Q: Back Web lite-Trojan? ( Answered 4 out of 5 stars,   0 Comments )
Question  
Subject: Back Web lite-Trojan?
Category: Computers > Security
Asked by: norbon-ga
List Price: $10.00
Posted: 02 Aug 2005 08:12 PDT
Expires: 01 Sep 2005 08:12 PDT
Question ID: 550804
I recently lost a computer to BD bladerunner 80.  I am running spy bot
and ad aware daily on this computer. A file has shown up called back
web lite. It is not checked by spy bot for fixing.  When I check it
and remove it I get a run error message " invalid Back Web Applicaton
id 1940576"  I used spy bot's restore function, but the critical
notation really bothered me. So I removed it again.  I tried to delete
the file, and am told that I cannot delete the "dll"
This (Back Web) does not show up on my program files even though it
says it is there. There is a whole file folder listed as critical.
Just about all of my computer is there including this back web folder.
I have deleted parts of it  (back web)  I don't seem to be having
trouble with the internet except for the run error message.  Do I
remove this( Back Web) and how?  Do I restore it, and if I do how do I
get rid of the critical message?  Is there something better than spy
bot?  All of this stuff is in recycle or in spy bot's restore.  I am
setting a price of $10.00, but I will negotiate if you have REAL
answers. I went to numerous tech sites with my other computer am out
much time and bucks for nada.

Request for Question Clarification by livioflores-ga on 02 Aug 2005 08:33 PDT
Hi!!

My suggestion is to restore all and post a HijackThis log here, for
instructions see:
"HijackThis Tutorial - How to use HijackThis to remove Browser
Hijackers & Spyware":
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

This section is the one that you must read:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#HowToUse

Download it from here:
http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

This program will tell me your system status, with this info I will be
able to give you a proper answer to your question, please post the log
WITHOUT fixing anything.

Regards,
livioflores-ga

Clarification of Question by norbon-ga on 02 Aug 2005 11:47 PDT
I run spy bot and I get a RED ! by Back Web lite.   It had 58 entries.
 It did not show up on my first few scans,  It was not check marked
for removal.
I cannot get a picture of the file to you, it won't paste here.
I opened it and checked the individual entries and removed them now my
computer gives me a run error 1940576.  Do I restore BACK WEB or
continue to try to remove it?  I run a fire wall and virus scanner
alllll the time. Can I stop these attacks?  Without turning off the
internet?  Does this clarify?

Clarification of Question by norbon-ga on 02 Aug 2005 12:12 PDT
Clarification 2.  I have previously avoided hi jack this because I did
not think I was smart enough, I have just proven it. I have the log,
but don't understand what to do with it.

Request for Question Clarification by livioflores-ga on 02 Aug 2005 12:23 PDT
If you have generated a HijackThis log please post it here and I will
give you step by step instructions on what you must do to fix and clean
your computer, it is not so complicated, I am pretty sure that you
will be able to do that and learn something about your computer in the
middle.

Regards,
livioflores-ga

Clarification of Question by norbon-ga on 02 Aug 2005 14:37 PDT
Here's the rub, I just don't understand how to post the log. Thanks

Clarification of Question by norbon-ga on 02 Aug 2005 14:45 PDT
Logfile of HijackThis v1.99.1
Scan saved at 3:14:00 PM, on 8/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BrowseBlast Web Accelerator\browseblast.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Documents and Settings\Owner\My Documents\New Folder\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.seark.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.seark.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.seark.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.seark.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Internet Explorer by Seark.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} -
C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5}
- C:\Program Files\BrowseBlast Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler]
"C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program
Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program
Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe
O4 - Global Startup: BrowseBlast Web Accelerator.lnk = C:\Program
Files\BrowseBlast Web Accelerator\browseblast.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq
Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk =
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100
series\Bin\hpogrp07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21}
- C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.alltel.com
O15 - Trusted Zone: *.AVGINET.EXE
O15 - Trusted Zone: www.grisoft.com
O15 - Trusted Zone: www.kodakgallery.com
O15 - Trusted Zone: www.m-w.com
O15 - Trusted Zone: www.randmcnalley.com
O16 - DPF: {18B35742-FEF5-4DE3-8928-8CAA34C1FEEA} -
http://unabridged.merriam-webster.com/toolbar/install/webinstall.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI
Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} -
http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload
Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI
Registry Information Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo
Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj
Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o.
- C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

bingo I did it.
Answer  
Subject: Re: Back Web lite-Trojan?
Answered By: livioflores-ga on 02 Aug 2005 17:47 PDT
Rated:4 out of 5 stars
 
Hi!!

I found some additional info for you, the problem you have is related
to a known bug in Spybot, you need to download and install a patch
from here:
"Spybot - Search and Destroy DSO Exploit Fix 1.3.1 TX":
http://www.majorgeeks.com/download4392.html

If you like this solution just follow the instructions on the above
page and check what happens.

My suggestion is to remove such program via the Windows' Add/Remove
Programs feature, and then using HijackThis fix all items related to
it (if still present):
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq
Connections\1940576\Program\BackWeb-1940576.exe

Then delete the folder C:\Program Files\Compaq Connections\1940576 and
its content.

NOTE:
Do this only if the Spybot Patch does not work or if you prefer to not
have this unuseful program.


As a bonus, I suggest some other fixes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.seark.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.seark.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.seark.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.seark.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Internet Explorer by Seark.net
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} -
C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21}
- C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)

Also, it is always a good idea to keep the Trusted zone empty, so do the
following fixes only if you want:
O15 - Trusted Zone: www.alltel.com
O15 - Trusted Zone: *.AVGINET.EXE
O15 - Trusted Zone: www.grisoft.com
O15 - Trusted Zone: www.kodakgallery.com
O15 - Trusted Zone: www.m-w.com
O15 - Trusted Zone: www.randmcnalley.com

One more recommendation:
Uninstall the BrowseBlast Web Accelerator, unless you find it very
helpful, in most cases this kind of program is the origin of
security and performance problems. (Use the Add/Remove Programs
feature.)

Do the fixes in Safe Mode, you can boot in safe mode by tapping the
F8 key before the Windows logo is displayed at boot time, or see
other instructions here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

To fix your computer using HijackThis just run HijackThis (with your
PC in safe mode) and click on the button "Do a system scan only", then
check to fix the items to be removed and click on "Fix Checked". See
more detailed instructions here:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#HowToUse

The suggested fixes are not critical, your computer does not appear
to be infected, but by fixing such items you will improve your computer
performance and security. Note that they are not related to the
problem that motivates your question so it is entirely your choice to
fix them or not.

I hope that this helps you. Note that this answer is not ended until
you are satisfied with it, so please do not hesitate to use the
clarification feature to request for further assistance related to the
question you posted.

Regards,
livioflores-ga
norbon-ga rated this answer:4 out of 5 stars
I really appreciate the patience. Thanks
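
An added example, not part of the original question or answer and not HijackThis's own code: a Python sketch that rejoins the wrapped lines of a pasted HijackThis log and sorts entries into the groups the answer reviews ("(file missing)" leftovers, Trusted Zone sites, startup items, Internet Explorer URL settings). The function names and group labels are assumptions; the sample is a short excerpt of the log posted above, and the script only reports, it changes nothing.

```python
import re
from collections import defaultdict

ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

def parse_entries(text):
    """Rejoin lines wrapped by the forum paste; return [(code, body), ...]."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            current = [m.group(1), m.group(2).strip()]
            entries.append(current)
        elif line.strip() and current is not None:
            current[1] += " " + line.strip()  # continuation of a wrapped entry
        else:
            current = None  # blank line or preamble: no entry is open
    return [tuple(e) for e in entries]

def review(entries):
    """Sort entries into the groups the answer looks at; nothing is modified."""
    groups = defaultdict(list)
    for code, body in entries:
        if body.endswith("(file missing)"):
            groups["orphaned"].append((code, body))
        elif code == "O15":
            groups["trusted_zone"].append(body.partition(": ")[2])
        elif code == "O4":
            groups["startup"].append(body)
        elif code in ("R0", "R1"):
            groups["ie_urls"].append(body)
    return dict(groups)

# Excerpt of the log posted above, kept wrapped exactly as it was pasted.
SAMPLE = r"""Logfile of HijackThis v1.99.1

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.seark.net
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} -
C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq
Connections\1940576\Program\BackWeb-1940576.exe
O15 - Trusted Zone: www.alltel.com
O15 - Trusted Zone: www.grisoft.com
"""

if __name__ == "__main__":
    for group, items in review(parse_entries(SAMPLE)).items():
        print(group, items)
```

Entries in the "orphaned" group point at files that no longer exist, which is why the answer lists the two `mnyside.dll` lines among its optional fixes.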
