Ms_webcheckmonitor


8 replies to this topic

#1 Giosmetal

Posted 06 March 2006 - 08:07 PM

Hey guys, I'm new to the community. I wouldn't call myself a computer expert but I'm definitely not a novice; I can usually solve most problems I encounter. However, my most recent problem has left me stumped! Your help would be greatly appreciated :thumbsup:

This "hidden" executable keeps making uninvited appearances in my task bar. It has no name, lasts around a second and returns once every ~15 minutes. After countless attempts, I was finally able to "catch" it and maximize-- thus finding out its name: MS_WebcheckMonitor

I've done a little bit of research but no one really seems to know what this is used for. I'm pretty confident it's a part of IE.. but why the heck is it popping up so much? There's definitely something wrong.

I tried renaming Webcheck.dll in safe mode but that didn't work. I think malicious code is using the webcheck as a disguise..

Anyone got any ideas? I've already had my HJT log analyzed on another site and they said it was clean-- however I'll post it again anyways.


Logfile of HijackThis v1.99.1
Scan saved at 8:01:36 PM, on 3/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Teamspeak\TeamSpeak.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135353007125
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Thanks.

[removed code tags]

Edited by Daisuke, 07 March 2006 - 04:39 PM.




#2 -David-

Posted 07 March 2006 - 02:47 PM

Hi There! :thumbsup:

I am currently working on your log

I will get back to you as soon as possible.

David :flowers:

#3 -David-

Posted 08 March 2006 - 12:33 PM

Hi there Giosmetal and welcome to BleepingComputer.

You are correct that "ms_webcheckmonitor" has something to do with Internet Explorer. MS_WebcheckMonitor is a hidden window, run by explorer's thread and handled by webcheck.dll - It is used for handling our IEOffline favorites.

There is an option which can be used to turn off this offline service and I think that this is the best option to use at the moment. Please open Internet Explorer and click on the Tools tab at the top of the screen. In the drop down box click on Internet Options and from that window that pops up click on the Advanced tab. Then please uncheck the "Enable offline items to be synchronized on a schedule" tickbox - it should be visible near the top. This should turn that service off.

Then please reboot and let me know if this solves the problem. If not we may have to dig a little deeper to find the root of the problem. One good thing to note is that your HijackThis log is clean :thumbsup:

David

#4 Giosmetal

Posted 08 March 2006 - 05:52 PM

Hi David,

Firstly, thanks for your time; it's greatly appreciated :thumbsup:

Unfortunately, the settings change you recommended did not solve my problem.

I'm not sure if this is relevant information but I've noticed webcheck always pops up after my startup programs have loaded. It also pops up regardless if I'm using IE.

Thanks

#5 -David-

Posted 10 March 2006 - 11:33 AM

Hi Giosmetal

Please open Notepad and copy and paste the following into it:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" /s >> look.txt
start notepad look.txt


Save this as look.bat
Choose to save as all files.
This is how the batch must look afterwards: Posted Image
Doubleclick look.bat and please post back the results that will open in notepad.

David

#6 Giosmetal

Posted 10 March 2006 - 01:37 PM

Oh whoa, I just found something out: The hidden window isn't called "Ms_WebcheckMonitor" anymore, it's changed to "Connections Tray".

I'm going to ask google about this.

btw, here are the results of the batch file:

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

Thanks

#7 -David-

Posted 10 March 2006 - 02:57 PM

Hi Giosmetal

I think that this problem is caused by your HP printer, and its processes that are running in the background. These applications can be disabled without affecting your printer or its performance. In your system tray in the bottom right hand corner please look for the two icons that correspond to either:

HP Digital Imaging Monitor
or
HP Component Manager

Please right click on both and either click exit or disable. I would like you to disable these processes for the time being - you may have to look in the options of the programs to find out how to stop them running at start-up. Then please press control + alt + delete to open the Task Manager. Click on the processes tab and search for the following process:

hpcmpmgr.exe

Highlight that entry then click end process.

Then please click on start > run and type: msconfig. In the window that opens click on the far right tab > startup. Please untick:
HP Component Manager and HP Digital Imaging Monitor in there and press ok.

Does the pop-up still appear now? Please reboot and let me know if the window still pops up.
Also, have you tried to unregister the webcheck.dll at all? Have you done anything else which may have affected the pop-up?

David

Edited by D-Trojanator, 10 March 2006 - 03:05 PM.
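
The two HP items named in post #7 both appear in the post #1 log as startup (O4) entries and as running processes. As an added example (not part of the thread; the function names are hypothetical), this Python script cross-references those two sections over an excerpt of that log:

```python
import ntpath
import re

# Excerpt of the HijackThis log from post #1 (trimmed to a few lines).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
"""

# Registry Run-key form: O4 - HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r'^O4 - (?P<loc>HK\S+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# Startup-folder form: O4 - Startup: Name.lnk = target
LNK_RE = re.compile(r'^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?)\.lnk = (?P<cmd>.+)$')
# Executable = quoted path, or everything up to the first ".exe" (paths may hold spaces).
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)\b', re.I)

def parse_log(text):
    """Return (set of running image names, list of (location, name, image))."""
    running, autostarts, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            running.add(ntpath.basename(line).lower())
        else:
            m = RUN_RE.match(line) or LNK_RE.match(line)
            if m:
                exe = EXE_RE.match(m["cmd"])
                path = (exe.group(1) or exe.group(2)) if exe else m["cmd"]
                autostarts.append((m["loc"], m["name"], ntpath.basename(path).lower()))
    return running, autostarts

def resident_autostarts(text):
    """Startup entries whose image is also in the running-process list.
    DLLs launched via RUNDLL32 are reported under the host image name."""
    running, autostarts = parse_log(text)
    return [entry for entry in autostarts if entry[2] in running]

if __name__ == "__main__":
    for loc, name, exe in resident_autostarts(SAMPLE_LOG):
        print(f"{exe:15} {name} ({loc})")
```
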


#8 Giosmetal

Posted 11 March 2006 - 01:26 PM

:thumbsup: Success.

You were right, it was my HP updater. (hpcmpmgr.exe)

Thanks a lot for your help David.

#9 -David-

Posted 11 March 2006 - 08:20 PM

Hi Giosmetal

This is excellent news, and I'm glad that you got it solved. Thanks for posting the solution as people searching for an answer to this problem in the future may find it helpful. I normally post an all clean speech after finishing a HijackThis log but I don't see anything wrong in your log at all - it's clean! Continue to run your McAfee anti-virus on a regular basis and make sure it is kept up to date. I think that's all that needs to be said - glad it got sorted in the end.

David
