Morning Greynight!
Thanks for your reply, really appreciate your help...
I've stumbled on problems from step 1: although Kontiki is present on my machine, there is no record of it in Add/Remove Programs.
I used OTMoveIt quite successfully; the log is here:
C:\WINDOWS\system32\andt.sys moved successfully.
File/Folder C:\WINDOWS\system32\udate32.exe not found.
C:\Program Files\Kontiki\4od1 moved successfully.
C:\Program Files\Kontiki moved successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WInUpdate16 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WInUpdate16\\ deleted successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05062008_110438
I highlighted one in red because it said it was not found.
When running ComboFix I installed the Recovery Console for XP Professional SP2, which is what my machine is running. I followed the steps in their guide completely, yet when I run ComboFix it says there is no Recovery Console installed, as you can see in the log:
ComboFix 08-05-01.3 - Luke 2008-05-06 11:14:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.557 [GMT 1:00]
Running from: C:\Documents and Settings\Luke\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\plugin1.dat
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\SysPr.prx
.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.
2008-05-06 11:04 . 2008-05-06 11:04 <DIR> d-------- C:\_OTMoveIt
2008-05-05 13:49 . 2008-05-05 13:49 221,184 --a------ C:\WINDOWS\SnoopFreeUI.exe
2008-05-05 13:49 . 2008-05-05 13:49 90,112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
2008-05-05 13:49 . 2008-05-05 13:49 45,056 --a------ C:\WINDOWS\SnoopFreeDll.dll
2008-05-05 13:49 . 2008-05-05 13:49 9,472 --a------ C:\WINDOWS\system32\drivers\SnopFree.sys
2008-05-05 13:10 . 2008-05-05 13:10 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-05 13:09 . 2008-05-05 13:09 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-05 12:15 . 2008-05-05 12:15 <DIR> d-------- C:\Deckard
2008-04-27 19:29 . 2008-04-27 19:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-04-27 19:21 . 2008-04-27 19:21 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-04-27 19:20 . 2008-05-04 14:24 <DIR> d-------- C:\Program Files\Xfire
2008-04-27 19:20 . 2008-05-05 19:51 <DIR> d-------- C:\Documents and Settings\Luke\Application Data\Xfire
2008-04-26 13:08 . 2008-04-26 13:10 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-23 13:04 . 1998-05-18 03:06 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-04-23 12:23 . 2008-04-23 12:51 <DIR> d-------- C:\Program Files\Rockstar Games
2008-04-22 23:29 . 2008-04-22 23:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 09:55 --------- d-----w C:\Documents and Settings\Luke\Application Data\uTorrent
2008-05-01 21:23 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-23 11:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-07 20:59 --------- d-----w C:\Program Files\DMW Scanner 3
2008-03-31 11:55 --------- d-----w C:\Program Files\Ultime Pack Maps DMW
2008-03-29 14:42 --------- d-----w C:\Documents and Settings\Luke\Application Data\teamspeak2
2008-03-27 21:21 --------- d-----w C:\Program Files\Special
2008-03-24 16:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-19 15:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Channel4
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 19:47 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-11 19:47 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-11 19:47 --------- d-----w C:\Program Files\Real
2008-03-11 19:47 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-11 19:47 --------- d-----w C:\Program Files\Common Files\Real
2008-03-09 16:54 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-09 16:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-09 16:45 --------- d-----w C:\Program Files\Autodesk
2008-03-09 15:17 --------- d-----w C:\Program Files\MagicISO
2008-03-08 16:35 --------- d-----w C:\Documents and Settings\Luke\Application Data\Jasc
2008-03-08 16:34 --------- d-----w C:\Program Files\Jasc Software Inc
2008-03-08 16:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-08 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-08 16:10 --------- d-----w C:\Program Files\Bonjour
2008-03-08 16:02 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-08 15:56 --------- d-----w C:\Program Files\PowerISO
2008-03-07 01:06 --------- d-----w C:\Program Files\Java
2008-03-06 17:16 --------- d-----w C:\Program Files\Windows Desktop Search
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 21:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 21:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 21:17 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-16 15:14 949376]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-11 20:47 185896]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26 368706]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"SnoopFreeUI"="SnoopFreeUI.exe" [2008-05-05 13:49 221184 C:\WINDOWS\SnoopFreeUI.exe]
C:\Documents and Settings\Luke\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-12-26 16:45:15 106496]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2007-04-27 13:10 18744 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Luke^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Luke\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-03-01 00:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 16:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-08-28 13:00 531272 C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2007-12-19 21:13 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DmwClient]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-01-20 08:05 217088 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 15:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WServing"=2 (0x2)
"Serv-U"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"Bonjour Service"=2 (0x2)
"AFinding"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\RhinoSoft.com\\Serv-U\\ServUDaemon.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\MagicISO\\MagicISO.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"6129:TCP"= 6129:TCP:DameWare Mini Remote Control Service
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:192.168.0.0/255.255.255.0,217.155.119.160/255.255.255.240:Enabled:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:192.168.0.0/255.255.255.0,217.155.119.160/255.255.255.240:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:192.168.0.0/255.255.255.0,217.155.119.160/255.255.255.240:Enabled:@xpsp2res.dll,-22002
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;C:\WINDOWS\system32\DRIVERS\dwvkbd.sys [2007-02-15 17:00]
R2 ASFIPmon;Broadcom ASF IP Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service []
R3 DwMirror;DwMirror;C:\WINDOWS\system32\DRIVERS\DamewareMini.sys [2007-02-07 17:00]
S4 AFinding;AFinding Service;C:\WINDOWS\system32\afinding.exe [2004-08-04 13:00]
S4 Serv-U;Serv-U FTP Server;C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe [2006-06-12 09:10]
S4 WServing;WServing Service;C:\WINDOWS\system32\wserving.exe [2004-08-04 13:00]
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-05-06 11:16:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-06 11:17:59
ComboFix-quarantined-files.txt 2008-05-06 10:17:45
Pre-Run: 3,698,335,744 bytes free
Post-Run: 3,876,466,688 bytes free
174 --- E O F --- 2008-05-01 10:24:16