Ok, I had some problems with slowdowns so I immediately checked my processes for the obvious threats and found perfs.exe and something I forget... I think indt.exe and indt2.exe but I found little info on those. Could have been idnt... I can't remember right now. So anyway I deleted the perfs.exe file from the Windows system32 folder but I wonder if that's it? I ran Avast and AVG Anti-Spyware and they came up clean... But I'm still getting bogged down...

Logfile of HijackThis v1.99.1
Scan saved at 12:41:24 PM, on 15/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fuel\My Documents\Fuel\hijackthis_sfx\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0edc6c20-a31c-11db-8ab9-0800200c9a66} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: (no name) - {631f7200-642e-11db-bd13-0800200c9a66} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.70\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.70\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1190719247734
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5175/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)

I'm obviously worried about the last 2 lines...
Hi, log looks ok except for that last service.

Copy (Ctrl C) and paste (Ctrl V) the text below to Notepad. Save it as "All Files" and name it fixbat. Please save it on your desktop.

sc stop perfmons
sc delete perfmons
exit

Double click Fix.bat. A window will open and close. Have a look in the system32 dir and delete the perfs.exe if present.

echoreply
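The triage rule echoreply applied to the log above (a service entry with "Unknown owner" whose binary is reported "(file missing)" is the suspect; BHO and toolbar entries with "(no file)" are only leftovers) can be written down as a small parser for HijackThis v1.99.1 output. The script below is an added example, not code from anyone in this thread or from the HijackThis project; the sample lines are copied from the log in the first post, and the quoted-ImagePath heuristic (a stray `"` in the path marking a service HijackThis failed to resolve rather than a real missing file) is an assumption to be checked by hand before acting on it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few lines in HijackThis v1.99.1 format, copied from the
# log in the first post of this thread. Everything else here is added example code.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0edc6c20-a31c-11db-8ab9-0800200c9a66} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O23 body layout: "Service: <display name> - <owner> - <image path>"
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# HijackThis appends the short service name in parentheses when it differs from the display name
SHORT_NAME_RE = re.compile(r"\((?P<name>[^()]+)\)\s*$")


@dataclass
class Finding:
    code: str                # HijackThis section, e.g. O23
    name: str                # display name of the entry
    service: Optional[str]   # short service name, the one sc.exe needs
    severity: str            # high / medium / low
    reason: str


def parse_entries(log_text: str):
    """Yield (section code, body) for every R*/O* line; headers and the process list are skipped."""
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(log_text: str) -> List[Finding]:
    """Apply the rule used in this thread: an unknown-vendor service whose binary is
    missing is the suspect; orphaned BHO/toolbar entries are just clutter."""
    findings: List[Finding] = []
    for code, body in parse_entries(log_text):
        if code == "O23":
            m = SERVICE_RE.match(body)
            if not m:
                continue
            display, owner, path = m.group("display", "owner", "path")
            short = SHORT_NAME_RE.search(display)
            service = short.group("name") if short else None
            missing = "(file missing)" in path
            unknown = owner == "Unknown owner"
            if missing and unknown and '"' in path:
                # Heuristic (assumption): a stray quote means the registry ImagePath was
                # quoted and HijackThis 1.99.1 could not resolve it, so "file missing" is
                # probably a false alarm. Confirm the file exists before touching it.
                findings.append(Finding(code, display, service, "medium",
                                        "unresolved quoted ImagePath; verify the binary exists"))
            elif missing and unknown:
                findings.append(Finding(code, display, service, "high",
                                        "unknown-vendor service whose binary is gone: likely malware remnant"))
            elif missing or unknown:
                findings.append(Finding(code, display, service, "medium",
                                        "service is missing its file or its vendor; review manually"))
        elif code in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding(code, body.split(" - ")[0], None, "low",
                                    "registry entry points at a file that no longer exists"))
    return findings


def sc_cleanup_commands(finding: Finding) -> List[str]:
    """The two sc.exe lines from the thread's fix.bat, for a flagged O23 service."""
    if finding.code != "O23" or finding.service is None:
        return []
    return [f"sc stop {finding.service}", f"sc delete {finding.service}"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.code} {f.name}: {f.reason}")
        for cmd in sc_cleanup_commands(f):
            print("    " + cmd)
```

Run against the sample it flags only perfmons as high and hands back `sc stop perfmons` / `sc delete perfmons`, which is exactly what the fix.bat in this thread does; the avast! Mail Scanner line, which looks identical at first glance, is held at medium because of the quote in its path. Real logs should be pasted in place of SAMPLE_LOG, and the output read as a worklist, not executed blindly.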
Never knew I could do a fix that way before. It's so simple it's cool. I was able to delete perfs.exe from the directory before... but there's other files with perf in the name:

perfc009 - DAT file
perfci - H file
perfctrs.dll
perfd009 - DAT file
perfdisk.dll
perffilt - H file
perffilt - configuration settings
perfh009 - DAT file
perfi009 - DAT file
perfmon - Performance Monitor Command Line Shell
perfmon - Microsoft Common Console Document
perfnet.dll
perfos.dll
perfproc.dll
PerfStringBackup - Configuration settings
perfts.dll
perfwci - Both as a "H file" and "configuration settings"

So about those, I'm not sure if they have much, if anything, to do with the perfs.exe trojan/backdoor virus... But it never runs as a process anymore so I figured without the perfs.exe it's crippled or messed up. Should I delete all/any of these? I'm guessing the perfmon files for sure, but I will wait for help before I do anything as it's beyond my knowledge... and I have no idea of any consequence of any of those... as some viruses seem to mimic legit files or be named just like them or what have you... so yea... should I get rid of them? Also, thanks for the quick response. Appreciate the help!
echoreply you are a genius, that does the trick. Just a typo correction: copy text below and paste in Notepad

sc stop perfmons
sc delete perfmons
exit

Save as All Files to your desktop and name it fix.bat. This will make it a batch file. In Vista you must restart your computer before it will work, then after start up double click the new icon on desktop. A cmd window will pop up quickly with the process, then you may go into system32 and delete, and this is the ONLY way I know to delete this file on Vista because the extra "safety" of Vista will not let you just delete the file. Super Job ECHO!!!

jackofall
so yea... what about all those other files I listed that contain "perf" in the name... got anything to do with the perfs.exe virus or not?
Those are supposed to be there, but there is another that you should be looking for in your system32. It is called routing. It is an executable; if you find it and right click, go to Properties, it will say it is routing.exe. It also is a virus that usually goes with perf.exe. Computer makes clicking sounds (on its own) like the sound when you open a folder or click on a link. Supposedly this virus can use your computer: your computer has been compromised and it's being monitored by a remote server. This can be a very dangerous virus. All these are associated:

C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\ndt2.sys
C:\WINDOWS\system32\perfs.exe

You can try:

sc stop perfmons
sc delete perfmons
sc stop Routing
sc delete Routing
exit

If you can get your antivirus to pick it up or your anti-spyware to quarantine it, then delete. Do it just like before: name it fix.bat, restart and delete. But this did not work for me once I had deleted the perfs.exe. I had to download HijackThis: install, open, do not scan, go into Open Misc Tools, go to Delete File on Reboot, find routing.exe in system32, open, reboot. Here is a link for a free download of HijackThis: http://free-software-now.com/hijackthis/index.asp?revid=dhconsult&glid=none&ovid=none&sub=&kbid=
Hi, I wouldn't advise anybody to start deleting files from their computer unless you know what it is you're deleting. You should rely on antivirus and antimalware apps first for malware removal.
Yes, I agree you should try using anti-malware software first, but this routing.exe is not detected by most anti-malware software, or they can only remove it partially. It is a virus that compromises your computer and it's being monitored by a remote server. It also can possibly use your computer to infect others as well as transmit personal data from your computer to a remote host. The only way to fully guarantee that all is removed is to do a re-format and re-install Windows. Short of that, I used the steps I mentioned above and the clicking stopped, with no ill effects on Windows Vista. Again, I do agree with you: you should try to use an up-to-date anti-malware program FIRST, and quarantine to make sure it is not attached to any crucial processes.
Good advice. You can also supplement your resident apps with an online scan or two:

F-Secure scan: http://support.f-secure.com/enu/home/ols.shtml
Uses Internet Explorer only.
Click on the "start scanning" button near the bottom of the page.
Click to accept/install the ActiveX applet.
"Accept" the License Agreement, then click "full system scan".
Once the download of files completes, the scan will begin automatically. The scan may take some time to finish.
When the scan completes, click the Automatic cleaning (recommended) button.

-----------------------------------------------------------

ESET online scanner: http://www.eset.com/onlinescan/
Uses Internet Explorer only.
Check "YES" to accept the terms.
Click the start button.
Allow the ActiveX component to install.
Click the start button; the scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click scan.
One more note (I'm sure you have heard it before) that can't be stressed enough: BACKUP DISKS. I use the Grandfather-Father-Son Rule:

Master - Monthly - Weekly

This way if you do delete something that you shouldn't, or your computer just crashes and is unrecoverable, you are protected, especially if you have documents you can't afford to lose!

CD-RW disc = 60¢
Hard drive recovery = $300-$400
Thanks for the help guys. I did hear a click every now and then but thought nothing of it. But I removed routing and ndt2 now, so I hope everything will be decent now. I'm scanning with F-Secure now... but I normally use Avast Home for AV. Any really good proggy that uses VERY little system resources? I have a really old P3 950 MHz with 256 MB RAM... so something like Norton 360 just won't run.