WebInstall.exe in HJT log

Discussion in 'adware, spyware & hijack cleaning' started by Antti, Feb 25, 2004.

Thread Status:
Not open for further replies.
  1. Antti

    Antti Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    10
    Location:
    Helsinki, Finland
    Hi,
    I ran hijackthis and found this object in the log:

    O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\Temp\Adware\WebInstall.exe /R

    What could it be? Looks rather 'adwareish' and therefore suspicious to me.
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi antti,

    Welcome aboard :)

    That entry is safe to remove. Most likely a failed install by some ActiveX control drive-by, bundled downloadware (like Movie Networks etc)

    If you wish you can post your HijackThis log here so we can do a cehck up together

    Hope this helps

    Cheers,
     
  3. Antti

    Antti Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    10
    Location:
    Helsinki, Finland
    Thanks! :)
    Here's the complete log:

    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\United Devices\UD.EXE
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\United Devices\ud_1396140.exe
    C:\Program Files\United Devices\ud_1396140_0.dir\ud_ligfit_Release.exe
    C:\Program Files\AnalogX\CookieWall\cookie.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\CWShredder1500\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.helsinki.fi/yliopisto/palvelut/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sertek.com.tw/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
    O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.107-big.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.107-big.dll
    O4 - HKLM\..\Run: [LaunchApp] LaunApp
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Acer\Launch Manager\LaunchAp.exe"
    O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Acer\Launch Manager\PowerKey.exe"
    O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Acer\Launch Manager\HotkeyApp.exe"
    O4 - HKLM\..\Run: [KeyHook] "C:\Program Files\Acer\Launch Manager\KeyHook.exe"
    O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Acer\Launch Manager\CtrlVol.exe"
    O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\Temp\Adware\WebInstall.exe /R
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - Startup: Officen käynnistys.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.sertek.com.tw/
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021126/qtinstall.info.apple.com/sikes/fi/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37865.6578125
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi antti,

    That's indeed the only entry that should be fixed :

    O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\Temp\Adware\WebInstall.exe /R

    Please confirm if you have put restrictions and control limits in IE yourself :

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Cheers,
     
  5. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    And would you do me a favor and see if from "Add/Remove Programs" in the Windows® Control Panel you can find DownloadWare.B or DownloadWare ?

    Thanks
     
  6. Antti

    Antti Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    10
    Location:
    Helsinki, Finland
    Hi again!

    Actually I don't know what those restrictions could be. First I thought they could have something to do with Spybot S&D's "Lock IE start page ..." or "Lock hosts file read-only ..." -features, but after disabling them both and rebooting those registry entries still remain.

    I did a guick check with regedit. This one seems to be called "NoBrowserOptions" (something that is supposed to restrict me from gaining access to internet options??):
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    And this one is "Homepage" (something that should prevent me from changing my IE homepage??):
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    I can still access Tools->Internet-options and even change my homepage at will.

    Primrose,
    Neither DownloadWare.B nor Downloadware did exist on Add/Remove Programs list.
     
  7. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Antti,

    You're right , within SpyBot you can set indeed these restrictions.

    The reason I asked is sometimes a hijack can edit the control panel in IE, leaving you unable to reset startpage etc. You'll see a greyed out box then, for instance.

    They look legit in your case.

    Hope all is well again

    Cheers,
     
  8. Antti

    Antti Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    10
    Location:
    Helsinki, Finland
    Okay,
    Thanks a lot! :)
     
  9. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    You're welcome :)

    Feel free to come back if you have any more questions

    Cheers,
     
Thread Status:
Not open for further replies.