Hidden monster

I seem to have a little monster hidden in my computer and I can't make
it go away. It is located here:
C:\Documents and Settings\windows\Local Settings\Temp\Temporary Internet
Files\Content.IE5AR1V2XT
Inside that last folder there is a small file (I can see that it was
created about 2 months ago and that it is 2.33 KB in size).
As far as I can tell, it is doing nothing bad except that I am 99% sure
it is the file that is preventing virus scans to abort on my computer.
The name of the file is a little under 200 characters long and its name
starts with:  "Type=click&FlightID=15993&AdID=28355....."
The thing about this file is that it can't be deleted, renamed, moved,
or opened. The part of the name that says AdID= makes me wonder if it is
some sort of Ad Ware.
Not only can it not be deleted but I can't delete any folder that
contains it. I discovered this when I was dumping all my .tmp files.
Over 1300 .tmp files were stored in C:\Documents and Settings\windows\
and I couldn't delete them as a batch because the little monster was in
the folder farther down the chain. When I right click that file, I only
get 2 choices: "open with" and "send to". I can't actually open it and
the places I can send it to look like they might only copy the bad file
there. I don't want more of them!
When I try to delete the folder that it is in (or any folder farther
back) I get an error message that says: "Cannot delete TYPE_C~1:Cannot
find the specified file."
Does anybody know what this thing is?
Does anybody know how to get rid of it? (I already tried safe mode)
If I don't get an answer here, where might I ask to find the answer?

Sorry to be so wordy,
Steve

Re: Hidden monster

tlswilso@aol.com says...

http://www.purgeie.com/delinv/index.htm might be worth a try
--
The accident involved dark chocolate.
http://news.bbc.co.uk/1/hi/world/americas/5264566.stm?ls

Re: Hidden monster

Steve wrote:

It may be a locked file (see below), but if it's a problem because of
the desktop's (Explorer's) limitations, you may have success via the
command line.

Open the command line window, and try del from there. del can be
used with wild cards. EG,

del AB*

will delete all files with names beginning AB

If del doesn't work, try attrib with wild cards, like this:

attrib *.* -r -s

That will remove the read-only and system-file attribute flags on all
files in that folder. You should then be able to delete the monster.

However, you may get an Access Denied message. This would mean that the
file is locked by Windows, which it does with any files it happens to be
using at the time. It's a bad idea to delete locked files, no matter how
large they are.

Windows may also lock a file that should be deletable. An incorrect
registry key can cause this. Cleaning the registry will enable deletion
of such files. You should do that whenever you delete or move a number
of files, BTW, since Windows does not automatically remove or rewrite
the relevant registry keys - a major flaw in registry design IMO, but
who am I to criticise the gods at Redmond?

BTW, an uninstall does not remove locked files or shared *.dlls, etc.
You have to reboot before you can delete those. Leftover bits of
uninstalled programs can take up a surprising amount of disk space.

HTH

Re: Hidden monster

Couldn't you just boot into safe mode and delete the file? In regular mode
it is probably loading into memory and can't be deleted.
-Pete



Re: Hidden monster

Pete@nospam.com says...


 He said he'd tried Safe Mode.

--
The accident involved dark chocolate.
http://news.bbc.co.uk/1/hi/world/americas/5264566.stm?ls

Re: Hidden monster

Pete wrote:
[skip instructions for using command line]

I think that the command line delete may work in safe Mode if it doesn't
work in regular mode. It depends what's locking the file. Safe Mode
loads a minimal Windows, but I don't know what's left out. It's worth a
try anyhow.

HTH

Re: Hidden monster

On Wed, 06 Sep 2006 10:21:50 -0400, Wolf K wrote:


Aren't there also freewares for unlocking and deleting such files!?


Morgan O.

Re: Hidden monster

Steve, 9/5/2006, 11:41:21 PM,


I would try CrapCleaner first.  Even if it doesn't delete that file it
is a valuable tool to clean your PC at any other time.

Otherwise you might try taking Ownership of that file/folder through
Properties/Security/Advanced permissions.

Re: Hidden monster

badgolferman wrote:

I downloaded CCleaner and used it. The monster and the folder that it
WAS in are gone!
As I write this, I'm first trying to run Trend micro Housecall to see if
it can now finish the scan. As I was just watching, I noticed it was
taking a very long time scanning C:\WINDOWS\TEMP.  It seemed to be
scanning millions of .exe files. It was moving too fast to read the
names of the files but reading the first 3 or 4 digits of the files'
names, it appeared to be running through the same group of files over
and over for at least 20 minutes. (It has now moved on to a different
folder.)
Now I'm looking at what is inside C:\WINDOWS\TEMP.  Properties says that
TEMP folder contains 21,860 files and 7 folders and is 349 MB in size
but the size on disk is 690 MB. Well that seems kind of huge!
Inside, there are indeed many thousands of .exe files. A typical name:
bwgo00ae8174.exe.  They all seem to start with bwgo. There are also a
few files such as earnmoney.ico and netflix.ico. I checked the
properties of these two and the created and modified dates are from
June, 2003. Now the obvious questions:

Why are there thousands of .exe files in a TEMP folder?
Is there any way that these are supposed to be there?
CCleaner didn't seem to care about them and just left them alone. What
should *I* do?

Steve
PS  Housecall is still scanning. It's working its way through the
program files right now. It's time for bed so I'll find out in the
morning if it managed to finish.

Re: Hidden monster

Steve, 9/7/2006,12:35:49 AM, wrote:


Check the options of Crap Cleaner.  Make sure everything under System
except for Recycle Bin is checked.  If that doesn't do it then just
empty the folder manually.

Those .exe files are usually from installations.  Do you install files
as you download them or first save to a folder and then install?

--
"Good judgment comes from experience, and a lot of that comes from bad
judgment." ~ Will Rogers

Re: Hidden monster

badgolferman wrote:

I do sometimes download things that way but I don't think I have
downloaded over 21,000 things in my whole life.
Also, every single one of those 21,000+ .exe files starts with "bwgo0",
no exceptions. I spot checked several of them and they all seem to be
exactly 16.0 KB in size.
The variety of dates and sheer number of files makes me think that
something has been leaving those files in there on a regular basis since
I started using this computer. Weird.

Steve

Re: Hidden monster

On this special day, Steve wrote:


read
http://www.liutilities.com/products/wintaskspro/processlibrary/backweb-8876480/
http://support.f-secure.com/enu/corporate/supportissue/av5/usage/usage-issue-2003011500.shtml

and update the program.


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away, just so,
at no cost.

Re: Hidden monster

Gabriele Neukam wrote:

Thank you, Gabriele. Those sites tell me where the problem is/was. I say
was, because I was using F-Secure for my virus program until about 9
months ago. I don't think I have Backweb on my computer right now but
I'll try to find out.

Thanks also to Ken for spelling it all out for me. Thanks to everyone
who offered advice on this series of questions. I've scanned for viruses
successfully with 3 different programs now and everything seems to be
working just fine. (The 3rd one was the free F-secure scan I found after
reading the above links.)

Steve

Re: Hidden monster

tlswilso@aol.com says...
Backweb creates temporary files named bwgo*.exe in your temporary
folder.

Backweb is currently being distributed as a standalone program for
receiving notifications from various sources.

Backweb is also used by F-Secure Antivirus which uses backweb to get
its database updates from f-secure. If you have F-Secure Anti-virus
5.x installed, this is most likely the case.
 
As far as the size on disk is concerned, that is expected.  No matter
what size or how small a file is, its size on disk will be based on
sector size.  If this is 32kb and your files are 16 kb, they will still
use 32kb on disk.
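
The pattern described in this thread (thousands of same-prefix, same-size files accumulating over time, with size on disk about double the file size) can be checked with a short triage script. This is an added example, not code from any poster here; the function names, the constructed sample files and the 32 KB allocation unit (the figure used in the reply above) are assumptions for illustration.

```python
import os, re, tempfile
from collections import defaultdict

def size_on_disk(size, cluster):
    """Bytes allocated when space is handed out in whole allocation units."""
    return -(-size // cluster) * cluster  # round up to a multiple of cluster

def triage(folder, cluster=32 * 1024):
    """Group files by (leading letters of name, extension) and summarise each group."""
    groups = defaultdict(lambda: {"count": 0, "bytes": 0, "on_disk": 0,
                                  "sizes": set(), "oldest": None, "newest": None})
    for entry in os.scandir(folder):
        if not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        stem, ext = os.path.splitext(entry.name.lower())
        g = groups[(re.match(r"[a-z]*", stem).group(0), ext)]
        g["count"] += 1
        g["bytes"] += st.st_size
        g["on_disk"] += size_on_disk(st.st_size, cluster)
        g["sizes"].add(st.st_size)
        g["oldest"] = st.st_mtime if g["oldest"] is None else min(g["oldest"], st.st_mtime)
        g["newest"] = st.st_mtime if g["newest"] is None else max(g["newest"], st.st_mtime)
    return dict(groups)

def build_sample(folder, n=200):
    """Constructed sample: n 16 KB 'bwgo' files dated one day apart, plus one icon."""
    for i in range(n):
        path = os.path.join(folder, "bwgo%08x.exe" % (0xae8174 + i))
        with open(path, "wb") as f:
            f.write(b"\0" * 16384)
        day = 1_060_000_000 + i * 86400  # constructed timestamps
        os.utime(path, (day, day))
    with open(os.path.join(folder, "netflix.ico"), "wb") as f:
        f.write(b"\0" * 3000)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        report = sorted(triage(d).items(), key=lambda kv: -kv[1]["count"])
        for (prefix, ext), g in report:
            days = (g["newest"] - g["oldest"]) / 86400
            print(f"{prefix or '?'}*{ext}: {g['count']} files, "
                  f"{len(g['sizes'])} distinct size(s), {g['bytes']} bytes, "
                  f"{g['on_disk']} on disk, spread over {days:.0f} days")
```

To run it against a real folder, call `triage()` with that path and the volume's actual allocation unit size; a single group with one distinct size and a long date spread points to one program leaving files behind on a schedule.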
