Have Perfcoo Trojan Cannot Rid[INACTIVE]

[jathuerk]

Hi I recently connected my computer to a dorm network and I had 3 moth old definitions on my symantec antivirus. I got the trojan called perfcoo or perfc000.dat I do not know how I got it as I was not using my computer when the security alerts began appearing. The symptoms are that if I have symantec active protection on I get about 3 alerts per second about perfc000.dat until my computer locks up after about 10-15 minutes. I have followed the symmantec instructions to remove this trojan but it did not work, the trojan just appeared again immediatly after removal. Also the registry key modification instructions are not clear and detailed enough for me to follow. I have read around about this and it looks like a nasty one to remove.

I have done updated ad aware, symantec antivirus and spy bot search and destroy scans while in safe mode and nothing has removed the trojan

here is my log file from hijak this, I hope someone can help, thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:33:37 AM, on 9/3/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RunDll32.exe

C:\WINDOWS\system32\carpserv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ZyXEL\G-302v2\tiwlnsvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.wisc.edu/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - AutorunsDisabled - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [uniblue Quick Access] "C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: AutorunsDisabled

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8577AE3C-8681-44FC-BBC4-B365634F29F5}: NameServer = 194.54.90.226

O17 - HKLM\System\CCS\Services\Tcpip\..\{A0243ACE-7216-4E05-896B-8064E0070CA5}: NameServer = 194.54.90.226

O17 - HKLM\System\CCS\Services\Tcpip\..\{ABB638D0-1F64-455F-9C79-D7B7766C778E}: NameServer = 194.54.90.226

O17 - HKLM\System\CS1\Services\Tcpip\..\{8577AE3C-8681-44FC-BBC4-B365634F29F5}: NameServer = 194.54.90.226

O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat

O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)

O22 - SharedTaskScheduler: {874443fe-aa33-4ebf-a6ac-73208787e62d} - bestreak - (no file)

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\ZyXEL\G-302v2\tiwlnsvc.exe

O23 - Service: Windows Media Connect Service (WMConnectCDS) - Unknown owner - C:\Program Files\Windows Media Connect 2\wmccds.exe (file missing)

--

End of file - 5256 bytes

Edited September 3, 2007 by jathuerk

[Shaba]

Hi jathuerk

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe

http://download.bleepingcomputer.com/lonny/Fixwareout.exe

• Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
  
• The fix will begin; follow the prompts.
  
• You will be asked to reboot your computer; please do so.
  
• Your system may take longer than usual to load; this is normal.
  
• Once the desktop loads, post the text that will open (report.txt) and a new Hijackthis log in the forum please.
  

1. Download combofix from one of these links:

Link1

Link2

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log

- combofix report

- fixwareout report

[jathuerk]

Hello Shaba

Thank you for your response but I have posted my problem and started a fix from another forum. I hope I have not wasted much of your time and thank you agian for your effort.

[Shaba]

Hi

Ok, then this thread will get closed & archived.