Author Topic: Modems, Drivers and Internet Security  (Read 19271 times)

Broni


    Mastermind
  • Kraków my love :)
  • Thanked: 614
    • Computer Help Forum
  • Computer: Specs
  • Experience: Experienced
  • OS: Windows 8
Re: Modems, Drivers and Internet Security
« Reply #15 on: July 19, 2008, 12:57:00 PM »
I see nothing dangerous in your log.
The Spybot report looks like a false positive, since it points to the svchost.exe file located in C:\WINDOWS\System32, which is a legitimate location.

Just in case, download and run CWShredder: http://www.intermute.com/products/cwshredder.html

Quote
"svchost.exe", I looked in Windows Task Manager and found that there were 5 instances of it running.
It's normal.

Quote
It showed that both CRSS.EXE and LSASS.exe
LSASS.exe is a legitimate Windows file if it is located in C:\WINDOWS\System32.
CRSS.EXE is not.
Are they BOTH listed in Task Manager?

Tatterdemalion

    Topic Starter


    Intermediate

    Re: Modems, Drivers and Internet Security
    « Reply #16 on: July 19, 2008, 01:16:47 PM »
    Both processes I mentioned are listed in Task Manager. I typed LSASS.EXE correctly, but the other Image Name should have said "CSRSS.EXE".

    Should I delete the "svchost.exe" file that is associated with CoolWWWSearch.OleHelp now and reboot?

    It looks like I am going to have to uninstall and reinstall my Conexant Access Runner DSL modem again.

    Could someone have left a file on my system that is periodically scrambling that, or are they hacking in and doing it live?

    Broni


    Re: Modems, Drivers and Internet Security
    « Reply #17 on: July 19, 2008, 01:59:12 PM »
    If it's CSRSS.EXE, it's also a legitimate Windows file, as long as it is located in C:\Windows\System32.

    Quote
    Should I delete the "svchost.exe" file that is associated with CoolWWWSearch.OleHelp now and re-boot ?
    No. As I said, it's a legitimate file.

    Did you run CWShredder?
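
The check being applied in the replies above (a core process name is only trustworthy when its image lives in C:\WINDOWS\System32, several svchost.exe instances at once are normal, and a near-miss name such as CRSS.EXE is not a Windows binary) can be scripted rather than eyeballed in Task Manager. The script below is an added example, not code from the post or from the forum. It takes a name/path listing of the kind `wmic process get Name,ExecutablePath` prints (the listing here is constructed), assumes a default install with the Windows directory at C:\WINDOWS, and the near-name rule (difflib similarity to a core binary name) is an assumed heuristic, not something Spybot or Task Manager reports.

```python
"""Process-location triage for the point made in the thread: svchost.exe,
lsass.exe and csrss.exe are legitimate only when they run from System32 under
the Windows directory, and several svchost.exe instances at once are normal.
Added example, not code from the forum post.  The listing below is constructed
to mimic `wmic process get Name,ExecutablePath` output (name, then full path).
"""
import difflib
import ntpath
from typing import List, Tuple

# Assumption: a default install, so the Windows directory is C:\WINDOWS.
SYSTEM32 = r"c:\windows\system32"

# Core Windows processes that must load from System32 (lower-cased names).
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                 "winlogon.exe", "smss.exe"}

# Constructed sample listing; the last two rows are the suspicious ones.
SAMPLE_LISTING = r"""Name          ExecutablePath
svchost.exe   C:\WINDOWS\System32\svchost.exe
svchost.exe   C:\WINDOWS\System32\svchost.exe
svchost.exe   C:\WINDOWS\System32\svchost.exe
svchost.exe   C:\WINDOWS\System32\svchost.exe
lsass.exe     C:\WINDOWS\System32\lsass.exe
csrss.exe     C:\WINDOWS\System32\csrss.exe
explorer.exe  C:\WINDOWS\explorer.exe
crss.exe      C:\Documents and Settings\Username\Local Settings\Temp\crss.exe
svchost.exe   C:\WINDOWS\svchost.exe
"""


def classify(name: str, path: str) -> str:
    """Verdict for one process row.

    'ok'               core binary in System32, or a process that is not core
    'wrong-location'   core binary name loaded from some other directory
    'lookalike:<real>' name one or two edits away from a core binary (crss.exe)
    """
    n = name.lower()
    directory = ntpath.normpath(ntpath.dirname(path)).lower() if path else ""
    if n in CORE_BINARIES:
        return "ok" if directory == SYSTEM32 else "wrong-location"
    # Assumed heuristic: a non-core name that closely resembles a core one.
    close = difflib.get_close_matches(n, sorted(CORE_BINARIES), n=1, cutoff=0.8)
    if close:
        return "lookalike:" + close[0]
    return "ok"


def triage(listing: str) -> List[Tuple[str, str, str]]:
    """Return (name, path, verdict) for every row that is not 'ok'."""
    findings = []
    for line in listing.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        name, _, path = line.partition(" ")
        verdict = classify(name, path.strip())
        if verdict != "ok":
            findings.append((name, path.strip(), verdict))
    return findings


def instance_count(listing: str, name: str) -> int:
    """How many rows carry this name; several svchost.exe rows are expected."""
    return sum(1 for line in listing.splitlines()[1:]
               if line.partition(" ")[0].lower() == name.lower())


if __name__ == "__main__":
    print("svchost.exe instances:", instance_count(SAMPLE_LISTING, "svchost.exe"))
    for name, path, verdict in triage(SAMPLE_LISTING):
        print(f"{verdict:22} {name:14} {path}")
```

On a live machine the listing would come from `wmic process get Name,ExecutablePath` (or Process Explorer's path column); the point of the directory comparison is that Task Manager shows only the image name, which is exactly what a masquerading file copies.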

    Tatterdemalion


      Re: Modems, Drivers and Internet Security
      « Reply #18 on: July 19, 2008, 02:44:36 PM »
      Wow! Thanks for your ongoing support and for sharing your knowledge.

      I returned to my poorly PC and let it keep the svchost.exe. I uninstalled the ADSL modem, rebooted (and was delighted that I made it to the Desktop after Spybot had reported so many changes). Next I reinstalled the ADSL modem in order to connect to the 'net.

      I decided to surf back to this page using Firefox instead of IE6. Firefox said it had a new Extension but I couldn't find any details of it.

      I used your link to get to the standalone version of Trend Micro CWShredder and saw that it was listing a lot of symptoms that I have experienced including dramatic slow-downs and inaccessible web pages.

      I clicked "Check for Update" but got the response "Unable to check for updates", and so I'm using this healthier computer to contact you again, querying what my next step should be.

      The CWShredder I have says it is version 2.19

      Broni


      Re: Modems, Drivers and Internet Security
      « Reply #19 on: July 19, 2008, 03:07:02 PM »
        That's the latest version.
        When the scan finished, did it report any findings?
        I assume you clicked on the "Scan only" button?

      Tatterdemalion


        Re: Modems, Drivers and Internet Security
        « Reply #20 on: July 19, 2008, 03:28:50 PM »
        I've just run the Scan and it said CoolWebSearch was not on the system.

        Broni


        Re: Modems, Drivers and Internet Security
        « Reply #21 on: July 19, 2008, 03:34:30 PM »
        OK. Let's clarify... at this very moment, what's the complaint about your computer?

        Tatterdemalion


          Re: Modems, Drivers and Internet Security
          « Reply #22 on: July 20, 2008, 02:06:25 AM »
          At this point I am worried that I may have been hacked and that this may continue to happen.

          I suppose the only way to find out is to get back online and see how long I last before my modem is disabled again.

          I am currently running an AVG scan with the latest definitions.....

          I ran a scan at Shields Up that said my laptop was vulnerable because it was responding to Ping ICMP Echoes.

          Broni


          Re: Modems, Drivers and Internet Security
          « Reply #23 on: July 20, 2008, 09:35:10 AM »
          Keep us posted.

          Tatterdemalion


            Re: Modems, Drivers and Internet Security
            « Reply #24 on: July 21, 2008, 01:49:40 AM »
            Hi, thanks for being there....

            I uninstalled and reinstalled my USB ADSL modem again. This time I found the place in its Setup where you can switch on the Internet Connection Firewall. I did this and visited the Shields Up website to check my visibility - it reported everything as Stealth this time and did not say that my machine was responding to Pings.

            I then added the McAfee SiteAdvisor extension to Firefox and decided to only use that browser, as I believe it is supposed to be more secure than IE6.

            I was able to surf for almost three hours and then AVG reported a Trojan. I told it to "Heal" it. My other choice was to send it to a "Vault".

            Ten minutes after that Trojan alert my web pages stopped supplying any fresh content.

            My ConexantAccessRunnerDSL panel said : "Bytes received 336 Bytes Sent 480" which are extremely low figures.

            I disconnected my modem cable and reconnected it. When my computer recognised it I was able to click on my AccessRunnerDSL and it still had my correct Login details and hardware associated with it so I could get back online immediately.

            When I did so, Firefox wanted to restart. It said it was adding an update, "Firefox is installing your updates" (I thought the McAfee SiteAdvisor, which was the only thing I had requested, was ALREADY working), and it took me to one of its own web pages instead of my usual opening page.

            Exactly two hours after this reconnection, AVG reported a Trojan again. I opted for "Heal".

            This time my ADSL modem was disabled in the same manner as my very first experience of this.

            After the Trojan's arrival my modem said there was "No dialtone", an Error 680. When I clicked on the AccessRunner icon there was a funny sound, as if a TELEPHONE dial-up modem was trying to start to dial a number.

            Initially it would not display my Connect To box. This later appeared on its own but wrongly filled out with "internetaccess" again replacing my Username.

            I went to look at my AVG and found I had a list of items in its Vault including the two Trojans that I had asked it to "Heal".

            Some of the items had blue exclamation marks beside them, others had red ones. They all said that they were infected and could not be healed.

            I ran Malwarebyte's Anti-Malware. It says that the Backdoor.bot is in Quarantine .

            It states -->

            Category : Registry Value

            Items : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft works portfolio (Data: C:\Program Files\Microsoft Works\WksSb.exe/AllUsers)

            There is a button at the bottom of the screen that gives me the option to "Delete".

            Should I do that ?

            Should I be trying to "Delete" all the items listed in AVG as well?

            Broni


            Re: Modems, Drivers and Internet Security
            « Reply #25 on: July 21, 2008, 07:23:56 PM »
            Keep any file Malwarebytes or AVG discovers in quarantine. Don't delete them until you're sure your computer is working OK.
            Can you post names of files found by Malwarebytes, and AVG?

            Tatterdemalion


              Re: Modems, Drivers and Internet Security
              « Reply #26 on: July 22, 2008, 02:11:17 AM »
              I will list my AVG findings in reverse chronological order. I know, from my experience the other evening, that the ***10.AOWW Trojan Horse*** is identified just before my modem is disabled and its settings changed.

              The 10.AOWW file is always shown to be 35k in size and is associated with an executable that has a (random ?) eight character filename made of numbers and both upper and lowercase letters.

              AVG is showing all of THESE items with a white Exclamation Mark on a blue square ---->

              LATEST IDENTIFIED THREATS
              -------------------------------------

              02:25:10 July 21 2008
              ------------------------------
              Trojan horse Generic 10.AOWW
              C:\Documents and Settings\Username\Local Settings\Temp\laPVPS16.exe

              Backup copy
              Infected
              35k

              00:15:33 July 21 2008
              -----------------------------
              Trojan horse Generic 10.AOWW
              C:\Documents and Settings\Username\Local Settings\Temp\6LIwQRi8.exe

              Backup copy
              Infected
              35k

              22:37:11 July 19 2008
              -----------------------------
              Trojan horse Generic 10.AOWW
              C:\Documents and Settings\Username\Local Settings\Temp\OE6uXE4.exe

              Backup copy
              Infected
              35k

              16:12:04 July 16 2008
              -----------------------------
              Trojan horse Generic 10.AOWW
              C:\Documents and Settings\Username\Local Settings\Temp\507Q1HGX.exe

              Backup copy
              Infected
              35k

              14:37:09 July 16 2008
              -----------------------------
              Trojan horse SHeur.BTTO
              C:\Documents and Settings\Username\Local Settings\Temp\g3d1s31b.exe

              Backup copy
              Infected
              21k

              17:15:04 July 15 2008
              -----------------------------
              Trojan horse Generic 10.AOWW
              C:\Documents and Settings\Username\Local Settings\Temp\db5R3i4k.exe

              Backup copy
              Infected
              35k

              That completes my list of everything that has been identified recently and therefore seem to be the most likely links to my modem problems.

              I will, however, also list all the historical problems that AVG has stored going back to the end of 2006

              OLDER THREATS
              --------------------
              11:19:32 December 12 2007
              ------------------------------------
              Trojan horse Downloader.Generic6.XFR
              C:\Documents and Settings\Username\57286.exe

              Backup copy
              Infected
              10k

              11:19:23 December 12 2007
              ------------------------------------
              Trojan horse Downloader.Generic6.XFR
              C:\Documents and Settings\Username\99840.exe

              Backup copy
              Infected
              10k

              22:04:35 April 1 2007
              ----------------------------
              Trojan horse PSW.Generic2.UDB
              C:\WINDOWS\system32\ipv6monl.dll

              Backup copy
              Infected
              53.21k

              That completes all the items that are labelled with the white exclamation mark on the blue square. I have some additional items that have a different symbol beside them. It is a red exclamation mark on a yellow envelope, which I think probably indicates that they are items that I received via e-mail and that have been "moved" and thus could not be "healed" or restored.

              OLDER MOVED OBJECTS
              ------------------------------
              16:38:35 July 28 2007
              -----------------------------
              Trojan horse Downloader.Agent.OES
              bsaver.zip
              Moved object
              Infected
              18.9k

              11:48:29 July 26 2007
              -----------------------------
              Trojan horse Downloader.Agent.NZZ
              funny.zip
              Moved object
              Infected
              18.8k

              22:08:23 February 5 2007
              ----------------------------------
              Virus found Downloader.Tibs
              Greeting Card.exe
              Moved object
              Infected
              49.46k

              20:29:20 February 5 2007
              ----------------------------------
              Virus found Downloader.Tibs
              Postcard.exe
              Moved object
              Infected
              49.46k

              19:18:37 January 27 2007
              ----------------------------------
              Virus found Downloader.Tibs
              Full News.exe
              Moved object
              Infected
              30.66k

              13:03:54 January 27 2007
              ----------------------------------
              Virus found Downloader.Tibs
              Full Clip.exe
              Moved object
              Infected
              28.69k

              03:04:11 January 22 2007
              ----------------------------------
              Virus found Downloader.Tibs
              Greeting Card.exe
              Moved object
              Infected
              28.69

              20:28:49 January 21 2007
              ----------------------------------
              Virus found Downloader.Tibs
              Greeting Card.exe
              Moved object
              Infected
              46.13k

              19:50:49 January 21 2007
              ----------------------------------
              Virus found Downloader.Tibs
              greeting card.exe
              Moved object
              Infected
              46.13k

              12:10:21 December 31 2006
              -------------------------------------
              Virus found Downloader.Tibs
              greeting postcard.exe
              Moved object
              Infected
              17.15k

              01:07:02 December 31 2006
              -------------------------------------
              Virus found Downloader.Tibs
              greeting card.exe
              Moved object
              Infected
              17.15k

              That is my entire log from AVG.

              Separately, in Malwarebytes' Anti-Malware's Quarantine I have ---->

              Date = 14 July 2008
              Vendor = Backdoor.Bot
              Category = Registry Value

              Items = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft works portfolio (Data: C:\Program Files\Microsoft Works\WksSb.exe/AllUsers)

              Thank you for looking at this.
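
The AVG vault listing above has a shape worth extracting mechanically rather than reading entry by entry: one detection name recurring in one directory, each time under a fresh random-looking file name and at the same size. The script below is an added example, not from the post and not AVG's own tooling. It parses four of the entries exactly as posted (timestamps, names and sizes copied from the list above) and clusters them per detection name; the "random-looking name" rule (six to eight alphanumerics mixing letters and digits) is an assumed heuristic.

```python
"""Cluster AVG vault entries so a recurring dropper stands out: same detection
name, same drop directory, randomised file name, same size, days apart.
Added example, not from the forum post.  The sample below is copied verbatim
from the listing posted in the thread (four of the entries); the random-name
rule is an assumed heuristic, not something AVG reports."""
import ntpath
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2} [A-Z][a-z]+ \d{1,2} \d{4}$")
SIZE_RE = re.compile(r"^([\d.]+)k?$")
# Heuristic: 6-8 alphanumerics containing both letters and digits (laPVPS16).
RANDOM_STEM_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{6,8}$")

SAMPLE_VAULT = r"""02:25:10 July 21 2008
------------------------------
Trojan horse Generic 10.AOWW
C:\Documents and Settings\Username\Local Settings\Temp\laPVPS16.exe

Backup copy
Infected
35k

00:15:33 July 21 2008
-----------------------------
Trojan horse Generic 10.AOWW
C:\Documents and Settings\Username\Local Settings\Temp\6LIwQRi8.exe

Backup copy
Infected
35k

14:37:09 July 16 2008
-----------------------------
Trojan horse SHeur.BTTO
C:\Documents and Settings\Username\Local Settings\Temp\g3d1s31b.exe

Backup copy
Infected
21k

11:19:32 December 12 2007
------------------------------------
Trojan horse Downloader.Generic6.XFR
C:\Documents and Settings\Username\57286.exe

Backup copy
Infected
10k
"""


def parse_vault(text: str) -> List[Dict]:
    """Turn the vault listing (one block per item) into records."""
    lines = [ln.strip() for ln in text.splitlines()]
    records, i = [], 0
    while i < len(lines):
        if not TS_RE.match(lines[i]):
            i += 1
            continue
        when = datetime.strptime(lines[i], "%H:%M:%S %B %d %Y")
        body, i = [], i + 1
        # Everything up to the next timestamp, minus blanks and dash rules.
        while i < len(lines) and not TS_RE.match(lines[i]):
            if lines[i] and set(lines[i]) != {"-"}:
                body.append(lines[i])
            i += 1
        threat, path, action, status, size = body[:5]
        records.append({
            "when": when, "threat": threat, "path": path,
            "directory": ntpath.dirname(path), "name": ntpath.basename(path),
            "action": action, "status": status,
            "size_k": float(SIZE_RE.match(size).group(1)),
        })
    return records


def looks_random(filename: str) -> bool:
    return bool(RANDOM_STEM_RE.match(filename.rsplit(".", 1)[0]))


def cluster(records: List[Dict]) -> Dict[str, Dict]:
    """Per detection name: count, drop directories, random-name count, distinct
    sizes, and hours between first and last sighting."""
    by_threat = defaultdict(list)
    for r in records:
        by_threat[r["threat"]].append(r)
    out = {}
    for threat, items in by_threat.items():
        times = sorted(r["when"] for r in items)
        out[threat] = {
            "count": len(items),
            "directories": sorted({r["directory"] for r in items}),
            "random_names": sum(looks_random(r["name"]) for r in items),
            "sizes_k": sorted({r["size_k"] for r in items}),
            "span_hours": (times[-1] - times[0]).total_seconds() / 3600,
        }
    return out


def recurring(records: List[Dict], min_count: int = 2) -> List[str]:
    """Detections seen min_count+ times, always in one directory, always under
    a random-looking name: what a dropper that is still installed looks like."""
    return sorted(t for t, c in cluster(records).items()
                  if c["count"] >= min_count and len(c["directories"]) == 1
                  and c["random_names"] == c["count"])


if __name__ == "__main__":
    recs = parse_vault(SAMPLE_VAULT)
    for threat, c in cluster(recs).items():
        print(threat, c)
    print("recurring:", recurring(recs))
```

Entries caught in the vault are the payload, not the cause: a cluster like the one this produces says something still on the machine keeps writing new copies to the Temp directory, which is why the thread moves on to a second scanner rather than deleting the vault contents.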

              Broni


              Re: Modems, Drivers and Internet Security
              « Reply #27 on: July 22, 2008, 05:40:42 PM »
              Run the F-Secure online scan for Viruses, Spyware and RootKits: http://support.f-secure.com/enu/home/ols.shtml

              This scanner works with Internet Explorer only

                  * Go to the F-Secure Online Virus Scanner
                  * Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
                  * Allow the ActiveX control to be installed on your computer, then click the Accept button
                  * Click Full System Scan and allow the components to download and the scan to complete.
                  * If malware is found, check Submit samples to F-Secure then select Automatic cleaning
                  * When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
                  * Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

              If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan

                  * When the cleaning option is presented, Uncheck Submit samples to F-Secure
                  * Click Automatic cleaning
                  * When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
                  * Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post along with a fresh HijackThis log.

              Note:

                  * This scan will only work with Internet Explorer
                  * You must have administrator rights to run this scan
                  * This scan can take over an hour so please be patient

              Tatterdemalion


                Re: Modems, Drivers and Internet Security
                « Reply #28 on: July 25, 2008, 04:33:17 PM »
                Huge thanks for your continued support.

                Here are the findings from my F-Secure online scan -->

                Scanning Report

                Friday, July 25, 2008 20:01:05 - 23:07:30

                Computer name: COMPUTERNAME
                Scanning type: Scan system for malware, rootkits
                Target: C:\ D:\


                --------------------------------------------------------------------------------

                Result: 2 malware found

                Trojan-Dropper.Win32.Joiner (virus)
                System

                Trojan-Dropper.Win32.Joiner.fa (virus)
                C:\DOCUMENTS AND SETTINGS\USERNAME\DESKTOP\SOFTWARE INSTALLERS\3D MAPS\SETUP.EXE

                --------------------------------------------------------------------------------

                Statistics
                Scanned:
                Files: 74410
                System: 4748
                Not scanned: 9
                Actions:
                Disinfected: 0
                Renamed: 0
                Deleted: 0
                None: 2
                Submitted: 0

                Files not scanned:

                C:\PAGEFILE.SYS
                C:\DOCUMENTS AND SETTINGS\USERNAME\LOCAL SETTINGS\TEMP\~ROMFN_00000864
                C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{152D9D64-4A9B-45EA-9735-4BB30F31747A}.BIN
                C:\WINDOWS\SYSTEM32\0QAMSHR6.EXE
                C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
                C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
                C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
                C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
                C:\WINDOWS\SYSTEM32\CONFIG\SAM

                --------------------------------------------------------------------------------

                Options
                Scanning engines:
                F-Secure USS: 2.30.0
                F-Secure Hydra: 2.8.8110, 2008-07-25
                F-Secure AVP: 7.0.171, 2008-07-25
                F-Secure Pegasus: 1.20.0, 2008-04-15
                F-Secure Blacklight: 1.0.68
                Scanning options:
                Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
                Use Advanced heuristics

                --------------------------------------------------------------------------------

                I am making an addition to this post.

                Whilst I was running the F-Secure Scan my AVG Resident Shield appeared two or three times reporting "Threat Detected !".

                Although that machine is no longer connected to the internet, the message has appeared again and I am being told that I may choose to Ignore, (get) Info, Heal or Move to Vault. The details are --->

                "Threat Detected ! While opening file C:\WINDOWS\System32\0qamSHR6.exe
                Trojan horse Downloader.Generic7.AACU"
                « Last Edit: July 25, 2008, 05:38:40 PM by Tatterdemalion »
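
One thing to do with the F-Secure report above is to read the "Files not scanned" list, not only the two hits. Files a scanner cannot open are normally the ones Windows itself holds locked (the pagefile and the registry hives under System32\config), so an executable in that list, sitting in System32, with a random-looking name, that AVG's Resident Shield then flags on its own, stands out. The script below is an added example, not from the post and not F-Secure's or AVG's own output handling; the report excerpt and the AVG alert path are copied from the post, and the set of "expected locked" files is an assumption about a normal Windows XP system.

```python
"""Review the 'Files not scanned' section of an F-Secure online-scanner report
and rank the entries.  Added example, not from the forum post.  The excerpt
and the AVG alert below are copied from the post; EXPECTED_LOCKED is an
assumption about which files Windows XP keeps open and every on-demand scanner
therefore skips."""
import ntpath
import re
from typing import Dict, List

REPORT_EXCERPT = r"""Files not scanned:

C:\PAGEFILE.SYS
C:\DOCUMENTS AND SETTINGS\USERNAME\LOCAL SETTINGS\TEMP\~ROMFN_00000864
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{152D9D64-4A9B-45EA-9735-4BB30F31747A}.BIN
C:\WINDOWS\SYSTEM32\0QAMSHR6.EXE
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\SAM

--------------------------------------------------------------------------------
"""

# Resident Shield alert quoted in the same post (path -> detection name).
AVG_ALERTS = {r"C:\WINDOWS\System32\0qamSHR6.exe": "Trojan horse Downloader.Generic7.AACU"}

# Assumption: files Windows XP keeps open; matched against lower-cased paths.
EXPECTED_LOCKED = [
    re.compile(r"^c:\\pagefile\.sys$"),
    re.compile(r"^c:\\windows\\system32\\config\\(default|security|software|system|sam)$"),
]
EXECUTABLE = re.compile(r"\.(exe|dll|sys|scr|com)$")
# Assumed heuristic: 6-8 alphanumerics mixing letters and digits (0qamshr6).
RANDOM_STEM = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{6,8}$")
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


def unscanned_files(report: str) -> List[str]:
    """Pull the paths out of the 'Files not scanned:' section."""
    paths, active = [], False
    for line in report.splitlines():
        s = line.strip()
        if s.lower().startswith("files not scanned"):
            active = True
            continue
        if active and s.startswith("----"):
            break
        if active and s:
            paths.append(s)
    return paths


def review(report: str, alerts: Dict[str, str]) -> List[Dict]:
    """One verdict per unscanned file: suspicious, review or expected-locked,
    worst first, with the reasons that led there."""
    alert_by_path = {p.lower(): v for p, v in alerts.items()}
    rows = []
    for p in unscanned_files(report):
        low = p.lower()
        stem = ntpath.basename(low).rsplit(".", 1)[0]
        row = {"path": p, "verdict": "expected-locked", "reasons": []}
        if not any(rx.match(low) for rx in EXPECTED_LOCKED):
            row["verdict"] = "review"
            if EXECUTABLE.search(low):
                row["verdict"] = "suspicious"
                row["reasons"].append("executable the scanner could not open")
                if low.startswith(SYSTEM32_PREFIX):
                    row["reasons"].append("lives in System32")
            if RANDOM_STEM.match(stem):
                row["reasons"].append("random-looking name")
            if low in alert_by_path:
                row["verdict"] = "suspicious"
                row["reasons"].append("also flagged by AVG: " + alert_by_path[low])
        rows.append(row)
    order = {"suspicious": 0, "review": 1, "expected-locked": 2}
    return sorted(rows, key=lambda r: order[r["verdict"]])


if __name__ == "__main__":
    for row in review(REPORT_EXCERPT, AVG_ALERTS):
        print(f"{row['verdict']:16} {row['path']}  {'; '.join(row['reasons'])}")
```

Matching the AVG alert case-insensitively matters here: F-Secure upper-cases every path in its report while AVG prints the on-disk casing, so a naive string comparison would miss that both scanners are talking about the same file.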

                Tatterdemalion


                  Re: Modems, Drivers and Internet Security
                  « Reply #29 on: July 29, 2008, 08:25:43 AM »
                  Please let me know what I should do next.