BackWeb lite


  • This topic is locked
19 replies to this topic

#1 kpalys

kpalys

  • Members
  • 33 posts
  • Location: Minnesota

Posted 29 April 2005 - 10:46 AM

Hi,

During my weekly run of Spybot, BackWeb lite entries showed up in red. There were 5 entries, 3 were deleted and the other two won't delete. The message I receive is:

"Some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory).
This could be fixed after a restart.
May Spybot-R&D run on your next startup?"

I clicked yes; restarted the computer. Spybot ran again and the same two entries appeared again. I clicked on no and Spybot said "2 problems could not be fixed. Restart your computer."

Which I did. I have run Spybot several times and get the same response. I have not installed any new software lately, so I'm not sure where this came from.

How do I get rid of this? Should I submit a HJT log?

Thanks, Kathy

#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender: Male
  • Location: North Carolina

Posted 29 April 2005 - 05:13 PM

Hi kpalys and welcome to the BC forums. BackwebLite is used by an increasing number of vendors for support. Whether it is a needed/valid process depends on who you talk to. To analyze what is happening on your computer we will need a HijackThis log. You can post one here by doing the following.

We need a complete HijackThis (HJT) log file to be able to analyze what is happening on your computer. If you do not have a copy of HijackThis or do not have the latest version (1.99.1) then download it from here: HijackThis_sfx.exe. Double-click on the file you just downloaded and click on the UnZip button to install the program. It will be installed to the C:\Program Files\HijackThis\ directory by default.

Start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis and click the Add Reply button.

I will review your log when it comes in.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#3 kpalys

Posted 29 April 2005 - 05:41 PM

Thanks. Here is the HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 5:40:14 PM, on 4/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\SpywareGuard\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\SpywareGuard\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A1DAC8C-074D-440F-8707-7009A672D7D1} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
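
An added example, not part of the original posts: a short Python triage of a HijackThis 1.99.1 log in the format posted above. It checks whether a named component appears among the running processes or the section-coded load points (O2, O4, O23 and so on) and lists entries whose file is missing. `SAMPLE_LOG` is abridged from the posted log; `SAMPLE_WITH_HIT` and its `ExampleAgent` entry are constructed placeholders.

```python
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Sample input: a few lines abridged from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O2 - BHO: (no name) - {1A1DAC8C-074D-440F-8707-7009A672D7D1} - (no file)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Constructed contrast case: the same log plus a hypothetical autostart entry
# (the name and path are placeholders, not a real BackWeb file).
SAMPLE_WITH_HIT = (SAMPLE_LOG +
                   r"O4 - HKLM\..\Run: [ExampleAgent] C:\Example\backweb-placeholder.exe" + "\n")


def parse_hjt(text):
    """Split a HijackThis log into running processes and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the first coded entry ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def find_component(text, keyword):
    """Report where `keyword` appears: in memory and/or at a load point."""
    processes, entries = parse_hjt(text)
    kw = keyword.lower()
    return {
        "running": [p for p in processes if kw in p.lower()],
        "load_points": [(c, b) for c, b in entries if kw in b.lower()],
    }


def orphaned_entries(text):
    """Entries HijackThis marks '(no file)': a registration whose file is gone."""
    _, entries = parse_hjt(text)
    return [(c, b) for c, b in entries if b.rstrip().endswith("(no file)")]


if __name__ == "__main__":
    print(find_component(SAMPLE_LOG, "backweb"))
    print(find_component(SAMPLE_WITH_HIT, "backweb"))
    print(orphaned_entries(SAMPLE_LOG))
```

An empty result for both `running` and `load_points` means the component is neither in memory nor set to start automatically, which leaves leftover registry data as the remaining explanation for a scanner finding.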

#4 OldTimer

Posted 29 April 2005 - 09:40 PM

Hi kpalys. After reviewing your log I see no signs of viruses or malware at this time. Your log is clean. Do you have the names and locations of the files that Spybot is targeting for removal? They could very well be legitimate files that Spybot does not like.

Post back with whatever additional information that you have.

Cheers.

OT

#5 kpalys

Posted 29 April 2005 - 10:39 PM

Hi OT,

Below is what I cut and pasted from the BackWeb listings:

BackWeb lite: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\BackWeb

BackWeb lite: User settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\BackWeb

Hope this helps.

Thx, kpalys

#6 OldTimer

Posted 30 April 2005 - 10:56 AM

Hi kpalys. Those listings do not tell me which application backweb is associated with because the other entries have already been removed. My guess is it is part of the Dell printer software. Many manufacturers are using backweb for updates today. Just prior to when these entries started appearing did you install any new hardware or software?

You can check to see if backweb is installed by going to Start>Control Panel>Add or Remove Programs and seeing if backweb is listed in the installed applications. If so, you can either leave it installed or remove it from there.

Cheers.

OT

#7 kpalys

Posted 30 April 2005 - 11:19 AM

OT,

Thanks for the reply.

I checked the Add/Remove programs and BackWeb is not listed.

My concern is that it is telling me it is in memory each time I reboot.
- I have not installed any new software
- I don't think it would be the Dell printer, since that has been installed for over a year (without ever getting this message before).

I went back to the first log that shows other BackWeb entries (some of which were fixed by Spybot). Here they are:

BackWeb lite: Netscape viewer (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Viewers\application/x-iad

BackWeb lite: Netscape viewer (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Netscape\Netscape Navigator\Viewers\application/x-iad

BackWeb lite: Netscape viewer (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Viewers\application/x-bwpreview

BackWeb lite: Netscape viewer (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Netscape\Netscape Navigator\Viewers\application/x-bwpreview

BackWeb lite: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-18\Software\BackWeb

BackWeb lite: User settings (Registry key, fixing failed)
HKEY_USERS\S-1-5-21-2239523909-242941995-1905409915-1006\Software\BackWeb

BackWeb lite: User settings (Registry key, fixing failed)
HKEY_USERS\.DEFAULT\Software\BackWeb


Does this help any further? Are there any next steps?

Thanks, kpalys

Edited by kpalys, 30 April 2005 - 11:28 AM.
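
Added example (not part of the original posts): Windows exposes the LocalSystem profile's registry hive under two names, HKEY_USERS\S-1-5-18 and HKEY_USERS\.DEFAULT, so several of the findings listed above are the same key reported twice. This Python snippet groups the posted findings by the hive that actually owns them; the function names are illustrative.

```python
import re
from collections import defaultdict

# HKEY_USERS\.DEFAULT is the LocalSystem hive under a second name (S-1-5-18),
# not a template for new user profiles.
ALIASES = {".DEFAULT": "S-1-5-18"}
SERVICE_SIDS = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService",
                "S-1-5-20": "NetworkService"}
FINDING_RE = re.compile(r"^[^:]+: .+ \([^,]+, (?P<status>[^)]+)\)$")
PREFIX = "HKEY_USERS\\"

# The seven findings as posted in the thread above.
FINDINGS = r"""BackWeb lite: Netscape viewer (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Viewers\application/x-iad
BackWeb lite: Netscape viewer (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Netscape\Netscape Navigator\Viewers\application/x-iad
BackWeb lite: Netscape viewer (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Viewers\application/x-bwpreview
BackWeb lite: Netscape viewer (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Netscape\Netscape Navigator\Viewers\application/x-bwpreview
BackWeb lite: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-18\Software\BackWeb
BackWeb lite: User settings (Registry key, fixing failed)
HKEY_USERS\S-1-5-21-2239523909-242941995-1905409915-1006\Software\BackWeb
BackWeb lite: User settings (Registry key, fixing failed)
HKEY_USERS\.DEFAULT\Software\BackWeb
"""

def classify_hive(root):
    """Map the first key under HKEY_USERS to (canonical SID, owner label)."""
    sid = ALIASES.get(root.upper(), root.upper())
    if sid in SERVICE_SIDS:
        return sid, SERVICE_SIDS[sid]
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)
    if m:
        return sid, "user account (RID %s)" % m.group(1)
    return sid, "unrecognised"

def parse_findings(text):
    """Pair each Spybot result line with the registry path on the next line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    out = []
    for head, path in zip(lines, lines[1:]):
        m = FINDING_RE.match(head)
        if not m or not path.upper().startswith(PREFIX):
            continue
        root, _, subkey = path[len(PREFIX):].partition("\\")
        sid, owner = classify_hive(root)
        out.append({"seen_as": root, "sid": sid, "owner": owner,
                    "subkey": subkey, "status": m.group("status")})
    return out

def distinct_locations(findings):
    """Group findings by real hive owner and subkey, merging alias duplicates."""
    grouped = defaultdict(list)
    for f in findings:
        key = (f["owner"], f["subkey"].lower())  # registry paths ignore case
        grouped[key].append((f["seen_as"], f["status"]))
    return dict(grouped)
```

On the posted list this reduces seven findings to four distinct locations: three in the LocalSystem hive and one in a single user profile (RID 1006).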


#8 OldTimer

Posted 30 April 2005 - 12:42 PM

Ahh, that makes more sense. In this instance the backweb application is part of a plugin for your Netscape browser. Backweb is used for various preview plugins, music downloads, etc. To remove it you will have to remove the plugins from your Netscape browser. It boils down to whether or not you want the functionality of the plugin.

Cheers.

OT

#9 kpalys

Posted 30 April 2005 - 12:56 PM

OT,

Not to sound too ignorant, I wasn't aware that I am using Netscape browser. Is this different than IE? Otherwise, where would it have come from, do I need it, or how do I get rid of it? I don't download music, but not sure how you tell about the preview plugin.

Thx, kpalys

#10 OldTimer

Posted 30 April 2005 - 01:45 PM

Do you have any type of graphic file viewers installed like Kodak's EasyShare program? You don't have to have Netscape installed to have the viewers added when you install various software packages. They simply install everything so that if you have it now or install it later the components are already present.

A typical example. In my registry I have 185 references to backweb. I have never had backweb installed on my machine but various software packages add those entries into the registry so that if I ever would, that software would utilize it.

Cheers.

OT

#11 kpalys

Posted 30 April 2005 - 01:56 PM

OT,

I don't believe I have Kodak EasyShare but probably have other graphic file viewers installed.

Not to beat a dead horse, why does the BackWeb show up now when I run Spybot and has never shown up before? Is it new to Spybot? Why is it in memory and how do I get it out?

Thanks for your patience.

kpalys

#12 OldTimer

Posted 30 April 2005 - 08:47 PM

Hi kpalys. I don't believe that it is in memory. It is not showing up there in the running processes. To verify that, press the Ctrl, Alt and Del keys at the same time and in the Task Manager click on the Processes tab. Look through the list of processes and see if there is a process named Backweb. If there is one, click on it to select it and then click on the End Process button. You could also look in the Applications tab and use the End Task button but I doubt that it will be there either. It would have shown up in the HijackThis log.

Cheers.

OT

#13 kpalys

Posted 30 April 2005 - 11:45 PM

OT,

Well, of course you are right. They don't show up in the task manager or the application. I will assume from this that I don't need to be concerned that it is showing up when I run Spybot. So, I guess we can consider this closed.

Thanks for your help.

kpalys

#14 OldTimer

Posted 01 May 2005 - 12:09 AM

Hi kpalys. One other question. When you run Spybot do you disable TeaTimer (the resident protection)?

Try this:
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure Advanced Mode is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck Resident TeaTimer and OK any prompts
  • Restart your computer.
After your computer restarts run Spybot and do the scan. Let it fix what it will. After you are done you can re-enable TeaTimer.

Cheers.

OT

#15 kpalys

Posted 01 May 2005 - 12:47 AM

OT,

Followed your instructions for disabling TeaTimer, rebooting and re-running Spybot. Unfortunately, all results were exactly the same.

Regards, kpalys



