You are here:
Computer Security & Viruses/Webwatcher removal
Advertisement
Question
QUESTION: I really want to remove webwatcher, but I can't find it with any of my
spyware/virus/adware scanner programs. I've searched for the file in safe
mode by using the search option in the folder menu and typing the .exe
name of the program in run, but it's still not there. How can I remove it?
ANSWER: Hi Alice
Please follow the instructions below:
Please download Malwarebytes' Anti-Malware to your desktop from here:
http://www.besttechie.net/tools/mbam-setup.exe
Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to
o Update Malwarebytes' Anti-Malware
* then click Finish.
* If an update is found, it will download and install the latest version.
*Click the box to run a Full Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Save that log to your desktop.
Next, please download HijackThis to your desktop from here:
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe
Make sure you close EVERY open window and ALL browser windows. The only thing that should be open is the HijackThis program.
Double-click on the file you just downloaded.
Click on the "Install" button.
Upon install, HijackThis should open for you.
Should it not open, go to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe
Choose 'Do a system scan and save a log file'.
Copy the text file which opens in Notepad and paste it into your follow-up to me, along with the log from Malwarebytes.
* Do not fix any entries in HijackThis, as they may be harmless.
Brian
---------- FOLLOW-UP ----------
QUESTION: followup:
Here are the logs you requested:
MALWAREBYTES LOG:
Malwarebytes' Anti-Malware 1.37
Database version: 2229
Windows 5.1.2600 Service Pack 3
04/06/2009 19:01:42
mbam-log-2009-06-04 (19-01-42).txt
Scan type: Full Scan (C:\|E:\|)
Objects scanned: 205041
Time elapsed: 1 hour(s), 21 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
HIJACKTHIS LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:13:33, on 04/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\veladd\atisvc_ncqox.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft
Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\wpsscannersvc.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\veladd\atisvc_ncqox.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Dad\Local Settings\Temp\{9D013CE0-
7EE8-4973-8E75-7C14B57D217F}\{80CD64AA-7406-4508-BFDF-
2DFE7F1F8EF0}\AutoConnect.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\WTMKM.exe
C:\Program Files\Common Files\Ulead
Systems\AutoDetector\monitor.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Documents and Settings\Alice 2\Local Settings\Application
Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ShortKeys2\shklite.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?
LinkId=69157
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?
LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-
7695ECA05670} - C:\Program
Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-
FA578C2EBDC3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}
- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} -
(no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-
5164760863C6} - C:\Program Files\Common Files\Microsoft
Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-
79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-
CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-
0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-
79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AutoConnect] "C:\Documents and
Settings\Dad\Local Settings\Temp\{9D013CE0-7EE8-4973-8E75-
7C14B57D217F}\{80CD64AA-7406-4508-BFDF-
2DFE7F1F8EF0}\AutoConnect.exe" BCMALL
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program
Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program
Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky
Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows
Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MacrokeyManager] WTMKM.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common
Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program
Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program
Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program
Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows
Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alice
2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe"
/nosplash /minimized
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User
'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User
'Default user')
O4 - Global Startup: ShortKeys Lite.lnk = C:\Program
Files\ShortKeys2\shklite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-
4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky
Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-
3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-
f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-
4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-
11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-
FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-
1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KA
SPER~1\KASPER~1\mzvkbd3.dll
O20 - Winlogon Notify: avgrsstarter -
C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program
Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: atisvc_ncqox - Unknown owner -
C:\WINDOWS\system32\veladd\atisvc_ncqox.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ,
s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab -
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program
Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn,
Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program
Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) -
Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: WPS Wi-Fi Scanner Service (wpsscannersvc) - Skyhook
Wireless - C:\Program Files\Skyhook Wireless\Wi-Fi
Service\wpsscannersvc.exe
O23 - Service: WTService - Unknown owner -
C:\WINDOWS\system32\atwtusb.exe
--
End of file - 8989 bytes
ANSWER: Hi Alice
Sorry for the delay in response, as I have been away for the weekend. Your log files are clean except for one entry. Please start HijackThis and run a Scan Only. Place a check mark in the box next to the following item, close any open browser windows, then click the Fix Checked button:
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} -(no file)
Now that the computer is cleaned, on to the WebWatcher removal.
1. Open your web browser and navigate to a website that offers an anti-key logging software utility such as Spybot Search and Destroy (see Resources). Locate the downloads area of the web page and click on the download link. Wait for the program's installation file to finish downloading.
2. Close your web browser and return to the computer's desktop. Double-click the "My Computer" icon. Navigate through the folders on your computer's hard drive and find the location where your downloaded files are saved. Double-click the installation file.
3. Click on "Allow" if your operating system brings up a new window asking if you want to let the program run. Follow the instructions to install the anti-key logging program. Restart your computer.
4. Press the F8 key on your keyboard repeatedly when the logo for your computer's manufacturer appears on the screen. Scroll down through the menu options and highlight the "Safe Mode" entry. Press "Enter" to load the computer's operating system in safe mode.
5. Open the "Start" menu and click on the search box. Type in the phrase "atww" and wait for the search results to populate. Right-click on the "atww" folder in the search results and then choose the "Delete" option.
6. Open the anti-key logging program by double-clicking its desktop icon. Click on the "Update" button and wait for the program's latest detection algorithms to download. Click on the "Search for Problems" link and wait for the program to finish scanning your computer. Click on "Remove Selected Problems" once the scan has finished to remove the WebWatcher program.
Let me know if you have further questions.
Brian
---------- FOLLOW-UP ----------
QUESTION: I removed the process like you said, and then did a search for 'atww' in
safe mode, but nothing came up. Sooo.. I did a scan and went
downstairs to watch a movie while it scanned because it takes a long
time, but a member of my family decided to start messing with my
computer, and fixed the problems that came up before I could see what
they were. I don't think that webwatcher was removed, though, because
firefox and various other programs are still blocked.
Hi Alice
If the program is still there you should locate the file atww5.3.0.exe. If it is not there, then the program is not installed on your system. You can also try using the free program Revo Uninstaller, which can remove any installed program. Download it from here:
http://www.revouninstaller.com/
Hope that helps. Cheers!
Brian
Related Articles
- Default Program Windows 7 - How to Change the Default Program for a Specific File Extension in Windows 7
- Default Program Vista - How to Change the Default Program for a Specific File Extension in Windows Vista
- Microsoft Word -- Word Files Won't Open in Word
- How to Associate .EML Files and Attachments with Windows Mail or Outlook Express - About Email
- Ubuntu Desktop Guide - Change the default "Open with" program for a file type
Computer Security & Viruses
Answers by Expert:
Brian Benosky
Expertise
I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.
Experience
I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here:
http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm
I am also a Top Contributor of General Computing answers in Yahoo! Questions.
Education/Credentials
College Educated
Self-taught Computer Skills
©2012 About.com, a part of The New York Times Company. All rights reserved.