
sUBs

Trusted Malware Techs
  • Content Count: 54

Posts posted by sUBs


  1. There is no folder named Fonts in E:/i386. There are a few files beginning with font* but not a folder.

    LOL ...I only wanted to find out if E:\I386 exists.

     

    Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

     

    @echo off
    pushd E:\I386\
    rem Expand every compressed font (*.tt_, *.fo_) found on the CD into the Fonts folder
    For /f "tokens=*" %%g in (' vfind -tf *.tt_ *.fo_ ') do @expand -r "%%g" %windir%\fonts\
    popd
    rem List the Fonts folder afterwards and open the listing
    dir /a/b "%windir%\fonts\" > Fonts_log.txt
    Start Notepad Fonts_log.txt
    

    Save this as font.bat. Choose to "Save type as - All Files".

    It should look like this: [image]

    Double click on font.bat & allow it to run

     

    Post back to tell me what it says.

     

    If all goes well, you should now have a few hundred font files in your \Windows\Fonts folder.


  2. I counted the number of fonts you have. 49 is a bit sparse.

    On a freshly installed machine, the number is at least 200 (it gets more as we install lingual programs).

     

    I'm going to try to repopulate your fonts cache by extracting them from the Windows CD.

    Please insert your CD into the CDROM.

    Then tell me the drive letter of your CDROM.

    Also verify if this folder's location is correct: <drive letter of your CDROM>\I386


  3. Hmm .. it's not going smoothly. I need to look at the files that you currently have in the C:\Windows\Fonts folder.

     

    Please go to Start > Run - copy/paste the following command & click OK

     

    cmd /c dir /a/b %windir%\fonts >Log.txt&&Log.txt&&del Log.txt

     

    It shall produce a log for you to post back here.

     

     

    Question - Do you have access to another Windows XP SP2 machine?


  4. Seeing that we're at a loss as to how to restore that function, we might as well try Windows System Restore. Take note that performing a System Restore will revert the machine back to an earlier time. This may fix the keyboard but most of the malware will be restored. We shall need to address them again.


  5. The folder C:\Windows\System is not your fonts cache.

    Try looking in C:\Windows\Fonts.

    For Windows XP to display Korean glyphs, you need to have Gulim.ttc in there.

     

    The guide I linked you to earlier should have sorted it out for you. Please do it again.

    Here's a similar guide, but it's specific to Korean fonts: http://www.declan-software.com/korean_ime/...n_ime.htm#xpuse

     

    Try doing this ...

     

    * Uninstall it first.

    Untick "Install files for East Asian Language".

    Click OK & reboot

     

    * After rebooting, Re-tick "Install files for East Asian Language".

    Click OK & reboot

     

     

    [image]

     

     

    When you do this part, choose a different 'Locale' first. Example - 'English (United States)'

    Then click 'Apply'. After that, change it back to 'Korean' & click OK

    A further reboot may be necessary.


  6. I was just trying to figure out why I cannot get the Korean fonts to work and I looked at vgaoem.fon. There is only ONE single font in there! I thought I extracted the file with all the fonts in it. This would explain why my default font has changed as well as why I cannot type in Korean.

    Sorry to interrupt. Which folder did you look at?

  7. TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose Yes at the Warning prompt.
    • Expand the Tools menu.
    • Click Resident.
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • In the File menu click Exit to exit Spybot Search & Destroy.
    Download http://www.techsupportforum.com/sectools/ResetTeaTimer.zip

    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

     

     

    ---------------

     

     

    Open notepad and copy/paste the text in the quotebox below into it:

     

    http://forums.pcpitstop.com/index.php?showtopic=149076&st=40&gopid=1440378entry1440378
    Collect::
    C:\Documents and Settings\USER\pdf.exe
    C:\WINDOWS\system32\boutctav.dll
    C:\WINDOWS\system32\jvhsbpby.dll
    C:\WINDOWS\system32\xcuswrbd.dll
    C:\WINDOWS\system32\tgiwkwsl.exe
    C:\WINDOWS\system32\tuvsqon.dll
    Suspect::
    C:\WINDOWS\palist.dat
    C:\WINDOWS\packeep.dat
    C:\WINDOWS\paopts.dat
    File::
    C:\Documents and Settings\USER\iexplorer.exe
    C:\WINDOWS\system32\w32hlpb.sys
    C:\WINDOWS\system32\ntkernel32.sys
    C:\WINDOWS\system32\juglhklf.dll
    C:\2139.bat
    C:\n.bat
    C:\z.dat
    C:\7269.bat
    Folder::
    C:\Incomplete
    C:\Program Files\Incomplete
    C:\Documents and Settings\USER\Incomplete
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4FFA72-8B9E-4F5E-A26B-DA67A24E6D6B}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\juglhklf]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqon]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    

    Save this as "CFScript"

     

     

    [image]

     

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

     

    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

     

    Additionally, ComboFix will generate a zipped file on your Desktop, called [4]Submit@Date_Time.zip

    Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=4

     

     

    ---------------

     

     

    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

     

    Answer Yes, when prompted to install an ActiveX component.

    • The program will then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT
    • Locate the Scan Settings button & configure to:
      • Scan using the following Anti-Virus database:
        • Extended
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK & have it scan My Computer
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

       

      [image]

       

    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
    * Turn off the real time scanner of any existing antivirus program while performing the online scan

     

     

    ---------------

     

     

    In your next post, please include fresh logs from:

    • Fresh HijackThis log taken just before replying
    • Online scan
    • ComboFix's log
    Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
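The CFScript pasted into ComboFix above is a plain-text file of "::" sections, and its Registry:: section uses the same syntax as a Regedit .reg file: "[-key]" deletes a key, a value line ending in "=-" deletes that value, and "hex(7):" carries a REG_MULTI_SZ as a comma-separated byte list (so the last line resets LSA's "Authentication Packages" to just msv1_0, dropping any package the infection had added). The following Python is an added example, not sUBs's or ComboFix's code: it parses that layout and decodes the registry lines into explicit actions so a helper can review what a script will do before handing it to someone. The sample script is constructed here from lines of the post above; what ComboFix does with Collect:: and Suspect:: entries is not modelled, and the byte-list decoding assumes the REGEDIT4 (one byte per character) convention the post uses, falling back to UTF-16LE only when every second byte is zero.

```python
import re
from typing import Dict, List, Optional

# Sample CFScript, constructed for this example from lines of the script in
# the post above: a URL line, then sections whose headers end in "::".
SAMPLE_CFSCRIPT = r"""http://forums.pcpitstop.com/index.php?showtopic=149076&st=40&gopid=1440378entry1440378
File::
C:\WINDOWS\system32\juglhklf.dll
C:\2139.bat
Folder::
C:\Incomplete
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4FFA72-8B9E-4F5E-A26B-DA67A24E6D6B}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\juglhklf]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

SECTION_RE = re.compile(r"^(\w+)::$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its '::' sections. Lines before the first
    header (the thread URL) are kept under 'header'; blank lines are dropped."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def decode_hex7(data: str) -> List[str]:
    """Decode a Regedit hex(7) (REG_MULTI_SZ) byte list into its strings.
    REGEDIT4 scripts, like the one in the post, use one byte per character;
    Regedit5 scripts use UTF-16LE, recognised here by zero high bytes."""
    raw = bytes(int(b, 16) for b in data.split(",") if b)
    utf16 = len(raw) >= 2 and len(raw) % 2 == 0 and all(raw[i] == 0 for i in range(1, len(raw), 2))
    text = raw.decode("utf-16-le") if utf16 else raw.decode("latin-1")
    # REG_MULTI_SZ is NUL-separated and double-NUL terminated; drop the empties.
    return [s for s in text.split("\x00") if s]


def registry_actions(lines: List[str]) -> List[dict]:
    """Translate Registry:: lines (Regedit .reg syntax) into explicit actions."""
    actions: List[dict] = []
    key: Optional[str] = None  # the most recent "[key]" header
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append({"action": "delete_key", "key": line[2:-1]})
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = VALUE_RE.match(line)
            if not m or key is None:
                raise ValueError(f"unrecognised registry line: {line}")
            name, value = m.groups()
            if value == "-":
                actions.append({"action": "delete_value", "key": key, "name": name})
            elif value.startswith("hex(7):"):
                actions.append({"action": "set_multi_sz", "key": key, "name": name,
                                "value": decode_hex7(value[len("hex(7):"):])})
            elif value.startswith("dword:"):
                actions.append({"action": "set_dword", "key": key, "name": name,
                                "value": int(value[len("dword:"):], 16)})
            elif value.startswith('"') and value.endswith('"'):
                actions.append({"action": "set_sz", "key": key, "name": name, "value": value[1:-1]})
            else:
                raise ValueError(f"unsupported value syntax: {line}")
    return actions


def summarize(text: str) -> dict:
    """Review view of a script: files and folders it names plus decoded registry actions."""
    sections = parse_cfscript(text)
    return {
        "files": sections.get("File", []),
        "folders": sections.get("Folder", []),
        "registry": registry_actions(sections.get("Registry", [])),
    }


if __name__ == "__main__":
    for action in summarize(SAMPLE_CFSCRIPT)["registry"]:
        print(action)
```

Running it prints the four registry actions of the sample; the last one shows the LSA multi-string decoding to ["msv1_0"], which is the cleaned value the script writes back.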


  8. 2007-11-04 21:01 <DIR> d-------- C:\Incomplete

    2007-11-02 17:20 <DIR> d-------- C:\Program Files\Incomplete

    2007-10-25 18:46 <DIR> d-------- C:\Downloads

    2007-10-25 22:23 <DIR> d-------- C:\Documents and Settings\USER\Incomplete

     

    Are these folders created by you? Take a quick peek in them & tell me what's within.

     

    C:\Program Files\Spytech Software

     

    Is this a program you installed? What is it for?


  9. Do you still have access to your buddy's machine? If so, let's expand the file there & save it to floppy disk so that it may be transferred to the trouble machine. When you next run the recovery console, you'll need to amend your commands to reflect the change in location. The file is now located at A:\VGAOEM.FON

     

    C:\Windows>COPY A:\VGAOEM.FON C:\WINDOWS\SYSTEM


  10. Not sure if this will work but give this a try.

     

    When you're attempting to type the '_', press these keys on your keyboard ..

     

    Press ALT & keep it depressed

    Then type these numbers 095

    Release the ALT key

    Does that give you the '_' ?


  11. Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

     

    @echo off
    rem Remove any log left over from a previous run
    if exist "%temp%\log.txt" del "%temp%\log.txt"
    rem Restore the fonts ComboFix quarantined: drop the .vir suffix and move them back
    pushd C:\Qoobox\Quarantine\C\WINDOWS\Fonts
    del /a/f/q/s *.exe.vir *.zip.vir 2>nul
    ren *.vir *.
    move /y * C:\WINDOWS\Fonts\ >nul 2>&1
    cd Fonts.vir
    ren *.vir *.
    move /y * C:\WINDOWS\Fonts\ >nul 2>&1
    popd
    rem Delete the quarantine leftovers; anything that survives is written to the log
    for %%g in (
    "C:\Documents and Settings\USER\.housecall6.6\Quarantine\afqdjhpo.exe.bac_a02676"
    "C:\Documents and Settings\USER\.housecall6.6\Quarantine\edmjipsq.exe.bac_a02676"
    "C:\Documents and Settings\USER\.housecall6.6\Quarantine\vasya[1].bac_a02676"
    "C:\Documents and Settings\USER\My Documents\Downloads\LW\Evidence Eliminator 5.0 Keygen.zip"
    "C:\Documents and Settings\USER\My Documents\Downloads\LW\Sexy evidence eliminator.zip"
    ) do (
    del /a/f/q %%g >nul 2>&1
    if exist %%g echo.%%~g>>"%temp%\log.txt"
    )
    rem Remove the backup folders left behind by the earlier tools
    for %%g in (
    "%systemdrive%\VundoFix Backups"
    %systemdrive%\Deckard
    %systemdrive%\Qoobox
    ) do (
    rd /s/q %%g >nul 2>&1
    if exist %%g echo.%%~g>>"%temp%\log.txt"
    )
    rem Show the log only if something could not be removed
    if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
    ) else echo.Deleted Successfully !!
    
    rem Wait 7 seconds (nircmd must be present), then delete this batch file
    nircmd wait 7000
    del %0
    

    Save this as fix.bat. Choose to "Save type as - All Files".

    It should look like this: [image]

    Double click on fix.bat & allow it to run

     

    Post back to tell me what it says.
