
Odd Directory In Doc And Set Called Vw?


4 replies to this topic

#1 Jory

Posted 07 June 2006 - 07:48 PM

Late last night I found an odd directory in my document and settings\owner DIR called vw, and inside found odd files that contained only letters and digits. Here is one of the file names:

77NFYWDH6USMQ0EHUOIHU0QKJNNSOIY

So I did a search for the directory and came across this site. Before I did any of the suggested scans I scanned my computer with AVG Free Edition in safe mode with system restore off, and it found nothing. I then did all the suggested scans, and they too found nothing. Although when I tried to do the Panda Anti-virus scan it would let me scan the computer, there were errors on the page, and when I clicked on the device I wanted to scan I would just sit at the page. I used IE 6 for all the scans, and left system restore off for all of them. I did however leave my Telus Anti-virus, Anti-spy, and firewall on during the scans.

I decided to scan my other computer in the same manner and found nothing, but Trend Micro would crash about 3-5 mins into the scan (it was scanning around document and settings). I opened the Java console and found this error: "java.hc.impl.lib.engine.commonengineimp#Native File Scanner Error=89". I also noticed that error while scanning this computer. Panda Anti-virus had the same problem as this computer. I will post another log after I get this computer clean. Here's my log....


Logfile of HijackThis v1.99.1
Scan saved at 5:46:41 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\TELUS\TELUS Security service\Freedom.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...arm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...arm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...arm1=seconduser
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS Security service\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\TELUS\TELUS Security service\freebhor.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133997437942
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CED5DE0D-AA08-4890-A943-1291B11F4CF7}: NameServer = 154.11.129.187,154.11.129.59
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe


Thank you in advance for all your help,

Jory


#2 MFDnSC

Posted 17 June 2006 - 09:27 PM

Log looks fine. Can you give more details on the folder? Any reason not to delete it?
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 Jory (Topic Starter)

Posted 18 June 2006 - 04:13 PM

Well, the only information I can give you on the folder is the path, the date it was created, the size of the files and their names. I don't want to delete it because I'm not sure if it is needed for a program(s) or service(s) on this comp.

Location: C:\documents and settings\%username%\vw\

File names:
77NFYWDH6USMQ0EHUOIHU0QKJNNSOIY
CATM5J0LB9ZTMQXO4PNI4OA9Z5JF4R9
HO6YAC2B0BIIAZ50QGL7JE2T2443PVD
O94NZUA5ZCICBXR61NV2L3LJB6JCPT7

Date created: May 2 2006 5:29, the files were created at the exact same time as the folder

Each file is 42 bytes and the folder is 168 bytes

I don't know much more about these files because I don't use this computer much; I just think they look suspicious.
I also noticed these files in the Temp directory in local settings on both of my comps. If they are of any concern, I don't know.....

File names: xx2 to xx11

xx2 to xx6 were created on the 7th of this month and the rest were created on the 13th of this month.

The size of the files is 0 bytes

Otherwise I think this computer is pretty clean; I'm just a little paranoid about this type of stuff.

Thanks for all your help, you guys rock!

Jory

P.S. I've seen on other HJT posts that the nameserver was something to be removed. I believe that it is created in your registry when you set up static IPs. I have 3 entries on my other computer. I thought this one had the same, but looking over the HJT log again, I notice that there's only one entry on this comp. Should I be concerned about the other entries on my other computer? Here is what the other entries on my other computer look like:

O17 - HKLM\System\CCS\Services\Tcpip\..\{CED5DE0D-AA08-4890-A943-1291B11F4CF7}: NameServer = 154.11.129.59,154.11.129.187

O17 - HKLM\System\CCS1\Services\Tcpip\..\{CED5DE0D-AA08-4890-A943-1291B11F4CF7}: NameServer = 154.11.129.59,154.11.129.187

O17 - HKLM\System\CCS2\Services\Tcpip\..\{CED5DE0D-AA08-4890-A943-1291B11F4CF7}: NameServer = 154.11.129.59,154.11.129.187

Thank you again for your help MFDnSC

Jory

#4 MFDnSC

Posted 18 June 2006 - 04:27 PM

There are a certain set of those that indicate a wareout infection; otherwise I leave the O17's.

You can always rename the folder and then see if anybody complains.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
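As an added example (not code from the thread or from HijackThis), the Python script below pulls the O17 NameServer lines out of a HijackThis log like the one pasted above and flags any resolver that is not on an expected list. The sample log is constructed from the thread's three O17 entries with one made-up documentation-range address added, and the allowlist assumes the two 154.11.129.x resolvers are the ones the poster's ISP setup configured.

```python
import re
from typing import List, Set

# One HijackThis O17 line: control set, interface GUID, comma-separated NameServer list.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS\d*|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>[\d.,\s]+)$"
)

# Constructed sample: the thread's O17 lines, with the third altered to carry a made-up
# resolver (192.0.2.53, a documentation-range address) so the check has something to flag.
SAMPLE_LOG = r"""O17 - HKLM\System\CCS\Services\Tcpip\..\{CED5DE0D-AA08-4890-A943-1291B11F4CF7}: NameServer = 154.11.129.59,154.11.129.187
O17 - HKLM\System\CCS1\Services\Tcpip\..\{CED5DE0D-AA08-4890-A943-1291B11F4CF7}: NameServer = 154.11.129.59,154.11.129.187
O17 - HKLM\System\CCS2\Services\Tcpip\..\{CED5DE0D-AA08-4890-A943-1291B11F4CF7}: NameServer = 192.0.2.53,154.11.129.59
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed allowlist: the two resolvers the poster says his static-IP setup configured.
EXPECTED_RESOLVERS = {"154.11.129.59", "154.11.129.187"}


def parse_o17(log: str) -> List[dict]:
    """Return one record per O17 line: control set, interface GUID and resolver list."""
    entries = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            entries.append({"cs": m.group("cs"), "guid": m.group("guid"), "servers": servers})
    return entries


def unexpected_resolvers(log: str, expected: Set[str]) -> List[str]:
    """Resolvers present in any O17 entry but absent from the allowlist, in log order, de-duplicated."""
    found: List[str] = []
    for entry in parse_o17(log):
        for ip in entry["servers"]:
            if ip not in expected and ip not in found:
                found.append(ip)
    return found


def report(log: str, expected: Set[str]) -> List[str]:
    """One line per O17 entry plus a verdict line naming any unexpected resolvers."""
    lines = [f"{e['cs']:<5} {e['guid']}  NameServer = {', '.join(e['servers'])}" for e in parse_o17(log)]
    odd = unexpected_resolvers(log, expected)
    lines.append("unexpected resolvers: " + (", ".join(odd) if odd else "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, EXPECTED_RESOLVERS)))
```

Only resolvers outside the allowlist are reported; the multiple control-set copies (CCS, CCS1, CCS2) of the same interface are normal and show up as separate entries.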

#5 Jory (Topic Starter)

Posted 23 June 2006 - 06:19 PM

I renamed the folder 4 days ago and there doesn't seem to be any problems with the operation of the system or its programs, yet.

However, I have noticed that I can't log in to any Hotmail accounts (it loads very slowly and never seems to finish), and Ad-Aware seems to be having problems updating its definitions.

I downloaded the definitions manually and did a scan with no results.

I figured out that the cookies created when logging onto Hotmail seem to cause the problem. I need to delete them, and then put in my account information and log in, in order to be able to access Hotmail accounts.

This is happening to both of the computers I have connected to my router, so I believe I am dealing with some type of worm.

Just yesterday I got Panda ActiveScan to work, but the only thing it found was an .exe called killit.exe that came with the HP computer, and from the information I found on it, it was a harmless thing to have on your computer. I also recently scanned the comp again with Trend Micro with no results.

Thank you again for all your help,

Jory
