Suspicious folder on Ext. Hard Drive


5 replies to this topic

#1 Sursion

Posted 11 May 2011 - 01:27 PM

Okay, about 2 days ago, I was looking through Google Images and one of them led to a damn virus. It was one of those viruses where the entire website turns into a fake virus-scanner and bombards you with pop-ups telling you to download it.

I immediately ctrl-alt-deleted out of the website, and I ran a full system scan on both Malwarebytes and Avira. Neither found anything, however, on my external hard drive, there's a mysterious folder named "6506a12a9cce3614cb46802cf625" that I've never seen before, and I didn't put it there. And it's full of bad things like 'setup', 'eula', and other unpleasantness. I'm almost certain this has something to do with the virus, because every couple of minutes, Avira pops up from the task bar saying "Autorun: Blocked", and there's a file in that folder called autorun. I'm almost positive it's associated with what happened a few days ago.

Anyway, now to the actual problem. I tried to delete the folder and it said it was read-only. So I went to properties and tried to uncheck that, and it keeps telling me that access is denied, and it won't let me un-read-only any of the folders inside of it. Therefore, I can't delete it, or any of the folders inside of it. I did manage to delete the single files that weren't in any of the numerous folders, but I fear that won't stop it. I even ran rkill, but it didn't close anything related to this folder. Most of the folders contain things that look identical to a fake anti-virus scam thing. There's a bunch of little icons and pictures and stuff.

The external hard drive is a Seagate. Thanks for reading and I really hope you can help.

Edit: I just noticed this should have gone into the "External Hardware" section of the forum. Sorry :(

Edited by Sursion, 11 May 2011 - 01:32 PM.


#2 Eyesee

Posted 11 May 2011 - 02:08 PM

Hello and welcome to the forum!

Is formatting the drive an option for you or do you have things on the drive you need to keep?
In the beginning there was the command line.

#3 Sursion

Posted 11 May 2011 - 02:11 PM

There's stuff on there I need to keep. I never thought viruses would completely bypass my internal drive and go onto my external. That's never happened with any of the other viruses I've gotten since I bought it.

#4 hamluis

Posted 11 May 2011 - 02:18 PM

What is the path for this folder, please?

FWIW: Setup and EULA are typical files for installing any number of programs, as well as Windows. I believe that such may also refer to restore/recovery mechanisms, but I cannot be sure since I have no systems with such. The folder could possibly be related to some temporary folder established or one created by backup software. Autorun is also a typical file found for installing from optical drive media.

I would enable all file extensions...go to details view...then post the file contents of this folder.

Louis

#5 Sursion

Posted 11 May 2011 - 02:29 PM

The drive is H:

Inside the "6506a12a9cce3614cb46802cf625" folder, there are about 25 folders, each named 1025, 1028, etc. all the way to 3082. Then there's one folder called 'graphics' with a bunch of pictures (which look a lot like the fake anti-virus program).

In each of the numbered folders, there is:
1 eula.rtf
1 Localized Data.xml
1 Setup Resources.dll


In the 6506a12a9cce3614cb46802cf625 folder itself, separate from all the other folders, there was autorun, setup, and a bunch of other .dll's. I can't remember what exactly, because I already deleted them. It's only the folders and contents within them that say "access denied."

Edit: I should also mention that the .dll description is in a different language in every folder. I've found Spanish, German, Arabic, Dutch, etc.

Edit again: I enabled hidden files, and there's a file called $shtdwn$.req in the 6506a12a9cce3614cb46802cf625 folder.

Edited by Sursion, 11 May 2011 - 02:40 PM.


#6 hamluis

Posted 11 May 2011 - 03:57 PM

Post the contents of the EULA file, please. That should easily shed some light and eliminate guessing.

Louis
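
One way to produce the folder listing requested in this thread, as an added example that is not part of any poster's reply: a read-only PowerShell inventory that shows extensions, hidden entries and attributes, and summarises the numbered subfolders. The default path is the one given in post #5; the function names are hypothetical, and treating all-digit folder names as Windows locale IDs (for example 1025 is Arabic, 3082 is Spanish) is an assumption the thread does not state.

```powershell
# Read-only inventory of a folder for posting in a support thread.
# Nothing is modified or deleted. Default path is the one given in post #5.
param([string]$Root = 'H:\6506a12a9cce3614cb46802cf625')

function Get-FolderInventory {
    param([Parameter(Mandatory)][string]$Path)
    $base = (Resolve-Path -LiteralPath $Path).ProviderPath.TrimEnd('\')
    # -Force includes hidden/system entries; unreadable subfolders are
    # collected in $denied and reported instead of aborting the listing.
    Get-ChildItem -LiteralPath $base -Recurse -Force `
        -ErrorAction SilentlyContinue -ErrorVariable denied |
        ForEach-Object {
            [pscustomobject]@{
                Path       = $_.FullName.Substring($base.Length + 1)
                Extension  = $_.Extension
                SizeBytes  = if ($_.PSIsContainer) { $null } else { $_.Length }
                Attributes = $_.Attributes.ToString()   # ReadOnly, Hidden, System, ...
                Modified   = $_.LastWriteTime
            }
        }
    foreach ($e in $denied) { Write-Warning "Could not read: $($e.TargetObject)" }
}

function Get-LocaleFolderSummary {
    param([Parameter(Mandatory)][string]$Path)
    # Assumption: all-digit folder names are Windows locale IDs (LCIDs).
    Get-ChildItem -LiteralPath $Path -Directory -Force |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object {
            $locale = 'unknown'
            try {
                $locale = [cultureinfo]::GetCultureInfo([int]$_.Name).DisplayName
            } catch { }   # not a valid LCID: leave as 'unknown'
            $names = Get-ChildItem -LiteralPath $_.FullName -File -Force `
                         -ErrorAction SilentlyContinue |
                     Sort-Object Name | Select-Object -ExpandProperty Name
            [pscustomobject]@{
                Folder = $_.Name
                Locale = $locale
                Files  = $names -join ', '
            }
        }
}

Get-FolderInventory -Path $Root | Format-Table -AutoSize
Get-LocaleFolderSummary -Path $Root | Format-Table -AutoSize
```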



