exe trojan/backdoor virus... But it never runs as a process anymore, so I figured that without perfs.exe it's crippled or messed up. Should I delete all/any of these? I'm guessing the perfmon files for sure, but I will wait for help before I do anything, as it's beyond my knowledge... and I have no idea of the consequences of deleting any of those... as some viruses seem to mimic legit files or be named just like them or what have you... so yeah... should I get rid of them?
Also, thanks for the quick response. Appreciate the help!
Junior Member
2. January 2008 @ 22:38
echoreply, you are a genius, that does the trick. Just a typo correction:
Copy the text below and paste it in Notepad:
sc stop perfmons
sc delete perfmons
exit
Save as "All Files" to your desktop and name it fix.bat.
This will make it a batch file.
In Vista you must restart your computer before it will work. Then, after start-up, double-click the new icon on the desktop; a cmd window will pop up quickly with the process, and then you may go into system32 and delete. This is the ONLY way I know to delete this file on Vista, because the extra "safety" of Vista will not let you just delete the file.
Super Job ECHO!!!
jackofall
Member
3. January 2008 @ 07:53
So yeah... what about all those other files I listed that contain "perf" in the name... do they have anything to do with the perfs.exe virus or not?
Junior Member
3. January 2008 @ 16:46
Those are supposed to be there, but there is another that you should be looking for in your system32: it is called routing. It is an executable; if you find it and right-click, go to Properties, it will say it is routing.exe. It also is a virus that usually goes with perf.exe.
The computer makes clicking sounds (on its own) like the sound when you open a folder or click on a link. Supposedly this virus can use your computer.
Your computer has been compromised and is being monitored by a remote server.
This can be a very dangerous virus.
All these are associated:
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\ndt2.sys
C:\WINDOWS\system32\perfs.exe
you can try :
sc stop perfmons
sc delete perfmons
sc stop Routing
sc delete Routing
exit
If you can get your antivirus to pick it up, or your anti-spyware to quarantine it, then delete.
Do it just like before: name it fix.bat, restart and delete. But this did not work for me once I had deleted perfs.exe; I had to download HijackThis:
install
open
do not scan
go into
open Misc Tools
go to
Delete file on reboot
find routing.exe in system32
open
reboot
Here is a link for a free download of HijackThis:
http://free-software-now.com/hijackthis/index.asp?revid=dhconsult&glid=none&ovid=none&sub=&kbid=
Member
3. January 2008 @ 18:00
Hi,
I wouldn't advise anybody to start deleting files from their computer unless you know what it is you're deleting. You should rely on antivirus and anti-malware apps first for malware removal.
Junior Member
3. January 2008 @ 18:16
Yes, I agree you should try using anti-malware software first, but this routing.exe is not detected by most anti-malware software, or they can only remove it partially. It is a virus that compromises your computer, and it is being monitored by a remote server. It can also possibly use your computer to infect others, as well as transmit personal data from your computer to a remote host. The only way to fully guarantee that all is removed is to do a reformat and reinstall Windows. Short of that, I used the steps I mentioned above, and the clicking stopped with no ill effects on Windows Vista. Again, I do agree with you: you should try to use an up-to-date anti-malware program FIRST, and quarantine to make sure it is not attached to any crucial processes.
Member
3. January 2008 @ 22:15
Good advice. You can also supplement your resident apps with an online scan or two:
F-Secure scan:
http://support.f-secure.com/enu/home/ols.shtml
Uses Internet Explorer only.
Click on the "Start scanning" button near the bottom of the page.
Click to accept/install the ActiveX applet.
"Accept" the License Agreement, click "Full system scan".
Once the download of files completes, the scan will begin automatically.
The scan may take some time to finish.
When the scan completes, click the "Automatic cleaning (recommended)" button.
-----------------------------------------------------------
ESET online scanner:
http://www.eset.com/onlinescan/
Uses Internet Explorer only.
Check "YES" to accept terms.
Click the Start button.
Allow the ActiveX component to install.
Click the Start button; the scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click Scan.
Junior Member
4. January 2008 @ 10:55
One more note (I'm sure you have heard it before) that can't be stressed enough: BACKUP DISKS.
I use the Grandfather-Father-Son rule:
Master-
Monthly-
Weekly-
This way, if you do delete something that you shouldn't, or your computer just crashes and is unrecoverable, you are protected,
especially if you have documents you can't afford to lose!
CD-RW disc = 60¢
hard drive recovery = $300-$400
Member
4. January 2008 @ 16:35
Thanks for the help, guys. I did hear a click every now and then but thought nothing of it. But I removed routing and ndt2 now, so I hope everything will be decent now. I'm scanning with F-Secure now... but I normally use Avast Home for AV. Any really good proggy that uses VERY little system resources? I have a really old P3 950 MHz with 256 MB RAM... so something like Norton 360 just won't run.