Fortress Forever

Old 01-15-2008, 04:54 PM   #1
פֿяαιп βαмαgεפ
Annoying people since 1986
 
Join Date: Sep 2007
Location: Belgium a.k.a. absurdistan
Class/Position: O fatty, pyro - D engy, pyro
Gametype: CTF
Affiliations: This space for rent.
HELP, very annoying Virus

Ok here goes, NoD32 tell me there are some buggers called

c:\windows\system32\perfs.exe
c:\windows\system32\routing.exe

And a process called: WmiPrvSe.exe

can't find 'em, can't delete 'em, google has abadoned me.

Any help?

Last edited by פֿяαιп βαмαgεפ; 01-15-2008 at 05:10 PM.


Old 01-15-2008, 09:06 PM   #2
פֿяαιп βαмαgεפ
Annoying people since 1986
 
Join Date: Sep 2007
Location: Belgium a.k.a. absurdistan
Class/Position: O fatty, pyro - D engy, pyro
Gametype: CTF
Affiliations: This space for rent.
Anyone?


Old 01-16-2008, 02:15 AM   #3
Damascus
Comic Artist
D&A Member
 
Join Date: Jan 2008
Windows® Management Instrumentation (WMI) is a component of the Microsoft® Windows® operating system that provides management information and control in an enterprise environment. By using industry standards, managers can use WMI to query and set information on desktop systems, applications, networks, and other enterprise components. Developers can use WMI to create event monitoring applications that alert users when important incidents occur. In earlier versions of Windows, providers were loaded in-process with the Windows Management service (WinMgmt.exe), running under the LocalSystem security account. Failure of a provider caused the entire WMI service to fail. The next request to WMI restarted the service.
Beginning with Windows XP, WMI resides in a shared service host with several other services. To avoid stopping all the services when a provider fails, providers are loaded into a separate host process named Wmiprvse.exe. Multiple instances of Wmiprvse.exe can run at the same time under different accounts: LocalSystem, NetworkService, or LocalService. The WMI core WinMgmt.exe is loaded into the shared Local Service host named Svchost.exe.
Note: wmiprvsw.exe is the Sasser worm!

source: http://www.neuber.com/taskmanager/pr...prvse.exe.html


Old 01-16-2008, 04:14 AM   #4
GhostBuster
SHUT UP AND SWALLOW
 
Join Date: Sep 2007
Location: Argentina
maybe this will help u:

http://xtra.co.nz/help/0,,4155-1916458,00.html

If u delete em and they reappear, try using Avast, that shit takes out the respawning virus forever (try using the option of search after rebooting the PC so it will take them down from the core)


Old 01-16-2008, 04:47 PM   #5
פֿяαιп βαмαgεפ
Annoying people since 1986
 
Join Date: Sep 2007
Location: Belgium a.k.a. absurdistan
Class/Position: O fatty, pyro - D engy, pyro
Gametype: CTF
Affiliations: This space for rent.
Quote:
Originally Posted by Damascus
Blah
Yes I know it's a part of windows, but this is a file with that name that is NOT a windows process, believe me!

And thanks Ghost, I'm on it!

*edit* avast it is, the fucker won't budge!

Last edited by פֿяαιп βαмαgεפ; 01-16-2008 at 05:00 PM.


Old 01-16-2008, 04:54 PM   #6
pF
no war but class war
Fortress Forever Staff
 
Join Date: Oct 2007
Location: big bad berlin
Class/Position: Soldier / Scout
Gametype: ctf
Affiliations: [w~k!]
SDFix helped me get rid of the worst trojans etc.. maybe give it a try?


Old 01-16-2008, 05:09 PM   #7
groovyf
In the clouds
 
Join Date: Mar 2007
Location: Halifax, UK
Boot into Windows Safe Mode (Press F8 during bootup)
Or, failing that, boot into Recovery Mode and delete that way
Or, alternatively, boot off Ultimate Boot CD (not touching Windows at all) and delete the files.

Download and run "Hijack This" too.


Old 01-16-2008, 07:51 PM   #8
פֿяαιп βαмαgεפ
Annoying people since 1986
 
Join Date: Sep 2007
Location: Belgium a.k.a. absurdistan
Class/Position: O fatty, pyro - D engy, pyro
Gametype: CTF
Affiliations: This space for rent.
Avast is still scanning, I'll see what it solves.

Thanks for all the tips!


Old 01-17-2008, 03:15 AM   #9
-=Roland=-
 
Join Date: Apr 2007
Location: Hiram, GA
Avast won't find it. I run it at work and still got the dang thing. Once you figure out where everything is it's really not that bad to remove, just annoying because nothing finds the dang thing.

You'll have to end the process, remove the service and delete the files.

Clipped this from Afterdawn
Which is where I found the most useful info. I didn't bother with the .bat file, I just entered the commands in the cmd window.
Code:
also I recommend making backups of all files before you attempt any of this 

all these are associated:  

C:\WINDOWS\system32\routing.exe  
C:\WINDOWS\system32\ndt2.sys  
C:\WINDOWS\system32\perfs.exe  
you can try :
sc stop perfmons  
sc delete perfmons  
sc stop Routing  
sc delete Routing  
exit
I also had an indt2.sys with my infection.

Also recommend HijackThis to remove the associated lines from startup.

Good Luck,
-=Roland=-

Last edited by -=Roland=-; 01-18-2008 at 01:40 AM.
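A defender-side triage script for the checks argued over in this thread (whether a running WmiPrvSE.exe is the genuine Windows one, posts #3 and #5, and the service/file cleanup in post #9), added here as an example; it is not from the thread or from any of the tools named in it. It assumes Windows PowerShell 5.1 or later in an elevated prompt and uses only the service and file names posted above; on the XP-era machines in this thread PowerShell would have to be installed separately, and the sc.exe commands are the same ones the clipped notes give.

```powershell
# Added triage/cleanup script (not from the thread or any product it mentions).
# Assumes: Windows PowerShell 5.1+ in an elevated prompt; the service and file names
# are exactly the ones posted in this thread, not a general indicator list.
param([switch]$Remove)   # report-only by default; -Remove applies the thread's sc stop/delete steps

$suspectServices = @('perfmons', 'Routing')
$suspectFiles    = @("$env:windir\System32\routing.exe", "$env:windir\System32\perfs.exe",
                     "$env:windir\System32\ndt2.sys",    "$env:windir\System32\indt2.sys")
$genuineWmi      = "$env:windir\System32\wbem\WmiPrvSE.exe"   # where the real provider host lives

function Test-MicrosoftSigned([string]$Path) {
    # Authenticode check; catalog-signed OS binaries validate on Windows 8 and later,
    # so on older systems a non-Valid status alone does not prove the file is foreign.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
}

Write-Host "== Running WmiPrvSE.exe instances (genuine copy: $genuineWmi) =="
foreach ($p in Get-Process -Name WmiPrvSE -ErrorAction SilentlyContinue) {
    $path = $p.Path   # $null when the image path is not readable (prompt not elevated)
    if (-not $path) { Write-Host "PID $($p.Id): image path not readable"; continue }
    $verdict = if (($path -ieq $genuineWmi) -and (Test-MicrosoftSigned $path)) { 'genuine' } else { 'SUSPECT' }
    Write-Host "PID $($p.Id): $path -> $verdict"
}

Write-Host "== Services named in the thread =="
foreach ($name in $suspectServices) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Host "${name}: not present"; continue }
    Write-Host "${name}: state=$($svc.State) start=$($svc.StartMode) binary=$($svc.PathName)"
    if ($Remove) {
        & sc.exe stop $name   | Out-Null   # sc.exe explicitly: in PowerShell 'sc' aliases Set-Content
        & sc.exe delete $name | Out-Null
    }
}

Write-Host "== Files named in the thread =="
foreach ($f in $suspectFiles) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Host "${f}: absent"; continue }
    $signed = Test-MicrosoftSigned $f
    Write-Host "${f}: present, Microsoft-signed=$signed"
    if ($Remove -and -not $signed) {
        $quarantine = "$env:SystemDrive\quarantine"   # keep a copy first (the clipped notes advise backups)
        New-Item -ItemType Directory -Force -Path $quarantine | Out-Null
        Copy-Item -LiteralPath $f -Destination $quarantine -Force
        try { Remove-Item -LiteralPath $f -Force -ErrorAction Stop }
        catch { Write-Host "  could not delete (file in use?) - delete it from Safe Mode or a boot CD as suggested above" }
    }
}
```

Run it without -Remove first and read the verdicts; a WmiPrvSE.exe outside System32\wbem or failing the signature check is the imposter the thread is arguing about, while the genuine one is a normal part of Windows and must be left alone.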


Old 01-17-2008, 04:22 PM   #10
פֿяαιп βαмαgεפ
Annoying people since 1986
 
Join Date: Sep 2007
Location: Belgium a.k.a. absurdistan
Class/Position: O fatty, pyro - D engy, pyro
Gametype: CTF
Affiliations: This space for rent.
Yup, Avast went right through. Only NOD32 keeps bugging mah face!

I'll try what you just suggested, I'm getting really desperate here...


Old 01-17-2008, 08:56 PM   #11
[AE] 82694
Retired FF Staff
 
Join Date: Mar 2007
If all else fails, complete reslate; that's what I do when I fuck shit up. Also see what those pie porn sites do.
__________________
I Love GenghisTron . I miss you sooooo Much. LOL.


Old 01-18-2008, 04:43 PM   #12
פֿяαιп βαмαgεפ
Annoying people since 1986
 
Join Date: Sep 2007
Location: Belgium a.k.a. absurdistan
Class/Position: O fatty, pyro - D engy, pyro
Gametype: CTF
Affiliations: This space for rent.
Quote:
Originally Posted by 82694
If all else fails, complete reslate; that's what I do when I fuck shit up. Also see what those pie porn sites do.
Well I haven't been at home to try what Roland said, but I'll do that tomorrow or Sunday (looooooong hard weekend ahead of me).

By the way, am I good with NOD32, or should I go get something else?
I've always liked NOD32 until now; it let me down by letting in a freakin' fucked-up trojan.


Old 01-25-2008, 01:11 AM   #13
-=Roland=-
 
Join Date: Apr 2007
Location: Hiram, GA
So, how'd you make out there DB? All better now?


Old 01-25-2008, 11:58 AM   #14
פֿяαιп βαмαgεפ
Annoying people since 1986
 
Join Date: Sep 2007
Location: Belgium a.k.a. absurdistan
Class/Position: O fatty, pyro - D engy, pyro
Gametype: CTF
Affiliations: This space for rent.
Still working on it, this is one NASTY bugger, but I did manage to cap it so it's not active anymore, but deleting will have to go through Hiren's boot cd.

Last edited by פֿяαιп βαмαgεפ; 01-25-2008 at 12:07 PM.


Old 01-25-2008, 02:10 PM   #15
pF
no war but class war
Fortress Forever Staff
 
Join Date: Oct 2007
Location: big bad berlin
Class/Position: Soldier / Scout
Gametype: ctf
Affiliations: [w~k!]
Quote:
Originally Posted by -pF-
SDFix helped me get rid of the worst trojans etc.. maybe give it a try?


Old 01-26-2008, 10:30 AM   #16
פֿяαιп βαмαgεפ
Annoying people since 1986
 
Join Date: Sep 2007
Location: Belgium a.k.a. absurdistan
Class/Position: O fatty, pyro - D engy, pyro
Gametype: CTF
Affiliations: This space for rent.
^Tried that, went right over it.


Old 01-27-2008, 10:14 PM   #17
Focksbot
Ambassador of Everything.
 
Join Date: Aug 2007
Step 1:
Delete your CacAfee/Borton scanner you probably are using.

Step 2:
Download Avast Anti-Virus.
Download AVG Anti-Virus.
Download SpyBot S&D.
Download Ad-Aware.

Step 3:
Update all the scanners.

Step 4:
Restart computer and put into safe mode.

Step 5:
Set all of them onto thorough scan or however the heck you spell that word.

Step 6:
Scan overnight/any time 2 times using all of them. Repeat as your paranoia desires.

Step 7:
Delete AVG so Steam won't bitch and crash because you have it on the comp.

Step 8:
Continue using Avast as your main scanner.
Continue using Spybot as your secondary spyware scanner.
Continue using Ad-Aware as your secondary spyware scanner.

Step 9:
Buy me a case of Romanian wine.

Step 10:
Cheers.

Further tips:

Run: MSCONFIG. Hide all the Microsoft Services (A tickbox).
Then disable whatever you find questionable.

---------------------------------------------------------

Further notes:
I've had viruses like the ones you described, this scanner set basically owned everything. Twice have I hit profile editor sites that have carpetbombs of viruses, that means my Avast alarm goes off about 10 times and even after I close the window. I just do the steps above and next thing I know, it's all gone.

Last edited by Focksbot; 01-27-2008 at 10:20 PM.


Old 01-27-2008, 11:58 PM   #18
-=Roland=-
 
Join Date: Apr 2007
Location: Hiram, GA
He's running Avast...the same as I was.


Old 01-28-2008, 01:46 AM   #19
Focksbot
Ambassador of Everything.
 
Join Date: Aug 2007
Quote:
Originally Posted by -=Roland=-
He's running Avast...the same as I was.
He wasn't originally running it.

And he didn't have the combo I use.


Old 01-28-2008, 03:02 AM   #20
-=Roland=-
 
Join Date: Apr 2007
Location: Hiram, GA
True I forgot he was running NOD first.

SpyBot and AdAware both ignore this one too unless they've been updated since I had it.


All times are GMT. The time now is 03:13 AM.

