1st xxx.toolbar.exe (HEY ANDY!!!)

robbi

Hi again, followed all that you recommended, and not one
file was on my system at all.
But the toolbar isn't actually installed on my system, the
red pop up says, it is TRYING to install, so there must be
an install program somewhere?

Did a good search, and could not find anything ! Downloaded
MS Malicious software removal program, it found nothing ?
Searched my msconfig for start up programs, there was a
file called........

" BackWeb-8876480" command = "\program\backweb-8876480.exe"
location = "SOFTWARE\Microsoft\windows\currentversion\run"


So I went to the regedit screen, and searched that area,
but all I could find was 2 files one says [ab] (Default)
REG_SZ (value not set).

and the 2nd one is [ab] gcasserv REG_SZ in "c\program
files\microsft antispyware\gcasserv.exe"

So I don't know what this Backdoorweb is, so I disabled it
from the start up registry in msconfig..

I hate to bother you, but the last letter you wrote you
sounded so competent ! (me just a basic webbuilder, and
gamer !)

So if you get a spare minute???

Thanks again for all your help, and I hope my feedback, re
the 1st xxx toolbar TRYING TO INSTALL, GETS YOUR INTEREST!

as I can't find where it is trying to start from?

Kind Regards
Robbi !
TOTALLY WEIRD !
 
Engel

Hi Robbi


What is backweb-8876480.exe? Is backweb-8876480.exe
spyware or a virus?
-----------------------------------------------------------
Process name: Logitech Desktop Messenger

Product: Mouse/Keyboard/Webcam software

Company: Logitech

File: backweb-8876480.exe

Security Rating:
"backweb-8876480.exe" is installed with the software for
Logitech products. It checks for software upgrades from
Logitech.
It's present under Software => Logitech Desktop Manager,
where it can be uninstalled.

See also
http://www.backweb.com/news/html/rellogitech.html.

BackWeb suggest they only monitor keyboard / mouse
activity, so they know when the computer is inactive; they
claim they don't record key strokes. (source)

From the backweb developer: Compaq, HP, McAfee, F-Secure,
Western Digital, Logitech, Kodak and IBM are some of
BackWeb's customers. Each of these vendors bundles a
customized BackWeb client into their products that are
then shipped to their end users. These companies use the
BackWeb client to distribute drivers, software updates,
patches and critical information from a secure server at
their site directly to their users' hard-drives. Read
more.

From usatoday.com: One of the adware programs swept up by
Spy Sweeper on my system was BackWeb from BackWeb
Technologies, a company that works with IBM, Hewlett-
Packard, Siemens and others. Talk about mixed messages:
Spy Sweeper assessed BackWeb as a "medium" threat to my
system but nonetheless indicated that the program "is
generally used for legitimate purposes" and "should only
be removed by advanced users after careful research and
consideration." In my case, it arrived with a download of
free Kodak picture software. Kodak says the program is
used legitimately to make sure users have the latest
version of Kodak's software. A BackWeb executive also said
the software isn't spyware. And BackWeb has successfully
lobbied some anti-spyware software companies to have
BackWeb removed from their lists.

The files IAdHide.dll, IAdHide3.dll, dlgli.exe and
tempiadhide3.dll are also part of BackWeb.

Get more detailed information about backweb-8876480.exe
and all other running background processes with Security
Task Manager.

Note: Any malware can be named anything - so you should
check where the files of the running processes are located
on your disk. If a "non-Microsoft" .exe file is located in
the C:\Windows or C:\Windows\System32 folder, then there
is a high risk for a virus, spyware, trojan or worm
infection! Check it out!


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

BackWeb-8876480.exe file information
The process Logitech Desktop Messenger belongs to the
software Logitech Desktop Messenger by Logitech
(www.logitech.com).
Description: BackWeb-8876480.exe is located in a subfolder
of "C:\Program Files" or sometimes in a subfolder of
the "My Files" folder - typically c:\program
files\logitech\desktop messenger\8876480\program\. Known
file sizes on Windows XP are 16384 bytes (80% of all
occurrences), 20480 bytes.
BackWeb-8876480.exe is not a Windows system file. Program
starts when Windows starts (see Registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).
The program is not visible. The application
listens for or sends data on open ports to LAN or
Internet. The application has no file description.
Therefore the technical security rating is 6% dangerous,
however also read the user reviews.

External information from Paul Collins:


"Logitech Desktop Messenger" is not required to run at
start up. Installed with the software for Logitech
products. Automatically checks for software upgrades AND
new products, services and special offerings from Logitech.
Important: Some malware can camouflage themselves as
BackWeb-8876480.exe, particularly if they are located in
c:\windows or c:\windows\system32 folder. Thus check the
BackWeb-8876480.exe process on your pc whether it is a pest.

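The location check in the note Engel quotes (a familiar file name proves nothing, look at where the file sits) applied to startup entries, as an added example that is not part of the original thread. The `reg query`-style listing, the `updater` entry and the `-silent` argument are constructed sample data, and `C:\Windows` is assumed to be the Windows folder; the expected BackWeb folder is the one quoted in the post.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout printed by `reg query <key>` (not from the thread).
SAMPLE = r'''
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    BackWeb-8876480    REG_SZ    "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe"
    gcasServ    REG_SZ    "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    BackWeb-8876480    REG_SZ    C:\WINDOWS\system32\BackWeb-8876480.exe -silent
    updater    REG_SZ    %TEMP%\upd.exe
'''
# Usual folder for this file name, as quoted in the thread.
EXPECTED_DIR = {"backweb-8876480.exe": PureWindowsPath(
    r"C:\Program Files\Logitech\Desktop Messenger\8876480\Program")}
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")  # assumption: default location
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)\b', re.IGNORECASE)

def image_path(command):
    """Executable part of a Run-key command line (quoted, or up to '.exe')."""
    m = EXE_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.strip()

def findings(path_text):
    """Reasons to look closer at one startup executable path."""
    path, notes = PureWindowsPath(path_text), []
    if "%" in path_text or not path.drive:
        notes.append("path is relative or unexpanded")
    expected = EXPECTED_DIR.get(path.name.lower())
    if expected is not None and path.parent != expected:
        notes.append("known file name outside its usual folder")
    if WINDOWS_DIR in path.parents:  # Windows path comparison ignores case
        notes.append("under C:\\Windows: confirm the publisher")
    return notes

def triage(listing):
    """Parse `reg query` style text into (key, name, path, notes) rows."""
    rows, key = [], None
    for line in listing.splitlines():
        m = VALUE_RE.match(line)
        if line.startswith("HKEY_"):
            key = line.strip()
        elif m and key:
            path = image_path(m.group(3))
            rows.append((key, m.group(1), path, findings(path)))
    return rows

if __name__ == "__main__":
    for key, name, path, notes in triage(SAMPLE):
        print(f"{name}: {path} -> {', '.join(notes) or 'nothing flagged'}")
```

An empty notes list only means the path looks ordinary; it says nothing about what the file itself does.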
 
Monitor

Robbi

So you use a computer for Cancer care, to build web pages
and play games. This is a NO NO.
 
AndyManchesta

Hey Robbi

Glad to hear you're not finding any problems. You still
need to run a complete scan with Ewido Security Suite.
This is quite important if you haven't tried it yet.

It's a free scanner and says it's just a 14 day free trial
but it still works fine after the 14 days, it just stops
the real time protection and Automatic updates which isn't
needed anyway as I usually advise the real time not to be
activated when people use it as it can interfere with
other real time protection you have and updates can be
done manually any time you wish.

I'm sure there is something there if this warning keeps
coming so even if Ewido doesn't find it post a Hijack This
Log on here and I will try to find the problem for you. Don't
worry about personal data as that will not be shown in a
Hijack Log and my only interest would be in the suspect
files not in anything else you have installed.

First Try Ewido
----------------

Please download, install, and update the free version of
Ewido trojan scanner

http://www.ewido.net/en/download/

When installing, under "Additional Options"
uncheck "Install background guard" and "Install scan via
context menu".

When you run ewido for the first time, From the main
ewido screen, click on update in the left menu, then
click the Start update button.

After the update finishes (the status bar at the bottom
will display "Update successful")

Exit Ewido. DO NOT SCAN yet.


Reboot into Safe Mode

Restart your computer and keep tapping the F8 key on your
keyboard. When you see the list choose Safe Mode, select
the installation that you want to start, and then press
ENTER.

Here's some instructions from Microsoft about starting in
safe mode if needed assuming you have XP:

http://support.microsoft.com/default.aspx?kbid=315222



Run Ewido again.

Click on the Scanner button in the left menu, then click
on Complete System Scan. This scan can take quite a while
to run.

If ewido finds anything, it will pop up a notification.
We have been finding some cases of false positives with
the new version of Ewido, so we need to step through the
fixes one-by-one. If Ewido finds something that you KNOW
is legitimate (for example, parts of AVG Antivirus,
pcAnywhere and the game "Risk" have been flagged),
select "none" as the action. DO NOT check "Perform action
with all infections". If you are unsure of an entry,
select "none" for the time being. I'll see that in the
log you will post later and let you know if ewido needs
to be run again.

When the scan finishes, click on "Save Report". This will
create a text file. Save to desktop or somewhere you can
find the file.


Finally, reboot into normal mode and post the log from
the Ewido scan.

If you have tried this and nothing was found then post a
Hijack This Log either on here or to my email and I will
try to end this constant Warning popup you are seeing.

Regarding the Backweb entries I've just posted on that on
the topic below yours and can see Engel, Bill and others
have posted about this so read some of them for more
detail on that. I do not think it's connected to this
warning in any way but things will get easier once I see a
Hijack This Log or an Ewido Scan log.

Chat to you soon

Andy
 
Robbi

Hi again..we must stop meeting like this !, lol.

Hey, I went to the website of 1stxxx
toolbar "http://www.isearchtech.com/" and they also give
a way out to uninstall their toolbar, but since it is not
installed, it is irrelevant to me, but I will follow your
suggestions again !

I also wrote to the company, and requested to know why
their toolbar tries to install every morning on our system,
and I want to know where the hidden install software is,
let's see if I get an answer ?

If I don't there must be some way of reporting them for
illegally installing unknown software ! or software, not
at the user's request???

Let me know if there is, and I will follow your advice.

Thanks again, or tanks awfully !...lol
sorry just teasing you for being a pommie, tho' I am an
Aussie living in Santa Fe USA now ! I can't talk about bad
accents !

Take care !

Robbi
 
AndyManchesta

Hi Robbi

You can file a complaint against IST (Integrated Search
Technologies) with the Attorney General in New York:

http://www.oag.state.ny.us/ onlin...laint_alert.jsp

But this really depends where they are and what they have
on your system and it would help to know what site put it
there so I advise digging a bit deeper using at least
Ewido and see what is revealed. It also depends where IST
are based, if they are not in the US then the above
address may not be the right place to file a complaint.

I wouldn't advise you use anything from their site
regarding uninstalling files as they may be unsafe.
Aurora from Direct Revenue have a similar uninstall site
but this logs your ISP & IP address then leaves as they
describe a "Marker" on your system also cookies which I
assume is meant to track the user. I will test the
uninstall files a bit later to see what they contain and
if they do work in removal but like you say at this stage
you do not have IST on your system so it's not needed. It's
more likely to be a Trojan Downloader but again it's
unusual to just try bring xxx.toolbar and nothing else to
your system if it was a Trojan so it's hard to comment
until I know you have run the scans I mentioned.

Regards

Andy the pommie ;)
 
AndyManchesta

Hi Again Robbi

The uninstall site is a con, I've just checked it. In fact
it makes things harder as it removes the entries from
Add/Remove screen and the Start up entries but leaves
a lot of the Registry entries, dll's, Programfile folders &
ActiveX components in place so it's only a matter of time
before anyone who uses it will get infected again.

After using the uninstall on the site I then had to
remove the ActiveX and ProgramFiles Folders then Registry
entries and used MS Antispy which then found another 40
registry entries which I'd missed so it's really not a good
idea to use anything on that site, all it does is hide
itself.

A good example of this is with the ActiveX for IST. If you
right clicked it and view properties it said IST
xxx.toolbar but after using the uninstall from their site
all the details about the ActiveX have been removed so
viewing properties now doesn't show any information, the
ActiveX is still there though but they changed it a bit to
remove the reference to IST. Cheeky little monkeys ;)

Go for Ewido and see what's revealed,

Andy
 
