Tech Support Team
#1 | 17th April 2011, 06:14 PM | FogLight (TST Member, joined May 2009)
Inspiron Windows 7 64-bit Infection from Website visit

I have a Dell Inspiron laptop running Windows 7 64-bit O/S which is infected with something nasty. We think it came from a website my wife entered against the advice of McAfee.

Since the infection has occurred we can only bring up IE8 in safe mode. In normal boot, the system just bogs down completely and becomes totally unresponsive. At that point, ctrl-alt-del is the only way to get a response. We then reboot into safe mode (F8 before the splash screen) to try to address the problem.

When booted into normal mode we have seen PDVDDXSrv.exe crash pretty consistently. We have also seen GFXui crash several times as well. Last night we got the blue screen of death several times, as well as an operating system memory fault report when running in normal mode.

Also I have found that Windows 7 SP1 has not been installed, as well as several other recent updates, even though the system is configured for automatic update. Attempts to install the missing updates failed due to the infection. We found that updates won't install when running in safe mode.

I have gone through the 7 steps posted in EvilFantasy's 'malware removal guide.'

The required logs have been attached to this post as advised in the tutorial.

Thanks in advance for any help offered.

Best Regards to the forum Experts, Foglight

Attached Files
File Type: txt SUPERAntiSpyware Scan Log - 04-16-2011 - 14-48-08.txt (45.0 KB, 60 views)
File Type: txt mbam-log-2011-04-16 (20-29-27).txt (1.4 KB, 50 views)
File Type: log hijackthis.log (7.7 KB, 54 views)

Last edited by FogLight; 17th April 2011 at 06:22 PM.

#2 | 17th April 2011, 08:20 PM | Rik (TST Master, joined Dec 2007, England)
Your Mbam log shows No Action Taken. You need to have Mbam remove what it finds.
__________________
"If at first you do not succeed, sit down, have a coffee, have a smoke, and think for a bit. If that still doesn't work, post it on TST".

#3 | 17th April 2011, 11:29 PM | FogLight
Reply to Rik

Thanks for checking the logs and commenting, Rik.

Malwarebytes had the 4 infected keys 'quarantined'. I misunderstood this to mean they were no longer a threat or could affect the system.

Before deleting the quarantined keys, I ran Malwarebytes again and the mbam log indicates no problems were found. This log is attached for review.

After the mbam quick scan was complete I went ahead and deleted the keys as advised.

The good news is that things do seem to be a lot better now that the infected keys have been deleted. I am actually making this post from the laptop in question while booted normally ( but still in selective startup with no non-Microsoft services started ).

The bad news is that although IE8 is not crashing outright, it is still running very, very slowly. And when I try to open a text file for instance, notepad says 'program not responding' for 10-15 seconds, and then the text file will open ok ...

Besides the fact I think there is still an infection of some type, my feeling is that I should get SP1 and the other missing updates installed next, but will wait for a while to see if any of the experts have some other advice on how to proceed at this point.

Again, thanks for your comments, Rik - things are already looking a lot better!
Attached Files
File Type: txt mbam-log-2011-04-17 (18-38-16).txt (898 Bytes, 51 views)
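The "selective startup with no non-Microsoft services started" state described in the post above is msconfig's "Hide all Microsoft services" filter applied by hand. The PowerShell below is an added example, not code from the thread or from any of the tools it mentions, that builds the same kind of list from the auto-start services and the Run keys and prints the path and Authenticode signer of each entry so it can be compared against a HijackThis log. It assumes an elevated Windows PowerShell prompt; the function names are mine. One caveat: on Windows 7's PowerShell 2.0, Get-AuthenticodeSignature does not consult security catalogs, so catalog-signed Windows binaries are reported NotSigned and will appear in the output too; treat the list as candidates to review, not as a verdict.

```powershell
# Added example, not part of the thread or of any tool it mentions.
# Lists auto-start services and Run-key entries whose executable does not carry a
# valid Authenticode signature from Microsoft, i.e. roughly what msconfig hides
# when "Hide all Microsoft services" is ticked. Run from an elevated PowerShell.
# Caveat: PowerShell 2.0 (Windows 7) does not check security catalogs, so
# catalog-signed Windows binaries are reported NotSigned and will be listed too.

function Get-ExePathFromCommand {
    # Extract the executable path from a service or Run-key command line.
    # Handles "quoted path with spaces" args and unquoted paths ending in .exe.
    param([string]$Command)
    if (-not $Command) { return $null }
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Resolve-ExePath {
    # Bare names such as rundll32.exe are resolved through PATH, as the loader would.
    param([string]$Path)
    if (-not $Path) { return $null }
    if (Test-Path -LiteralPath $Path) { return $Path }
    $cmd = Get-Command $Path -ErrorAction SilentlyContinue
    if ($cmd -and $cmd.Definition) { return $cmd.Definition }
    return $Path
}

function Get-SignerSummary {
    # Returns "Valid: <subject>" for a valid signature, otherwise the signature status.
    param([string]$Path)
    if (-not $Path) { return 'NoPath' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'FileNotFound' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') { return 'Valid: ' + $sig.SignerCertificate.Subject }
    return [string]$sig.Status
}

$findings = @()

# 1. Services that start automatically (what msconfig's Services tab shows)
foreach ($svc in (Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' })) {
    $exe = Resolve-ExePath (Get-ExePathFromCommand $svc.PathName)
    $signer = Get-SignerSummary $exe
    if ($signer -notmatch '^Valid: .*O=Microsoft Corporation') {
        $findings += New-Object PSObject -Property @{
            Source = 'Service'; Name = $svc.Name; State = $svc.State; Path = $exe; Signer = $signer
        }
    }
}

# 2. Run keys: machine-wide, the 32-bit view on 64-bit Windows, and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Get-ItemProperty adds these bookkeeping properties; they are not registry values.
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psNoise -contains $prop.Name) { continue }
        $exe = Resolve-ExePath (Get-ExePathFromCommand ([string]$prop.Value))
        $signer = Get-SignerSummary $exe
        if ($signer -notmatch '^Valid: .*O=Microsoft Corporation') {
            $findings += New-Object PSObject -Property @{
                Source = $key; Name = $prop.Name; State = ''; Path = $exe; Signer = $signer
            }
        }
    }
}

$findings | Sort-Object Source, Name | Format-Table -AutoSize Source, Name, State, Signer, Path
```

Anything listed with Signer of FileNotFound is worth a second look: a Run entry or service pointing at a binary that no longer exists is exactly what is left behind after a removal tool deletes the file but not the registry reference.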
#4 | 18th April 2011, 08:28 AM | Rik
I would now like you to update Mbam and run a full scan from a normal boot.

Once done (it should take a few hours) post the new Mbam log along with a new HiJackThis log.

#5 | 18th April 2011, 09:12 PM | FogLight
Just an update for those who may be following here: mbam was updated with the latest signatures this morning and a full scan was started in normal mode (but in 'selective startup' with all non-Microsoft services disabled), and it has been running very sloooowwww ... but hasn't crashed, so that's good news ...

6 hours and 7 minutes into the full scan, as per Rik, with about 36000 files scanned so far and nothing detected up till now ... at this rate the scan may take another 12 hours ... who the heck knows ...

Next post when something more is available.

Best Regards, Foggy

#6 | 18th April 2011, 09:15 PM | Rik
Sheesh, I have never known it to take that long! I reckon you need a device I have been thinking about building, a USB crank handle!

#7 | 18th April 2011, 09:43 PM | FogLight
hehe ... either that, or I need a bigger brain ... lol ...

#8 | 18th April 2011, 09:47 PM | Rik
I have another suggestion.

Please cancel the Mbam scan.

Now please do the following:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/down...virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it, so if you don't click within ten minutes after reaching the page you will need to refresh the page.

You must download it to and run it from your Desktop.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run ComboFix ONCE only!!

Once done, re-run Mbam and post its log along with combofix.txt.

#9 | 19th April 2011, 03:02 PM | FogLight
Rik , I didn't see your last post until now. And I think you must've anticipated that mbam would eventually stop responding altogether which it eventually did do after 7 hours 26 minutes and 55 seconds elapsed run time and 36897 files checked with no problems found.

mbam has not incremented its run time since last night. I could not kill mbam from task manager, but was able to force a restart from the 'Start' menu ...

Will now download and run Combofix as per your last post.

One other item which may be of interest is that we were able to find the website which caused this infection on surfpac.com. The website is paulineoliveros.us ...

I will update this thread with the results of the combofix run.

#10 | 19th April 2011, 03:22 PM | Rik
Cool, I hope Combofix will do the job!

#11 | 19th April 2011, 04:04 PM | FogLight
Rik,

After rebooting from the hung mbam full scan in normal mode, the system then hung at the welcome screen when restarting normally. I then rebooted into safe mode with internet and ran Combofix and a freshly updated mbam quick scan.

Both programs ran and completed normally.

Logs from those runs are attached for review.

I must be away for a while this afternoon - I will check back in around 4 or 5pm.
Attached Files
File Type: txt ComboFix.txt (21.4 KB, 85 views)
File Type: txt mbam-log-2011-04-19 (11-47-46).txt (899 Bytes, 49 views)

Last edited by FogLight; 19th April 2011 at 04:22 PM.

#12 | 19th April 2011, 07:45 PM | Rik
Combofix has removed quite a lot of bad stuff. How is your computer running now?

#13 | 19th April 2011, 08:12 PM | FogLight
After Combofix completed I had to go out for a few hours, so I shut down the laptop. Upon my return I decided to try running a full mbam scan in normal mode again to see if it would work this time.

I opened Task Manager and opened the 'performance' window which shows a graph of cpu activity. The Inspiron is a quad core machine.

When I started the mbam full scan this time I was able to observe CPU activity, and all 4 cores were very active for the first 15 or 30 seconds, during which time mbam crunched through about 29000 files.

Then the mbam window began displaying the message 'Not Responding', and I noticed CPU activity had dropped down to maybe 5%. From there, over the next few minutes, CPU activity dropped off steadily to very nearly zero, although mbam's file count would update by a few dozen files every minute or so ...

This is more or less how mbam behaved prior to the Combofix run, so I would say that in spite of all the things combofix found, the original problem is still present.

Please advise.

Best, Foggy

#14 | 19th April 2011, 09:08 PM | Rik
Ok, I need you to run combofix again but in normal boot mode rather than safe mode. Follow my previous combofix instructions.

#15 | 20th April 2011, 12:53 AM | FogLight
I started the combofix run in normal mode as advised, and a banner came up announcing a new version of combofix is available, but based on how screwed up the laptop is, I doubted the install would complete properly and so declined to upgrade.

Then combofix moved through stages 1 and 2 pretty quickly, but now it's been more or less hung in stage 3 for at least half an hour now, I would guess.

CPU activity, as per task manager, is pretty much at a solid zero (yet again!) with the occasional spike of activity now and then in one or another of the cores ...

So, at this point, I think combofix is pretty much hung and won't ever complete, but I guess I can wait a while to see if there's any feedback on what I should do next in terms of shutting down combofix or not ...

I did watch combofix make a backup copy of the registry, so that's probably a good thing ...

#16 | 20th April 2011, 01:17 AM | FogLight
Well, I'll be darned -- stage 3 just completed now ... hmmmm ....

#17 | 20th April 2011, 01:50 AM | FogLight
Still on stage four, CPU utilization at zero except for intermittent very brief spikes of activity, combofix has been running well over an hour ... I'm going to shut it down and turn in.

Will check for forum feedback tomorrow.

G'nite.

#18 | 20th April 2011, 02:11 AM | Rik
Try updating it.

#19 | 20th April 2011, 09:20 AM | FogLight
Updated combofix in safe mode, restarted system in normal mode, initiated combofix run, and stepped out for about 20 minutes to drop the wife off at work.

Upon my return there was a system information report that 'Microsoft Scripting Host' had crashed. It had terminated at some address which was reported too. I clicked on OK for both the bad address report and the Scripting Host report.

During the period the crash report was up it appears combofix had hung at some point after displaying the line, "Combofix is preparing to run." As soon as I cleared the crash reports, it appears Combofix resumed execution.

Combofix has just completed creating the system restore point and backing up the registry.

The bad news is, just as before, CPU utilization is now pretty much steady-state at around zero, with brief intermittent spikes of activity.

I will allow combofix to run for a while, and report back here ...

#20 | 20th April 2011, 11:01 AM | FogLight
Combofix took about 45 minutes after my last post to complete stage 4. At about that point I noticed that CPU utilization had risen to about 25%, more or less steady-state ... so, this seems like an improvement.

Somewhere during stage 4, I think it was, the desktop went black for between 5 and ten minutes, and then came back. I believe this is where the increase in CPU occurred.

After stage 5 completed, the next many stages completed in sequence quite quickly until stage 32 was reached, where it stayed for quite a while and was where it was when I began this post.

Now, during the time I've been typing this, Combofix has advanced from stage 32 to stage 48, while CPU remains at about 25%.

Interestingly, it seems that the 'Dell Support Center' process, pcdrcui.exe, is using the lion's share of that 25%, although PEV.cfxxe *32, which I believe is the Combofix process, does seem to get some CPU from time to time ...

Combofix now remaining at stage 48 ...

Will post more when Combofix completes ( hopefully ) ...
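Posts #13 and #20 above are doing this by eye in Task Manager: watching total CPU collapse to near zero while mbam shows 'Not Responding', and later noticing that pcdrcui.exe rather than the scanner owns most of the 25%. The PowerShell below is an added example, my code and not from the thread or from any tool it mentions, that samples each process's CPU time over a window and reports the top consumers together with any process whose main window has stopped responding, so the answer to "which process is actually burning or blocking the CPU" is on record rather than glimpsed. It assumes Windows PowerShell 2.0 or later; the function name is mine.

```powershell
# Added example, not part of the thread or of any tool it mentions.
# Samples per-process CPU time over a window and reports the top consumers, plus any
# process whose main window is marked not responding. Scripted equivalent of watching
# Task Manager's Performance tab while a scan hangs. Windows PowerShell 2.0 or later.

function Get-ProcessCpuSample {
    param([int]$Seconds = 10, [int]$Top = 8)

    # Snapshot 1: cumulative processor time per PID. Protected processes (System, csrss)
    # refuse the query for non-elevated callers, so those are skipped rather than aborting.
    $before = @{}
    foreach ($p in Get-Process) {
        try { $before[$p.Id] = $p.TotalProcessorTime.TotalMilliseconds } catch { }
    }
    Start-Sleep -Seconds $Seconds

    # CPU-milliseconds available in the window across all logical processors, so that
    # a process pegging one core of four shows as 25%, matching Task Manager's scale.
    $cores  = [int]$env:NUMBER_OF_PROCESSORS
    $window = $Seconds * 1000.0 * $cores

    $rows = foreach ($p in Get-Process) {
        if (-not $before.ContainsKey($p.Id)) { continue }   # started after snapshot 1
        $used = 0
        try { $used = $p.TotalProcessorTime.TotalMilliseconds - $before[$p.Id] } catch { continue }
        if ($used -lt 0) { continue }                        # PID reused inside the window
        $path = $null
        try { $path = $p.Path } catch { }                    # access denied for some processes
        New-Object PSObject -Property @{
            Name       = $p.ProcessName
            Id         = $p.Id
            CpuPercent = [math]::Round(100.0 * $used / $window, 1)
            Responding = $p.Responding   # $false once the main window stops pumping messages
            Path       = $path
        }
    }

    $rows | Sort-Object CpuPercent -Descending | Select-Object -First $Top |
        Format-Table -AutoSize Name, Id, CpuPercent, Responding, Path

    $hung = $rows | Where-Object { $_.Responding -eq $false }
    if ($hung) {
        ''
        'Processes whose main window is not responding:'
        $hung | Format-Table -AutoSize Name, Id, CpuPercent, Path
    }
}

# Sample for 10 seconds while the scan is running, e.g. from a second PowerShell window.
Get-ProcessCpuSample -Seconds 10
```

Run it from a second PowerShell window while the scanner is in its hung state; a scanner that shows Responding = False with near-zero CpuPercent is blocked on something (disk, a filter driver, a hooked API) rather than busy, and the process that does hold the CPU at that moment is the one to look at next.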