
43 Posts


November 6th, 2004 18:00

Problematic folder: Downloaded Program Files under C:\Windows

I have a Dimension 8250 PC (2.4 GHz, 512MB RAM) running XP Home SP1.  I suspect that the folder "Downloaded Program Files" located in the C:\Windows directory is damaged or corrupted and, if so, I would like to get advice on how to repair it.  Here are details about this problem.

Norton Antivirus 2004 reports that my computer has the adware threat SAHAgent in the folder noted above.  NAV identifies three files there: SAHAgent_.exe, SAhHTML_.exe, and SAHUninstall_.exe, but indicates deletion failure when the Delete button is selected in the scan window.  Windows Explorer shows no such files in the Downloaded Program Files folder or anywhere else on my computer (with all hidden folders and files and system files displayed).  There are no references to these files in the registry, either.  Using instructions from Symantec's web site, I cannot find any evidence that the SAHAgent adware is on my computer (files and registry).  I also am running AdAware SE and Spybot S&D; my computer may once have been infected with the SAHAgent adware, but it may have been removed by either of these programs.  Unfortunately, I had already purged the quarantine/backup files in these programs prior to discovery of this problem, so I cannot check this out.

Presently, Windows Explorer lists three objects in my Downloaded Program Files folder; they are named "Shockwave Flash Object", "SysProWmi Class", and "MrSIDI Control".  (The latter is a viewer downloaded from Ancestry.com.)  There were also two additional objects that were listed as "Damaged" that I removed, using Control Panel/Internet Options/Temporary Internet Files (Settings button)/View Objects.  The name of one of these damaged files was a long string of hex characters; I do not recall the precise name of the other file; the word "image" may have been contained in the name.

When I right-click on the folder Downloaded Program Files in Windows Explorer and select Properties, the information box that opens says there are 11 files (and 0 folders), not three files as I would expect from the Windows Explorer listing (unless the objects contain multiple files).

So presently I have this Downloaded Program Files folder that does not contain the adware files that NAV reports are in that folder, and the folder properties reported by Windows Explorer (number of files in that folder) do not agree with the number of objects listed for that folder by Windows Explorer.  NAV thinks this folder contains three adware files that do not appear to be present; is NAV reading some sort of index file for this folder, rather than the folder itself, that has not been or cannot be updated?  Is my Downloaded Program Files folder damaged or corrupted?  If so, can it be repaired?  How can I get NAV to stop reporting the presence of the SAHAgent adware (short of simply telling NAV to ignore it)?  I think my computer is not infected with this adware, but is that really true?  Is the Downloaded Program Files folder some type of special file (not a DOS file folder)?  It is present in Windows Explorer, but does not appear in a "DIR" command for C:\Windows in a Command Prompt window.

I would be very appreciative for any help with this issue!

TAH

2.7K Posts

November 6th, 2004 22:00

71 Posts

November 7th, 2004 03:00

Read THIS before you go any further!!!!!!!

2.7K Posts

November 7th, 2004 11:00

I think that is the same link as I posted

43 Posts

November 7th, 2004 15:00

Dunedin and Flgolfnut -- thanks very much for your responses!

I checked out the removal instructions for SAHAgent at the SpyAny URL you provided.  I have not actually performed any of the removal operations described there, but I searched on my computer all folders, registry, and the "Start>Control Panel>Add/Remove Programs" listing for all of the items (files, registry entries, and programs) specified in the SpyAny instructions, including the procedure for manual removal of SAH Agent.

None of the specified items noted above are present on my computer.  I would not be able to perform any of the removal operations because there is nothing to remove!  This finding adds to my feeling that my computer presently is not actually infected with SAHAgent, though it may have been previously.

I tried searching my registry for the strings "shopathome" and "golden retriever" (an alternate name for the SAHAgent adware).  Several entries were found, and I have copied them below in the hope that a clue is there as to why NAV continues to report infection with SAHAgent.

Thanks again!

TAH

Search for string "shopathome"

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
     (Name: 011; data: shopathome)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\zip
     (Name: a; data: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopAtHome.zip)
[Note: there is no such file "ShopAtHome.zip" on my computer, despite this registry reference to it.]

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
     (Name: (Default); data: 0x00000005 (5))

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
     (Name: (Default); data: 0x00000005 (5))

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
     (Name: (Default); data: 0x00000005 (5))

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
     (Name: (Default); data: 0x00000005 (5))

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
     (Name: (Default); data: 0x00000005 (5))

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
     (Name: (Default); data: 0x00000005 (5))

HKEY_USERS\S-1-5-21-3849651895-3067381501-290885498-1006\Software\Microsoft\Search Assistant\ACMru\5603
     (Name: 012; data: shopathome)

HKEY_USERS\S-1-5-21-3849651895-3067381501-290885498-1006\Software\Microsoft\CurrentVersion\Explorer\COMDlg32\OpenSaveMRU\zip
     (Name: a; data: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopAtHome.zip)
[Note: there is no such file "ShopAtHome.zip" on my computer, despite this registry reference to it.]

HKEY_USERS\S-1-5-21-3849651895-3067381501-290885498-1006\Software\Microsoft\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
     (Name: (Default); data: 0x00000005 (5))

Search for string "golden retriever"

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
     (Name: 014; data: goldenretriever)

HKEY_USERS\S-1-5-21-3849651895-3067381501-290885498-1006\Software\Microsoft\Search Assistant\ACMru\5603
     (Name: 014; data: goldenretriever)

2.7K Posts

November 7th, 2004 17:00

A lot of these entries are just "History" which you could get rid of by deleting history in IE.

Some more are in Spybot's backup of deleted items and they won't do any harm there.

If your machine is running without problems I would be inclined to ignore Norton.

Your other option, which would identify them properly and allow for deletion, is to download and run HijackThis.

Do not try to delete anything yourself.

Hijack This: http://www.majorgeeks.com/download3155.html

Make a special folder in My Documents to download it to. Set it to "Scan" and then to create its "Log". This will be long, but copy all of it into Notepad and post it to be checked.

 

43 Posts

November 7th, 2004 18:00

Dunedin -- thanks!

My machine seems to be running fine, so for the time being I will just ignore Norton's reporting of SAHAgent.  Later I will download HijackThis and generate a log file, as you recommended.

Thanks, again!

TAH

2.7K Posts

November 7th, 2004 21:00

You are very welcome.

You'll know it is time to run HijackThis if you start getting pop-ups or are hijacked to their site.

4.4K Posts

November 8th, 2004 22:00

Most of those registry entries (the ones with MRU in the key name) are just the caches of file names you have searched for. It does not mean the files are or were on your drive. For example, the first one just records the fact that you searched for 'shopathome' in Search Companion. The names you searched for are listed in the Search Assistant\ACMru key. If you use Search and type s in the box 'all or part of a file name', 'shopathome' would appear (together with any other previous searches starting with s) as a suggestion in a dropdown list below the box.

Such entries remain until you clear the cache. You can do that in several ways, e.g. using Spybot (in advanced mode, Settings tab, File Sets, check Usage Tracks to include these), or Adaware SE also gives the option to clear MRU entries. Or you can delete them manually in Search (highlight the entries that appear one at a time and press the Delete key), or you can right click and delete in the registry.

The entries in a \P3P\History\ key were put there (not sure if it is by Spybot, Adaware or SpywareBlaster as I have all three) to block those sites from downloading things. The key should contain one DWORD, called Default and with a value 0x00000005. Leave those, they are protecting you.

As for the folder C:\Windows\Downloaded Program Files, it contains the ActiveX controls you have downloaded at some point. These include embedded files (right click on one of them, click Properties, Dependency tab, and you'll see a list of files; some may be system files the ActiveX control uses, and then the path to the file will point to the Windows folder the file is in; but other files are embedded in the ActiveX control: the path points to the C:\Windows\Downloaded Program Files folder, but the file is not separately listed there). For example, SysProWMI Class (the Dell system profiler ActiveX control) depends on the file C:\Windows\download...\syspro.inf*, but that file does not show in the folder contents.

You might check what files MrSidi control depends on. I don't have that one.  The other two you mentioned are OK.

You can safely remove an ActiveX control (right click, remove). Should you need it again when visiting the site it got downloaded from, it will just be downloaded again.

 

Message Edited by JRosenfeld on 11-09-2004 12:46 AM

Message Edited by JRosenfeld on 11-09-2004 12:50 AM
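The triage logic in the reply above (MRU keys are only autocomplete caches, OpenSaveMRU paths need not exist any more, and a \P3P\History\ entry holding DWORD 5 is a per-site privacy block rather than an infection) can be applied mechanically to a registry search. The following is an added example, not code from this thread or from any of the tools named in it: it parses a .reg-style export (a constructed sample that mirrors the hits TAH posted, plus one made-up "ExampleAdware" Run entry so the fall-through case is exercised) and classifies each hit that matches the search term. The "investigate" catch-all category is my own assumption for anything that is not one of the caches the reply describes.

```python
"""Classify registry search hits for an adware name into cache/history
entries versus entries that actually warrant a look. Added example; the
categories follow JRosenfeld's reply, the sample export is constructed."""
from collections import Counter

# Constructed .reg export. The first three keys mirror the thread's hits;
# the last one is an invented entry so that the "investigate" branch runs.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"011"="shopathome"
"014"="goldenretriever"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\zip]
"a"="C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\ShopAtHome.zip"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com]
@=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleAdware"="C:\\Example\\shopathome_agent.exe"
'''


def parse_reg_export(text):
    """Yield (key_path, value_name, raw_data) for every value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new key section
        elif key and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            yield key, name, data


def classify(key, name, data):
    """Return (category, explanation) for one registry value."""
    k = key.lower()
    if "\\search assistant\\acmru" in k:
        return "search-history", "Search Companion autocomplete cache: records what was typed, not a file on disk"
    if "\\opensavemru" in k:
        return "open-save-history", "Open/Save dialog MRU: the path was once chosen and need not exist any more"
    if "\\p3p\\history\\" in k:
        if data.lower() == "dword:00000005":
            return "privacy-block", "per-site privacy setting that blocks the domain; leave it in place"
        return "privacy-setting", "per-site privacy setting with a value other than 5; check what set it"
    return "investigate", "not a known cache or privacy key; verify whether the referenced item exists"


def triage(reg_text, needle):
    """Return a list of classified hits whose key or data contains `needle`."""
    needle = needle.lower()
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if needle in key.lower() or needle in data.lower():
            category, note = classify(key, name, data)
            hits.append({"key": key, "name": name, "data": data,
                         "category": category, "note": note})
    return hits


def summarize(hits):
    """Count hits per category, so the 'investigate' bucket stands out."""
    return dict(Counter(h["category"] for h in hits))


if __name__ == "__main__":
    results = triage(SAMPLE_REG, "shopathome")
    for h in results:
        print(f"[{h['category']}] {h['key']} :: {h['name']} = {h['data']}\n    {h['note']}")
    print(summarize(results))
```

Run against a real export (regedit's File > Export produces this format), only the entries in the "investigate" bucket need a file-existence check; everything else is the history residue the reply describes. Note that "goldenretriever" in the sample does not match the "shopathome" search, so a second run with that term is needed to cover the alternate name.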

43 Posts

November 9th, 2004 20:00

JRosenfeld -- thanks very much for your informative and useful response!

FYI, the object in Downloaded Program Files pertaining to the image viewer Mr Sid has these file dependencies: MRSIDI.INF (in C:\Windows\Downloaded Program Files), MRSID.ICO (in C:\Windows), and MRSID.OCX (in C:\Windows).

Do you have any idea why NAV 2004 continues to report the three SAHAgent adware files in Downloaded Program Files folder, even though these files are not present in this or any other folder on my computer?  Could there be some kind of table of contents for the Downloaded Program Files folder that somehow did not get updated when the SAHAgent adware was removed by (I assume) the AdAware SE and/or SPYBOT 1.3 programs I am running?

Thanks, again!

TAH


4.4K Posts

November 9th, 2004 22:00

No, I do not know why NAV 2004 is reporting that. The only thing I can suggest is that you look through their pages on SAHAgent and check out whether you have any of the registry entries they indicate (try the first link on this search results page first as it seems the most relevant).

http://search.symantec.com/custom/us/query.html

What happens if you let NAV fix what it thinks is the problem?

43 Posts

November 9th, 2004 23:00

Prior to writing to this forum, I did review Norton's description of SAHAgent.  I searched the folders and registry of my computer for items (files and registry entries) Norton associated with this adware, but found none.

When I instruct Norton to delete the SAHAgent files (SAHAgent_.exe, SAhHtml_.exe, and SAHUninstall_.exe) it says it finds in the Downloaded Program Files folder, Norton reports that the deletion attempt failed.

TAH