Posts posted by sUBs

  1. Don't worry about System Restore points just yet.


    Check it again tomorrow. There should be one created by then. If not, please let me know.


    *HeHe ... I can always lend you one of mine. :)

  2. Is there anything else I should do, or that you want to know?

    Use the machine for the next few hours. Throw in a couple of reboots in between. Then come back & tell us how the machine is coping
  3. There is no folder named Fonts in E:/i386. There are a few files beginning with font* but not a folder.

    LOL ... I only wanted to find out if E:\I386 exists.


    Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:


    @echo off
    rem Expand every compressed font (.tt_ / .fo_) from the CD's I386 folder into %windir%\fonts
    rem vfind lists the matching files; expand -r decompresses each one under its original name
    pushd E:\I386\
    For /f "tokens=*" %%g in (' vfind -tf *.tt_ *.fo_ ') do @expand -r "%%g" %windir%\fonts\
    rem List what is now in the Fonts folder and open the listing in Notepad
    dir /a/b "%windir%\fonts\" > Fonts_log.txt
    Start Notepad Fonts_log.txt

    Save this as font.bat. Choose "Save type as - All Files".

    It should look like this: Posted Image

    Double click on font.bat & allow it to run


    Post back to tell me what it says.


    If all goes well, you should now have a few hundred fonts files in your \Windows\Fonts folder.

  4. I counted the number of fonts you have. 49 is a bit sparse.

    On a freshly installed machine, the number is at least 200 (gets more as we install lingual programs).


    I'm going to try to repopulate your fonts cache by extracting them from the Windows CD.

    Please insert your CD into the CDROM.

    Then tell me the drive letter of your CDROM

    Also verify if this folder's location is correct: <drive letter of your CDROM>\I386

    Hmm .. it's not going smoothly. I need to look at the files that you currently have in the C:\Windows\Fonts folder.


    Please go to Start > Run - copy/paste the following command & click OK


    cmd /c dir /a/b %windir%\fonts >Log.txt&&Log.txt&&del Log.txt


    It shall produce a log for you to post back here.



    Question - Do you have access to another Windows XP SP2 machine?

  6. Seeing that we're at a loss as to how to restore that function, we might as well try Windows System Restore. Take note that performing a System Restore will revert the machine back to an earlier time. This may fix the keyboard, but most of the malware will be restored. We shall need to address them again.

  7. The folder C:\Windows\System is not your fonts cache.

    Try looking in C:\Windows\Fonts.

    For Windows XP to display Korean glyphs, you need to have Gulim.ttc in there.


    The guide I earlier linked you to should have sorted it out for you. Please do it again.

    Here's a similar guide but it's specific for Korean fonts. http://www.declan-software.com/korean_ime/...n_ime.htm#xpuse


    Try doing this ...


    * Uninstall it first.

    Untick "Install files for East Asian Language".

    Click OK & reboot


    * After rebooting, Re-tick "Install files for East Asian Language".

    Click OK & reboot






    When you do this part, choose a different 'Locale' first. Example - 'English (United States)'

    Then click 'Apply'. After that, change it back to 'Korean' & click OK

    A further reboot may be necessary

  8. I was just trying to figure out why I cannot get the Korean fonts to work and I looked at vgaoem.fon. There is only ONE single font in there! I thought I extracted the file with all the fonts in it. This would explain why my default font has changed as well as why I cannot type in Korean.

    Sorry to interrupt. Which folder did you look at?
  9. TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose Yes at the Warning prompt.
    • Expand the Tools menu.
    • Click Resident.
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • In the File menu click Exit to exit Spybot Search & Destroy.
    Download http://www.techsupportforum.com/sectools/ResetTeaTimer.zip

    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.






    Open notepad and copy/paste the text in the quotebox below into it:


    C:\Documents and Settings\USER\pdf.exe
    C:\Documents and Settings\USER\iexplorer.exe
    C:\Program Files\Incomplete
    C:\Documents and Settings\USER\Incomplete
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4FFA72-8B9E-4F5E-A26B-DA67A24E6D6B}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\juglhklf]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqon]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    Save this as "CFScript"





    Referring to the picture above, drag CFScript.txt into ComboFix.exe


    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


    Additionally, ComboFix will generate a zipped file on your Desktop, called [4][email protected]_Time.zip

    Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=4






    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400


    Answer Yes, when prompted to install an ActiveX component.

    • The program will then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT
    • Locate the Scan Settings button & configure to:
      • Scan using the following Anti-Virus database:
        • Extended
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK & have it scan My Computer
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.




    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
    * Turn off the real time scanner of any existing antivirus program while performing the online scan






    In your next post, please include fresh logs from:

    • Fresh Hijackthis log taken just before replying
    • Online scan
    • ComboFix's log
    Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
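    The last line of that CFScript rewrites the LSA "Authentication Packages" value: the hex(7) bytes spell msv1_0, the default NTLM package, which is why resetting it evicts any DLL malware appended there. As an added example, not code from the original post or from ComboFix, here is a small Python decoder for such hex(7) lines that reports any package the value lists beyond the expected one; the sample lines and the bad.dll entry are constructed.

```python
# Added example, not code from the original post or from ComboFix.
# Decodes the "Authentication Packages" REG_MULTI_SZ value from a .reg/CFScript
# hex(7) line and reports any package other than the expected msv1_0.

# Constructed sample line (REGEDIT4-style ANSI encoding, as in the CFScript above).
SAMPLE_CLEAN = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'
# Constructed: the same value with an extra "bad.dll" entry appended, wrapped the
# way .reg exports wrap long values (trailing backslash, continuation line).
SAMPLE_EXTRA = ('"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,\\\n'
                '  62,61,64,2e,64,6c,6c,00,00')
# Constructed: the clean value as a "Windows Registry Editor Version 5.00"
# export would write it (UTF-16LE).
SAMPLE_V5 = ('"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,'
             '30,00,00,00,00,00')

# Only the NTLM package is expected on a stand-alone XP SP2 box (assumption).
EXPECTED_PACKAGES = {"msv1_0"}


def decode_hex7(line: str) -> list:
    """Return the strings stored in a REG_MULTI_SZ value written as hex(7)."""
    _name, sep, payload = line.partition("=")
    if not sep or not payload.startswith("hex(7):"):
        raise ValueError("not a hex(7) value: %r" % line)
    payload = payload[len("hex(7):"):].replace("\\\n", "").replace(" ", "")
    data = bytes(int(b, 16) for b in payload.split(",") if b)
    # REGEDIT4 exports store hex(7) as ANSI bytes; version 5.00 exports use
    # UTF-16LE. Heuristic: ASCII text in UTF-16LE has a zero at every odd offset.
    if len(data) >= 2 and not any(data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("cp1252")
    # The value is a run of NUL-terminated strings closed by an empty string.
    return [s for s in text.split("\x00") if s]


def unexpected_packages(line: str, expected=EXPECTED_PACKAGES) -> list:
    """List the packages in the value that are not in the expected set."""
    return [p for p in decode_hex7(line) if p not in expected]


if __name__ == "__main__":
    for label, line in (("clean", SAMPLE_CLEAN), ("extra", SAMPLE_EXTRA)):
        print(label, decode_hex7(line), "unexpected:", unexpected_packages(line))
```

    The same decoder works on any hex(7) line from a registry export, so it can also be pointed at a Winlogon Notify or other REG_MULTI_SZ value pulled from a live machine.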

  10. 2007-11-04 21:01 <DIR> d-------- C:\Incomplete

    2007-11-02 17:20 <DIR> d-------- C:\Program Files\Incomplete

    2007-10-25 18:46 <DIR> d-------- C:\Downloads

    2007-10-25 22:23 <DIR> d-------- C:\Documents and Settings\USER\Incomplete


    Are these folders created by you? Take a quick peek in them & tell me what's within


    C:\Program Files\Spytech Software


    Is this a program you installed? What is it for?

  11. Do you still have access to your buddy's machine? If so, let's expand the file there & save it to floppy disk so that it may be transferred to the trouble machine. When you next run the recovery console, you'll need to amend your commands to reflect the change in location. The file is now located at A:\VGAOEM.FON



  12. Take the CD to another machine. Open it & find out where the file vgaoem.fo_ resides. Note it down.


    Then try again on the trouble machine.


    Don't worry. Even if that fails, we still have other options.

  13. Not sure if this will work but give this a try.


    When you're attempting to type the '_', press these keys on your keyboard ..


    Press ALT & keep it depressed

    Then type these numbers 095

    Release the ALT key

    Does that give you the '_' ?

  14. Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:


    @echo off
    if exist "%temp%\log.txt" del "%temp%\log.txt"
    rem Restore the font files ComboFix quarantined: drop the .vir suffix, then move them back
    pushd C:\Qoobox\Quarantine\C\WINDOWS\Fonts
    del /a/f/q/s *.exe.vir *.zip.vir 2>nul
    ren *.vir *.
    move /y * C:\WINDOWS\Fonts\ >nul 2>&1
    cd Fonts.vir
    ren *.vir *.
    move /y * C:\WINDOWS\Fonts\ >nul 2>&1
    rem Delete leftover quarantine items and downloads; anything that survives is written to the log
    for %%g in (
    "C:\Documents and Settings\USER\.housecall6.6\Quarantine\afqdjhpo.exe.bac_a02676"
    "C:\Documents and Settings\USER\.housecall6.6\Quarantine\edmjipsq.exe.bac_a02676"
    "C:\Documents and Settings\USER\.housecall6.6\Quarantine\vasya[1].bac_a02676"
    "C:\Documents and Settings\USER\My Documents\Downloads\LW\Evidence Eliminator 5.0 Keygen.zip"
    "C:\Documents and Settings\USER\My Documents\Downloads\LW\Sexy evidence eliminator.zip"
    ) do (
    del /a/f/q %%g >nul 2>&1
    if exist %%g echo.%%~g>>"%temp%\log.txt"
    )
    for %%g in (
    "%systemdrive%\VundoFix Backups"
    ) do (
    rd /s/q %%g >nul 2>&1
    if exist %%g echo.%%~g>>"%temp%\log.txt"
    )
    rem Show the log if anything could not be removed, otherwise report success
    if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
    ) else echo.Deleted Successfully !!
    rem nircmd pauses 7 seconds so the message can be read before the batch deletes itself
    nircmd wait 7000
    del %0

    Save this as fix.bat. Choose "Save type as - All Files".

    It should look like this: Posted Image

    Double click on fix.bat & allow it to run


    Post back to tell me what it says
