Welcome to Tech Support Forum, home to more than 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming. Getting your problem solved is as easy as: 1. Registering for a free account, 2. Asking your question, 3. Receiving an answer.
#1

Registered User
Join Date: Jun 2008
Location: Perth, Western Australia
Posts: 1
OS: XP PRO SP2
Hi Guys

I have been having an issue with two machines. Both machines have Myway.Mywebsearch on them and I can't get rid of it. The only way I found out that these machines were infected was because these machines are unable to access the internet at all. Pages cannot be found. The other thing I noticed is that when trying to change the proxy settings the IE properties page stops responding. Can't even get into the LAN Settings. I used spydoctor to try and clean it. I also used Spybot S&D to clean up, but the machine keeps getting infected. The reason I say this is that as soon as I log in I start Task Manager, and in Task Manager there are processes running with names like EZ2429.exe and they always seem to come back.

I have gone through the 5 step process on one machine.

Step 1 - Could not locate any installed applications that are not meant to be there. There are no illegal apps installed.

Step 2 - Unable to run an online Panda ActiveScan because there is no internet access at the moment on both machines.

Step 3 - Have installed both SpywareBlaster and IE-Spyad. Not sure if I am meant to do some sort of scan or something. I have read the help files and did as specified.

Step 4 - Cannot run updates as I am unable to browse the web. I have made sure that auto updates are enabled and I can see it downloading stuff. When it gets to about 45% the icon in the system tray disappears until I restart the PC and it starts the download process again.

Step 5 - DSS results:

```
Deckard's System Scanner v20071014.68
Run by fwdreception on 2008-06-17 15:13:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as fwdreception.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:14, on 2008-06-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\EZ2429.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe
C:\Program Files\Nortel\Shared Files\NTSPInit.exe
C:\Documents and Settings\fwdreception\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\fwdreception.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.2:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.3;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Completion Notice.lnk = C:\Program Files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe
O4 - Global Startup: TSP Launcher.lnk = C:\Program Files\Nortel\Shared Files\NTSPInit.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxdm824YYAU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fleetwood.com.au
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1208147200625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1213607010515
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Fleetwood.Portables
O17 - HKLM\Software\..\Telephony: DomainName = Fleetwood.Portables
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Fleetwood.Portables
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Fleetwood.Portables
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Panasonic Trap Monitor Service - Panasonic - C:\Program Files\Panasonic\TrapMonitor\Trapmnnt.exe
O23 - Service: PBXService - Unknown owner - C:\Inetpub\wwwroot\ConsoleNET\PBXServer.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 6268 bytes


-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-17 11:27:32 0 d-------- C:\Program Files\SpywareBlaster
2008-06-17 09:32:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-16 16:57:48 0 d-------- C:\VundoFix Backups
2008-06-16 16:38:09 68096 --a------ C:\WINDOWS\zip.exe
2008-06-16 16:38:09 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-16 16:38:09 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-16 16:38:09 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-16 16:38:09 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-16 16:38:09 98816 --a------ C:\WINDOWS\sed.exe
2008-06-16 16:38:09 80412 --a------ C:\WINDOWS\grep.exe
2008-06-16 16:38:09 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-16 15:17:56 0 d-------- C:\WINDOWS\ERUNT
2008-06-16 13:29:36 0 d-------- C:\WINDOWS\pss
2008-06-16 12:14:54 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-13 12:13:26 0 d-------- C:\Documents and Settings\portadmin\Application Data\Identities
2008-06-13 12:13:10 0 d--h----- C:\Documents and Settings\portadmin\Templates
2008-06-13 12:13:10 0 dr------- C:\Documents and Settings\portadmin\Start Menu
2008-06-13 12:13:10 0 dr-h----- C:\Documents and Settings\portadmin\SendTo
2008-06-13 12:13:10 0 dr-h----- C:\Documents and Settings\portadmin\Recent
2008-06-13 12:13:10 0 d--h----- C:\Documents and Settings\portadmin\PrintHood
2008-06-13 12:13:10 5505024 --ah----- C:\Documents and Settings\portadmin\NTUSER.DAT
2008-06-13 12:13:10 0 d--h----- C:\Documents and Settings\portadmin\NetHood
2008-06-13 12:13:10 0 dr------- C:\Documents and Settings\portadmin\My Documents
2008-06-13 12:13:10 0 d--h----- C:\Documents and Settings\portadmin\Local Settings
2008-06-13 12:13:10 0 dr------- C:\Documents and Settings\portadmin\Favorites
2008-06-13 12:13:10 0 d-------- C:\Documents and Settings\portadmin\Desktop
2008-06-13 12:13:10 0 d---s---- C:\Documents and Settings\portadmin\Cookies
2008-06-13 12:13:10 0 dr-h----- C:\Documents and Settings\portadmin\Application Data
2008-06-13 12:13:10 0 d---s---- C:\Documents and Settings\portadmin\Application Data\Microsoft
2008-05-23 15:37:46 0 d-------- C:\WINDOWS\system32\xnA
2008-05-23 15:37:46 0 d-------- C:\WINDOWS\system32\3056v


-- Find3M Report ---------------------------------------------------------------

2008-06-17 11:31:26 0 d-------- C:\Program Files\Trend Micro
2008-05-29 14:13:50 0 d-------- C:\Documents and Settings\fwdreception\Application Data\AdobeUM
2008-05-08 12:37:57 0 d-------- C:\Program Files\Nortel
2008-05-08 12:32:26 0 d-------- C:\Program Files\Nortel Networks
2008-05-06 13:45:30 0 d-------- C:\Program Files\Java
2008-05-06 13:27:20 0 d-------- C:\Program Files\Personal Call Manager
2008-05-06 13:17:28 0 d--h----- C:\Program Files\Zero G Registry
2008-05-06 12:08:27 0 d-------- C:\Program Files\Windows Live Toolbar
2008-04-17 12:11:03 2670496 --a------ C:\LanCteClient.exe <LANCTE~1.EXE> <Not Verified; InstallShield Software Corporation; InstallShield (R)>
2008-04-09 08:23:52 67 --a------ C:\userinfo.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 22:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-03-15 17:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 21:18]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
Completion Notice.lnk - C:\Program Files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe [2005-12-13 16:45:34]
TSP Launcher.lnk - C:\Program Files\Nortel\Shared Files\NTSPInit.exe [2008-05-08 12:37:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2002-02-15 10:51 24638 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4277007009-1846665919-920732699-1263\Scripts\Logon\0\0]
"Script"=\\Fleetwood.Portables\SysVol\Fleetwood.Portables\Policies\{9CF60388-5D29-4400-861E-2983576B5466}\User\Scripts\Logon\FWDDrives.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4277007009-1846665919-920732699-1313\Scripts\Logon\0\0]
"Script"=FWDDrives.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4277007009-1846665919-920732699-1318\Scripts\Logon\0\0]
"Script"=FWDDrives.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4277007009-1846665919-920732699-1369\Scripts\Logon\0\0]
"Script"=FWDDrives.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4277007009-1846665919-920732699-1385\Scripts\Logon\0\0]
"Script"=FWDDrives.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4277007009-1846665919-920732699-1508\Scripts\Logon\0\0]
"Script"=FWDDrives.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4277007009-1846665919-920732699-1554\Scripts\Logon\0\0]
"Script"=FWDDrives.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4277007009-1846665919-920732699-1566\Scripts\Logon\0\0]
"Script"=FWDDrives.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d8c6498-e58d-11dc-a2f2-001143c9bf74}]
AutoRun\command- E:\LaunchU3.exe -a

-- End of Deckard's System Scanner: finished at 2008-06-17 15:15:16 ------------
```

Last edited by Masda74 : 06-17-2008 at 01:35 AM.
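Added example, not code from the forum post or from the HijackThis/DSS tools: a small Python triage pass over HijackThis-format lines that flags the four things the post's symptoms and log point at (an executable running from C:\WINDOWS\TEMP, the R1 proxy setting on a machine that lost web access, the O6 policy that locks the IE Control Panel, and the O8 mywebsearch context menu). The sample lines are copied from the log above; the adware domain list, the temp-directory list and the severity labels are assumptions of the example.

```python
import re

# Constructed sample: a subset of the HijackThis entries from the log posted above.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\TEMP\\EZ2429.EXE
C:\\WINDOWS\\Explorer.EXE
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 192.168.2.2:8080
O4 - HKLM\\..\\Run: [ATIPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxdm824YYAU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\\PROGRA~1\\MICROS~2\\OFFICE11\\EXCEL.EXE/3000
"""

# Assumptions of this example: the toolbar family named in the post, and the
# temp directories a normal XP session does not launch executables from.
ADWARE_DOMAINS = ("mywebsearch.com",)
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\")
ENTRY_RE = re.compile(r"^(R\d|O\d+) - ")


def triage(log_text):
    """Return a list of (severity, reason, line) for entries worth a look.

    Covers: executables running from a temp directory, R1 proxy settings,
    O6 policies that lock the IE Control Panel (which would explain why the
    LAN settings dialog could not be changed), and O8 adware context menus.
    """
    findings = []
    for line in log_text.splitlines():
        s = line.strip()
        low = s.lower()
        m = ENTRY_RE.match(s)
        if m is None:
            # Not an R/O entry, so treat it as a line of the process list.
            if low.endswith(".exe") and any(t in low for t in TEMP_DIRS):
                findings.append(("high", "process running from temp dir", s))
            continue
        kind = m.group(1)
        if kind == "R1" and "proxyserver" in low:
            findings.append(("review", "proxy server set", s))
        elif kind == "O6":
            findings.append(("high", "IE Control Panel policy restriction", s))
        elif kind == "O8" and any(d in low for d in ADWARE_DOMAINS):
            findings.append(("high", "adware context menu entry", s))
    return findings
```

Run `triage(open("hijackthis.log").read())` on a real log to get the same findings list for a machine being looked at.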