New spyware

Michael Ingram-Scott

Spybot has detected a new spyware program "BackWeb lite"
but cannot get rid of it (Microsoft Antispyware, Adware
and AOL antispyware don't detect it). Anyone else with
this problem and can suggest a way of getting rid of this
spyware? Please help, thanks
 
Michael Ingram-Scott said:
Spybot has detected a new spyware program "BackWeb lite"
but cannot get rid of it (Microsoft Antispyware, Adware
and AOL antispyware don't detect it). Anyone else with
this problem and can suggest a way of getting rid of this
spyware?

This might not be spyware at all - be careful. Backweb can be used by
legitimate applications to update themselves - Logitech keyboard or mouse
drivers are an example.
 
I agree with Robin Walker.

For example: F-Secure Antivirus 2005 uses BackWeb as the mechanism to bring
in their definition updates.

HP uses backweb for vaguely similar uses.

Frankly, in the case of Logitech and HP, I'm unconvinced of the need to have
the app on the machine--how many critical updates can a mouse need?

However, if you are running F-Secure, as I am--removing this might have
significant repercussions.

I'd investigate further.
 
Hello Bill.

I agree also, but backweb is also there in a lot of trojans if I take a
look in the Trend Virus Encyclopedia.
So housecall can maybe do the trick, and if nothing is found you can be
happy!

regards >*< TOM >*<

Bill Sanderson wrote:
 
I don't like this detection by Spybot Search & Destroy. It doesn't
distinguish in any way between "good" backweb and "bad" backweb.

I'm very clear that backweb is used to distribute ads--in some cases even
when it is put in by a trusted vendor. However, you don't want to remove it
if it is doing some work you value, like providing antivirus definition
updates.

I think the key is finding the executable and seeing whether it is in a
location that appears related to a vendor whose product you've knowingly
installed.

In my case, when I do a command line dir search for backw*.*, this is the
result:

Directory of D:\Program Files\F-Secure Anti-Virus

02/02/2005 09:48 PM <DIR> backweb
0 File(s) 0 bytes

Directory of D:\Program Files\F-Secure Anti-Virus\backweb\4476822\6.3.2.62-4476822L\Program

02/02/2005 09:48 PM 2,150,444 backweb.dll
02/02/2005 09:48 PM 142,636 backweb.tlb
2 File(s) 2,293,080 bytes
---------------------------------------------------------------
It is crystal clear that this backweb is related to my antivirus, and I
don't want Spybot Search & Destroy or anything else messing with it.

It does give me pause, though, to consider whether there might well be
multiple instances of backweb on a given machine--both good and bad ones.

I'll have to look again at what information Spybot Search & Destroy gives
the user about the detection--whether or not you can distinguish where it
is, for example.


--
 
OK - I reinstalled Spybot Search & Destroy on my machine, version 1.4, and
updated it and ran another detection.

This still stinks, and I'm gonna uninstall Spybot Search & Destroy (again!)

It finds 61 instances of backweb, and the full text of what it finds is at
the end of this message.

NOTHING in the detected registry entries--it doesn't seem to worry about the
actual executables--makes any reference to F-secure.

So I would never know that I was deleting the software that my chosen
antivirus vendor uses to provide updates (and I might add that this is a
nearly invisible update mechanism--one of the best I've seen.)

So--I don't trust this particular detection on the part of Spybot Search and
Destroy.

Even if I read their write-up about BackWeb, I am none the wiser:
Company: http://www.backweb.com/
Product: BackWeb lite
Threat: Adware/Spyware
Company URL: http://www.backweb.com/
Company product URL: http://www.backweb.com/products/html/backweb_eaccelerator.html
Company privacy URL: http://www.cameocast.com/legal/privacypolicy.asp

Functionality

Installs unknown items & advertisement popups on your system.

Description

Comes with Western Digital Data Lifeline as well as with HP & Compaq
systems. If you intended to install the normal BackWeb, please add BackWeb
to your exclude list. But if you know nothing about installing BackWeb,
chances are good that it is the 'lite' version. This one connects to a
Cameocast server (Source: http://www.cexx.org/dlgli.htm), and you can read
Cameo's privacy statement above.

Privacy Statement

BackWeb: Stay in the loop With BackWeb's reporting capabilities, you'll know
who received each delivery, when they received it, and how they interacted
with it.

CameoCast: CameoCAST pushes content to your hard drive while you are online.

[...]This information such as the type of browser being used, its operating
system, and your IP address, is gathered in order to enhance your online
experience.

Nothing in their description above, or in the detected items, enables me to
make an informed decision about this detection. This could be done better.
It is really obvious that the backweb executables on my system are in
F-secure's installation folders.

-------------------------------------------
BackWeb lite: File extension (Registry key, nothing done)
HKEY_CLASSES_ROOT\bwpfile

BackWeb lite: File extension (Registry key, nothing done)
HKEY_CLASSES_ROOT\.bwp

BackWeb lite: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\BackWeb

BackWeb lite: User settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\BackWeb

BackWeb lite: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-776561741-1606980848-1060284298-1003\Software\BackWeb

BackWeb lite: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\BackWeb

BackWeb lite: Netscape viewer (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Netscape\Netscape Navigator\Viewers\application/x-bwpreview

BackWeb lite: Netscape viewer (Registry value, nothing done)
HKEY_USERS\S-1-5-21-776561741-1606980848-1060284298-1003\Software\Netscape\Netscape Navigator\Viewers\application/x-bwpreview

BackWeb lite: Netscape viewer (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Viewers\application/x-bwpreview

BackWeb lite: Interface (IBackWebDisplaySettings4_2) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{001B3F20-D866-11D1-8B4C-00609761C47A}

BackWeb lite: Interface (IBackWebChannel4_2) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{025632A0-BCEC-11D1-8B35-00609761C47A}

BackWeb lite: Interface (IBackWebDirectoryEntry) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{0C6E0440-0B50-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebDownloadTimeConstraint) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{0D1F7C83-8123-11D0-B5CA-0000B43698D6}

BackWeb lite: Interface (IBackWebDownloadTimeConstraintCollection) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{0D1F7C84-8123-11D0-B5CA-0000B43698D6}

BackWeb lite: Interface (IBackWebExtension) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{0F4FE440-983F-11D0-9B9C-444553540000}

BackWeb lite: Interface (IBackWebGeneralSettings) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{12473FC3-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebDialerSettings) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{12473FC4-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebCommSettings) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{12473FC5-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebDisplaySettings) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{12473FC6-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebSetup) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{12473FC7-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebDirectory) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{15030BC0-0B52-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebStoryFieldCollection) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{1D91D9E0-004B-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWeb2) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{23F43240-F78D-11D0-9A50-00AA004812C2}

BackWeb lite: Interface (IBackWebInfoPakDownloadServices) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{2DE07D90-DC04-11D0-A875-0000B43699FC}

BackWeb lite: Interface (IBackWebSetupNotifications) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{2F099AF0-6329-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebChannelTableNotifications) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{2F523082-5A0B-11D0-9B9C-444553540000}

BackWeb lite: Interface (IBackWebSetup4) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{3667E7B0-4F28-11D1-8ADB-00609761C47A}

BackWeb lite: Interface (IBackWebFileAccess) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{3AF78A6E-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface (IBackWebInfoPakFilesCollection) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{3AF78A71-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface (IBackWebInfoPakFile) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{3AF78A74-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface (IBackWebOpenInfoPakFile) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{3AF78A77-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface (IBackWebDirectoryNotifications) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{41CEBDC0-32C1-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebStoryTableNotifications) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{44230BC0-3105-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebInfoPakNotifications) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{4A3666F3-5F2D-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWeb) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{53FCF355-5323-11D0-A864-0000B43699FC}

BackWeb lite: Interface (IBackWebChannelCollection) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{53FCF35A-5323-11D0-A864-0000B43699FC}

BackWeb lite: Interface (IBackWebChannel) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{53FCF35B-5323-11D0-A864-0000B43699FC}

BackWeb lite: Interface (IBackWebStoryField) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{5B1E13A0-004B-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebDirectoryEntryCollection) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{5DF6CE40-0B50-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebFileAccessViaDir) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{608FE360-6FB2-11D1-A885-0000B43699FC}

BackWeb lite: Interface (IBackWebInfoPak4_2) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{610141C2-7701-11D1-B042-004095903824}

BackWeb lite: Interface (IBackWebAlertSettings) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{72B62B40-17D1-11D1-96A7-F8E906C10000}

BackWeb lite: Interface (IBackWeb4) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{740904E0-0BFB-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebPlayer) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{8028B940-4932-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebAllInfoPakCollection) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{8131F530-649E-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebChannelDownloadServices) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{9132E380-DC21-11D0-A875-0000B43699FC}

BackWeb lite: Interface (IBackWebItemDownloadServices) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{93BF8F00-DBE8-11D0-A875-0000B43699FC}

BackWeb lite: Interface (IBackWebChannel2) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{9647FB70-DC0F-11D0-A875-0000B43699FC}

BackWeb lite: Interface (IBackWebStoryCollection) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{9DB46422-FF61-11D0-9951-444553540000}

BackWeb lite: Interface (IBackWebAllStoryCollection) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{9DB46423-FF61-11D0-9951-444553540000}

BackWeb lite: Interface (IBackWebStory) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{9DB46424-FF61-11D0-9951-444553540000}

BackWeb lite: Interface (IBackWebChannelVariableCollection) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A4BC67F0-6C90-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebChannel4) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{AEE96320-2131-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebCommunications) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{BAD37BC0-2231-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebChannelCollection4) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{BCD0C200-69C1-11D1-8AF8-00609761C47A}

BackWeb lite: Interface (IBackWebFilterSettings) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C8CEEEE0-17D6-11D1-96A7-F8E906C10000}

BackWeb lite: Interface (IBackWebApplicationNotifications) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{D0894D60-6C6C-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebGeneralSettings2) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{E01AD640-F87D-11D0-9A50-00AA004812C2}

BackWeb lite: Interface (IBackWebInfoPakCollection) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{EB1FFFC1-5688-11D0-A865-0000B43699FC}

BackWeb lite: Interface (IBackWebInfoPak) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{EB1FFFC2-5688-11D0-A865-0000B43699FC}

BackWeb lite: Interface (IBackWebChannelVariable) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{FEFCA7F0-6C8E-11D0-A866-0000B43699FC}
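
The two checks Bill describes in this thread, the backw*.* directory search and the question of what Spybot's registry entries actually point at, can be run together as one read-only inventory. The script below is an added example written for this page; it is not code from the thread, from Spybot Search & Destroy, or from F-Secure. It assumes Windows PowerShell 5.1 or later on the machine being inspected, the function names are mine, and the Wow6432Node key is my addition for 64-bit hosts. Its third step fills the gap Bill complains about: a COM Interface key under HKCR normally carries a TypeLib subkey whose GUID and Version lead to HKCR\TypeLib\{guid}\<version>\0\win32, where the default value is the path of the registered type library (on Bill's machine, presumably the backweb.tlb inside the F-Secure folder). That path is what lets you attribute the 61 "Interface" detections to a vendor folder, which the Spybot output alone does not show.

```powershell
<#
 Added example, not code from the thread or from Spybot/F-Secure.
 Read-only inventory of BackWeb artefacts: files on disk, the registry
 keys Spybot lists, and the type library each IBackWeb* Interface key
 registers. Nothing is deleted. Run from an elevated PowerShell.
#>

# 1. File-system side: every backw*.* file on each fixed drive, plus the
#    top-level folder under Program Files it lives in (the vendor clue
#    Bill uses to decide whether a given BackWeb is "his").
function Find-BackWebFiles {
    $roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
             ForEach-Object { $_.DeviceID + '\' }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter 'backw*.*' -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Strip "X:\Program Files[ (x86)]\" so the first remaining element is the vendor folder
            $rel = $_.FullName -replace '^[A-Za-z]:\\(Program Files( \(x86\))?\\)?', ''
            [pscustomobject]@{
                Path         = $_.FullName
                LastModified = $_.LastWriteTime
                VendorFolder = ($rel -split '\\')[0]
            }
        }
    }
}

# 2. Registry side: the fixed keys from Spybot's report, plus the per-user
#    Software\BackWeb key under every loaded profile hive in HKEY_USERS.
function Find-BackWebRegistryKeys {
    $keys = @(
        'Registry::HKEY_LOCAL_MACHINE\Software\BackWeb',
        'Registry::HKEY_LOCAL_MACHINE\Software\Wow6432Node\BackWeb',   # my addition for 64-bit hosts
        'Registry::HKEY_CLASSES_ROOT\.bwp',
        'Registry::HKEY_CLASSES_ROOT\bwpfile'
    )
    $keys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
             ForEach-Object { "Registry::$($_.Name)\Software\BackWeb" }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $k }
    }
}

# 3. Attribution: for each HKCR\Interface\{IID} whose default value starts with
#    "IBackWeb", follow TypeLib -> HKCR\TypeLib\{guid}\<Version>\0\win32 to the
#    registered .tlb/.dll path, and say whether that file still exists on disk.
function Resolve-BackWebInterfaces {
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\Interface' -ErrorAction SilentlyContinue |
    Where-Object { ([string]($_.GetValue(''))) -like 'IBackWeb*' } |
    ForEach-Object {
        $iface   = $_
        $tlbPath = $null
        $tlKey   = Get-Item -LiteralPath "Registry::$($iface.Name)\TypeLib" -ErrorAction SilentlyContinue
        if ($tlKey) {
            $tlbGuid = [string]($tlKey.GetValue(''))
            $ver     = [string]($tlKey.GetValue('Version'))
            $win32   = "Registry::HKEY_CLASSES_ROOT\TypeLib\$tlbGuid\$ver\0\win32"
            if ($ver -and (Test-Path -LiteralPath $win32)) {
                $tlbPath = [string]((Get-Item -LiteralPath $win32).GetValue(''))
            }
        }
        # -and short-circuits, so Test-Path is not called with an empty path
        $onDisk = [bool]($tlbPath -and (Test-Path -LiteralPath $tlbPath))
        [pscustomobject]@{
            Interface   = [string]($iface.GetValue(''))
            IID         = $iface.PSChildName
            TypeLibPath = $tlbPath
            OnDisk      = $onDisk
        }
    }
}

Find-BackWebFiles         | Format-Table -AutoSize
Find-BackWebRegistryKeys
Resolve-BackWebInterfaces | Sort-Object TypeLibPath | Format-Table -AutoSize
```

Reading the result: a TypeLibPath under a folder you knowingly installed (F-Secure, Logitech, HP, Kodak) attributes that whole group of Interface keys to that vendor, which is the case where you leave them alone. OnDisk being false means the registration was left behind by an uninstall and points at nothing, which is the case where cleaning the keys costs you nothing. A path under a folder you do not recognise is the one instance worth digging into before anything is removed, and it also answers Bill's question about multiple BackWebs on one machine: if the Interface keys resolve to a different folder than the backweb.dll the file search found, there is more than one.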
 
I'll toss my dime in behind Bill. Careful just yanking that out. The name
sounds nefarious, but its purpose might not be.

Ron Chamberlin
MS-MVP
 
Bill Sanderson said:
I don't like this detection by Spybot Search & Destroy. It doesn't
distinguish in any way between "good" backweb and "bad" backweb.

I'm very clear that backweb is used to distribute ads--in some cases even
when it is put in by a trusted vendor. However, you don't want to remove
it if it is doing some work you value, like providing antivirus definition
updates.

I think the key is finding the executable and seeing whether it is in a
location that appears related to a vendor whose product you've knowingly
installed.

In my case, when I do a command line dir search for backw*.*, this is the
result:

Directory of D:\Program Files\F-Secure Anti-Virus

02/02/2005 09:48 PM <DIR> backweb
0 File(s) 0 bytes

Directory of D:\Program Files\F-Secure Anti-Virus\backweb\4476822\6.3.2.62-4476822L\Program

02/02/2005 09:48 PM 2,150,444 backweb.dll
02/02/2005 09:48 PM 142,636 backweb.tlb
2 File(s) 2,293,080 bytes
---------------------------------------------------------------
It is crystal clear that this backweb is related to my antivirus, and I
don't want Spybot Search & Destroy or anything else messing with it.

It does give me pause, though, to consider whether there might well be
multiple instances of backweb on a given machine--both good and bad ones.

I'll have to look again at what information Spybot Search & Destroy gives
the user about the detection--whether or not you can distinguish where it
is, for example.

Suggestions to the master:-)
- ask F-secure about the use of backweb
- disconnect from internet; uninstall F-Secure; clean up system; check for
backweb occurrences; re-install F-Secure; compare.

Jan
 
OldBoy said:
Suggestions to the master:-)
- ask F-secure about the use of backweb
- disconnect from internet; uninstall F-Secure; clean up system; check for
backweb occurrences; re-install F-Secure; compare.
If I were a master, I wouldn't have time to hang out here!

Asking F-Secure about backweb is a great idea. They need to hear from the
customers that it makes them look bad.

I'll do some of your second suggestion when my 6 month trial (courtesy of
www.microsoft.com/protect) expires, and I move to something else, perhaps
Microsoft Antivirus.
 
Bill Sanderson said:
If I were a master, I wouldn't have time to hang out here!

Helping people is in the genes, don't resist it:-)
Asking F-Secure about backweb is a great idea. They need to hear from the
customers that it makes them look bad.

I'll do some of your second suggestion when my 6 month trial (courtesy of
www.microsoft.com/protect) expires, and I move to something else, perhaps
Microsoft Antivirus.

Give Sophos (www.sophos.com) a try; small business and corporate use only:-(

Jan
 
Bill,
Your suggestion of doing a directory search on a questionable file sounds
like good SOP. I just did a search for backw*.* on my C drive and found that
Backweb is used by Kodak EasyShare software. It had a 2002 Last modified
date, so I think it's a valid part of the Kodak Software (a freeware package
that came with some photos we had developed).
/s/ Cliff
 
OldBoy said:
Give Sophos (www.sophos.com) a try; small business and corporate use
only:-(

I've got a couple of small non-profit customers who will need to decide
about a corporate antivirus soon--I'll check them out. The name is
familiar, but I don't have any clear sense about them otherwise.
 
That's a good start. The question, of course, is where do you go from that
start.

Unfortunately, the information returned by Spybot Search & Destroy doesn't
allow you to determine conclusively that their detection relates to Kodak's
instance of BackWeb.

So--one way to test this would be to uninstall the Kodak software and then
re-scan.

The question is whether there might be multiple backwebs on a given
machine.

This seems like overkill--the likelihood is that a) the Kodak software is
the source of the detection, and b) this is commercial adware anyway--not
really something worth spending a great deal of time chasing--especially if
you aren't, in fact, seeing ads from it. However, to be rigorous, we need
to somehow be certain that the Kodak installation is the source of the
detection.

For my part, I'm perfectly happy assuming that the Backweb that Spybot finds
on my system is from F-Secure. If I uninstall F-Secure at some later date,
and the detection remains, I'll clean it, or dig deeper, and feel
embarrassed!

--
 
Good suggestion. I've run that on my machine without it ever detecting
Backweb, I believe, but it has been a good while--maybe time to try it
again.

--
 
Tom, (Your msg is below)

Thanks for the link to "Housecall" from Trend Micro. I guess this is a safe
program - 10-4??
I'll give it a try later. I have wanted to try some other programs.

Right now I'm about to update to the new MsAs Version 614 and don't want to
do anything "weird".
I'll get back to you in a few days. To my knowledge, I'm not having any
problems, although I'm only running MsAs for Spyware, and F-Protect for
Viruses, and of course, the monthly MS Malicious Software Removal Tool. I
did previously have some spyware and I had the local computer shop do a
"tune up" that included removing any spyware and installing WinXP Sp2. After
that I had one brief problem doing the Manual Windows updates (that seems to
be fixed now in that both Manual and Automatic Updates are working.). I had
one questionable file and I put it in Quarantine (will delete it soon) and I
had MsAs (and the firewall) block something called f00dbed0.exe. I did a
Google on f00dbed0.exe and came up dry. It's tried to ?install? a couple of
times since and I've always blocked it.
Since I've apparently not had problems, I've only been running "normal"
scans. Although once I did run a scan in Safe Mode, but it came up clean
too. Any suggestions to improve my security?

Thanks again,
/s/ Cliff
 
Done. 17 cookies--no information about them, and when I click on the name
of the cookie I get a search result with 0 items found.

No trojans/worms

6 viruses--all in various temp areas. 4 are various java_bytever.x
versions, all living in a java cache.

there is an html_mhredir.a, filename MSITS[1].OTM, living in the TIF, and,

troj_swizzor.dq, living as Application Data]CompBeepEnc\Bytewipe.oxe.

None of these is anything I'd give a second thought to--they aren't genuine
infections--just viral files that are sitting in places where they haven't
managed to do any harm.

No mention of backweb whatsoever.

I did the full-blown scan, viruses, spyware, and security vulnerabilities.

Trend Micro says I am missing MS05-009, which I am going to look into--I
apply critical patches on the day they are released, and don't know why that
one would appear to be still unpatched.

--
 
Housecall is Trend Micro's online antivirus/spyware/security patch scanner.
Definitely safe--and very useful.

--
 
Trend Micro says I am missing MS05-009, which I am going to look into--I
apply critical patches on the day they are released, and don't know why that
one would appear to be still unpatched.

I vaguely recall Belarc Advisor telling me the same thing.
http://www.belarc.com/free_download.html

It had something to do with upgrading to IE 6 SP 1 after W2K SP4 or
some such thing.
(I said it was a vague recollection, didn't I?)

;-)

Bob Vanderveen
 