Tech Support Forum: HijackThis Log Help
#1

Registered User
Join Date: May 2008
Posts: 4
OS: XP

[SOLVED] Removal of perfs.exe

Hey,
I stumbled across what appears to be some excellent advice from Tetonbob on a different thread with a very familiar problem, Here. I appear myself to have the perfs.exe, Indt.exe, routing.exe which all seem to go hand in hand. It's bloody annoying because it plays random sounds whenever it pleases. They automatically boot upon startup and I've found killing the processes themselves works, providing perfs.exe is killed first. This short-term fix is making it slightly bearable, but being a complete noob, I need help. I've done as you've said in the previous thread with the HijackThis and DSS logs, which are below. I'd really appreciate your help here. Also I need to download a firewall; I'm using NOD32 as an AV which isn't even picking the perfs.exe virus up? But I have also been relying on Windows Firewall, I've no idea why, but I have. I will download a decent antivirus as soon as this problem is solved, but I'm a little dubious about downloading any more software at the moment. Thanks in advance.

Deckard's System Scanner v20071014.68
Run by Luke on 2008-05-05 12:16:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
44: 2008-05-05 11:16:34 UTC - RP119 - Deckard's System Scanner Restore Point
43: 2008-05-04 22:33:35 UTC - RP118 - System Checkpoint
42: 2008-05-02 21:36:55 UTC - RP117 - System Checkpoint
41: 2008-05-01 10:23:50 UTC - RP116 - Software Distribution Service 3.0
40: 2008-04-30 23:48:20 UTC - RP115 - System Checkpoint

-- First Restore Point --
1: 2008-03-12 12:16:55 UTC - RP76 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3.56 GiB (less than 15%) free.
-- HijackThis (run as Luke.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:58, on 05/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Luke\Desktop\dss.exe
C:\DOCUME~1\Luke\Desktop\HIJACK~1\Luke.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - D:\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 6517 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DWMRCS (DameWare Mini Remote Control) - c:\windows\system32\dwrcs.exe -service <Not Verified; DameWare Development LLC; DameWare Development DWRCS>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
S2 mi-raysat_3dsmax9_32 (mental ray 3.5 Satellite (32-bit)) - d:\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 AFinding (AFinding Service) - c:\windows\system32\afinding.exe
S4 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
S4 Serv-U (Serv-U FTP Server) - c:\program files\rhinosoft.com\serv-u\servudaemon.exe <Not Verified; Rhino Software, Inc. +1(262) 560-9627; Serv-U FTP Server>
S4 WServing (WServing Service) - c:\windows\system32\wserving.exe

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Files created between 2008-04-05 and 2008-05-05 -----------------------------

2008-05-05 11:13:06 0 dr-h----- C:\Documents and Settings\Luke\Recent
2008-05-02 00:29:00 281600 --a------ C:\WINDOWS\system32\andt.sys
2008-05-01 12:08:50 0 d-------- C:\Documents and Settings\LocalService\My Documents
2008-05-01 12:08:22 0 d-------- C:\Documents and Settings\LocalService\Application Data\Real
2008-04-27 19:29:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-04-27 19:21:45 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-04-27 19:20:34 0 d-------- C:\Documents and Settings\Luke\Application Data\Xfire
2008-04-27 19:20:30 0 d-------- C:\Program Files\Xfire
2008-04-26 13:08:54 0 d-------- C:\WINDOWS\system32\Adobe
2008-04-23 13:04:06 368912 --a------ C:\WINDOWS\system32\vbar332.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-04-23 12:23:50 0 d-------- C:\Program Files\Rockstar Games
2008-04-10 23:15:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-10 23:15:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-10 23:13:33 40 --a------ C:\WINDOWS\system32\drmgs.sys

-- Find3M Report ---------------------------------------------------------------

2008-05-05 10:18:20 0 d-------- C:\Documents and Settings\Luke\Application Data\uTorrent
2008-05-01 22:23:20 2516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-23 12:23:44 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-07 21:59:56 0 d-------- C:\Program Files\DMW Scanner 3
2008-03-31 12:55:46 0 d-------- C:\Program Files\Ultime Pack Maps DMW
2008-03-29 15:42:26 0 d-------- C:\Documents and Settings\Luke\Application Data\teamspeak2
2008-03-27 22:21:37 0 d-------- C:\Program Files\Special
2008-03-27 15:52:41 0 d-------- C:\Documents and Settings\Luke\Application Data\Real
2008-03-24 17:01:29 0 d-------- C:\Program Files\Kontiki
2008-03-22 13:25:59 0 d-------- C:\Documents and Settings\Luke\Application Data\Adobe
2008-03-11 20:47:13 0 d-------- C:\Program Files\Common Files
2008-03-11 20:47:13 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-11 20:47:11 0 d-------- C:\Program Files\Common Files\Real
2008-03-11 20:47:03 0 d-------- C:\Program Files\Real
2008-03-09 17:54:25 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-09 17:45:44 0 d-------- C:\Program Files\Autodesk
2008-03-09 16:17:19 0 d-------- C:\Program Files\MagicISO
2008-03-08 17:35:40 0 d-------- C:\Documents and Settings\Luke\Application Data\Jasc
2008-03-08 17:34:03 0 d-------- C:\Program Files\Jasc Software Inc
2008-03-08 17:27:31 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-08 17:10:26 0 d-------- C:\Program Files\Bonjour
2008-03-08 17:02:01 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-08 16:56:53 0 d-------- C:\Program Files\PowerISO
2008-03-07 02 32 0 d-------- C:\Program Files\Java
2008-03-06 18:16:31 0 d-------- C:\Program Files\Windows Desktop Search
2008-02-28 02 04 88 -r-hs---- C:\WINDOWS\system32\F68392573C.sys

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [23/03/2006 21:17]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [23/03/2006 21:13]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [23/03/2006 21:17]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [16/12/2007 15:14]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/03/2008 20:47]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [10/09/2002 22:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/02/2008 00:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]

C:\Documents and Settings\Luke\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [26/12/2007 16:45:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=01000000
"NoRecentDocsHistory"=01000000
"NoSharedDocuments"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 27/04/2007 13:10 18744 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Luke^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Luke\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
"C:\Program Files\Kontiki\KHost.exe" -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
"C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
"C:\Program Files\DAEMON Tools Lite\daemon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DmwClient]
"dmwclient.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WInUpdate16]
C:\WINDOWS\system32\udate32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WServing"=2 (0x2)
"Serv-U"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"Bonjour Service"=2 (0x2)
"AFinding"=2 (0x2)

-- End of Deckard's System Scanner: finished at 2008-05-05 12:18:25 ------------
#2

Analyst, Security Team
Re: Removal of perfs.exe
Welcome to TSF.
You can switch to other AV software, but keep in mind that there is not a single one that can detect everything. So don't be surprised if your other ones are "slipping" also. NOD32 should be pretty good from the reviews I read in the past. If you want to try another AV program, give AVG or Avast a try. Both have free editions.

Uninstall Kontiki via the Add/Remove Programs panel.

Download OTMoveIt2 at http://download.bleepingcomputer.com.../OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\udate32.exe
C:\Program Files\Kontiki
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WInUpdate16

* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Go to http://www.bleepingcomputer.com/comb...o-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the ComboFix log here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#3

Registered User
Join Date: May 2008
Posts: 4
OS: XP
Re: Removal of perfs.exe
Morning Greynight!
Thanks for your reply, really appreciate your help... I've stumbled on problems from step 1: although Kontiki is present on my machine, there is no record of it in Add/Remove Programs. I used MoveIt quite successfully; the log is here:

C:\WINDOWS\system32\andt.sys moved successfully.
File/Folder C:\WINDOWS\system32\udate32.exe not found.
C:\Program Files\Kontiki\4od1 moved successfully.
C:\Program Files\Kontiki moved successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WInUpdate16 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WInUpdate16\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05062008_110438

I highlighted one in red because it said it was not found? When running ComboFix I installed the Recovery Console for XP Professional SP2, which is what my machine is running. I followed the steps in their guide completely, yet when I run ComboFix it said there was no Recovery Console installed, as you can see in the log:

ComboFix 08-05-01.3 - Luke 2008-05-06 11:14:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.557 [GMT 1:00]
Running from: C:\Documents and Settings\Luke\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\plugin1.dat
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\SysPr.prx

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-06 11:04 . 2008-05-06 11:04 <DIR> d-------- C:\_OTMoveIt
2008-05-05 13:49 . 2008-05-05 13:49 221,184 --a------ C:\WINDOWS\SnoopFreeUI.exe
2008-05-05 13:49 . 2008-05-05 13:49 90,112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
2008-05-05 13:49 . 2008-05-05 13:49 45,056 --a------ C:\WINDOWS\SnoopFreeDll.dll
2008-05-05 13:49 . 2008-05-05 13:49 9,472 --a------ C:\WINDOWS\system32\drivers\SnopFree.sys
2008-05-05 13:10 . 2008-05-05 13:10 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-05 13:09 . 2008-05-05 13:09 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-05 12:15 . 2008-05-05 12:15 <DIR> d-------- C:\Deckard
2008-04-27 19:29 . 2008-04-27 19:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-04-27 19:21 . 2008-04-27 19:21 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-04-27 19:20 . 2008-05-04 14:24 <DIR> d-------- C:\Program Files\Xfire
2008-04-27 19:20 . 2008-05-05 19:51 <DIR> d-------- C:\Documents and Settings\Luke\Application Data\Xfire
2008-04-26 13:08 . 2008-04-26 13:10 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-23 13:04 . 1998-05-18 03:06 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-04-23 12:23 . 2008-04-23 12:51 <DIR> d-------- C:\Program Files\Rockstar Games
2008-04-22 23:29 . 2008-04-22 23:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-05-06 09:55 --------- d-----w C:\Documents and Settings\Luke\Application Data\uTorrent
2008-05-01 21:23 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-23 11:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-07 20:59 --------- d-----w C:\Program Files\DMW Scanner 3
2008-03-31 11:55 --------- d-----w C:\Program Files\Ultime Pack Maps DMW
2008-03-29 14:42 --------- d-----w C:\Documents and Settings\Luke\Application Data\teamspeak2
2008-03-27 21:21 --------- d-----w C:\Program Files\Special
2008-03-24 16:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-19 15:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Channel4
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 19:47 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-11 19:47 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-11 19:47 --------- d-----w C:\Program Files\Real
2008-03-11 19:47 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-11 19:47 --------- d-----w C:\Program Files\Common Files\Real
2008-03-09 16:54 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-09 16:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-09 16:45 --------- d-----w C:\Program Files\Autodesk
2008-03-09 15:17 --------- d-----w C:\Program Files\MagicISO
2008-03-08 16:35 --------- d-----w C:\Documents and Settings\Luke\Application Data\Jasc
2008-03-08 16:34 --------- d-----w C:\Program Files\Jasc Software Inc
2008-03-08 16:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-08 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-08 16:10 --------- d-----w C:\Program Files\Bonjour
2008-03-08 16:02 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-08 15:56 --------- d-----w C:\Program Files\PowerISO
2008-03-07 01:06 --------- d-----w C:\Program Files\Java
2008-03-06 17:16 --------- d-----w C:\Program Files\Windows Desktop Search
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 21:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 21:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 21:17 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-16 15:14 949376]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-11 20:47 185896]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26 368706]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"SnoopFreeUI"="SnoopFreeUI.exe" [2008-05-05 13:49 221184 C:\WINDOWS\SnoopFreeUI.exe]

C:\Documents and Settings\Luke\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-12-26 16:45:15 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2007-04-27 13:10 18744 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Luke^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Luke\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-03-01 00:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 16:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-08-28 13:00 531272 C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2007-12-19 21:13 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DmwClient]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-01-20 08:05 217088 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 15:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WServing"=2 (0x2)
"Serv-U"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"Bonjour Service"=2 (0x2)
"AFinding"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\RhinoSoft.com\\Serv-U\\ServUDaemon.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\MagicISO\\MagicISO.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"6129:TCP"= 6129:TCP:DameWare Mini Remote Control Service
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:192.168.0.0/255.255.255.0,217.155.119.160/255.255.255.240:Enabled:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:192.168.0.0/255.255.255.0,217.155.119.160/255.255.255.240:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:192.168.0.0/255.255.255.0,217.155.119.160/255.255.255.240:Enabled:@xpsp2res.dll,-22002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;C:\WINDOWS\system32\DRIVERS\dwvkbd.sys [2007-02-15 17:00]
R2 ASFIPmon;Broadcom ASF IP Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service []
R3 DwMirror;DwMirror;C:\WINDOWS\system32\DRIVERS\DamewareMini.sys [2007-02-07 17:00]
S4 AFinding;AFinding Service;C:\WINDOWS\system32\afinding.exe [2004-08-04 13:00]
S4 Serv-U;Serv-U FTP Server;C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe [2006-06-12 09:10]
S4 WServing;WServing Service;C:\WINDOWS\system32\wserving.exe [2004-08-04 13:00]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 11:16:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-06 11:17:59
ComboFix-quarantined-files.txt 2008-05-06 10:17:45
Pre-Run: 3,698,335,744 bytes free
Post-Run: 3,876,466,688 bytes free

174 --- E O F --- 2008-05-01 10:24:16
#4
Analyst, Security Team
Re: Removal of perfs.exe
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
Drag the CFScript.txt into ComboFix.exe Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply. Note: Do not click on combofix's window while it's running. That may cause it to stall. For the Recovery Console, go back to that page where you downloaded Combofix. Skip the part for the Windows CD. Go to the next step to download the tool to your desktop. Then drag and drop that bootdisk file into Combofix to install the recovery console.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#5
Registered User
Join Date: May 2008
Posts: 4
OS: XP
Re: Removal of perfs.exe
Hi,
Sorry it's taken a couple of days, I've been swamped with work. This has all been done and the recovery console installed correctly, the log as requested:

ComboFix 08-05-01.3 - Luke 2008-05-09 14:05:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.619 [GMT 1:00]
Running from: C:\Documents and Settings\Luke\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Luke\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active

FILE ::
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\wserving.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Kontiki
C:\Documents and Settings\All Users\Application Data\Kontiki\error.log
C:\Documents and Settings\All Users\Application Data\Kontiki\error2.log
C:\Documents and Settings\All Users\Application Data\Kontiki\kservice.mdmp
C:\Documents and Settings\All Users\Application Data\Kontiki\zdata.db
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\wserving.exe
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_WSERVING
-------\Service_AFinding
-------\Service_WServing

((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-06 11:04 . 2008-05-06 11:04 <DIR> d-------- C:\_OTMoveIt
2008-05-05 13:49 . 2008-05-05 13:49 221,184 --a------ C:\WINDOWS\SnoopFreeUI.exe
2008-05-05 13:49 . 2008-05-05 13:49 90,112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
2008-05-05 13:49 . 2008-05-05 13:49 45,056 --a------ C:\WINDOWS\SnoopFreeDll.dll
2008-05-05 13:49 . 2008-05-05 13:49 9,472 --a------ C:\WINDOWS\system32\drivers\SnopFree.sys
2008-05-05 13:10 . 2008-05-05 13:10 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-05 13:09 . 2008-05-05 13:09 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-05 12:15 . 2008-05-05 12:15 <DIR> d-------- C:\Deckard
2008-04-27 19:29 . 2008-04-27 19:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-04-27 19:21 . 2008-04-27 19:21 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-04-27 19:20 . 2008-05-04 14:24 <DIR> d-------- C:\Program Files\Xfire
2008-04-27 19:20 . 2008-05-08 21:53 <DIR> d-------- C:\Documents and Settings\Luke\Application Data\Xfire
2008-04-26 13:08 . 2008-04-26 13:10 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-23 13:04 . 1998-05-18 03:06 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-04-23 12:23 . 2008-04-23 12:51 <DIR> d-------- C:\Program Files\Rockstar Games
2008-04-22 23:29 . 2008-04-22 23:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-05-06 17:23 --------- d-----w C:\Program Files\Last.fm
2008-05-06 11:53 --------- d-----w C:\Documents and Settings\Luke\Application Data\uTorrent
2008-04-23 11:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-07 20:59 --------- d-----w C:\Program Files\DMW Scanner 3
2008-03-31 11:55 --------- d-----w C:\Program Files\Ultime Pack Maps DMW
2008-03-29 14:42 --------- d-----w C:\Documents and Settings\Luke\Application Data\teamspeak2
2008-03-27 21:21 --------- d-----w C:\Program Files\Special
2008-03-19 15:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Channel4
2008-03-11 19:47 --------- d-----w C:\Program Files\Real
2008-03-11 19:47 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-11 19:47 --------- d-----w C:\Program Files\Common Files\Real
2008-03-09 16:54 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-09 16:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-09 16:45 --------- d-----w C:\Program Files\Autodesk
2008-03-09 15:17 --------- d-----w C:\Program Files\MagicISO
.

((((((((((((((((((((((((((((( snapshot@2008-05-06_11.17.37.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-05 12:53:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 13:08:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-05-06 10:16:50 53,248 ----a-w C:\WINDOWS\TEMP\catchme.dll
+ 2008-05-09 13:08:48 53,248 ----a-w C:\WINDOWS\TEMP\catchme.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 21:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 21:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 21:17 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-16 15:14 949376]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-11 20:47 185896]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26 368706]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"SnoopFreeUI"="SnoopFreeUI.exe" [2008-05-05 13:49 221184 C:\WINDOWS\SnoopFreeUI.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2007-04-27 13:10 18744 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Luke^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Luke\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-03-01 00:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 16:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-08-28 13:00 531272 C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2007-12-19 21:13 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DmwClient]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-01-20 08:05 217088 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 15:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WServing"=2 (0x2)
"Serv-U"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"Bonjour Service"=2 (0x2)
"AFinding"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\RhinoSoft.com\\Serv-U\\ServUDaemon.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\MagicISO\\MagicISO.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"6129:TCP"= 6129:TCP:DameWare Mini Remote Control Service
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:192.168.0.0/255.255.255.0,217.155.119.160/255.255.255.240:Enabled:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:192.168.0.0/255.255.255.0,217.155.119.160/255.255.255.240:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:192.168.0.0/255.255.255.0,217.155.119.160/255.255.255.240:Enabled:@xpsp2res.dll,-22002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;C:\WINDOWS\system32\DRIVERS\dwvkbd.sys [2007-02-15 17:00]
R2 ASFIPmon;Broadcom ASF IP Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service []
R3 DwMirror;DwMirror;C:\WINDOWS\system32\DRIVERS\DamewareMini.sys [2007-02-07 17:00]
S4 Serv-U;Serv-U FTP Server;C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe [2006-06-12 09:10]
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 14:08:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\SnoopFreeSvc.exe
C:\WINDOWS\system32\DWRCST.EXE
.
**************************************************************************
.
Completion time: 2008-05-09 14:14:39 - machine was rebooted [Luke]
ComboFix-quarantined-files.txt 2008-05-09 13:14:33
ComboFix2.txt 2008-05-06 10:18:00
Pre-Run: 4,176,113,664 bytes free
Post-Run: 4,106,907,648 bytes free
183 --- E O F --- 2008-05-01 10:24:16
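An added example, not code from this thread or from ComboFix: a small Python script that pulls the service lines and the Security Center "AntiVirusOverride" value out of the two ComboFix logs posted above, diffs the service list between the first and second run to confirm what the CFScript removed, and flags services whose image sits directly in system32 without appearing in a baseline of expected service names. The two log excerpts are copied from the posts in this thread; the BASELINE set and the system32 heuristic are assumptions of the example, not ComboFix output.

```python
"""Diff ComboFix service entries between two runs and flag unexpected ones.
Added example: the log excerpts are copied from this thread; BASELINE and
the system32 heuristic are constructed assumptions, not ComboFix features."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# ComboFix prints each service as "<state><start> <name>;<display>;<image> [<file timestamp>]"
# (R = running, S = stopped; the digit is the service start type, 4 = disabled).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)"
    r"(?:\s+\[(?P<stamp>[^\]]*)\])?$"
)
OVERRIDE_RE = re.compile(r'"AntiVirusOverride"=dword:(?P<val>[0-9a-fA-F]{8})')

# Excerpt copied from the first-run log (tail of post #3): services before the CFScript.
BEFORE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;C:\WINDOWS\system32\DRIVERS\dwvkbd.sys [2007-02-15 17:00]
R2 ASFIPmon;Broadcom ASF IP Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service []
R3 DwMirror;DwMirror;C:\WINDOWS\system32\DRIVERS\DamewareMini.sys [2007-02-07 17:00]
S4 AFinding;AFinding Service;C:\WINDOWS\system32\afinding.exe [2004-08-04 13:00]
S4 Serv-U;Serv-U FTP Server;C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe [2006-06-12 09:10]
S4 WServing;WServing Service;C:\WINDOWS\system32\wserving.exe [2004-08-04 13:00]
"""

# Excerpt copied from the second-run log (post #5): services after the CFScript.
AFTER_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;C:\WINDOWS\system32\DRIVERS\dwvkbd.sys [2007-02-15 17:00]
R2 ASFIPmon;Broadcom ASF IP Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service []
R3 DwMirror;DwMirror;C:\WINDOWS\system32\DRIVERS\DamewareMini.sys [2007-02-07 17:00]
S4 Serv-U;Serv-U FTP Server;C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe [2006-06-12 09:10]
"""

# Constructed baseline (assumption): service names that belong to products
# the logs otherwise account for (DameWare, Broadcom, Serv-U).
BASELINE: Set[str] = {"dwvkbd", "DwMirror", "ASFIPmon", "Serv-U"}


@dataclass(frozen=True)
class Service:
    state: str    # e.g. "R1", "S4"
    name: str     # service key name
    display: str  # display name
    image: str    # image path, possibly quoted and with arguments
    stamp: str    # file timestamp as printed, "" when ComboFix printed []


def parse_services(log: str) -> Dict[str, Service]:
    """Return the service entries keyed by service name."""
    found: Dict[str, Service] = {}
    for raw in log.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            found[m["name"]] = Service(
                m["state"], m["name"], m["display"], m["image"].strip(), m["stamp"] or ""
            )
    return found


def parse_av_override(log: str) -> Optional[int]:
    """Value of Security Center's AntiVirusOverride, or None if absent."""
    m = OVERRIDE_RE.search(log)
    return int(m["val"], 16) if m else None


def removed_services(before: Dict[str, Service], after: Dict[str, Service]) -> Set[str]:
    """Service names present in the first run but gone in the second."""
    return set(before) - set(after)


def flag_services(services: Dict[str, Service], baseline: Set[str]) -> List[str]:
    """Names of services whose image lives directly in system32 (not under
    DRIVERS) and that are not in the expected baseline."""
    flagged = []
    for svc in services.values():
        image = svc.image.lower()
        in_system32 = "\\system32\\" in image and "\\drivers\\" not in image
        if in_system32 and svc.name not in baseline:
            flagged.append(svc.name)
    return sorted(flagged)


def report(before_log: str, after_log: str, baseline: Set[str]) -> dict:
    before, after = parse_services(before_log), parse_services(after_log)
    return {
        "removed": removed_services(before, after),
        "flagged_before": flag_services(before, baseline),
        "flagged_after": flag_services(after, baseline),
        "av_override_before": parse_av_override(before_log),
        "av_override_after": parse_av_override(after_log),
    }


if __name__ == "__main__":
    for key, value in report(BEFORE_LOG, AFTER_LOG, BASELINE).items():
        print(f"{key}: {value}")
```

Run against the two excerpts, the diff reports AFinding and WServing as removed, which matches the "Drivers/Services" section of the second log, and nothing is flagged afterwards. Two details worth noting from the logs themselves: both removed images carried the same 2004-08-04 13:00 file timestamp as the stock system files listed in the Run key (ctfmon.exe), which is why a timestamp alone is a poor whitelist signal; and "AntiVirusOverride"=dword:00000001, which suppresses the Security Center antivirus alert, is still present in the second log, so it is worth confirming that the installed AV product set it rather than something that was removed.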
#6
Analyst, Security Team
Re: Removal of perfs.exe
Good job. Your log is clean.
To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided. Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#7
Registered User
Join Date: May 2008
Posts: 4
OS: XP
Re: Removal of perfs.exe
Wow.
Dude I can't say how appreciative I am. You're a legend. Really am very very happy. You've been a good help. I'm off to donate to you wonderful guys now :D Thanks again, have a good weekend!