Can't get rid of abasa5jrp_.exe (Adware.SAHAgent)

Hi:

I need some real help here !

This one has really got me. I have wasted more time on trying to get rid of these files than anything I can think of.
I have spent several hours working on this.

So here it is:

I ran NAV and it came up with ( 1 at-risk file ) The file was found in C:\WINDOWS\Downloaded Programs Files

Filename - ( abasa5jrp_.exe ) Threat name - ( Adware.SAHAgent )

I tried to delete it and NAV could not delete it.

I have Spybot S&D and it finds nothing.

I have been on line for many hours trying the things I have found on forums and still cannot get rid of the files.
I cannot find the program itself. I think what has happened is, I downloaded a program with this Adware in it and then I removed the program. I think I know what program it was. I'm guessing that these are left over files from that program.
I have done everything I can find on line and think of, and they still are there according to NAV and Panda. I have run HJT, CWShredder, Panda, AboutBuster, and AD-Aware with no luck getting rid of them. Panda found two more files related to what NAV found and they were also in C:\Windows\Downloaded Program Files. There is no trace of the programs, that I can find in my Registry.

I have all the right things checked and unchecked to show hidden files and folders. When I go to the downloaded program files folder
and bring up Properties it says it has 12 files. When I open the folder there are 6 downloaded programs in there.

So do I have a problem here or just some left over files ?

I really don't want to do a Clean Install to get rid of this.

I'm here to see if someone can help me with this before I have to resort to a clean install.

Thank you for your time reading this. I know it is lengthy but this is where I stand at this point, and I'm looking for some help.

Comments

  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    We need to get a look at what's running on your computer in order to help you. Please follow the directions at this link to download a tool called Hijackthis and post a log.

    http://www.short-media.com/forum/showpost.php?p=172584&postcount=2
  • edited March 2005
    Here is HJT log.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:22:51 PM, on 3/4/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
    C:\Program Files\Weather Pulse\weatherpulse.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Administrator\My Documents\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [OEBackup] C:\Program Files\Genie-Soft\Outlook Express Backup\OEBackup.exe -reminder
    O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
    O4 - HKCU\..\Run: [Weather Pulse] C:\Program Files\Weather Pulse\weatherpulse.exe
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109184468250
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{62468AE8-525D-4648-831D-C810848D9B36}: NameServer = 12.166.20.10 12.166.20.2
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    You've got nothing bad showing in your log, so you're probably right. It's just remnants of something left over. Not too much to worry about, but let's see if we can get rid of it.



    Download and install Microsoft's Antispyware application.

    http://www.microsoft.com/athome/security/spyware/software/default.mspx


    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows


    Reboot your computer into Safe Mode



    Run a full scan with MS Antispyware while in Safe Mode. It should be able to delete everything that it finds.
  • edited March 2005
    I did all of the things you suggested.
    I even turned off system restore while doing it.
    The scan found nothing. ( 0 )

    I ran NAV after the scan, while in safe mode, and it still
    comes up with the ( abasa5jrp_.exe ) ( Adware.SAHAgent ) Threat.

    What do you think ?
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    I think that Norton can't even detect a lot of viruses, let alone adware.

    In light of all the scans coming up clean and nothing shows in your hijackthis log, I would disregard it as a false positive from Norton.
  • edited March 2005
    Well Sam :

    I'm thinking along the same lines but, Panda comes up with :


    Incident                  Status           Location
    Adware:Adware/SAHAgent    No disinfected   C:\WINDOWS\Downloaded Program Files\abasa5jrp_.exe
    Adware:Adware/SAHAgent    No disinfected   C:\WINDOWS\Downloaded Program Files\lkir8l2gm_.dll
    Adware:Adware/SAHAgent    No disinfected   C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe

    So there is probably something there.

    I have been trying to see these files and cannot find a way to find them.

    If they are in that folder I would think there would be a way to see them.
    I just haven't found a way to do it.

    Then again the program they are supposed to come from just doesn't seem to be there or anywhere.
    I'm beginning to think they are just left over files.

    My question is, why can't I find them ?

    Thanks for your time Sam I appreciate it and maybe I can come up with something before long.

    Thanks.
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    Run explorer and navigate to this folder.

    C:\WINDOWS\Downloaded Program Files

    You should see some things listed that you recognize and some that you may not. Start with the ones that you don't. Right click and select Properties. Then click on Dependency. You're looking for the filenames that Panda found.

    abasa5jrp_.exe
    u6f6uftuc_.exe
    lkir8l2gm_.dll

    Let me know what you find.
  • edited March 2005
    Ok Sam here it is:

    I put down the Code Base from the General tab too so you could see where these files come from.
    As you can see they are from SYMANTEC, PANDASOFTWARE, SUN JAVA, MSN MESSENGER, and MICROSOFT UPDATE.

    I don't see anything there to be a problem. I don't think any of these programs downloads spyware like SAHAgent.

    I will tell you where I think it came from was WeatherBug. I had it downloaded and decided to get rid of it so I uninstalled it.
    I think that is where the problem might have originally come from.




    1. General - https://www-secure.symantec.com/techsupp/asa/SymAData.cab

    Dependency - C:\WINDOWS\DOWN...\SYMADATA.DLL


    2. General - http://www.pandasoftware.com/activescan/as5/asinst.cab

    Dependency - C:\WINDOWS\DOWNLOA...\ASINST.DLL
    C:\WINDOWS\DOWNLOA...\ASINSY.NIF


    3. General - http://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab

    Dependency - C:\WINDOWS...\JINSTALL-1_5_0_01.INF*


    4. General - http://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab

    Dependency - (There was nothing here)


    5. General - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

    Dependency - C:\WINDOWS\DOWN...\LSSUPCTL.DLL
    C:\WINDOWS\DOWN...\LSSUPCTL.INF


    6. General - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

    Dependency - ...\MSNMESSENGERSETUPDOWNLOADER.INF
    ...\MSNMESSENGERSETUPDOWNLOADER.OCX

    7. General - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109184468250

    Dependency - C:\WINDOWS\DOWNLO...\WUWEB.INF*
    C:\WINDOWS\SYSTE...\WUWEB.DLL*
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    Click Start -> Run - type regedit and click OK. Now click F3 and search for any reference of these files.

    abasa5jrp_.exe
    u6f6uftuc_.exe
    lkir8l2gm_.dll


    Let me know what you come up with.
  • edited March 2005
    I searched the registry for each of the three and all it said was ( Finished searching through the registry ).

    Sam, last night I took a more drastic move toward this situation.

    I deleted all the programs in the ( Downloaded programs folder ) and removed all the programs related to them
    through ( Add and Remove Programs )

    The Downloaded Programs folder was clean ( Empty ) nothing in it at all.

    I installed NAV and ran a scan on the empty folder. It came up with the same thing (C:\WINDOWS\Downloaded Program Files\abasa5jrp_.exe) ( Adware.SAHAgent )

    I checked the folder and it was indeed empty. I went to properties on the folder and it said it had (6) files.

    I'm not sure what is going on here but, let us say that NAV and Panda are right. That would seem to mean that 3 of those 6 files are the SAH Adware files and the other 3 are files that make up the empty folder. If that is truly the case then that must mean
    that the SAH Adware files have got embedded in the files that make up the Downloaded Programs Files folder.

    How that could happen, I have no idea but, if that is true I think I'm looking at a clean install of the OS to be able to ever get rid of
    them.
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    I would hardly recommend formatting your hard drive to get rid of something that only shows up in two scans and doesn't cause you any problems. Those programs are not running on your computer, as evidenced by clean scans from Adaware, Spybot, and Microsoft's Antispyware. All three of those programs are designed specifically with one purpose in mind - detect and remove spyware and adware. Norton and Panda are not. I'm still distrustful of those two programs finding something that the other three do not detect.

    There's one more program (A2) that you might want to try. It's very good at detecting spyware, as well as trojan viruses.

    http://www.emsisoft.com/en/software/free/
  • edited March 2005
    I will give it a try.

    Thanks
  • edited March 2005
    Ok Sam :

    I downloaded a2 and ran the scan on my complete system three times.
    It came up clean every time.
    I even ran a scan twice after that on that particular folder, ( Downloaded Programs Files ), Nothing !

    I don't have any idea where these antivirus programs are coming up with the
    results they come up with.
    The spyware, adware, and programs like HJT come up clean every time.

    I don't know if it is possible or not but, this is a reformatted drive with a clean install on it. I just reinstalled the OS about two weeks ago. I'm wondering if they can read through the first layer and find this stuff on the old layer under the new one ?
    That's about all I can think of.

    Anyway Sam, I think I'm going to call this case closed and just go on till something comes up and proves that I need to do something more.

    It must be a false positive somehow.

    I thank you for your time and effort. I can see by the posts in ShortMedia that you are a busy man and I don't think you or I should spend anymore time on this. There are too many other problems out there that need the attention more than this does.

    Sam I will be checking back in from time to time at ShortMedia to see if there is anything I can help with.

    This is just the first time I had not been able to come up with a rock solid solution to a problem with my computers.

    Thank you Sam again, best of luck to you and yours, and may all your dreams be in color !

    nickw
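
Added example, not part of the original thread or any poster's code: a Python sketch of the log triage discussed above. It checks whether any HijackThis line references the three file names NAV and Panda reported, and lists the code-base host behind each O16 (Downloaded Program Files) entry. The log excerpt is abridged from the posted log and the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines abridged from the HijackThis log in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Weather Pulse\weatherpulse.exe
O4 - HKCU\..\Run: [Weather Pulse] C:\Program Files\Weather Pulse\weatherpulse.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# File names reported by NAV and Panda in the thread.
FLAGGED = ["abasa5jrp_.exe", "u6f6uftuc_.exe", "lkir8l2gm_.dll"]
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")

def parse_log(text):
    """Split a HijackThis log into running processes and (code, body) O-entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def dpf_hosts(entries):
    """Map each O16 (Downloaded Program Files) CLSID to its code-base host."""
    hosts = {}
    for code, body in entries:
        m = DPF_RE.match(body) if code == "O16" else None
        if m:
            hosts[m.group(1)] = urlparse(m.group(3)).hostname
    return hosts

def references(text, names):
    """Return every log line that mentions a flagged file name (case-insensitive)."""
    return [l.strip() for l in text.splitlines()
            if any(n.lower() in l.lower() for n in names)]

if __name__ == "__main__":
    procs, entries = parse_log(SAMPLE_LOG)
    print(dpf_hosts(entries), references(SAMPLE_LOG, FLAGGED))
```

An empty result from `references` only shows that nothing in the log loads the flagged files; it says nothing about whether the files exist on disk.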
This discussion has been closed.