-----Original Message-----
When I start up my machine ( XP Home), I have a BackWeb
process that wants to run as a server over the internet.
Is this normal, or do you think it could be spyware? I'm
currently blocking this from connecting via a firewall.
Overview
Summary: BackWeb is a generic, background downloading
tool that software vendors can incorporate into their
product to download data (e.g. product updates) to the
user's PC. Its operation depends on the instructions
given to it by the individual software vendor who bundles
it.
BackWeb has been associated with numerous large companies
working on a corporate level to deliver timely
information and updates. Essentially, BackWeb is a
communications program whereby a large amount of users
may be contacted in an instant.
Information may be collected from many sources including
applications which may then be delivered to the
collection site. Further, this technology is based upon
an open architecture whereby third-party developers may
develop customized applications to meet their needs.
BackWeb has plug-in module capabilities to further extend
features and capabilities of the core program. One such
established plug-in module is the "BackWeb Polite
Upstream" which allows for the reverse flow of
communications. Communications from the client may be
delivered to the server for assimilation into a
collection point for further processing.
May use port 6670 (as may Deep Throat 1,2 & 3.x,
Foreplay, Reduced Foreplay, WinNuke eXtreame, and other
programs.)
Category: Downloader:
Variants: BackWeb Lite
BackWeb Server
Similar Pests: Downloader
Origins
Group: BackWeb Technologies
By This Group: BackWeb Lite · BackWeb Server
URL:
http://www.backweb.com/corporate/html/contact_us.html
Date of Origin: Variants from February, 2000 to January,
2003
Distribution
Distribution: Bundled with products from HP (HP
Pavilion), Compaq, Network Associates, Real Networks,
Logitec (with their mouse drivers!), IBM, F-Secure,
Western Digital Data Lifeline, Kodak digital camera sync
software, Kodak Software Updater (for Kodak Easyshare
digital cameras), Packard Bell ActivSurf.
Prevalence: BackWeb Lite: 0.1% of all pest reports (80
per 100,000 reports)
BackWeb Server: Fewer than 5 per 100,000 pest reports
More Info
Clot Factor: BackWeb Lite: On average, 49 objects
detected in each machine
BackWeb Server: (insufficient data)
The "Clot Factor" is a measure of how much a pest "gums
up" a machine by adding registry entries, files, and
directories. As more objects are placed in a machine,
manual removal becomes more difficult and more error-
prone.
Countries Affected: In the past three months, we have
received reports of BackWeb in Australia, Austria,
Belgium, Brazil, Canada, China, Denmark, Finland, France,
Germany, Greece, Hong Kong, Hungary, Iceland, Ireland,
Israel, Italy, Japan, Mexico, Netherlands, New Zealand,
Norway, Poland, Russian Federation, Saudi Arabia, Spain,
Sweden, Switzerland, Taiwan, Turkey, United Kingdom,
United States.
Growth: BackWeb Lite: Decreased 36.7% over the last 90
days
Operation
Advertising: Can be used by to distribute advertising.
Websites, ISPs, and software manufacturers include
BackWeb on their site, in their ISP software, or in their
software and, whenever you connect to the Internet,
BackWeb also connects to retrieve advertisements which
are then displayed on your screen, your browser, through
your wallpaper, screen savers and occasionally info
flashes. Not all instances of BackWeb will be configured
to deliver advertising.
"With the My HP Center, consumers have access directly
from the desktop to Internet sites featuring special
offers for HP customers ranging from personal finance and
shopping to digital imaging and music." - HP Also part of
HP Info Express and HP Updates.
Logitech Desktop Manager: Automatically checks for
software upgrades and new products, services and special
offerings from Logitech.
Storage Required: BackWeb: at least 3381KB
BackWeb Server: at least 117KB
Risks
Privacy Issues: BackWeb is often installed on new PCs by
some computer makers and configured to automatically
check for updates whenever the user connects to the
Internet. Checking for updates requires that information
on what is in your machine be sent out to unknown
destinations.
Security Issues: Because BackWeb can be configured to
retrieve and install new software, your system can change
over time without your explicit permission.
Stability Issues: Probably few. Some users have
reported "BackWeb caused an invalid page fault in module
BackWeb.EXE at 017f:004024f9."
Risk: At a minimum, a resource hog that slows your
internet connection. Some would question the need for a
tool to monitor the Internet for updates to your mouse
drivers, as with the Logitech version.
Detection and Removal
Manual Removal: Try uninstalling via the "Add/Remove
Program" icon in the Control Panel, or disable with
Startup Manager.
Look for BackWeb-XXXXXXXX.exe (BackWeb. The XXXXXXXX
denotes the version number) and rename it to BackWeb.ex_
or some other name. This will stop it from running.
To remove it, look for \program files\BackWeb\ and remove
this directory. There may not be an uninstaller.
Western Digital's Data Lifeline BackWeb Lite Installer
(DLGLI.EXE) uses BackWeb to quietly install unknown items
onto your computer. When you install Western Digital Data
Lifeline, a reference to DLGLI.EXE is placed in the
Windows StartUp folder so that it is loaded at startup.
To remove:
Terminate DLGLI.EXE using Windows' End Task (CTRL-ALT-
DEL) dialogue. It may show up as "Downloading
Software..." or "Resuming Downloading of Software..."
Use Find to locate DLGLI.EXE, and delete it.
Locate Iadhide3.dll and delete it.
Remove the entry from the StartUp folder.
Stop Running Processes:
Kill these running processes with Task Manager:
programfilesdir+\kodak\kodak software updater\7288971
\program\backweb-7288971.exebackwebserv.exe
dc1.exe
Clean Registry:
Remove these registry items (if present) with RegEdit:
HKEY_USERS\s-1-5-21-2333004253-142840635-331808302-1009
\software\netscape\netscape
navigator\viewers\application/x-bwpreview
HKEY_USERS\s-1-5-21-2333004253-142840635-331808302-1009
\software\netscape\netscape
navigator\viewers\application/x-iad
Remove Files:
Remove these files (if present) with Windows Explorer:
commonprograms+\startup\kodak software updater.lnk
programfilesdir+\kodak\kodak software updater\7288971
\program\backweb-7288971.exebackwebserv.exe
dc1.exe
dc10.hlp
dc6.r
Research
File Analyses: BackWeb: dc1.exe · dc10.hlp · dc6.r
BackWeb Server: backwebserv.exe
More Info: AllTheWeb, AltaVista, AOL Search, Ask Jeeves,
Google, HotBot, Lycos, LookSmart, MSN, Yahoo!
Research By: Answers that Work
Cexx.org
PestPatrol's Pest Research Center
Last Revised: March 15, 2004
Copyright: © 2004 PestPatrol, Inc. All rights reserved.
© 2004 PestPatrol, Inc. All rights reserved
http://www.safer-networking.org/ Spybot
http://www.javacoolsoftware.com/spywareblaster.html
http://www.wilderssecurity.net/spywareguard.html
http://www.lavasoft.de/ Ad-aware
