Tech Support Forum - Virus/Trojan/Spyware Help
#1
Registered User
Join Date: Aug 2008
Posts: 8
OS: WinXpSp3
perflib_perfdata_xxx.dat crazy infestation
I've got just about 12 hours on this one.

Every time I turn and delete something, either by Winternals Commander, NTFS Dos, BART PE, or whichever way to delete files while unmounted, it seems as if this damn rootkit gets smarter. Right now I have the Active Desktop Recovery screen up again. I got rid of this the first time by uninstalling Mozilla and reverting back to IE7. It took over a fresh copy of NIS2009 and rendered it useless. I also successfully removed a winlogon.exe rootkit, but now stumbled onto explorer.exe loading two instances of iexplorer.exe at startup and throwing about 250 packets WAN-bound.

I'm using procexp.exe to monitor processes, and have found that the iexplorer.exe instances are munching on .tmp files stored in \locals~1\temp, along with the perflib_perffata.xxx.dat file. The .tmp files are named in sequences like ~dfxxxx.tmp, etc. Plus there is an index.dat file located in the 'cookies' directory that is showing in one of the iexplorer.exe instances. Like I said, the instances of iexplorer.exe immediately load when killing explorer.exe and restarting. Also, I'm triggering something that is starting the SNMP.EXE IIS service from scvhost.exe, which is strange. IIS doesn't even come with XP Home edition.

This is getting extremely weird and frustrating, but I'm eager to learn what exactly, and how these rootkits get deposited via open NETBIOS. dds.scr runs fine, and I have dds.txt available that I'll attach here; however, gmer.exe will not run, so I cannot supply ark.txt. Let me paste up dds.txt in another post here in a moment.
#2
Registered User
Join Date: Aug 2008
Posts: 8
OS: WinXpSp3
Re: perflib_perfdata_xxx.dat crazy infestation
When I try to "Restore my Active Desktop", it has a JavaScript error. On a fresh reboot there is a never-ending loop of "The system has recovered from a serious error" messages, and it will not stop unless the dumprep process is killed.
I cannot access the internet again either. Arggg. ***.
#3
Registered User
Join Date: Aug 2008
Posts: 8
OS: WinXpSp3
Re: perflib_perfdata_xxx.dat crazy infestation
Seems as if there is some link with the Themes as well, because it reverts to XP (Modified). I switch to the XP Normal theme and the "Restore my Active Desktop" goes away and the default background image comes up.
The Control Panel Security Center option "Change the way Security Center alerts you" is greyed out, not changeable. This is the most elaborate virus I've seen!!
#4
Registered User
Join Date: Aug 2008
Posts: 8
OS: WinXpSp3
Re: perflib_perfdata_xxx.dat crazy infestation
Man, had to install NIS 2009 again to get internet connectivity back, which is nice so I don't have to keep flopping thumb drives around. Here is a paste of ddr.txt.
PASTED ABOVE, 1st THREAD... ^^^^^^^
#5
Registered User
Join Date: Aug 2008
Posts: 8
OS: WinXpSp3
Re: perflib_perfdata_xxx.dat crazy infestation
DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 2:40:01.60 on Thu 07/16/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.736 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\Owner\Desktop\procexp.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.rr.com
uDefault_Page_URL = hxxp://www.rr.com
uSearch Bar = hxxp://www.rr.com/rros2/search_redir
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: &Helper: {a77d3539-581d-450c-9e44-a84c415a6172} - c:\windows\system32\msxmlm.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mPolicies-explorer: HonorAutoRunSetting = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://activation.rr.com/install/download/tgctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107920244389
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210937853468
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} -
Notify: igfxcui - igfxsrvc.dll
Notify: ndxqwynk - c:\documents and settings\owner\application data\ndxqwynk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\symefa.sys --> c:\windows\system32\drivers\nis\1005000.087\SYMEFA.SYS [?]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\bhdrvx86.sys --> c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [?]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys --> c:\windows\system32\drivers\nis\1005000.087\ccHPx86.sys [?]
S1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090712.001\idsxpx86.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090712.001\IDSxpx86.sys [?]
S2 .norton2009Reset;Norton2009 Reset;c:\documents and settings\all users\application data\norton\Norton2009Reset.exe [2009-3-5 329051]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.5.0.135\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.5.0.135\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [?]
S3 DCamUSBBVI;SiPix StyleCam CAMeleon Dual Mode Camera;c:\windows\system32\drivers\biomini.sys [2005-7-25 397440]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-7-15 101936]
S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090715.037\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090715.037\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090715.037\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090715.037\NAVEX15.SYS [?]

=============== Created Last 30 ================

2009-07-16 00:45 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-07-16 00:44 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-07-15 20:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-07-15 20:57 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-07-15 17:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-07-15 16:38 <DIR> --d----- c:\program files\FreeCommander
2009-07-15 15:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-06-20 01:57 <DIR> --d----- c:\program files\common files\Uninstall

==================== Find3M ====================

2009-06-23 12:01 10,752 ac------ c:\windows\DCEBoot.exe
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-30 18:02 63,456 ac------ c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2008-09-21 13:05 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092120080922\index.dat

============= FINISH: 2:41:40.15 ===============
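Added example, not part of the thread and not code from the DDS tool: a small Python triage script that parses lines in the style of the "Pseudo HJT Report" section above and scores each load point with the heuristics an analyst applies by eye when reading such a log (code loaded from a user profile directory, a file name with no vowels, a display name that identifies no vendor, a Winlogon notify package registered by full path rather than by bare DLL name). The SAMPLE lines are copied from the log above, with the Adobe, Symantec, Intel and KernelFaultCheck entries kept in for contrast; the weights, the "no vowels" rule and the GENERIC_NAMES set are my assumptions. A high score means "look at this first", not "malicious"; the thread's own resolution (a detection named general.packed.200 after an offline scan) is the verdict, this is only ordering.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the "Pseudo HJT Report" in the thread.
# DDS prefixes: BHO = browser helper object, TB = toolbar, mRun = HKLM Run key,
# Notify = Winlogon notification package, SSODL = ShellServiceObjectDelayLoad.
SAMPLE = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: &Helper: {a77d3539-581d-450c-9e44-a84c415a6172} - c:\windows\system32\msxmlm.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
Notify: igfxcui - igfxsrvc.dll
Notify: ndxqwynk - c:\documents and settings\owner\application data\ndxqwynk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
"""

VOWELS = set("aeiou")
GENERIC_NAMES = {"helper"}   # assumption: display names that identify no vendor at all


@dataclass
class Entry:
    kind: str                 # BHO, TB, mRun, Notify, SSODL, ...
    name: str                 # display name / value name ("" when only a GUID is given)
    target: str               # DLL, EXE or command line the load point runs
    score: int = 0
    reasons: list = field(default_factory=list)


LINE_RE = re.compile(r"^(?P<kind>[A-Za-z-]+): (?P<rest>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


def parse_line(line):
    """Split one DDS report line into (kind, display name, target); None if not a load point."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    if kind.endswith("Run"):                        # mRun/uRun: [Name] command line
        rm = re.match(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)", rest)
        return Entry(kind, rm.group("name"), rm.group("cmd")) if rm else None
    parts = [p.strip() for p in rest.split(" - ")]  # "Name: {GUID} - path" or "Name - path"
    head = parts[0].split(":")[0].strip()
    name = "" if GUID_RE.fullmatch(head) else head
    return Entry(kind, name, parts[-1])


def file_stem(target):
    """Base name, without extension, of the binary a target refers to."""
    t = target.lower()
    m = re.search(r'([^\\/\s"]+)\.(dll|exe|sys|ocx)\b', t)
    if m:
        return m.group(1)
    tail = t.replace("/", "\\").split("\\")[-1].split()   # e.g. "dumprep 0 -k" -> "dumprep"
    return tail[0] if tail else ""


def score(entry):
    """Attach triage points and human-readable reasons to an entry (weights are assumptions)."""
    t = entry.target.lower()
    stem = file_stem(entry.target)
    if "documents and settings\\" in t and ("application data" in t or "local settings" in t):
        entry.score += 2
        entry.reasons.append("load point runs code from a user profile directory")
    if stem.isalpha() and len(stem) >= 5 and not (set(stem) & VOWELS):
        entry.score += 1
        entry.reasons.append(f"file name '{stem}' has no vowels (looks generated)")
    if entry.name.lstrip("&").strip().lower() in GENERIC_NAMES:
        entry.score += 1
        entry.reasons.append(f"generic display name {entry.name!r}")
    if entry.kind == "Notify" and "\\" in entry.target:
        entry.score += 1
        entry.reasons.append("Winlogon notify package given as a full path; vendor entries are typically a bare system32 DLL name")
    return entry


def triage(report):
    """Return the scored entries that had at least one hit, most suspicious first."""
    entries = [parse_line(line) for line in report.splitlines()]
    scored = [score(e) for e in entries if e is not None]
    return sorted((e for e in scored if e.score > 0), key=lambda e: -e.score)


if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"[{e.score}] {e.kind}: {e.name or '(no name)'} -> {e.target}")
        for r in e.reasons:
            print(f"      - {r}")
```

Run against the sample, the two entries that surface are the Notify package in the user's Application Data folder and the "&Helper" BHO, which is the same pair a reader of the log above would circle; the Intel notify DLL, the Adobe and Symantec BHOs, the WPD shell object and the standard KernelFaultCheck run entry score zero. The point of writing the rules down is that each hit carries its reason, so the ordering can be audited rather than taken on trust.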
#6
Registered User
Join Date: Aug 2008
Posts: 8
OS: WinXpSp3
Re: perflib_perfdata_xxx.dat crazy infestation
Here is the attach.txt from ddr.scr.
Also would like to mention that it takes about 3 reboots to get into the desktop, and it will hang at winlogon.exe. It seems to be right around that time.
#8
Registered User
Join Date: Aug 2008
Posts: 8
OS: WinXpSp3
Re: perflib_perfdata_xxx.dat crazy infestation
You can close this thread. Was taken care of by removing the HDD, and virus scanning from another computer with protection. general.packed.200 was the virus. 39 files, 1 browser cache.