(new TDL4) Keylogged & IE with a mind of its own

Inactive
By Brutal Black
Nov 23, 2011
  1. Brutal Black

    Brutal Black Newcomer, in training Topic Starter Posts: 75

    The connectivity is still down with the same issue. It may have been Combofix that caused the issue. I didn't need to restart until OTL forced me to, from my recollection. Should I restore to an even earlier point?
  2. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    Last Combofix didn't remove anything.

    See if you can run Farbar Service Scanner now.
  3. Brutal Black

    Brutal Black Newcomer, in training Topic Starter Posts: 75

    Same error, line 2342, error in expression.
  4. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    Use restore point you created before running Combofix.
  5. Brutal Black

    Brutal Black Newcomer, in training Topic Starter Posts: 75

    It's like black magic... I restored to 12/03/11 4:38:28 am EST

    That is the same restore point I took it to last night, before CF and aswMBR logs.

    Everything works, but I'm pretty sure we brought back the traces of AVG 2011 we keep spotting after running CF.

    However!

    I don't get redirected nor does IE control itself. So I'm unsure just how threatening the virus is in this state, if at all.
  6. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    We'll leave Combofix alone.

    Create new restore point again and run my OTL fix script.
  7. Brutal Black

    Brutal Black Newcomer, in training Topic Starter Posts: 75

    I'm pretty sure it didn't work this time around, here's the log:

    Error: Unable to interpret <netsvcs> in the current context!
    Error: Unable to interpret <drivers32> in the current context!
    Error: Unable to interpret <%SYSTEMDRIVE%\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\Fonts\*.com> in the current context!
    Error: Unable to interpret <%systemroot%\Fonts\*.dll> in the current context!
    Error: Unable to interpret <%systemroot%\Fonts\*.ini> in the current context!
    Error: Unable to interpret <%systemroot%\Fonts\*.ini2> in the current context!
    Error: Unable to interpret <%systemroot%\Fonts\*.exe> in the current context!
    Error: Unable to interpret <%systemroot%\system32\spool\prtprocs\w32x86\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\REPAIR\*.bak1> in the current context!
    Error: Unable to interpret <%systemroot%\REPAIR\*.ini> in the current context!
    Error: Unable to interpret <%systemroot%\system32\*.jpg> in the current context!
    Error: Unable to interpret <%systemroot%\*.jpg> in the current context!
    Error: Unable to interpret <%systemroot%\*.png> in the current context!
    Error: Unable to interpret <%systemroot%\*.scr> in the current context!
    Error: Unable to interpret <%systemroot%\*._sy> in the current context!
    Error: Unable to interpret <%APPDATA%\Adobe\Update\*.*> in the current context!
    Error: Unable to interpret <%ALLUSERSPROFILE%\Favorites\*.*> in the current context!
    Error: Unable to interpret <%APPDATA%\Microsoft\*.*> in the current context!
    Error: Unable to interpret <%PROGRAMFILES%\*.*> in the current context!
    Error: Unable to interpret <%APPDATA%\Update\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\*. /mp /s> in the current context!
    Error: Unable to interpret <CREATERESTOREPOINT> in the current context!
    Error: Unable to interpret <%systemroot%\System32\config\*.sav> in the current context!
    Error: Unable to interpret <%PROGRAMFILES%\bak. /s> in the current context!
    Error: Unable to interpret <%systemroot%\system32\bak. /s> in the current context!
    Error: Unable to interpret <%ALLUSERSPROFILE%\Start Menu\*.lnk /x> in the current context!
    Error: Unable to interpret <%systemroot%\system32\config\systemprofile\*.dat /x> in the current context!
    Error: Unable to interpret <%systemroot%\*.config> in the current context!
    Error: Unable to interpret <%systemroot%\system32\*.db> in the current context!
    Error: Unable to interpret <%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x> in the current context!
    Error: Unable to interpret <%USERPROFILE%\Desktop\*.exe> in the current context!
    Error: Unable to interpret <%PROGRAMFILES%\Common Files\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\*.src> in the current context!
    Error: Unable to interpret <%systemroot%\install\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\system32\DLL\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\system32\HelpFiles\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\system32\rundll\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\winn32\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\Java\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\system32\test\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\system32\Rundll32\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\AppPatch\Custom\*.*> in the current context!
    Error: Unable to interpret <%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x> in the current context!
    Error: Unable to interpret <%PROGRAMFILES%\PC-Doctor\Downloads\*.*> in the current context!
    Error: Unable to interpret <%PROGRAMFILES%\Internet Explorer\*.tmp> in the current context!
    Error: Unable to interpret <%PROGRAMFILES%\Internet Explorer\*.dat> in the current context!
    Error: Unable to interpret <%USERPROFILE%\My Documents\*.exe> in the current context!
    Error: Unable to interpret <%USERPROFILE%\*.exe> in the current context!
    Error: Unable to interpret <%systemroot%\ADDINS\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\assembly\*.bak2> in the current context!
    Error: Unable to interpret <%systemroot%\Config\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\REPAIR\*.bak2> in the current context!
    Error: Unable to interpret <%systemroot%\SECURITY\Database\*.sdb /x> in the current context!
    Error: Unable to interpret <%systemroot%\SYSTEM\*.bak2> in the current context!
    Error: Unable to interpret <%systemroot%\Web\*.bak2> in the current context!
    Error: Unable to interpret <%systemroot%\Driver Cache\*.*> in the current context!
    Error: Unable to interpret <%PROGRAMFILES%\Mozilla Firefox\0*.exe> in the current context!
    Error: Unable to interpret <%ProgramFiles%\Microsoft Common\*.*> in the current context!
    Error: Unable to interpret <%ProgramFiles%\TinyProxy.> in the current context!
    Error: Unable to interpret <%USERPROFILE%\Favorites\*.url /x> in the current context!
    Error: Unable to interpret <%systemroot%\system32\*.bk> in the current context!
    Error: Unable to interpret <%systemroot%\*.te> in the current context!
    Error: Unable to interpret <%systemroot%\system32\system32\*.*> in the current context!
    Error: Unable to interpret <%ALLUSERSPROFILE%\*.dat /x> in the current context!
    Error: Unable to interpret <%systemroot%\system32\drivers\*.rmv> in the current context!
    Error: Unable to interpret <dir /b "%systemroot%\system32\*.exe" | find /i " " /c> in the current context!
    Error: Unable to interpret <dir /b "%systemroot%\*.exe" | find /i " " /c> in the current context!
    Error: Unable to interpret <%PROGRAMFILES%\Microsoft\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\System32\Wbem\proquota.exe> in the current context!
    Error: Unable to interpret <%PROGRAMFILES%\Mozilla Firefox\*.dat> in the current context!
    Error: Unable to interpret <%USERPROFILE%\Cookies\*.txt /x> in the current context!
    Error: Unable to interpret <%SystemRoot%\system32\fonts\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\system32\winlog\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\system32\Language\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\system32\Settings\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\system32\*.quo> in the current context!
    Error: Unable to interpret <%SYSTEMROOT%\AppPatch\*.exe> in the current context!
    Error: Unable to interpret <%SYSTEMROOT%\inf\*.exe> in the current context!
    Error: Unable to interpret <%SYSTEMROOT%\Installer\*.exe> in the current context!
    Error: Unable to interpret <%systemroot%\system32\config\*.bak2> in the current context!
    Error: Unable to interpret <%systemroot%\system32\Computers\*.*> in the current context!
    Error: Unable to interpret <%SystemRoot%\system32\Sound\*.*> in the current context!
    Error: Unable to interpret <%SystemRoot%\system32\SpecialImg\*.*> in the current context!
    Error: Unable to interpret <%SystemRoot%\system32\code\*.*> in the current context!
    Error: Unable to interpret <%SystemRoot%\system32\draft\*.*> in the current context!
    Error: Unable to interpret <%SystemRoot%\system32\MSSSys\*.*> in the current context!
    Error: Unable to interpret <%ProgramFiles%\Javascript\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\pchealth\helpctr\System\*.exe /s> in the current context!
    Error: Unable to interpret <%systemroot%\Web\*.exe> in the current context!
    Error: Unable to interpret <%systemroot%\system32\msn\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\system32\*.tro> in the current context!
    Error: Unable to interpret <%AppData%\Microsoft\Installer\msupdates\*.*> in the current context!
    Error: Unable to interpret <%ProgramFiles%\Messenger\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\system32\systhem32\*.*> in the current context!
    Error: Unable to interpret <%systemroot%\system\*.exe> in the current context!
    Error: Unable to interpret <HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU> in the current context!
    Error: Unable to interpret <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs> in the current context!
    Error: Unable to interpret </md5start> in the current context!
    Error: Unable to interpret </md5stop> in the current context!

    OTL by OldTimer - Version 3.2.31.0 log created on 12042011_164130
  8. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    You missed the 1st line of my script:
    Redo
  9. Brutal Black

    Brutal Black Newcomer, in training Topic Starter Posts: 75

    I was trying to run the wrong script entirely; we've created quite the long thread, haha.

    Running it now, thanks for pointing that out.
  10. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    May be a record....5 pages...LOL
  11. Brutal Black

    Brutal Black Newcomer, in training Topic Starter Posts: 75

    Alright, since running the OTL fix, Windows refuses to boot up. I ran an automatic repair that did nothing to fix the issue. Recovery disk time?
  12. Brutal Black

    Brutal Black Newcomer, in training Topic Starter Posts: 75

    It's currently attempting another automatic repair. It's searching longer this time instead of immediately attempting to repair, so it could stumble on the problem; I'm going to let it run.
  13. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    Since running correct OTL fix?

    Please Boot to the System Recovery Options
    If you have a Windows 7 installation disc, just insert the DVD into the drive, restart the computer and it should load automatically (option two presented in the article).
    It's also possible that your computer has a pre-installed recovery partition instead - in such a case use method one (by pressing F8 before Windows starts loading)...

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

    Choose Command Prompt
    You should see X:\SOURCES>...

    Execute the following commands in bold.
    Press Enter after every one of them.

    bootrec /fixmbr (<--- there is a "space" after "bootrec")

    bootrec /fixboot

    exit

    Restart computer.
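The bootrec /fixmbr step above rewrites the boot code in the master boot record, which is exactly the area a bootkit such as TDL4 replaces. As an added illustration, not part of this thread or of any tool named in it, the following Python parses a 512-byte MBR image, compares its boot code against a known-good hash and sanity-checks the partition table; the sample images, the baseline hash and the function names are constructed for the example.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440           # boot code occupies bytes 0..439
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR

def parse_mbr(data: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries and signature."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", data, off)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_END]).hexdigest(),
        "partitions": entries,
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
    }

def audit_mbr(data: bytes, known_good_boot_hash: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    mbr = parse_mbr(data)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if mbr["boot_code_sha256"] != known_good_boot_hash:
        findings.append("boot code differs from known-good baseline")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 and (p["lba"] or p["sectors"]):
            findings.append(f"entry {i}: unused type but non-zero extent")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code plus one bootable NTFS (0x07) partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    table = entry + b"\x00" * 48          # remaining three entries unused
    return boot_code.ljust(PART_TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE

# Constructed "clean" image; its hash stands in for a baseline taken from a known-good disk.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Constructed "tampered" image: same partition table, different boot code.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x00" * 4 + b"\xb8\x00\x7c")
```

On a real machine the 512 bytes would be read from the physical disk with a tool such as aswMBR and the baseline hash taken from a known-clean image of the same Windows version.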
  14. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    If not, follow my latest reply.
  15. Brutal Black

    Brutal Black Newcomer, in training Topic Starter Posts: 75

    The extended search ended in offering a system restore. Hmmm...
  16. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    Try my previous reply first.

    You didn't say:
  17. Brutal Black

    Brutal Black Newcomer, in training Topic Starter Posts: 75

    So Windows cannot make it past the 4 glowing lights that form the Windows flag. System Restore comes up with the error that Startup Repair cannot automatically fix this computer.

    I ran the commands you wrote out in bold but nothing changed; it still stops just short of the Windows password screen and tells me Windows failed to launch.

    Both those commands entered successfully.
  18. Brutal Black

    Brutal Black Newcomer, in training Topic Starter Posts: 75

    Yes, it was ever since running the correct fix; the wrong one simply froze the program, forcing me to restart it.
  19. Brutal Black

    Brutal Black Newcomer, in training Topic Starter Posts: 75

    I still have the restore point you told me to create if all else fails.
  20. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    Did you read my reply #88?
  21. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    Go ahead with restore point then.
  22. Brutal Black

    Brutal Black Newcomer, in training Topic Starter Posts: 75

    Uh oh...

    I'm slightly worried now. Even though I "KNOW" I created a restore point, and had multiple ones besides the one I created, the system isn't finding any restore points.
  23. Brutal Black

    Brutal Black Newcomer, in training Topic Starter Posts: 75

    I see a system image is different; however, I don't have one of these. :(
  24. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    I'm afraid we're dealing with some serious Windows corruption.
    Did you try to boot to Safe Mode?
  25. Brutal Black

    Brutal Black Newcomer, in training Topic Starter Posts: 75

    Safe mode stops loading waaaaaay too early at something like WMLIB.sys and reboots the computer. Same with any other safe mode.

