How to Remove Perfs.exe
Perfs.exe is a component of several backdoor Trojan horses that are spread via email, network shares, IRC, and chat programs. Once downloaded and installed, these Trojans run in the background to provide access to the infected computer via IRC channels and are capable of performing various functions: they can harvest email addresses, participate in distributed denial-of-service (DDoS) attacks, log keystrokes, steal password information, send email, dial predetermined telephone numbers and disable antivirus software.
Instructions
-
1
The Windows Registry contains extensive information about how your computer runs. Because removal of the virus requires extensive changes to the Windows Registry via the Registry Editor, it is important to back up the Registry before beginning the virus removal.
For infected Windows Vista computers, click "Start." Type "systempropertiesprotection" in the "Start Search" box. Press "Enter." Type the password if prompted, and click "Allow." Once the most recent restore points display, go to the "System Properties" dialog box on the "System Protection" tab and click "Create." Type the name for this backup and click "Create." Once the backup has been created, click "OK" twice to exit.
For infected Windows XP computers, click "Start," "Run," type "Windows\system32\restore\rstrui.exe," and click "OK." Select a restore point on the Welcome page and click "Next." Enter the name for the backup on the Create a Restore Point page and click "Create." Once the backup has been created, click "Close."
For infected Windows 2000 computers, use the Backup utility to create an Emergency Repair Disk.
For infected Windows 95 computers, restart the computer in safe mode and log in as an administrator. Press "F8" after the first beep occurs during start-up, before the display of the Microsoft Windows 95 logo. Select the first option, to run "Windows in Safe Mode" from the selection menu. Click "Start," then "Run," type "cmd" in the text box and press "Enter." At the command prompt, type the following lines, pressing ENTER after each line:
cd windows
attrib -r -h -s system.dat
attrib -r -h -s user.dat
copy system.dat *.bu
copy user.dat *.bu
For infected Windows 98 and Windows Me computers, click "Start," then "Run," type "scanregw" and click "OK." Click "Yes" when prompted to back up the registry. Click "OK" when notified that the Backup is complete.
For infected Windows NT computers, click "Start," then "Run," type "Ntbackup.exe" and click "OK" to use the NT Backup tool to back up the registry.
-
2
If the operating system of the infected computer is either Windows Me or Windows XP, turn off System Restore while this fix is being implemented. To turn off System Restore within Windows Me, click "Start," "Settings" and "Control Panel." Double-click on the "System" icon and select "File System" from the "Performance" tab. Left-click on the "Troubleshooting" tab and check the "Disable System Restore" box. Click "OK."
To turn off System Restore within Windows XP, log in as an administrator and click "Start." Right-click on "My Computer," and select "Properties" from the shortcut menu. Check the "Turn off System Restore" option for each drive on the "System Restore" tab. Left-click "Apply" and "Yes" to confirm when prompted. Click "OK."
-
3
Restart the computer in safe mode and log in as an administrator. Press "F8" after the first beep occurs during start-up, before the display of the Microsoft Windows logo. Select the first option, to run "Windows in Safe Mode" from the selection menu.
-
4
Remove any program files from the computer. Go to "Start," "Control Panel" and "Add/Remove Programs." Remove any programs referencing "perfs.exe." If none are listed, continue to Step 5. The malware program contains hidden files that may not be deleted as part of the software removal. In this case, it is likely that the Trojan will reappear upon reboot. It is important to follow the outlined removal process completely to avoid recurrence of the Trojan.
-
5
Use the Windows Search tool to determine if "perfs.exe" exists on the hard drive. Go to "Start," "Search" and "All Files and Folders." Type "perfs.exe" in the "All or Part of the File Name" section. Select "All Local Hard Drives" from the "Look in:" drop-down list for the best results. Click "Search."
-
6
Use the Windows Task Manager to end any perfs.exe processes that are running. Press "Ctrl," "Alt" and "Del" to open Task Manager. Select the "Processes" tab, select "perfs.exe" and "End Process." Repeat the search and delete process for the following:
routing.exe
rouming.exe
indt2.sys
andt.sys
-
7
Click on "Start," "Run," type "msconfig" and press "Enter." Remove check marks next to any "perfs" entries on the "Startup" tab. Repeat this search and removal for any of the following file references:
routing.exe
rouming.exe
indt2.sys
andt.sys
Save changes and exit to the desktop.
-
8
Click on "Start" and "Run," type "regedit" and press "Enter." Press "Ctrl+F," type "perfs" in the search field and delete all related entries. Repeat the search and delete process for the following values:
routing.exe
rouming.exe
indt2.sys
andt.sys
Exit the Registry Editor.
-
9
Click on "Start" and "Run," type "cmd" and press "Enter" to access the command prompt and unprotect any files that need to be deleted. Type "cd," press the space bar and type "\windows\system" to access the directory where the virus files typically reside. From the command prompt, type "attrib -a -s -h -r perfs.exe." Repeat this process for the following files:
routing.exe
rouming.exe
indt2.sys
andt.sys
Type "exit" and press "Enter" to exit the command prompt and return to the desktop operating system.
-
10
Use the Windows Search tool to locate and remove all temp files associated with the virus. Go to "Start," "Search" and "All Files and Folders." Type "*.tmp" in the "All or Part of the File Name" section. Select "All Local Hard Drives" from the "Look in:" drop-down list for the best results. Click "Search." Right-click on each occurrence of the file and select "Delete" from the shortcut menu. Repeat the removal process for each of the following related files:
routing.exe
rouming.exe
indt2.sys
andt.sys
-
11
Reboot the PC normally.
-
12
If perfs.exe still resides on the computer, repeat the above steps or try using a free automatic removal program from Trend Micro or AVG listed in the reference section below. If the files have been successfully removed, System Restore may be reactivated. To turn on System Restore within Windows Me, click "Start," "Settings" and "Control Panel." Double-click on the "System" icon and select "File System" from the "Performance" tab. Left-click on the "Troubleshooting" tab and remove the check from the "Disable System Restore" box. Click "OK." To turn on System Restore within Windows XP, log in as an administrator and click "Start." Right-click on "My Computer" and select "Properties" from the shortcut menu. Check the "Turn on System Restore" option for each drive on the "System Restore" tab. Left-click "Apply" and "Yes" to confirm when prompted. Click "OK."
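The check in Step 12 can be scripted. The batch file below is an added example, not part of the original instructions; it only reads and reports, and it assumes Windows XP Professional or Vista, where tasklist.exe and reg.exe are available. Checking only the two Run registry keys is an assumption that narrows the broader registry search in Step 8.

```batch
@echo off
rem Added example: read-only check for the file names listed in this article.
rem Assumes Windows XP Professional or Vista (tasklist.exe and reg.exe present).
setlocal
set FOUND=0

for %%N in (perfs.exe routing.exe rouming.exe indt2.sys andt.sys) do call :check %%N

if "%FOUND%"=="0" (echo No listed file names found.) else (echo Indicators found: %FOUND%)
endlocal
goto :eof

:check
rem 1. Files anywhere on the system drive; /a includes hidden and system files.
for /f "delims=" %%F in ('dir /s /b /a "%SystemDrive%\%1" 2^>nul') do (
    echo FILE    %%F
    set /a FOUND+=1
)
rem 2. Running processes with this image name (Step 6).
tasklist /fi "imagename eq %1" 2>nul | find /i "%1" >nul && (
    echo PROCESS %1
    set /a FOUND+=1
)
rem 3. Autostart values under the Run keys that mention the name (Steps 7 and 8).
rem    Only these two keys are checked; that scope is an assumption of this example.
for %%K in (HKLM HKCU) do (
    reg query "%%K\Software\Microsoft\Windows\CurrentVersion\Run" 2>nul | find /i "%1" >nul && (
        echo RUNKEY  %%K Run key references %1
        set /a FOUND+=1
    )
)
goto :eof
```

Because legitimate programs can use similar file names, review each reported path before deleting anything.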
-
Tips & Warnings
Manual removal of perfs.exe may be difficult because the removal process requires knowledge of the operating system command prompt and registry editor. In addition, different versions of this malware rename and relocate various file components. If not performed properly, your computer system might experience permanent damage. There are also similarly named programs that legitimately use similarly named program files. Consequently, manual removal might be best for experienced users. Less experienced users might want to consider using an automatic spyware removal application such as that offered by Trend Micro or AVG.