
Author Topic: isbro.hk  (Read 4743 times)


shell26

  • Guest
isbro.hk
« on: June 25, 2007, 07:24:52 AM »
I have been having really bad problems with two PCs lately and I posted a thread on the hardware section called "a challenge for you".
I have just been through my emails and I am having some really suspicious ones telling me to view an e-card that a family member has sent.
They were from smsale.hk, isbro.hk and eoclam.hk.
I am convinced this is some sort of malware. Has anyone ever heard of these and how much damage can they do? As I said, I have been having problems with two PCs (problems booting) and I was just wondering if they could be linked.

oddjob
    Re: isbro.hk
    « Reply #1 on: June 25, 2007, 11:26:21 AM »
    I believe these all relate to a surge in fake greeting cards & phishing expeditions by botnets.

    Quite what damage they may do I'm not sure. Best to start with a general clean out of your computer system and a check of the HJT log.

    I suggest you print this out to help you follow my advice.
     
    ***********************
     
    Make sure you have exposed all Hidden Files & Folders.
     
    To enable the viewing of Hidden files follow these steps:
     
       1. Close all programs so that you are at your desktop.
       2. Double-click on the My Computer icon.
       3. Select the Tools menu and click Folder Options.
       4. After the new window appears select the View tab.
       5. Put a checkmark in the checkbox labeled Display the contents of system folders.
       6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
       7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
       8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
       9. Press the Apply button and then the OK button and close My Computer.
     
    ***********************

    Please download and install Superantispyware here ….

    http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

    • Load SUPERAntiSpyware and click the Check for Updates button.
    • Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!
    IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning; it may interfere with the scanning process.
    • Open SUPERAntiSpyware and click the Scan your Computer button.
    • Check Perform Complete Scan and then click Next.
    • SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
    • Make sure that they all have a check next to them, and then click Next.
    • Click Finish and you will be taken back to the main interface.
    • It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
    • I'll need a log afterwards of what has been found.
    • To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
    • Please post the results of the SUPERAntiSpyware log in your next reply.
    ***********************

    Download a self-extracting copy of HijackThis from here …….

    http://downloads.malwareremoval.com/hijackthis_sfx.exe
     
    Save it to your Desktop.

    Double-click on the file hijackthis_sfx.exe file and it will self-extract into its own folder ……

    C:\Program Files\HijackThis

    Go to this folder and run the hijackthis.exe file.

    From the menu click on "Do a system scan and save a logfile".

    *******************

    Rehide your Hidden Files & Folders by carrying out the reverse operation to that described at the start of this post.


    Copy and paste both the Superantispyware scan report and the HJT logfile to this thread. More specific removal instructions will follow for any malware revealed.


    OJ



    shell26

    • Guest
    Re: isbro.hk
    « Reply #2 on: June 26, 2007, 05:32:09 AM »
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/26/2007 at 10:18 AM

    Application Version : 3.8.1002

    Core Rules Database Version : 3260
    Trace Rules Database Version: 1271

    Scan type       : Complete Scan
    Total Scan Time : 11:18:13

    Memory items scanned      : 386
    Memory threats detected   : 0
    Registry items scanned    : 4175
    Registry threats detected : 0
    File items scanned        : 15754
    File threats detected     : 26

    Adware.Tracking Cookie
       C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
       C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
       C:\Documents and Settings\Owner\Cookies\owner@pcstats[1].txt
       C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
       C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
       C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
       C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
       C:\Documents and Settings\Owner\Cookies\owner@uk[1].txt
       C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
       C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
       C:\Documents and Settings\Owner\Cookies\owner@revsci[2].txt
       C:\Documents and Settings\Owner\Cookies\owner@a[1].txt
       C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
       C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
       C:\Documents and Settings\Owner\Cookies\owner@avoncosmetics[1].txt
       C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
       C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
       C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
       C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
       C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[1].txt
       C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
       C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
       C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
       C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt

    Adware.Starware
       C:\Documents and Settings\Owner\Application Data\Starware\Manager
       C:\Documents and Settings\Owner\Application Data\Starware

    shell26

    • Guest
    Re: isbro.hk
    « Reply #3 on: June 26, 2007, 05:36:03 AM »
    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 12:31, on 2007-06-26
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\SiteAdvisor\6066\SAService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Owner\Desktop\programs\HiJackThis_v2.exe

    shell26

    • Guest
    Re: isbro.hk
    « Reply #4 on: June 26, 2007, 05:37:23 AM »
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3CA4FF57-4204-4483-87DA-0CA825A2C31C}: NameServer = 195.92.195.94 195.92.195.95
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

    --
    End of file - 5245 bytes
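    The HijackThis log above is what the helpers read by hand. As an added example (not code from the thread or from HijackThis itself), here is a small Python parser for that log format that pulls out the auto-start images from the O4, O20 and O23 sections and lists any that live outside the usual XP install roots, a first-pass triage check rather than a verdict. The sample log is a constructed excerpt; its [ecard] line is made up to exercise the check and was not in shell26's posted log.

```python
import re

# Constructed excerpt in the HijackThis log format posted above; the [ecard]
# line is made up only to exercise the check and was NOT in the posted log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKCU\..\Run: [ecard] C:\Documents and Settings\Owner\Local Settings\Temp\ecard.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
End of file - 5245 bytes
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 body layout: <hive>\..\<key>: [<name>] <command> [(User '<user>')]
O4_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] "
    r"(?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Image at the start of a command: quoted, or unquoted up to the first .exe/.dll
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll))(?=\s|$)', re.IGNORECASE)
# Where auto-start images normally live on an XP box like the one in the thread
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

def _image_of(command):
    m = IMAGE_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else None

def parse_hjt(text):
    """One dict per R*/O* entry: section code, raw body and, for the
    auto-start sections O4/O20/O23, the image (exe/dll) that gets loaded."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header and "End of file" lines carry no entry
        entry = {"section": m["section"], "body": m["body"], "image": None}
        if entry["section"] == "O4":
            o4 = O4_RE.match(entry["body"])
            if o4:
                entry.update(hive=o4["hive"], name=o4["name"], user=o4["user"])
                entry["image"] = _image_of(o4["command"])
        elif entry["section"] in ("O20", "O23"):
            entry["image"] = _image_of(entry["body"].rsplit(" - ", 1)[-1])  # path is the last " - " field
        entries.append(entry)
    return entries

def review_autostarts(text, expected_roots=EXPECTED_ROOTS):
    """Auto-start entries whose image lives outside the usual install roots:
    a list for a human helper to look at, not a malware verdict."""
    return [
        (e["section"], e.get("name", ""), e["image"])
        for e in parse_hjt(text)
        if e["image"] and not e["image"].lower().startswith(expected_roots)
    ]
```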

    shell26

    • Guest
    Re: isbro.hk
    « Reply #5 on: June 26, 2007, 05:41:44 AM »
    When I ran SUPERAntiSpyware, I had several windows popping up asking to insert a disk into drive D (CD) with the options Try Again, Continue and Cancel. It happened when it was scanning the registry.
    Since deleting the nasties, it has booted up OK, no problems. Thanks so much for your help. Do you think this could've been the problem with the other PC? The only problem with the other one is that you can't boot it at all, not even to safe mode.

    CBMatt

    • Mod & Malware Specialist


    • Prodigy

    • Sad and lonely...and loving every minute of it.
    • Thanked: 167
      • Yes
    • Experience: Experienced
    • OS: Windows 7
    Re: isbro.hk
    « Reply #6 on: June 26, 2007, 06:06:41 AM »
    oddjob is right about this being a phishing site.  As long as you didn't download any attachments, you should be fine, but you might want to search for an ecard.exe file on your computer, just in case.

    Download CCleaner (install without Yahoo! toolbar) and configure it according to this guide.  Use this to clean out your Temp and TIF, as well as invalid registry entries.

    I see that you don't have Java installed.  You'll want to correct this quickly, as it will help provide further protection for you.  To do so, go here and click on Free Java Download.  You will be given instructions on what to do next.

    As for your logs, I don't see anything malicious.  AVG AS got rid of the Starware Toolbar, which is fortunate, but I don't know how much damage just a toolbar could've been doing.  You say things are running fine now, though?

    I'm not too sure what you can do about your other computer if it's not booting up.  That sounds like more of a hardware problem.  I'll take a look at your other thread to see what kind of suggestions have been made.  You could try slaving the hard drive to your working computer and then scanning it with AVG Anti-Virus, AVG Anti-Spyware, and SUPERAntiSpyware.  However, keep in mind that if the drive is infected, there's a possibility of it spreading.
    "An undefined problem has an infinite number of solutions."
    —Robert A. Humphrey

    CBMatt
    Re: isbro.hk
    « Reply #7 on: June 26, 2007, 06:17:54 AM »
    Alright, I just read through your other thread...

    Slaving a hard drive is fairly simple.  First, open up the faulty non-booting computer and disconnect the hard drive.  Pay attention to the cable connected to it.  Open up your working computer and there should be a cage/slot that your drive will fit in.  Remember that cable I mentioned?  There should be a couple just like it in the working computer; use one to connect it to the drive.  Then you'll need to jumper the drive and set it as a slave.  There should be diagrams on the drive that explain how to do this.  Use tweezers to reposition the tiny plastic jumper.

    Here are some helpful references/guides that will likely explain it better...
    http://www.ehow.com/how_6030_install-second-hard.html
    http://www.ehow.com/how_6031_change-master-slave-designation.html
    http://www.pcguide.com/byop/byop_SettingHardDriveJumpers.htm

    If done correctly, when you boot up the computer, it should detect the new hardware and the slaved drive will show up in My Computer.  You will then be able to use the virus/spyware scanners to scan this second drive.

    shell26

    • Guest
    Re: isbro.hk
    « Reply #8 on: June 26, 2007, 07:41:28 AM »
    Thanks! Will do that and let you know the result.   :)

    shell26

    • Guest
    Re: isbro.hk
    « Reply #9 on: June 27, 2007, 02:34:36 AM »
    Added the faulty C drive to my daughter's PC as a slave. There was no slot for a second drive so I had to remove the CD drive and put it in there. Went to the BIOS to ensure it was on autodetect, which it was. Booted up OK but very, very slow. Went into "My Computer" and it had the broken drive there as "D drive" but I was unable to open it; it stopped responding. I tried to scan the broken drive using SUPERAntiSpyware but although I set it to scan the slave, it just scanned the other drive. I then opened Word to try and open up a document from the slave but I had an error message telling me that my slave was in a different format. I then realised that the file system for my daughter's PC was FAT32 and the file system on the slave was NTFS. I then converted the file system on the working C drive to NTFS.
    I am still having the same problem though. I am unable to access the slave. Device Manager tells me that the slave is working but the error messages in Event Viewer keep saying "bad block on drive D".
    Any ideas on how I can get my data off the faulty drive?
    Are there any alterations I can make in the BIOS?

    shell26

    • Guest
    Re: isbro.hk
    « Reply #10 on: June 27, 2007, 02:39:39 AM »
    As this now seems to be a hardware problem and not a spyware problem, is it better to continue my posts on my original thread in the hw section?

    CBMatt
    Re: isbro.hk
    « Reply #11 on: June 27, 2007, 10:01:10 AM »
    Given the current situation...yes, I do believe this would probably be better-suited for your other thread.  My hardware knowledge only extends so far and at this point, I'm not comfortable giving you further advice here when there is the potential to lose your data.  Simply attempting to slave the drive shouldn't have caused any damage, but changing the format might not have been the best thing to do.  I can't say for sure if this might've had any adverse effects.  If you can manage to get the drive to boot, come back here and I'll help you with cleaning it out if necessary.  In the meantime, I'll keep an eye on your other thread.

    shell26

    • Guest
    Re: isbro.hk
    « Reply #12 on: June 27, 2007, 11:10:35 AM »
    I changed the format on the working drive (my daughter's), not the faulty one. Have taken the drive back out now and my daughter's PC is up and running fine. Will continue the hardware problems on the other thread now. Thank you for all your help.

    CBMatt
    Re: isbro.hk
    « Reply #13 on: June 27, 2007, 02:30:08 PM »
    Alright, gotcha.  Well, good luck on getting this all worked out.  I know how frustrating it can be when you're worried about losing data.

    patio

    • Moderator
    Re: isbro.hk
    « Reply #14 on: June 27, 2007, 04:26:39 PM »
    And if it brings about a regular backup routine...all the better.

    See the new posts in that thread.
    " Anyone who goes to a psychiatrist should have his head examined. "