Hidden monster


Steve

I seem to have a little monster hidden in my computer and I can't make
it go away. It is located here:
C:\Documents and Settings\windows\Local Settings\Temp\Temporary Internet
Files\Content.IE5\1AR1V2XT
Inside that last folder there is a small file (I can see that it was
created about 2 months ago and that it is 2.33 KB in size).
As far as I can tell, it is doing nothing bad except that I am 99% sure
it is the file that is preventing virus scans to abort on my computer.
The name of the file is a little under 200 characters long and its name
starts with: "Type=click&FlightID=15993&AdID=28355....."
The thing about this file is that it can't be deleted, renamed, moved,
or opened. The part of the name that says AdID= makes me wonder if it is
some sort of Ad Ware.
Not only can it not be deleted but I can't delete any folder that
contains it. I discovered this when I was dumping all my .tmp files.
Over 1300 .tmp files were stored in C:\Documents and Settings\windows\
and I couldn't delete them as a batch because the little monster was in
the folder farther down the chain. When I right click that file, I only
get 2 choices: "open with" and "send to". I can't actually open it and
the places I can send it to look like they might only copy the bad file
there. I don't want more of them!
When I try to delete the folder that it is in (or any folder farther
back) I get an error message that says: "Cannot delete TYPE_C~1:Cannot
find the specified file."
Does anybody know what this thing is?
Does anybody know how to get rid of it? (I already tried safe mode)
If I don't get an answer here, where might I ask to find the answer?

Sorry to be so wordy,
Steve
 
Steve said:
I seem to have a little monster hidden in my computer and I can't make
it go away. It is located here:
C:\Documents and Settings\windows\Local Settings\Temp\Temporary Internet
Files\Content.IE5\1AR1V2XT
Inside that last folder there is a small file (I can see that it was
created about 2 months ago and that it is 2.33 KB in size).
As far as I can tell, it is doing nothing bad except that I am 99% sure
it is the file that is preventing virus scans to abort on my computer.
The name of the file is a little under 200 characters long and its name
starts with: "Type=click&FlightID=15993&AdID=28355....."
The thing about this file is that it can't be deleted, renamed, moved,
or opened. The part of the name that says AdID= makes me wonder if it is
some sort of Ad Ware.
Not only can it not be deleted but I can't delete any folder that
contains it. I discovered this when I was dumping all my .tmp files.
Over 1300 .tmp files were stored in C:\Documents and Settings\windows\
and I couldn't delete them as a batch because the little monster was in
the folder farther down the chain. When I right click that file, I only
get 2 choices: "open with" and "send to". I can't actually open it and
the places I can send it to look like they might only copy the bad file
there. I don't want more of them!
When I try to delete the folder that it is in (or any folder farther
back) I get an error message that says: "Cannot delete TYPE_C~1:Cannot
find the specified file."
Does anybody know what this thing is?
Does anybody know how to get rid of it? (I already tried safe mode)
If I don't get an answer here, where might I ask to find the answer?

Sorry to be so wordy,
Steve

It may be a locked file (see below), but if it's a problem because of
the desktop's (Explorer's) limitations, you may have success via the
command line.

Open the command line window, and try del from there. del can be
used with wild cards. EG,

del AB*

will delete all files with names beginning AB

If del doesn't work, try attrib with wild cards, like this:

attrib *.* -r -s

That will remove the read-only and system-file attribute flags on all
files in that folder. You should then be able to delete the monster.

However, you may get an Access Denied message. This would mean that the
file is locked by Windows, which it does with any files it happens to be
using at the time. It's a bad idea to delete locked files, no matter how
large they are.

Windows may also lock a file that should be deletable. An incorrect
registry key can cause this. Cleaning the registry will enable deletion
of such files. You should do that whenever you delete or move a number
of files, BTW, since Windows does not automatically remove or rewrite
the relevant registry keys - a major flaw in registry design IMO, but
who am I to criticise the gods at Redmond?

BTW, an uninstall does not remove locked files or shared *.dlls, etc.
You have to reboot before you can delete those. Leftover bits of
uninstalled programs can take up a surprising amount of disk space.

HTH
 
x-no-archive: yes

Wolf K said:
It may be a locked file (see below), but if it's a problem because of the
desktop's (Explorer's) limitations, you may have success via the command
line.

Open the command line window, and try del from there. del can be used
with wild cards. EG,

del AB*

will delete all files with names beginning AB

If del doesn't work, try attrib with wild cards, like this:

attrib *.* -r -s

That will remove the read-only and system-file attribute flags on all
files in that folder. You should then be able to delete the monster.

However, you may get an Access Denied message. This would mean that the
file is locked by Windows, which it does with any files it happens to be
using at the time. It's a bad idea to delete locked files, no matter how
large they are.

Windows may also lock a file that should be deletable. An incorrect
registry key can cause this. Cleaning the registry will enable deletion of
such files. You should do that whenever you delete or move a number of
files, BTW, since Windows does not automatically remove or rewrite the
relevant registry keys - a major flaw in registry design IMO, but who am I
to criticise the gods at Redmond?

BTW, an uninstall does not remove locked files or shared *.dlls, etc. You
have to reboot before you can delete those. Leftover bits of uninstalled
programs can take up a surprising amount of disk space.

HTH

Couldn't you just boot into safe mode and delete the file? In regular mode
it is probably loading into memory and can't be deleted.
-Pete
 
Couldn't you just boot into safe mode and delete the file? In regular mode
it is probably loading into memory and can't be deleted.
-Pete

He said he'd tried Safe Mode.
 
It may be a locked file (see below), but if it's a problem because of
the desktop's (Explorer's) limitations, you may have success via the
command line.

Open the command line window, and try del from there. del can be
used with wild cards. EG,

del AB*

will delete all files with names beginning AB

If del doesn't work, try attrib with wild cards, like this:

attrib *.* -r -s

That will remove the read-only and system-file attribute flags on all
files in that folder. You should then be able to delete the monster.

However, you may get an Access Denied message. This would mean that the
file is locked by Windows, which it does with any files it happens to be
using at the time. It's a bad idea to delete locked files, no matter how
large they are.

Windows may also lock a file that should be deletable. An incorrect
registry key can cause this. Cleaning the registry will enable deletion
of such files. You should do that whenever you delete or move a number
of files, BTW, since Windows does not automatically remove or rewrite
the relevant registry keys - a major flaw in registry design IMO, but
who am I to criticise the gods at Redmond?

BTW, an uninstall does not remove locked files or shared *.dlls, etc.
You have to reboot before you can delete those. Leftover bits of
uninstalled programs can take up a surprising amount of disk space.

HTH

Aren't there also freewares for unlocking and deleting such files!?


Morgan O.
 
Steve, 9/5/2006, 11:41:21 PM,
I seem to have a little monster hidden in my computer and I can't
make it go away. It is located here: C:\Documents and
Settings\windows\Local Settings\Temp\Temporary Internet
Files\Content.IE5\1AR1V2XT Inside that last folder there is a small
file (I can see that it was created about 2 months ago and that it is
2.33 KB in size). As far as I can tell, it is doing nothing bad
except that I am 99% sure it is the file that is preventing virus
scans to abort on my computer. The name of the file is a little
under 200 characters long and its name starts with:
"Type=click&FlightID=15993&AdID=28355....." The thing about this file
is that it can't be deleted, renamed, moved, or opened. The part of
the name that says AdID= makes me wonder if it is some sort of Ad
Ware. Not only can it not be deleted but I can't delete any folder
that contains it. I discovered this when I was dumping all my .tmp
files. Over 1300 .tmp files were stored in C:\Documents and
Settings\windows\ and I couldn't delete them as a batch because the
little monster was in the folder farther down the chain. When I right
click that file, I only get 2 choices: "open with" and "send to". I
can't actually open it and the places I can send it to look like they
might only copy the bad file there. I don't want more of them! When
I try to delete the folder that it is in (or any folder farther back)
I get an error message that says: "Cannot delete TYPE_C~1:Cannot find
the specified file." Does anybody know what this thing is? Does
anybody know how to get rid of it? (I already tried safe mode) If I
don't get an answer here, where might I ask to find the answer?

Sorry to be so wordy,
Steve

I would try CrapCleaner first. Even if it doesn't delete that file it
is a valuable tool to clean your PC at any other time.

Otherwise you might try taking Ownership of that file/folder through
Properties/Security/Advanced permissions.
 
Pete said:
x-no-archive: yes

"Wolf K" <[email protected]> wrote in message
[skip instructions for using command line]
Couldn't you just boot into safe mode and delete the file? In regular mode
it is probably loading into memory and can't be deleted.
-Pete

I think that the command line delete may work in Safe Mode if it doesn't
work in regular mode. It depends what's locking the file. Safe Mode
loads a minimal Windows, but I don't know what's left out. It's worth a
try anyhow.

HTH
 
badgolferman said:
Steve, 9/5/2006, 11:41:21 PM,



I would try CrapCleaner first. Even if it doesn't delete that file it
is a valuable tool to clean your PC at any other time.
...............
.......

I downloaded CCleaner and used it. The monster and the folder that it
WAS in are gone!
As I write this, I'm first trying to run Trend Micro Housecall to see if
it can now finish the scan. As I was just watching, I noticed it was
taking a very long time scanning C:\WINDOWS\TEMP. It seemed to be
scanning millions of .exe files. It was moving too fast to read the
names of the files but reading the first 3 or 4 digits of the files'
names, it appeared to be running through the same group of files over
and over for at least 20 minutes. (It has now moved on to a different
folder.)
Now I'm looking at what is inside C:\WINDOWS\TEMP. Properties says that
TEMP folder contains 21,860 files and 7 folders and is 349 MB in size
but the size on disk is 690 MB. Well that seems kind of huge!
Inside, there are indeed many thousands of .exe files. A typical name:
bwgo00ae8174.exe. They all seem to start with bwgo. There are also a
few files such as earnmoney.ico and netflix.ico. I checked the
properties of these two and the created and modified dates are from
June, 2003. Now the obvious questions:

Why are there thousands of .exe files in a TEMP folder?
Is there any way that these are supposed to be there?
CCleaner didn't seem to care about them and just left them alone. What
should *I* do?

Steve
PS Housecall is still scanning. It's working its way through the
program files right now. It's time for bed so I'll find out in the
morning if it managed to finish.
 
I downloaded CCleaner and used it. The monster and the folder that it
WAS in are gone! As I write this, I'm first trying to run Trend
Micro Housecall to see if it can now finish the scan. As I was just
watching, I noticed it was taking a very long time scanning
C:\WINDOWS\TEMP. It seemed to be scanning millions of .exe files. It
was moving too fast to read the names of the files but reading the
first 3 or 4 digits of the files' names, it appeared to be running
through the same group of files over and over for at least 20
minutes. (It has now moved on to a different folder.) Now I'm looking
at what is inside C:\WINDOWS\TEMP. Properties says that TEMP folder
contains 21,860 files and 7 folders and is 349 MB in size but the
size on disk is 690 MB. Well that seems kind of huge! Inside, there
are indeed many thousands of .exe files. A typical name:
bwgo00ae8174.exe. They all seem to start with bwgo. There are also a
few files such as earnmoney.ico and netflix.ico. I checked the
properties of these two and the created and modified dates are from
June, 2003. Now the obvious questions:

Why are there thousands of .exe files in a TEMP folder?
Is there any way that these are supposed to be there?
CCleaner didn't seem to care about them and just left them alone.
What should I do?

Steve
PS Housecall is still scanning. It's working its way through the
program files right now. It's time for bed so I'll find out in the
morning if it managed to finish.

Check the options of Crap Cleaner. Make sure everything under System
except for Recycle Bin is checked. If that doesn't do it then just
empty the folder manually.

Those .exe files are usually from installations. Do you install files
as you download them or first save to a folder and then install?
 
badgolferman said:
Steve, 9/7/2006,12:35:49 AM, wrote:




Check the options of Crap Cleaner. Make sure everything under System
except for Recycle Bin is checked. If that doesn't do it then just
empty the folder manually.

Those .exe files are usually from installations. Do you install files
as you download them or first save to a folder and then install?

I do sometimes download things that way but I don't think I have
downloaded over 21,000 things in my whole life.
Also, every single one of those 21,000+ .exe files starts with "bwgo0",
no exceptions. I spot checked several of them and they all seem to be
exactly 16.0 KB in size.
The variety of dates and sheer number of files makes me think that
something has been leaving those files in there on a regular basis since
I started using this computer. Weird.

Steve
 
Backweb creates temporary files named bwgo*.exe in your temporary
folder.

Backweb is currently being distributed as a standalone program for
receiving notifications from various sources.

Backweb is also used by F-Secure Antivirus which uses backweb to get
its database updates from f-secure. If you have F-Secure Anti-virus
5.x installed, this is most likely the case.

As far as the size on disk is concerned, that is expected. No matter
what size or how small a file is, its size on disk will be based on
sector size. If this is 32 KB and your files are 16 KB, they will still
use 32 KB on disk.
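
Added example, not part of the original thread: a Python version of the spot check described above, grouping the files in one folder by name family and reporting count, sizes, dates and estimated size on disk. The 32 KB allocation unit is the figure from the reply (called sector size there); the function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

CLUSTER = 32 * 1024  # assumption: 32 KB allocation unit, the figure used in the reply

def size_on_disk(size, cluster=CLUSTER):
    return -(-size // cluster) * cluster  # round up to whole allocation units

def family(name):
    """bwgo00ae8174.exe -> ('bwgo', '.exe'): leading letters of the stem plus extension."""
    stem, ext = os.path.splitext(name.lower())
    lead = re.match(r"[a-z]+", stem)
    return (lead.group(0) if lead else stem, ext)

def triage(folder, cluster=CLUSTER):
    """Summarise the regular files in one folder, grouped by name family."""
    out = defaultdict(lambda: {"count": 0, "bytes": 0, "on_disk": 0, "sizes": set(), "mtimes": []})
    for entry in os.scandir(folder):
        if not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        g = out[family(entry.name)]
        g["count"] += 1
        g["bytes"] += st.st_size
        g["on_disk"] += size_on_disk(st.st_size, cluster)
        g["sizes"].add(st.st_size)
        g["mtimes"].append(st.st_mtime)
    return dict(out)

def repeated_executables(summary, min_count=3):
    """Families of .exe files that recur with one identical size."""
    return {k: v for k, v in summary.items()
            if k[1] == ".exe" and v["count"] >= min_count and len(v["sizes"]) == 1}

def build_sample(folder):
    """Constructed sample: five 16 KB bwgo*.exe files a day apart, plus two small .ico files."""
    names = ["bwgo00ae81%02d.exe" % i for i in range(5)] + ["earnmoney.ico", "netflix.ico"]
    for i, name in enumerate(names):
        path = os.path.join(folder, name)
        with open(path, "wb") as fh:
            fh.write(b"\0" * (16384 if name.endswith(".exe") else 766))
        os.utime(path, (1_150_000_000 + i * 86400,) * 2)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(repeated_executables(triage(tmp)))
```

The thread's own figures fit this model: 21,860 files totalling 349 MB is about 16 KB each, and 690 MB on disk is about 32 KB each.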
 
Gabriele said:

Thank you, Gabriele. Those sites tell me where the problem is/was. I say
was, because I was using F-Secure for my virus program until about 9
months ago. I don't think I have Backweb on my computer right now but
I'll try to find out.

Thanks also to Ken for spelling it all out for me. Thanks to everyone
who offered advice on this series of questions. I've scanned for viruses
successfully with 3 different programs now and everything seems to be
working just fine. (The 3rd one was the free F-Secure scan I found after
reading the above links.)

Steve
 