Unknown folder

Iapetus

I have an unknown folder in the C:\ directory with 25 random capital
letters, currently VWJVFHNEGOVACCHMPVZEUOQJM.

It's always empty and Windows will not delete it. If I erase it during
boot with any of several erase programs it will reappear again with
another 25 random capital letters.

I've scanned the system with Avira, Avast and Malwarebytes with no
detection, apart from a false positive from Avira on
mikes-enhanced-dune2000-trainer.exe, downloaded from
http://michaelshadle.com/projects/dune2000/, which I've been using for a long
time without trouble.


Anyone know what could be causing this directory to keep reappearing?


Using XP Pro SP3.
 
Iapetus

David said:
From: "Diabolic Preacher" <[email protected]>

| You can try to track what is creating the folder with Process Monitor
| http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx which
| contains functionality of erstwhile sysinternals products filemon and
| regmon. Check out the page for a description.
|
| HTH
|
| --
| Diabolic Preacher
| As Is

Or use Process Explorer to do likewise.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

As it's created during the boot up Process Explorer or Monitor won't be
able to say what program is causing its creation.
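One way to act on the Process Monitor suggestion is to export a capture (its boot-logging option records startup activity) to CSV and filter it for the creation of a 25-capital-letter folder under C:\. The script below is an added example, not code from anyone in this thread; it assumes Procmon's CSV column layout (Time of Day, Process Name, PID, Operation, Path, Result, Detail), and the sample rows are constructed.

```python
import csv
import io
import re

# The folder described in the thread: exactly 25 uppercase letters directly under C:\.
SUSPECT_DIR = re.compile(r"^C:\\[A-Z]{25}$")

# Constructed sample of a Process Monitor CSV export. The column layout is assumed to
# match Procmon's "Save as CSV"; the rows themselves are made up for this example.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1000000 AM","explorer.exe","1234","CreateFile","C:\Program Files","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open, Options: Directory, OpenResult: Opened"
"9:01:03.2000000 AM","svchost.exe","880","CreateFile","C:\VWJVFHNEGOVACCHMPVZEUOQJM","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Create, Options: Directory, OpenResult: Created"
"9:01:03.3000000 AM","svchost.exe","880","CloseFile","C:\VWJVFHNEGOVACCHMPVZEUOQJM","SUCCESS",""
"9:01:04.4000000 AM","unknown.exe","2222","CreateFile","C:\ABCDEFGHIJKLMNOPQRSTUVWXY","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Create, Options: Directory, OpenResult: Created"
"9:01:05.5000000 AM","notepad.exe","3000","CreateFile","C:\notes.txt","SUCCESS","Desired Access: Generic Write, Disposition: Create, Options: Synchronous IO Non-Alert, OpenResult: Created"
'''


def find_dir_creations(csv_text, pattern=SUSPECT_DIR):
    """Return (process name, pid, path) for each successful creation of a
    directory whose full path matches `pattern`."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "SUCCESS":
            continue
        detail = row["Detail"]
        # Procmon records the open disposition and options in the Detail column;
        # "OpenResult: Created" separates a fresh directory from a mere open.
        if "Options: Directory" not in detail or "OpenResult: Created" not in detail:
            continue
        if pattern.match(row["Path"]):
            hits.append((row["Process Name"], int(row["PID"]), row["Path"]))
    return hits


def creators_by_process(csv_text, pattern=SUSPECT_DIR):
    """Group the suspect creations by process name so a repeat offender
    across several boot logs stands out."""
    summary = {}
    for name, pid, path in find_dir_creations(csv_text, pattern):
        summary.setdefault(name, []).append((pid, path))
    return summary


if __name__ == "__main__":
    for name, pid, path in find_dir_creations(SAMPLE_CSV):
        print(f"{name} (PID {pid}) created {path}")
```

When the creator turns out to be a host process such as svchost.exe, the Stack tab of that event in the Procmon GUI shows which loaded module issued the call.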
 
§ñühw¤£f

Iapetus <[email protected]> pinched out a steaming pile
of said:
As it's created during the boot up Process Explorer or Monitor won't be
able to say what program is causing its creation.
Rooot Kiiiiiiit.

^_^



 
1PW

Iapetus said:
I have an unknown folder in the C:\ directory with 25 random capital
letters, currently VWJVFHNEGOVACCHMPVZEUOQJM.

It's always empty and Windows will not delete it. If I erase it during
boot with any of several erase programs it will reappear again with
another 25 random capital letters.

I've scanned the system with Avira, Avast and Malwarebytes with no
detection, apart from a false positive from Avira on
mikes-enhanced-dune2000-trainer.exe, downloaded from
http://michaelshadle.com/projects/dune2000/, which I've been using for a long
time without trouble.


Anyone know what could be causing this directory to keep reappearing?


Using XP Pro SP3.

Hello Iapetus:

In the event that §ñühw¤£f is correct, try running GMER:

<http://www.gmer.net/#files>

HTH

Pete
 
David H. Lipman

From: "Iapetus" <[email protected]>

| As it's created during the boot up Process Explorer or Monitor won't be
| able to say what program is causing its creation.

Then it could be protected by a RootKit and is hidden by the OS such as in an ADS or at
least controlled through privileges.

Run a full scan with Gmer.
http://www.gmer.net/
 
David H. Lipman

From: "Art" <[email protected]>

| On Thu, 30 Jul 2009 18:09:54 -0400, "David H. Lipman"

| Pretty geeky! :) Have you found it more effective than others?

| Art

Yes and I have contact with the author.
Gmer just recently updated his Anti RootKit scanner for the latest TDSS threats.
 
Spriva

From: "Art" <[email protected]>

| On Thu, 30 Jul 2009 18:09:54 -0400, "David H. Lipman"


| Pretty geeky! :) Have you found it more effective than others?

| Art

Yes and I have contact with the author.
Gmer just recently updated his Anti RootKit scanner for the latest TDSS threats.

How do you use it? I downloaded it and ran a full scan. It filled the
scan window with hundreds of paths/filenames, but nothing seemed to be
highlighted as any kind of threat. Did I miss anything, or is that how
it is?
 
David H. Lipman

From: "Spriva" <[email protected]>

| On Fri, 31 Jul 2009 16:17:46 -0400, "David H. Lipman"

| How do you use it? I downloaded it and ran a full scan. It filled the
| scan window with hundreds of paths/filenames, but nothing seemed to be
| highlighted as any kind of threat. Did I miss anything, or is that how
| it is?

Most threats would be in Red. Other listings are more subtle to recognize. Limit them
by closing as much running software as possible.
Read the Gmer example pages for hints.
 
Pennywise

How do you use it? I downloaded it and ran a full scan. It filled the
scan window with hundreds of paths/filenames, but nothing seemed to be
highlighted as any kind of threat. Did I miss anything, or is that how
it is?

Do you read? http://en.wikipedia.org/wiki/Rootkit

Or would you rather a PayPal account be set up for you.

Of course you didn't run this Gmer program from your OS, use a USB
boot drive or BOOT CD, the HP program SP27213.exe can create a
bootable USB pen drive, freebies.
 
David H. Lipman

From: "Wolf K" <[email protected]>


[...]|| How do you use it? I downloaded it and ran a full scan. It filled the

| I've installed Ubuntu, along with XP and Win7. GMER listed only MBR
| sectors, some were marked "rootkit like behaviour". I suspect GMER is
| picking up grub's replacement of the Windows MBR. I don't see any
| evidence of bad behaviour in Windows, so I don't think GMER's warnings
| are serious. Is this a reasonable inference?

| TIA
| wolf k.

Yes. A second opinion on the LOG wouldn't hurt.
 
1PW

Wolf said:
David said:
[...]| How do you use it? I downloaded it and ran a full scan. It filled the
| scan window with hundreds of paths/filenames, but nothing seemed to be
| highlighted as any kind of threat. Did I miss anything, or is that how
| it is?


Most threats would be in Red. Other listings are more subtle to
recognize. Limit them by closing as much running software as possible.
Read the Gmer example pages for hints.

I've installed Ubuntu, along with XP and Win7. GMER listed only MBR
sectors, some were marked "rootkit like behaviour". I suspect GMER is
picking up grub's replacement of the Windows MBR. I don't see any
evidence of bad behaviour in Windows, so I don't think GMER's warnings
are serious. Is this a reasonable inference?

TIA
wolf k.

Hello Wolf & Dave:

The most recent GMER (1.0.15.15011), when run on my (GRUB) dual-boot
RHEL5/XP Pro SP3 x86 32bit system, fails to show any comments like
"rootkit like behaviour".

However, this might best be described as comparing apples to oranges
and could be inconclusive without further and much closer like
comparisons.

HTH

Pete
 
David H. Lipman

From: "1PW" <[email protected]>


| Hello Wolf & Dave:

| The most recent GMER (1.0.15.15011), when run on my (GRUB) dual-boot
| RHEL5/XP Pro SP3 x86 32bit system, fails to show any comments like
| "rootkit like behaviour".

| However, this might best be described as comparing apples to oranges
| and could be inconclusive without further and much closer like
| comparisons.

| HTH

| Pete

Gmer has to run from within the possibly affected OS.
 