Unknown folder

I have an unknown folder in the C:\ directory with 25 random capital
letters, currently VWJVFHNEGOVACCHMPVZEUOQJM.

It's always empty and Windows will not delete it. If I erase it during
boot with any of several erase programs it will reappear again with
another 25 random capital letters.

I've scanned the system with Avira, Avast and Malwarebytes with no
detection, apart from a false positive from Avira on
mikes-enhanced-dune2000-trainer.exe, downloaded from
http://michaelshadle.com/projects/dune2000/ and in use for a long
time without trouble.


Anyone know what could be causing this directory to keep reappearing?


Using XP Pro SP3.
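An added example, not part of the original post: a small inventory script that lists directories directly under a drive root whose name has the shape described above (exactly 25 capital letters), records whether each is empty and when it was last modified, and compares the names seen on two boots. The sample tree it builds is constructed in a temporary directory; on the affected machine you would call `find_random_named_dirs("C:\\")` instead. The point is to turn "it keeps coming back under a new name" into a record you can compare boot to boot, rather than deleting the folder by name again.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Shape of the folder name described in the post: exactly 25 capital letters.
RANDOM_NAME = re.compile(r"^[A-Z]{25}$")


def find_random_named_dirs(root, pattern=RANDOM_NAME):
    """List directories directly under `root` whose name matches `pattern`.

    Each hit records whether the directory is empty and its last-modified
    time (UTC, ISO 8601) so that successive boots can be compared.
    """
    hits = []
    with os.scandir(root) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            if not entry.is_dir(follow_symlinks=False):
                continue
            if not pattern.match(entry.name):
                continue
            with os.scandir(entry.path) as children:
                empty = next(children, None) is None
            mtime = entry.stat(follow_symlinks=False).st_mtime
            hits.append({
                "name": entry.name,
                "empty": empty,
                "mtime": datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
            })
    return hits


def diff_snapshots(before, after):
    """Compare the names seen on two different boots.

    A folder that is 'gone' while a 'new' one appears is the pattern the
    post describes: something recreates the directory under a fresh name,
    so deleting it by name is not a fix.
    """
    before, after = set(before), set(after)
    return {
        "gone": sorted(before - after),
        "new": sorted(after - before),
        "persisting": sorted(after & before),
    }


def build_sample_root():
    """Constructed sample tree (not a real system): one empty directory
    named like the one in the post, one normal directory with content,
    and one short-named directory that must not match."""
    root = tempfile.mkdtemp(prefix="root-scan-")
    os.mkdir(os.path.join(root, "VWJVFHNEGOVACCHMPVZEUOQJM"))
    os.makedirs(os.path.join(root, "Program Files", "App"))
    os.mkdir(os.path.join(root, "ABCDE"))
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for hit in find_random_named_dirs(root):
        print(hit)
    # Two constructed boots: the folder came back under a new name.
    print(diff_snapshots(["VWJVFHNEGOVACCHMPVZEUOQJM"],
                         ["QWERTYUIOPASDFGHJKLZXCVBN"]))
```

Running it once per boot and feeding the name lists to `diff_snapshots` gives a simple timeline; the modification time tells you whether the folder is created at startup or later, which narrows down what to watch.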


Re: Unknown folder

Hello,

Use Unlocker to find out which process is preventing it from being deleted
http://ccollomb.free.fr/unlocker/

You can also use it to force-remove all file handles and delete the folder.

--
Regards,
Singapore Computer Home Repair Service
http://www.bootstrike.com/ComputerService/
Video Conversion VHS Video8 Hi8 Digital8 MiniDv MicroMv
http://www.bootstrike.com/VHSVideoConvert/



Re: Unknown folder

On Thu, 30 Jul 2009 02:41:43 +0800, Singapore Computer Service wrote:


<http://www.anta.net/misc/nnq/nquote.shtml>

FYI

Re: Unknown folder

Singapore Computer Service wrote:

It says no handle found. When unlocker deletes the folder another appears.

Re: Unknown folder

On 7/29/2009 8:15 PM, Iapetus wrote:

You can try to track what is creating the folder with Process Monitor
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx which
contains functionality of erstwhile sysinternals products filemon and
regmon. Check out the page for a description.

HTH

--
Diabolic Preacher
As Is
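An added example, not part of the original post or of Process Monitor itself: once Process Monitor has been left running (or, for a folder created during startup, started with Options > Enable Boot Logging before the reboot), the capture can be saved as CSV and filtered offline. The script below reads a constructed CSV in the shape of a Process Monitor export and keeps only the CreateFile events that actually created a directory with a 25-capital-letter name directly under a drive root, which is what points at the responsible process. The process names, PIDs and times in the sample are made up, and the Detail column mimics Process Monitor's CreateFile detail text.

```python
import csv
import io
import re

# A 25-capital-letter directory directly under a drive root, as in the post.
ROOT_RANDOM_DIR = re.compile(r"^[A-Za-z]:\\[A-Z]{25}$")

# Constructed sample in the shape of a Process Monitor CSV export
# (File > Save, CSV). Process names, PIDs and times are made up; the
# Detail column mimics Procmon's CreateFile detail text.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:15:02.1234567 AM","svchost.exe","1044","CreateFile","C:\Windows\Prefetch\LAYOUT.INI","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"9:15:03.0000000 AM","example-dropper.exe","2012","CreateFile","C:\VWJVFHNEGOVACCHMPVZEUOQJM","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created"
"9:15:03.5000000 AM","explorer.exe","1320","CreateFile","C:\VWJVFHNEGOVACCHMPVZEUOQJM","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"9:15:04.0000000 AM","explorer.exe","1320","CreateFile","C:\ABCDE","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created"
'''


def find_dir_creators(csv_text, pattern=ROOT_RANDOM_DIR):
    """Return the CreateFile events that actually created a directory whose
    path matches `pattern`. Opens of an already existing directory (for
    example Explorer listing it afterwards) are skipped, so the result is
    the process that brought the folder into existence."""
    creators = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile":
            continue
        if not pattern.match(row["Path"]):
            continue
        if "OpenResult: Created" not in row["Detail"]:
            continue
        creators.append({
            "time": row["Time of Day"],
            "process": row["Process Name"],
            "pid": int(row["PID"]),
            "path": row["Path"],
        })
    return creators


if __name__ == "__main__":
    for event in find_dir_creators(SAMPLE_CSV):
        print(f'{event["time"]} {event["process"]} (PID {event["pid"]}) '
              f'created {event["path"]}')
```

The same three conditions can be set interactively in Process Monitor's filter dialog (Operation is CreateFile, Path begins with C:\, Detail contains Created) to get the same short list without exporting; the script is useful when the boot log is large or when you want to keep the evidence alongside the folder names recorded across boots.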

Re: Unknown folder


| On 7/29/2009 8:15 PM, Iapetus wrote:


| You can try to track what is creating the folder with Process Monitor
| http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx which
| contains functionality of erstwhile sysinternals products filemon and
| regmon. Check out the page for a description.

| HTH

| --
| Diabolic Preacher
| As Is

Or use Process Explorer to do likewise.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Unknown folder

David H. Lipman wrote:

As it's created during the boot up, Process Explorer or Monitor won't be
able to say what program is causing its creation.


Re: Unknown folder


Rooot Kiiiiiiit.

^_^



--

http://www.youtube.com/watch?v=COaoYqkpkUA

cageprisoners.com|www.snuhwolf.9f.com|www.eyeonpalin.org
   _____  ____  ____ __ /\_/\ __      _ ______   _____
  / __/ |/ / / / / // // . . \ \ |\ | / __ \ \  \  __\
 _\ \/    / /_/ / _  / \     / \ \| \| \ \_\ \ \__\  _\
/___/_/|_/\____/_//_/   \_@_/   \__|\__|\____/\____\_\


Re: Unknown folder

"Iapetus"  wrote


maybe x-setup or another startup manager could help you.
http://www.x-setup.net/



Re: Unknown folder


| David H. Lipman wrote:

| As it's created during the boot up, Process Explorer or Monitor won't be
| able to say what program is causing its creation.


Then it could be protected by a RootKit and is hidden by the OS such as in an
ADS or at least controlled through privileges.

Run a full scan with Gmer.
http://www.gmer.net/

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Unknown folder

On Thu, 30 Jul 2009 18:09:54 -0400, "David H. Lipman"


Pretty geeky! :) Have you found it more effective than others?

Art

Re: Unknown folder


| On Thu, 30 Jul 2009 18:09:54 -0400, "David H. Lipman"


| Pretty geeky! :) Have you found it more effective than others?

| Art

Yes and I have contact with the author.
Gmer just recently updated his Anti RootKit scanner for the latest TDSS threats.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Unknown folder

On Fri, 31 Jul 2009 16:17:46 -0400, "David H. Lipman"


How do you use it? I downloaded it and ran a full scan. It filled the
scan window with hundreds of paths/filenames, but nothing seemed to be
highlighted as any kind of threat. Did I miss anything, or is that how
it is?


Re: Unknown folder


| On Fri, 31 Jul 2009 16:17:46 -0400, "David H. Lipman"


| How do you use it? I downloaded it and ran a full scan. It filled the
| scan window with hundreds of paths/filenames, but nothing seemed to be
| highlighted as any kind of threat. Did I miss anything, or is that how
| it is?


Most threats would be in Red.  Other listings are more subtle to recognize.
Limit them by closing as much running software as possible.
Read the Gmer example pages for hints.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



GMER reports meaning (Was: Re: Unknown folder)

David H. Lipman wrote:
[...]| How do you use it? I downloaded it and ran a full scan. It filled the

I've installed Ubuntu, along with XP and Win7. GMER listed only MBR
sectors, some were marked "rootkit like behaviour". I suspect GMER is
picking up grub's replacement of the Windows MBR. I don't see any
evidence of bad behaviour in Windows, so I don't think GMER's warnings
are serious. Is this a reasonable inference?

TIA
wolf k.

Re: GMER reports meaning (Was: Re: Unknown folder)


| David H. Lipman wrote:

[...]|| How do you use it? I downloaded it and ran a full scan. It filled the

| I've installed Ubuntu, along with XP and Win7. GMER listed only MBR
| sectors, some were marked "rootkit like behaviour". I suspect GMER is
| picking up grub's replacement of the Windows MBR. I don't see any
| evidence of bad behaviour in Windows, so I don't think GMER's warnings
| are serious. Is this a reasonable inference?

| TIA
| wolf k.

Yes.  A second opinion on the LOG wouldn't hurt.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: GMER reports meaning (Was: Re: Unknown folder)

Wolf K wrote:

Hello Wolf & Dave:

The most recent GMER (1.0.15.15011), when run on my (GRUB) dual-boot
RHEL5/XP Pro SP3 x86 32bit system, fails to show any comments like
"rootkit like behaviour".

However, this might best be described as comparing apples to oranges
and could be inconclusive without further and much closer like
comparisons.

HTH

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: GMER reports meaning (Was: Re: Unknown folder)



| Hello Wolf & Dave:

| The most recent GMER (1.0.15.15011), when run on my (GRUB) dual-boot
| RHEL5/XP Pro SP3 x86 32bit system, fails to show any comments like
| "rootkit like behaviour".

| However, this might best be described as comparing apples to oranges
| and could be inconclusive without further and much closer like
| comparisons.

| HTH

| Pete
| --
| 1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Gmer has to run from within the possibly affected OS.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: GMER reports meaning (Was: Re: Unknown folder)

David H. Lipman wrote:


Has the report gotten any easier to decipher for the layman?  I tried it 2
years ago and had to email the author for his interpretation because frankly,
I didn't understand it.


Re: GMER reports meaning (Was: Re: Unknown folder)


| David H. Lipman wrote:


| Has the report gotten any easier to decipher for the layman?  I tried it 2
| years ago and had to email the author for his interpretation because frankly,
| I didn't understand it.


Because of the low level nature of its functionality, there are always areas
that may need more expert interpretation.  Most well known malware and hooks
will however be identified.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


