Problem with Web.exe - HijackThis log within [RESOLVED]



#1
Requiem
(Member, 20 posts)
I recently reformatted my C: Drive and already I find I've been having problems with malware...more specifically, a little nuisance known as Web.exe. Whenever I connect to the internet, several popups appear (from a server called babysandra.net), one such pop up labelled SITEBAR, which informs me of an Internet Explorer Add-In. Not being totally dense, I choose to ignore these pop-ups and search for a way to get rid of them for good.

Neither Ad-aware nor Spybot returns any results for this, so I decided to take a more manual approach, and eventually I found the Web.exe file. This executable contains the same wrench icon that accompanies the SITEBAR pop-up, so I can only assume that this is the source of my woes. I promptly deleted it and rebooted to see if it had worked.

No dice.

So, running a search on both my C: and E: drives, I discover that the Web.exe file is still there on my C: drive. And the question I am obviously about to pose: how do I get rid of it?

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:17:07 PM, on 09/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\mswin32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\tellcom.exe
C:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ Microsoft Windows Security Center] mswin32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Repair Registry Pro] E:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Microsoft Telecom Center] tellcom.exe
O4 - HKLM\..\RunServices: [ Microsoft Windows Security Center] mswin32.exe
O4 - HKLM\..\RunServices: [Microsoft Telecom Center] tellcom.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Telecom Center] tellcom.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = E:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C90AED3-6C53-4A40-A0B1-7BA3790AE150}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

Thanks for your time and input. :tazz:

-Requiem

Edited by Requiem, 09 August 2005 - 12:15 PM.

#2
tampabelle
(Retired Staff, 6,363 posts)
Hi Chris,



Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see some of those entries, files or programs, please make a note of it. Continue with the fix, and in your next post please tell me about all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.


2. Remove Infections

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

Run CleanUp and delete all temp files including temporary internet files

Run Ewido full scan. Let it fix any items it finds.

3. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

O4 - HKLM\..\Run: [ Microsoft Windows Security Center] mswin32.exe
O4 - HKLM\..\Run: [Microsoft Telecom Center] tellcom.exe
O4 - HKLM\..\RunServices: [ Microsoft Windows Security Center] mswin32.exe
O4 - HKLM\..\RunServices: [Microsoft Telecom Center] tellcom.exe
O4 - HKCU\..\Run: [Microsoft Telecom Center] tellcom.exe

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

4. Delete Rogue files

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

Files
C:\WINDOWS\System32\mswin32.exe
C:\WINDOWS\System32\tellcom.exe


Clear out the files in the Prefetch folder. Go to Start > Run, type Prefetch into the box and press Enter; this opens the Prefetch folder. Delete all the files in that folder. Don't delete the folder itself, only the files in it!


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report.
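The five O4 lines singled out above share patterns an analyst learns to spot in a HijackThis log: a value name padded with a leading space, a Microsoft-sounding name whose command is a bare filename rather than a full path (so it is resolved through the loader's search path), and use of the RunServices key, which only Windows 9x/ME honours. The script below is an added example, not part of the original thread and not HijackThis's own code. It parses the O4, O17 and O23 line formats from a constructed sample copied from this thread (with the "(file missing)" O23 service line that shows up in the thread's final log) and applies those heuristics. The function names, the small allowlist of binaries that are fine to launch by bare name, and the reason strings are all assumptions of the example.

```python
import re

# Constructed sample: O4/O17/O23 lines copied from the first HijackThis log in this
# thread, plus the "(file missing)" O23 service line from the thread's last log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ Microsoft Windows Security Center] mswin32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Microsoft Telecom Center] tellcom.exe
O4 - HKLM\..\RunServices: [ Microsoft Windows Security Center] mswin32.exe
O4 - HKLM\..\RunServices: [Microsoft Telecom Center] tellcom.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Telecom Center] tellcom.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C90AED3-6C53-4A40-A0B1-7BA3790AE150}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Mouse Click Monitor (mousecm) - Unknown owner - C:\WINDOWS\System32\mousecm.exe (file missing)
"""

# HijackThis 1.99.x line shapes (O4 registry autoruns, O17 DNS servers, O23 services).
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumed allowlist: system binaries that legitimate O4 entries launch by bare name.
PATH_RESOLVED_OK = {"rundll32", "rundll32.exe"}
BRANDING = re.compile(r"microsoft|windows", re.IGNORECASE)


def _executable(cmd):
    """First token of the command line (quotes stripped), lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        token = cmd[1:end] if end > 0 else cmd[1:]
    else:
        parts = cmd.split()
        token = parts[0] if parts else ""
    return token.lower()


def audit_o4(line):
    """Heuristic reasons an O4 autorun line deserves a second look ([] if none)."""
    m = O4_RE.match(line)
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    exe = _executable(cmd)
    # No directory separator: the loader resolves it via the search path instead.
    bare = "\\" not in exe and exe not in PATH_RESOLVED_OK
    reasons = []
    if name != name.lstrip():
        reasons.append("value name padded with leading whitespace")
    if bare:
        reasons.append("bare filename %r, no explicit directory" % exe)
    if bare and BRANDING.search(name):
        reasons.append("Microsoft-style value name but not a full path to a Microsoft binary")
    if m.group("key").lower() == "runservices":
        reasons.append("RunServices key is a Windows 9x/ME mechanism, not used by XP software")
    return reasons


def audit_log(log_text):
    """Map each suspicious O4/O23 line of a HijackThis log to its list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        reasons = audit_o4(line)
        m = O23_RE.match(line)
        if m and m.group("path").endswith("(file missing)"):
            reasons.append("service is registered but its binary is gone (orphaned entry)")
        if reasons:
            findings[line] = reasons
    return findings


def nameservers(log_text):
    """DNS servers from O17 lines, listed (not judged) so you can compare with your ISP's."""
    servers = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.rstrip())
        if m:
            servers.extend(m.group("servers").split())
    return servers


if __name__ == "__main__":
    for line, reasons in audit_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    -", r)
    print("O17 name servers to verify against your ISP:", nameservers(SAMPLE_LOG))
```

Run against the sample, it flags exactly the five O4 lines tampabelle lists, leaves the ATI, C-Media and Messenger entries alone, and reports the orphaned mousecm service. Two caveats: the bare-filename rule is a heuristic and will also fire on the odd legitimate entry, so it ranks lines for a human rather than deciding for them; and the O17 servers are only listed, because whether 142.163.255.4 and 209.128.1.4 are the right resolvers is something only the machine's owner (or their ISP) can say.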

#3
Requiem
(Topic Starter)
Well, uh...thank you for your reply.
I did exactly as you told me to, and I don't have the problem anymore, but a few things of interest;

1. After I ran CleanUp! and ewido, my HijackThis log showed no traces of the files you told me to let it fix.

2. mswin32.exe and tellcom.exe were not in my System32 folder.

3. Running ewido in Normal Mode, it found two other infected files and dealt with them.

4. Both ewido and HijackThis freeze when I attempt to save a log now, so as such I can't post them.

5. My WinXP theme has been replaced with Classic Windows, and I can't switch it back.

-Requiem

#4
tampabelle
(Retired Staff)
Are you having trouble with any other programs, or just HJT and Ewido?


To reconfigure the windows theme -

download http://users.pandora...patchy/luna.zip

Unzip it and MOVE the luna.msstyles file from the folder you unzipped to the following folder: C:\WINDOWS\Resources\Themes\Luna
Don't move it anywhere other than that folder!

Once you have moved it there, right-click on your desktop > Properties, and check whether the Windows XP style is present again. Choose Apply and OK.

#5
Requiem
(Topic Starter)
Both HJT and ewido are working okay now. I made the mistake of running both right after startup, and the many other applications loading simultaneously caused them to crash. Problem solved.

Your link to Luna is broken. = )

And I got an error message at startup that read 'Cannot connect to driver 2', but I haven't noticed any tangible problems as of now.

-Requiem

#6
tampabelle
(Retired Staff)
Hi Chris,

I have attached luna.zip. You can download luna.zip from here.

Unzip it and MOVE the luna.msstyles file from the folder you unzipped to the following folder: C:\WINDOWS\Resources\Themes\Luna
Don't move it anywhere other than that folder!

Once you have moved it there, right-click on your desktop > Properties, and check whether the Windows XP style is present again. Choose Apply and OK.



Reboot the PC and post a fresh HJT log

#7
Requiem
(Topic Starter)
Done! That worked beautifully. Many thanks to you.

Logfile of HijackThis v1.99.1
Scan saved at 10:00:33 PM, on 09/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Repair Registry Pro] E:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = E:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe


That error message is still concerning me, though.

-Requiem

#8
tampabelle
(Retired Staff)
The error message could be related to any of the drivers!

Please right-click on My Computer on your desktop and then click on Properties ----> Hardware ----> Device Manager. Please check all the listed items and let me know if any of them displays a warning.

#9
Requiem
(Topic Starter)
None are displaying a warning. O.o
How curious...

-Requiem

#10
tampabelle
(Retired Staff)
Are you still getting the "Cannot connect to driver 2" error message?
#11
Requiem
(Topic Starter)
Indeed I am...

My computer's been known for doing odd little things such as this...

-Requiem

#12
tampabelle
(Retired Staff)
Can you tell me two things -

1) whether any program on your PC is not running

2) any other issues that you noticed

#13
Requiem
(Topic Starter)
As of right now, my printer isn't hooked up (as I had to attach it to a laptop elsewhere in the house), but that's all I can think of.

Also, I've noticed that the System Properties window locks up whenever I click on the 'Device Manager' button, though this didn't start happening until now.

EDIT: Well, a new problem has arisen. When I open a link in MSN Messenger (whether it be a sent file or an actual URL), it freezes (the same problem is prevalent with Windows Messenger). I'm led to assume now that there are several similar problems around the computer...

EDIT #2: Agh! I was forced to do a System Restore because things had gotten really bad (access to the Internet was essentially nullified entirely, yet my computer still told me I was connected; this is fixed), and now the original problem with Web.exe is back, and programs are still locking up...at this point I'm willing to format the whole thing again...

I'm really sorry about all this...

-Requiem

Edited by Requiem, 10 August 2005 - 11:02 PM.


#14
tampabelle
(Retired Staff)
Hi,

post back a fresh HJT log.

When you do a system restore, the old settings (including any infections) resurface.

#15
Requiem
(Topic Starter)
Here you are.

Logfile of HijackThis v1.99.1
Scan saved at 3:18:00 PM, on 11/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Repair Registry Pro] E:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = E:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C90AED3-6C53-4A40-A0B1-7BA3790AE150}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Mouse Click Monitor (mousecm) - Unknown owner - C:\WINDOWS\System32\mousecm.exe (file missing)


Thanks for bearing with me, here...