Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Found a file c:\logs\passwd.txt any ideas

  • Please log in to reply
1 reply to this topic

#1 Patrick Mattson

Patrick Mattson

  • Members
  • 1 posts
  • Local time:09:38 PM

Posted 06 July 2014 - 06:11 PM

I have a customer that things have always been just a little off on their server.  Poking around I found a folder c:\logs in it are a few files.  The file that has me most concerned is c:\logs\passwd.txt.  It is some how collecting user names and passwords.  I just recently created a few new accounts and their user names and password were in there.


They have a second server different domain so I created a new password.  From what I can tell this item is only scanning this server.


Couple other files I found: G2NDW, OTj, and qVR.  From what I can tell this are zero byte files.  I am attaching a screenshot.


I have run malwarebytes, hijackthis, checked scheduled tasks, tdsskiller, rootkit revealer, and few other things.  Nothing is jumping out at me.  Does anyone have any ideas on other tools I can try to run or may have a clue as to what this program is.





BC AdBot (Login to Remove)


#2 sflatechguy


  • BC Advisor
  • 2,266 posts
  • Gender:Male
  • Local time:10:38 PM

Posted 07 July 2014 - 11:42 AM

Is Oracle Endeca Information Discovery installed on that server? The installation will create that file if it was installed without admin rights. https://community.oracle.com/thread/2604987?start=0&tstart=0


OTj is a Java library.


Not sure about G2NDW. If qvr is a file extension, it depends on what the file name itself is. If the extension is preceded by something like Win32.Virtumonde, it's a Trojan. However, there are some legitimate files that use that extension as well.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users