
spybot warning

SOLVED
Joe van Raamt
Super Advisor

spybot warning

Spybot detected Back Web Lite as a threat, but could not remove it. Should it be removed? This is the write-up about it:
Description
Comes with Western Digital Data Lifeline as well as with HP & Compaq systems. If you intended to install the normal BackWeb, please add BackWeb to your exclude list. But if you know nothing about installing BackWeb, chances are good that it is the 'lite' version. This one connects to a Cameocast server (Source: http://www.cexx.org/dlgli.htm), and you can read Cameo's privacy statement above.

Privacy Statement
BackWeb: Stay in the loop With BackWeb's reporting capabilities, you'll know who received each delivery, when they received it, and how they interacted with it.
CameoCast: CameoCAST pushes content to your hard drive while you are online.
[...]This information such as the type of browser being used, its operating system, and your IP address, is gathered in order to enhance your online experience.

c'est la guerre
24 REPLIES
Pat
Honored Contributor

Re: spybot warning

Hi, Joe,

It came on my Pavilion. It's listed in add/remove programs as HP Update and can be removed. I've removed it from my system.

I'd had it listed twice with another anti-spyware (SBC/Yahoo) application but was warned the last time about removing it. When I did, I received the following and ended up doing a System Recovery.
http://h10025.www1.hp.com/ewfrf/wc/genericDocument?lc=en&cc=us&docname=c00061410

Once you perform the recovery, you're not bothered with the "Invalid Backweb ... " message again. You're then directed to add/remove programs to remove the application but check HP's site for available updates.

Many organizations are using Backweb including SBC/Yahoo from what I've been told.

Thanks for the warning.

Pat
Joe van Raamt
Super Advisor

Re: spybot warning

Hi Pat,
Is the Backweb program from HP the same as this "Back Web Lite"? It only started showing up in the last few scans with Spybot. On our HP PC it does not come up; this PC was made by a computer company (Microage).
c'est la guerre
Cheryl G.
Acclaimed Contributor
Solution

Re: spybot warning

Backweb is basically the same program in all forms; it is the use of it by whomever that differs. I for one do not like any form of software running unauthorized on my machines, good or bad.
Look in C:\Documents and Settings\All Users\Start Menu\Programs\Startup for any reference to backweb or anything else you don't recognize and delete it.
Also look in the registry for a run key for backweb. Start, Run and type regedit. Expand HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Once you click on Run, a list will appear on the right side for all items having an entry to start up with Windows. If backweb is there, right click and delete it.
Reboot and run Spybot S&D again.
Cheryl G.
Acclaimed Contributor

Re: spybot warning

If you are not comfortable editing the registry, a-squared HijackFree is a free utility to stop programs from running at startup. No installation, just click the downloaded file to use. Handy for all sorts of items actually, easy to disable and re-enable items as you need.
http://www.majorgeeks.com/download4516.html
Joe van Raamt
Super Advisor

Re: spybot warning

Thanks for the help. I keep on learning from all the members to this forum.
c'est la guerre
Joe van Raamt
Super Advisor

Re: spybot warning

Hi Cheryl,
I followed all the steps, and could find no reference to backweb lite in Doc/set./all users etc. and neither in hkey_local machine etc. However, when I ran Spybot again, the backweb lite entries showed up again. I went to search and they showed up there as zip files. I deleted them and ran Spybot again. They are still there (see attachment). I went through the whole procedure again with the same results. Any suggestion?
c'est la guerre
Pat
Honored Contributor

Re: spybot warning

Joe,

Have you deleted the files from Spybot's recover/restore file?

I believe they make a backup in case you want to restore them.

You can open the recovery/restore file and delete them from there.

Pat

Joe van Raamt
Super Advisor

Re: spybot warning

Hi Pat, I have tried that now also, but the result is the same (see attachment). I did delete from the recovery feature and restarted. While I am at it, I see many files being scanned that I have no clue as to where I can find them or how they came on my PC (maybe my son when he was using it?), like: coolsearch, gain gator, hippy..., zwax, ras dial etc. It went too fast to get all the exact file names. I tried the search feature of Windows.
c'est la guerre
Pat
Honored Contributor

Re: spybot warning

If you don't have Hijack This, download it and save it to your desktop. Read the instructions on this page.

http://tomcoyote.com/hjt/

Go into Safe Mode and Run it. Save your hijack log. Once you've run the scan, you can safely delete the files if you do not have a program that requires them.

Can you think of any software you've recently downloaded that would warrant the usage of backweb lite when it first began showing up on your system?

I've read F-secure anti-virus uses backweb lite also.

My experience in removing Backweb with an anti-spyware tool instead of through Add/Remove Programs was posted above. I had to do a system recovery then remove from Add/Remove Programs.

Pat


Joe van Raamt
Super Advisor

Re: spybot warning

I did try F-secure one time as it was provided for free from my cable server. However, it did not seem to scan all files like Norton, so I reverted back to Norton. I was reluctant to do a complete restore as I have some difficulty redoing all the reinstalls of programs. I now have another problem with the removal of a trojan, but I suppose I should start a new thread?
c'est la guerre
Pat
Honored Contributor

Re: spybot warning

Norton makes a backup copy of any files (trojans) removed. They still show up as being in the system even though they were removed. Delete them from the backup folder.

Use an online scanner such as trendmicro's housecalls or bitdefender.com

Pat

Joe van Raamt
Super Advisor

Re: spybot warning

Sorry to ask a dumb question, but where do I find this backup log in Norton? I tried to find it through "search", but nothing came up.
c'est la guerre
Pat
Honored Contributor

Re: spybot warning

I believe you have to look into Report then click on the Quarantined Items. That should show a list of backup items kept. Right click on each and delete (or hold down CTRL to delete several).
When prompted by a warning re: removal, click on Yes.
Close Norton.
Pat
Joe van Raamt
Super Advisor

Re: spybot warning

It does not show in there either, but yet if I run the scanner again it pops up like this attachment.
c'est la guerre
Joe van Raamt
Super Advisor

Re: spybot warning

Sorry, I sent the wrong attachment, This is what shows after the scan: I tried to empty the cache and Temp. Internet files to no avail.
Source: ipreg32.dll
Description: The compressed file ipreg32.dll within C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\666N6D4H\ipreg32[1].cab is infected with the Trojan.Domcom virus.
Click for more information about this threat : Trojan.Domcom
c'est la guerre
Pat
Honored Contributor

Re: spybot warning

Trojans hide in system restore points also. Have you turned off system restore and run another virus scan to ensure the system is clean? They also may affect the installed scanner; so it is best to perform a complete system scan at one of the online scanners available.

Did you read this Symantec Article?

http://securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html

Pat

Joe van Raamt
Super Advisor

Re: spybot warning

Yes I did read the article and did scan after turning off the restore feature. I will do that again and try an on line scanner.
c'est la guerre
Pat
Honored Contributor

Re: spybot warning

When you located the file, had you done a search and did you include the option to look for hidden files and folders in the search?

Make sure when you search for a file to check the 3 items listed below.

Start/Search/All Files and Folders/scroll down click More Advanced Options.

Scroll down and make sure these 3 options are checked.

1. Search System Folders
2. Search Hidden Files and Folders
3. Search Subfolders


Also, did you download HiJack this and run it in Safe Mode? You should be able to delete the file with that program.

Have you looked into your Browser Addons? Tools>Internet Options>
Click the Programs Tab
Click Add-ons

Check to see if there's a BHO identified as DownCom Module. If so, disable it.

IPreg32.dll is an UNSAFE Application/Process Description


http://www.superadblocker.com/I/IPREG32.DLL-2157.html

Pat
Joe van Raamt
Super Advisor

Re: spybot warning

Did the st./Se./all files and the three options. It found the file and I did delete it from there.
Then I started in safe mode and did the HJT scan (could find no reference to the trojan).
Then I ran Norton again and the trojan was still there. For some reason Norton cannot delete the virus. It says could not repair, computer is still infected.
See pic of add-ons; I could not find it in Netscape.
Should I download the program you mentioned below?
http://www.superadblocker.com/I/IPREG32.DLL-2157.html
c'est la guerre
Joe van Raamt
Super Advisor

Re: spybot warning

Latest HJT log file
c'est la guerre
Joe van Raamt
Super Advisor

Re: spybot warning

BTW, Micro's virus scanner did not detect a virus.
c'est la guerre
Pat
Honored Contributor

Re: spybot warning

I don't know anything about the Super Ad Blocker program. It's a free trial and may be of help, but "Not responsible....." since I have no knowledge pro or con regarding ad blocker.

I'm just now looking at the Hijack File, so that may take a few moments and it's almost 11:00p.m. I may not get back to you until tomorrow.

Ron Kinner's the "Old Pro" at reading Hijack files.

Pat
Pat
Honored Contributor

Re: spybot warning

The hijack log looked good. This one has been recommended for removal on other forums

http://www.daniweb.com/techtalkforums/thread5425.html

but I understand it comes with RealPlayer and downloads patches/updates. It's been described as Malware.

DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/31c65bb9aec318606800/netzip/RdxIE601.cab


Did you look for the Registry Values to Delete the Trojan?

Click Start > Run.
Type regedit
Click OK.


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"loader32 " = "%AppData%\SysDown\sys[5 random numbers].exe"


Navigate to and delete the following registry subkeys:

HKEY_CLASSES_ROOT\CLSID\{031B6D43-CBC4-46A5-8E46-CF8B407C1A33}
HKEY_CLASSES_ROOT\TypeLib\{4A31E565-08CB-4272-8817-7BF729B6A96F}
HKEY_CLASSES_ROOT\Interface\{CC1725CD-1EFA-4D88-8987-5EBF66347856}
HKEY_CLASSES_ROOT\DownCom.CDownCom.1
HKEY_CLASSES_ROOT\DownCom.CDownCom


Exit the Registry Editor.


When Norton continued to Scan a virus on my unit, I located the file in Quarantine and deleted it. Once I'd done that, it did not show up in scans. Other scanners had not detected it at all. You might start a search for the Norton Files and see if you can locate and delete it there.

Pat
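
The checks that Cheryl G. and Pat describe in this thread (the All Users Startup folder, the HKLM Run key, and the DownCom registry subkeys) can be run as one read-only audit. This PowerShell script is an added example, not part of any post in the thread; the match patterns are assumptions built from the names quoted above.

```powershell
# Added example: read-only audit of the autostart locations and registry keys
# named in this thread. It only reports matches and deletes nothing.
$namePattern = 'backweb|loader32|downcom|ipreg32'               # assumed patterns
$dataPattern = 'backweb|\\SysDown\\sys\d{5}\.exe|ipreg32'       # "sys" + 5 digits
$findings = @()

# 1. All Users Startup folder (resolved by the OS, whatever the Windows version).
$startup = [Environment]::GetFolderPath('CommonStartup')
if ($startup -and (Test-Path -LiteralPath $startup)) {
    Get-ChildItem -LiteralPath $startup -Force |
        Where-Object { $_.Name -match $namePattern } |
        ForEach-Object { $findings += "Startup folder: $($_.FullName)" }
}

# 2. Values under the HKLM Run key: check both the value name and its data.
$runKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($name in $run.GetValueNames()) {
        $data = [string]$run.GetValue($name)
        # GetValue expands %AppData%, so the pattern is matched on the full path.
        if ($name -match $namePattern -or $data -match $dataPattern) {
            $findings += "Run value: '$name' = $data"
        }
    }
}

# 3. Registry subkeys listed in the thread (HKEY_CLASSES_ROOT is the hive's name).
$subkeys = @(
    'HKEY_CLASSES_ROOT\CLSID\{031B6D43-CBC4-46A5-8E46-CF8B407C1A33}',
    'HKEY_CLASSES_ROOT\TypeLib\{4A31E565-08CB-4272-8817-7BF729B6A96F}',
    'HKEY_CLASSES_ROOT\Interface\{CC1725CD-1EFA-4D88-8987-5EBF66347856}',
    'HKEY_CLASSES_ROOT\DownCom.CDownCom.1',
    'HKEY_CLASSES_ROOT\DownCom.CDownCom'
)
foreach ($k in $subkeys) {
    if (Test-Path -LiteralPath "Registry::$k") { $findings += "Subkey present: $k" }
}

if ($findings) { $findings } else { 'No matching entries found.' }
```

An empty result only means these specific locations are clean; copies held in a scanner's quarantine or in the browser cache, as discussed in the thread, are not covered.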