Hey,
I stumbled across what appears to be some excellent advice from Tetonbob on a different thread with a very familiar problem, here. I myself appear to have perfs.exe, Indt.exe and routing.exe, which all seem to go hand in hand. It's bloody annoying because it plays random sounds whenever it pleases.
They automatically boot upon startup, and I've found that killing the processes themselves works, provided perfs.exe is killed first. This short-term fix is making it slightly bearable, but being a complete noob, I need help.
I've done as you said in the previous thread with the HijackThis and DSS logs, which are below. I'd really appreciate your help here. Also, I need to download a firewall. I'm using NOD32 as an AV, which isn't even picking the perfs.exe virus up? But I have also been relying on Windows Firewall; I've no idea why, but I have. I will download a decent antivirus as soon as this problem is solved, but I'm a little dubious about downloading any more software at the moment.
Thanks in advance.
Deckard's System Scanner v20071014.68
Run by Luke on 2008-05-05 12:16:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
44: 2008-05-05 11:16:34 UTC - RP119 - Deckard's System Scanner Restore Point
43: 2008-05-04 22:33:35 UTC - RP118 - System Checkpoint
42: 2008-05-02 21:36:55 UTC - RP117 - System Checkpoint
41: 2008-05-01 10:23:50 UTC - RP116 - Software Distribution Service 3.0
40: 2008-04-30 23:48:20 UTC - RP115 - System Checkpoint
-- First Restore Point --
1: 2008-03-12 12:16:55 UTC - RP76 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
System Drive C: has 3.56 GiB (less than 15%) free.
-- HijackThis (run as Luke.exe) ------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:58, on 05/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Luke\Desktop\dss.exe
C:\DOCUME~1\Luke\Desktop\HIJACK~1\Luke.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - D:\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
--
End of file - 6517 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 DWMRCS (DameWare Mini Remote Control) - c:\windows\system32\dwrcs.exe -service <Not Verified; DameWare Development LLC; DameWare Development DWRCS>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
S2 mi-raysat_3dsmax9_32 (mental ray 3.5 Satellite (32-bit)) - d:\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 AFinding (AFinding Service) - c:\windows\system32\afinding.exe
S4 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
S4 Serv-U (Serv-U FTP Server) - c:\program files\rhinosoft.com\serv-u\servudaemon.exe <Not Verified; Rhino Software, Inc. +1(262) 560-9627; Serv-U FTP Server>
S4 WServing (WServing Service) - c:\windows\system32\wserving.exe
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Files created between 2008-04-05 and 2008-05-05 -----------------------------
2008-05-05 11:13:06 0 dr-h----- C:\Documents and Settings\Luke\Recent
2008-05-02 00:29:00 281600 --a------ C:\WINDOWS\system32\andt.sys
2008-05-01 12:08:50 0 d-------- C:\Documents and Settings\LocalService\My Documents
2008-05-01 12:08:22 0 d-------- C:\Documents and Settings\LocalService\Application Data\Real
2008-04-27 19:29:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-04-27 19:21:45 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-04-27 19:20:34 0 d-------- C:\Documents and Settings\Luke\Application Data\Xfire
2008-04-27 19:20:30 0 d-------- C:\Program Files\Xfire
2008-04-26 13:08:54 0 d-------- C:\WINDOWS\system32\Adobe
2008-04-23 13:04:06 368912 --a------ C:\WINDOWS\system32\vbar332.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-04-23 12:23:50 0 d-------- C:\Program Files\Rockstar Games
2008-04-10 23:15:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-10 23:15:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-10 23:13:33 40 --a------ C:\WINDOWS\system32\drmgs.sys
-- Find3M Report ---------------------------------------------------------------
2008-05-05 10:18:20 0 d-------- C:\Documents and Settings\Luke\Application Data\uTorrent
2008-05-01 22:23:20 2516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-23 12:23:44 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-07 21:59:56 0 d-------- C:\Program Files\DMW Scanner 3
2008-03-31 12:55:46 0 d-------- C:\Program Files\Ultime Pack Maps DMW
2008-03-29 15:42:26 0 d-------- C:\Documents and Settings\Luke\Application Data\teamspeak2
2008-03-27 22:21:37 0 d-------- C:\Program Files\Special
2008-03-27 15:52:41 0 d-------- C:\Documents and Settings\Luke\Application Data\Real
2008-03-24 17:01:29 0 d-------- C:\Program Files\Kontiki
2008-03-22 13:25:59 0 d-------- C:\Documents and Settings\Luke\Application Data\Adobe
2008-03-11 20:47:13 0 d-------- C:\Program Files\Common Files
2008-03-11 20:47:13 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-11 20:47:11 0 d-------- C:\Program Files\Common Files\Real
2008-03-11 20:47:03 0 d-------- C:\Program Files\Real
2008-03-09 17:54:25 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-09 17:45:44 0 d-------- C:\Program Files\Autodesk
2008-03-09 16:17:19 0 d-------- C:\Program Files\MagicISO
2008-03-08 17:35:40 0 d-------- C:\Documents and Settings\Luke\Application Data\Jasc
2008-03-08 17:34:03 0 d-------- C:\Program Files\Jasc Software Inc
2008-03-08 17:27:31 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-08 17:10:26 0 d-------- C:\Program Files\Bonjour
2008-03-08 17:02:01 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-08 16:56:53 0 d-------- C:\Program Files\PowerISO
2008-03-07 02:??:32 0 d-------- C:\Program Files\Java
2008-03-06 18:16:31 0 d-------- C:\Program Files\Windows Desktop Search
2008-02-28 02:??:04 88 -r-hs---- C:\WINDOWS\system32\F68392573C.sys
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [23/03/2006 21:17]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [23/03/2006 21:13]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [23/03/2006 21:17]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [16/12/2007 15:14]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/03/2008 20:47]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [10/09/2002 22:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/02/2008 00:13]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]
C:\Documents and Settings\Luke\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [26/12/2007 16:45:15]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=01000000
"NoRecentDocsHistory"=01000000
"NoSharedDocuments"=01000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 27/04/2007 13:10 18744 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Luke^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Luke\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
"C:\Program Files\Kontiki\KHost.exe" -all
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
"C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
"C:\Program Files\DAEMON Tools Lite\daemon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DmwClient]
"dmwclient.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WInUpdate16]
C:\WINDOWS\system32\udate32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WServing"=2 (0x2)
"Serv-U"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"Bonjour Service"=2 (0x2)
"AFinding"=2 (0x2)
-- End of Deckard's System Scanner: finished at 2008-05-05 12:18:25 ------------
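As an added example (not part of the original post, and not code from DSS or HijackThis), here is a small Python triage script that parses the Drivers/Services lines of the kind posted above and sorts them into a first-look order. The sample input is constructed from the lines in the log. The ranking rules are an assumption of this example, not a DSS rule: an entry for which DSS printed no `<...>` publisher tag and whose image sits directly in `system32` (here `afinding.exe` and `wserving.exe`) goes to the top, a registration whose binary is gone is listed as stale, and any other untagged entry is simply marked for a check. The absence of a tag is not a malware verdict; it is a prompt to look at the file's location, version information and hash by hand.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the Drivers/Services lines copied from the DSS log
# above, including the two section headers the parser has to skip.
SAMPLE_LOG = r"""
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 DWMRCS (DameWare Mini Remote Control) - c:\windows\system32\dwrcs.exe -service <Not Verified; DameWare Development LLC; DameWare Development DWRCS>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
S2 mi-raysat_3dsmax9_32 (mental ray 3.5 Satellite (32-bit)) - d:\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
S4 AFinding (AFinding Service) - c:\windows\system32\afinding.exe
S4 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
S4 Serv-U (Serv-U FTP Server) - c:\program files\rhinosoft.com\serv-u\servudaemon.exe <Not Verified; Rhino Software, Inc. +1(262) 560-9627; Serv-U FTP Server>
S4 WServing (WServing Service) - c:\windows\system32\wserving.exe
"""

# "R2 Name (Display) - command <tag>": state letter, start type, name, rest.
ENTRY_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>.+?)\s+-\s+(?P<rest>.+)$")
TAG_RE = re.compile(r"\s*<(?P<tag>[^>]*)>\s*$")
MISSING_RE = re.compile(r"\s*\(file missing\)\s*$")
# Image path = everything up to the first .exe/.sys/.dll, quoted or not, so an
# unquoted path containing spaces (the Nero line) still parses correctly.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|sys|dll))"?(?=\s|$)', re.IGNORECASE)

SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Entry:
    name: str               # service/driver key name
    display: Optional[str]  # display name in parentheses, if DSS printed one
    state: str              # R = running, S = stopped
    start: int              # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    image: str              # lower-cased image path, quotes and arguments removed
    vendor: Optional[str]   # text inside <...>, or None when DSS printed no tag
    missing: bool           # DSS reported "(file missing)"


def _split_name(raw: str) -> Tuple[str, Optional[str]]:
    # "Serv-U (Serv-U FTP Server)" -> ("Serv-U", "Serv-U FTP Server");
    # nested parentheses in the display name are kept intact.
    if raw.endswith(")") and " (" in raw:
        i = raw.index(" (")
        return raw[:i], raw[i + 2:-1]
    return raw, None


def parse_entries(text: str) -> List[Entry]:
    """Parse DSS Drivers/Services lines; headers and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        vendor = None
        t = TAG_RE.search(rest)
        if t:
            vendor = t.group("tag")
            rest = rest[: t.start()]
        missing = bool(MISSING_RE.search(rest))
        rest = MISSING_RE.sub("", rest).strip()
        im = IMAGE_RE.match(rest)
        image = (im.group("path") if im else rest).lower()
        name, display = _split_name(m.group("name"))
        entries.append(Entry(name, display, m.group("state"), int(m.group("start")), image, vendor, missing))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (priority, name, reason) for entries worth a manual look.

    Heuristics only (an assumption of this example, not a DSS rule): an entry
    with no <...> tag whose image sits directly in system32 is looked at first;
    an entry whose binary is gone is a stale registration; any other untagged
    entry is simply flagged for a check. None of this is a malware verdict.
    """
    findings = []
    for e in entries:
        in_sys32_root = e.image.startswith(SYSTEM32) and "\\" not in e.image[len(SYSTEM32):]
        if e.missing:
            findings.append(("stale", e.name, "service registered but binary missing"))
        elif e.vendor is None and in_sys32_root:
            findings.append(("review-first", e.name, "no publisher tag, image directly in system32"))
        elif e.vendor is None:
            findings.append(("check", e.name, "no publisher tag"))
    return findings


if __name__ == "__main__":
    for prio, name, reason in triage(parse_entries(SAMPLE_LOG)):
        print(f"{prio:13} {name:28} {reason}")
```

Read the result together with the `msconfig\services` keys at the end of the registry dump: msconfig records a service's previous start type there when it is unchecked, so `AFinding` and `WServing`, shown as `S4` (disabled) in the Services section but as `2` under that key, were auto-start services until someone disabled them through msconfig, which is a useful detail to carry into the manual check.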