sUBs

Trusted Malware Techs
  • Content Count: 54
  • Rank: Developer

  1. sUBs

    New log

    Don't worry about System Restore points just yet. Check it again tomorrow. There should be one created by then. If not, please let me know. *HeHe* ... I can always lend you one of mine.
  2. sUBs

    New log

    Use the machine for the next few hours. Throw in a couple of reboots in between. Then come back & tell us how the machine is coping.
  3. sUBs

    New log

    334 sounds like a good figure. Please reboot & see if that makes any difference.
  4. sUBs

    New log

    LOL ... I only wanted to find out if E:\I386 exists. Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

        @echo off
        rem Expand the compressed font files (*.tt_, *.fo_) from the XP setup folder into the Fonts folder
        pushd E:\I386\
        rem dir /b lists the compressed font files (the post as scraped read "vfind -tf" here, which is not a Windows command)
        for /f "tokens=*" %%g in ('dir /b *.tt_ *.fo_') do @expand -r "%%g" "%windir%\fonts\"
        popd
        rem Write a bare listing of the Fonts folder to a log and open it in Notepad
        dir /a/b "%windir%\fonts\" > Fonts_log.txt
        start notepad Fonts_log.txt

    Save this as font.bat. Choose "Save as type: All Files". Double click on font.bat & allow it to run. Post back to tell me what it says. If all goes well, you should now have a few hundred font files in your \Windows\Fonts folder.
  5. sUBs

    New log

    I counted the number of fonts you have. 49 is a bit sparse. On a freshly installed machine, the number is at least 200 (it gets higher as we install lingual programs). I'm going to try to repopulate your fonts cache by extracting them from the Windows CD. Please insert your CD into the CDROM, then tell me the drive letter of your CDROM. Also verify that this folder's location is correct: <drive letter of your CDROM>\I386
  6. sUBs

    New log

    Hmm .. it's not going smoothly. I need to look at the files that you currently have in the C:\Windows\Fonts folder. Please go to Start > Run, copy/paste the following command & click OK:

        cmd /c dir /a/b %windir%\fonts >Log.txt&&Log.txt&&del Log.txt

    It shall produce a log for you to post back here. Question - Do you have access to another Windows XP SP2 machine?
  7. sUBs

    New log

    Here, use this guide > http://www.datarecovery.com.sg/data_recove...tem_restore.htm
  8. sUBs

    New log

    Seeing that we're at a loss as to how to restore that function, we might as well try Windows System Restore. Take note that performing a System Restore will revert the machine back to an earlier time. This may fix the keyboard, but most of the malware will be restored. We shall need to address them again.
  9. sUBs

    New log

    The folder C:\Windows\System is not your fonts cache. Try looking in C:\Windows\Fonts. For Windows XP to display Korean glyphs, you need to have Gulim.ttc in there. The guide I earlier linked you to should have sorted it out for you. Please do it again. Here's a similar guide, but it's specific for Korean fonts: http://www.declan-software.com/korean_ime/...n_ime.htm#xpuse

    Try doing this ...
    * Uninstall it first. Untick "Install files for East Asian Language". Click OK & reboot.
    * After rebooting, re-tick "Install files for East Asian Language". Click OK & reboot. When you do this part, choose a different 'Locale' first. Example - 'English (United States)'. Then click 'Apply'. After that, change it back to 'Korean' & click OK.

    A further reboot may be necessary.
  10. sUBs

    New log

    Sorry to interrupt. Which folder did you look at?
  11. sUBs

    New log

    Please use this guide > http://newton.uor.edu/Departments&Prog...llation_XP.html
  12. sUBs

    New log

    TeaTimer is an excellent tool for the prevention of spyware, but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

    * Open Spybot Search & Destroy.
    * In the Mode menu click "Advanced mode" if not already selected. Choose Yes at the Warning prompt.
    * Expand the Tools menu. Click Resident.
    * Uncheck the "Resident TeaTimer (Protection of overall system settings) active." box.
    * In the File menu click Exit to exit Spybot Search & Destroy.
    * Download http://www.techsupportforum.com/sectools/ResetTeaTimer.zip
    * Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

    ---------------

    Open notepad and copy/paste the text in the quotebox below into it:
    http://forums.pcpitstop.com/index.php?showtopic=149076&st=40&gopid=1440378entry1440378

        Collect::
        C:\Documents and Settings\USER\pdf.exe
        C:\WINDOWS\system32\boutctav.dll
        C:\WINDOWS\system32\jvhsbpby.dll
        C:\WINDOWS\system32\xcuswrbd.dll
        C:\WINDOWS\system32\tgiwkwsl.exe
        C:\WINDOWS\system32\tuvsqon.dll

        Suspect::
        C:\WINDOWS\palist.dat
        C:\WINDOWS\packeep.dat
        C:\WINDOWS\paopts.dat

        File::
        C:\Documents and Settings\USER\iexplorer.exe
        C:\WINDOWS\system32\w32hlpb.sys
        C:\WINDOWS\system32\ntkernel32.sys
        C:\WINDOWS\system32\juglhklf.dll
        C:\2139.bat
        C:\n.bat
        C:\z.dat
        C:\7269.bat

        Folder::
        C:\Incomplete
        C:\Program Files\Incomplete
        C:\Documents and Settings\USER\Incomplete

        Registry::
        [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4FFA72-8B9E-4F5E-A26B-DA67A24E6D6B}]
        [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
        [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
        "{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
        [-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
        [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
        "{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
        [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\juglhklf]
        [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqon]
        [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
        "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    Save this as "CFScript". Referring to the picture above, drag CFScript.txt into ComboFix.exe. When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Additionally, ComboFix will generate a zipped file on your Desktop, called [4]Submit@Date_Time.zip. Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=4

    ---------------

    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400
    * Answer Yes when prompted to install an ActiveX component. The program will then begin downloading the latest definition files.
    * Once the files have been downloaded, click on NEXT.
    * Locate the Scan Settings button & configure to:
      Scan using the following Anti-Virus database: Extended
      Scan Options: Scan Archives, Scan Mail Bases
    * Click OK & have it scan My Computer.
    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    * Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    * Turn off the real time scanner of any existing antivirus program while performing the online scan.

    ---------------

    In your next post, please include fresh logs from:
    * Fresh HijackThis log taken just before replying
    * Online scan
    * ComboFix's log

    Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
  13. sUBs

    New log

    What about "Spytech Software" ?
  14. sUBs

    New log

        2007-11-04 21:01 <DIR> d-------- C:\Incomplete
        2007-11-02 17:20 <DIR> d-------- C:\Program Files\Incomplete
        2007-10-25 18:46 <DIR> d-------- C:\Downloads
        2007-10-25 22:23 <DIR> d-------- C:\Documents and Settings\USER\Incomplete

    Are these folders created by you? Take a quick peek in them & tell me what's within.

        C:\Program Files\Spytech Software

    Is this a program you installed? What is it for?
  15. sUBs

    New log

    That's good. Please run ComboFix now by double-clicking it. I shall need to review the log that it produces.