Strange Empty Folders



#1 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,696 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:19 AM

Posted 01 February 2007 - 10:54 PM

I just found 2 strangely titled folders in my Windows\System32.

Both folders are empty and as they are not files per se I cannot scan them on JottiScan or VirusTotal.

I have for the time being deleted them and they are in the recycle bin, but I wish to know if in fact these are legit. files: vcmgcd32.dll and iifgfgf.dll

Note: I have run the onecare live safety scan which came up clean, I have run the BitDefender on-line scan which identified files I'd already placed in the recycle bin, and they weren't from either of those folders, and some system restore points, I'm trying to run F-Secure on-line scan but thus far it either stops downloading the needed files or gives me an error message code (16) and tells me to close the browser and start again: I'm on my 6th start by the way.

Spybot, Ad-Aware, AVG Anti-Virus all come up clean. Have yet to run the SUPERAntiSpyware scan and a full-system scan with Avast. I'll do that after this trial of F-Secure which hopefully will actually scan this time. I've run sfc /scannow just in case, all clear there. Ran chkdsk which deleted 857 unused index entries and otherwise all clear there. Also, I used ATF cleaner to delete all files but prefetch and recycle bin.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript


#2 fozzie

fozzie

    aut viam inveniam aut faciam


  • Members
  • 3,516 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:01:19 PM

Posted 02 February 2007 - 01:25 AM

I have done some searching.

Check this thread and look for vcmgcd32.dll. It appears to be PE_SALITY.AS-O. Info
I did make the connection based on the file name and the log, so I am not 100% sure.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,564 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:19 AM

Posted 02 February 2007 - 09:37 AM

vcmgcd32.dll is related to Sality.Q. Only found a couple references to iifgfgf.dll but it appears to be bad.

You should have submitted to jotti's virusscan or virustotal.com for analysis.

If you're having problems with the F-Secure Online Scanner, then try Trend Micro Housecall or
Panda ActiveScan <- Accept default settings.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Orange Blossom

Posted 02 February 2007 - 01:58 PM

> You should have submitted to jotti's virusscan or virustotal.com for analysis.


I tried to submit them: it was my first action, but because they are folders, empty folders at that, I couldn't submit them. I browsed to the folder name, clicked on it, and I got the option of open. I clicked on open, the folder opened, clicked on open again and the open button faded out and nothing else happened. I could try again as I still have the two folders in my recycle bin.

Just tried it again after moving them to a folder I created specially for them, and the same thing happened. I clicked on the folder name, was given the option of open, the folder opens, I click on open again and the open button faded out. I simply cannot upload them to Jottiscan and Virustotal.

F-Secure came up again with the error (ID: 16). I'm considering downloading the trial version of the non-online AV, disable AVAST while off-line of course, install the F-Secure trial using the total uninstall program, run it and see what it comes up with.

SUPERAntiSpyware - found nothing in safe mode.
Ditto for AdAware, Spybot, AVG AntiSpyware.

I'll try the Panda and Housecall on-line scans after I do my Avast! scan. Incidentally, in case it wasn't clear from the first post, Bit-Defender on-line scan did not flag these two folders, and they weren't yet in the recycle bin either.

Orange Blossom :thumbsup:

#5 quietman7

Posted 02 February 2007 - 02:23 PM

Ok OB, I misunderstood. I thought you said you had two strange folders and two files. Didn't realize you meant to say the folders themselves had those file names as you asked if they were legit after speaking about the folders.

To clarify further, the folders were empty and their names do not exist as actual files anywhere on your system?

#6 Walkman

Walkman

  • Banned
  • 1,327 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 AM

Posted 02 February 2007 - 03:06 PM

If I may.......

It would be a good idea to put those folders on a floppy disk and get them out of the recycle bin. Also, until you're sure what those folders really are, it wouldn't be a good idea to restore them back to their original location, nor any place on your system.

Why not run a registry scan of those folder names and see what comes up. And also, alter the search by removing the extension from the searches, because they may lead to a related program that may have put them there.

I also found that scanning files on floppy disks compared to files on an operating system will sometimes give different results. Use the same softwares you have and scan them while they're on the floppy.

For future references, there is a FREE program that searches your computer for empty folders. Actually, that's the name of the program (Empty Folders). I have used it for about 4 years now. It'll find every empty folder on your computer, and delete them if you select it to.

But if you already made out a HJT report or similar, that's a start, but the main thing is to monitor any strange behaviors of your computer. If nothing is out of the ordinary, then it may not be what you think it could be. It could be something you installed, but then deleted. That happens a lot too. If you have any installation monitoring programs, look through those logs, you may find something useful to go on.

Again, I'm just giving some ideas that are worth the try.

#7 Orange Blossom

Posted 02 February 2007 - 04:54 PM

> To clarify further, the folders were empty and their names do not exist as actual files anywhere on your system?


Yes, the folders were and are empty. I've sent them back to the recycle bin by the way. I don't think those names exist as files elsewhere on the system, but then I didn't think to do a search for the names. I'll do that later tonight after I get home and Avast! has finished scanning. Hopefully it will be finished when I get home, but if it found something I have to provide input before it will continue. I'll let you know what I find or don't find.

> Didn't realize you meant to say the folders themselves had those file names as you asked if they were legit after speaking about the folders.

Put it down to my late night lack of clear writing :flowers: . It didn't help matters any that I wrote "legit. files: . . ." as though the two terms were interchangeable when they're not.


--------------------------
Walkman: That is an interesting idea to transfer the folders and scan again. I don't have a floppy drive however. I use USB flash drives, and I have a lot of stuff on them that I don't want to risk getting infected. I'll try out those alternate searches you suggested and see what I come up with. Thanks for the info. about the empty folders program. I'll have to check into that.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 02 February 2007 - 04:58 PM.


#8 Orange Blossom

Posted 02 February 2007 - 09:45 PM

Just a quick update here:

Avast! AV scan came up clean.

I searched for both folder names without using the extension using search, and only the aforementioned folders were found. I also used find in the registry editor to search for both names, and there they were only found in search assistant which was to be expected as I had just been using search.

I also searched for the three mutexes that F-Secure mentioned on the link quietman7 provided and came up empty.

There has been no strange internet traffic or out-going requests.

All my security programs are working fine. System boots properly. I don't notice any strange behaviour at all unless you want to include failed on-line scanner issues.

For whatever reason, the Panda online scan won't work. The big green button on the page where you enter your e-mail address doesn't work. The page also says there's an error on it. Yes, I do have java scripts enabled for the site in my firewall and javascripts enabled in Internet Explorer and I have the latest version of Java as well. Maybe it doesn't work with IE7?
-------
I have a list of various on-line scanners. I'm going to try them out one at a time. The eTrust Antivirus scanner just finished downloading, so I'm going to scan with it in just a few minutes here.

When I finish with whatever on-line scanners I can get to work, I'll go ahead and install the trial version of F-Secure and see what it finds.

Orange Blossom :thumbsup:
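The file-system part of the check described in the post above (find folders that are named like binaries, confirm they are empty, and look for anything else carrying the same name with the extension dropped) can be scripted. This is an added example, not part of the original thread; the extension list, the function names and the sample directory tree are assumptions, and only the two folder names come from the thread. It does not cover the registry search.

```python
import os
import tempfile
from pathlib import Path

# Assumed list of extensions that normally belong to files, not folders.
FILE_EXTS = {".dll", ".exe", ".sys", ".scr", ".ocx"}


def triage(root):
    """Report folders under root that are named like binaries.

    For each one, record whether it is empty and which regular files
    under root share its name once the extension is removed.
    """
    suspects = []        # folders whose names end in a file extension
    files_by_stem = {}   # lower-cased name without extension -> files
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if Path(d).suffix.lower() in FILE_EXTS:
                suspects.append(Path(dirpath) / d)
        for f in filenames:
            key = Path(f).stem.lower()
            files_by_stem.setdefault(key, []).append(Path(dirpath) / f)

    report = []
    for folder in sorted(suspects):
        try:
            empty = not any(folder.iterdir())
        except OSError:
            empty = None  # could not be listed (e.g. access denied)
        matches = sorted(files_by_stem.get(folder.stem.lower(), []))
        report.append(
            {"folder": folder, "empty": empty, "same_name_files": matches}
        )
    return report


def build_sample_tree(base):
    """Constructed sample layout used only to exercise triage()."""
    base = Path(base)
    sys32 = base / "Windows" / "System32"
    (sys32 / "vcmgcd32.dll").mkdir(parents=True)  # empty folder, DLL-style name
    (sys32 / "iifgfgf.dll").mkdir()               # empty folder, DLL-style name
    (sys32 / "drivers").mkdir()                   # ordinary folder, ignored
    (sys32 / "example.dll").write_bytes(b"MZ")    # ordinary file, ignored
    # Constructed case: a file elsewhere that matches one folder name
    # once the extension is dropped.
    other = base / "Temp"
    other.mkdir()
    (other / "IIFGFGF.tmp").write_bytes(b"")
    return base


def demo():
    """Run triage() over the constructed tree and return a compact summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return [
            (r["folder"].name, r["empty"], [p.name for p in r["same_name_files"]])
            for r in triage(root)
        ]


if __name__ == "__main__":
    for name, empty, matches in demo():
        print(f"{name}: empty={empty} same-name files={matches or 'none'}")
```

A folder reported with `empty=True` and no same-name files matches what the post describes: nothing to upload to a scanner and no related file found by a name search.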

#9 Walkman

Posted 03 February 2007 - 02:56 PM

Orange Blossom

Something hit me, but I missed it in your last post, but I'm remembering it because of what my Spybot S&D found just a few minutes ago. For some reason when I saw:

> I searched for both folder names without using the extension using search, and only the aforementioned folders were found. I also used find in the registry editor to search for both names, and there they were only found in search assistant which was to be expected as I had just been using search.


On the computer I'm on now, MS Search Assistant was found with the Spybot S&D.... and for some reason, alarms started going off in my head, then I found what I had saved since 2002 or so. It explains what people ought to know about the MS Search Assistant.

Win-XP Search Assistant silently downloads files
http://www.theregister.co.uk/2002/04/11/wi...ntly_downloads/


And the site below shows you right there on their site how to clean and erase your Search Assistant and other programs that are in your registry and are potential threats to your computer.

Search Assistant may compromise your privacy, clean and remove its tracks
-we kill spam for pleasure-
http://www.codeode.com/privacymantra/locations/index.html

But, anyway, it dawned on me when I saw your last post, and then I had found it too on this computer. I remember now,.. it's just been sooo long since I had seen it on any of my computers. But I definitely did an operation of the problem, and I remember that it was something that I didn't want on my computer.

This is something I thought you may want to know, and passing you something more to further your checks and scans.

#10 TMacK

TMacK

  • Members
  • 4,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:B.C. Canada
  • Local time:05:19 AM

Posted 03 February 2007 - 07:48 PM

If I may ask a question to Walkman at this point.

Very interesting information about the Search Assistant.

However I am not quite clear as to what exactly the Privacy Mantra utility does.
I realize it "Cleans and Erases Privacy Tracks".....but in your Clipboard??
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner

#11 Orange Blossom

Posted 03 February 2007 - 08:19 PM

Update:

The e-Trust security advisor on-line scan found one file in system restore identified as infected with Zipper.2779.I which I submitted for analysis. E-mail correspondence from CA Security Advisor since says that preliminary findings show the file to be clean.

Housecall on-line scan failed: download error issues, likely because I'm on dial-up out here.

I managed to do a Kaspersky on-line scan and it came up clean.

Tried to install the F-Secure trial which worked until the reboot stage at which point the computer froze at the desktop. I'm not sure why; perhaps disabling Avast! was not sufficient to avoid problems. I had to do a hard shutdown using the tower button, go into safe mode and use system restore. I've since removed the remains of the F-Secure trial.
---------------------
I trust that completely demolishing those two odd folders still residing in the recycle bin is okay?
---------------------

> Win-XP Search Assistant silently downloads files
> http://www.theregister.co.uk/2002/04/11/wi...ntly_downloads/


I discovered that interesting fact when Windows Explorer attempted to connect to the internet a few months ago. My immediate thought had been: why on earth does Windows Explorer need to send stuff to the internet? I researched the ISP, discovered the MS-Search connection and immediately placed a permanent block on Windows Explorer.

I have programs that I use regularly to erase my privacy tracks - including those of Search Assistant.

Orange Blossom :thumbsup:

#12 Walkman

Posted 04 February 2007 - 05:55 AM

> However I am not quite clear as to what exactly the Privacy Mantra utility does.
> I realize it "Cleans and Erases Privacy Tracks".....but in your Clipboard??


Good one. The below link explains one reason it's so good, and what other programs just don't get to tackle with.... just like you saying "The Clipboard?"..... hey,,,, I never thought of that one either. I would have never thought of the clipboard.

If you click on the threats, you'll see that there is no manual way to clean/erase your Clipboard. The software does it. Just the Clipboard alone, are there many programs that specifically target the Clipboard? I never thought of it. I know about the MRU lists.
======================================================================

Index.dat files - What are index.dat files? How to remove index.dat files?

Abstract
Index.dat files are a privacy issue. Every web site you ever visited remains in this file, even after you have removed all temporary internet files and history. Index.dat files are locked by the system and hence not possible to delete or modify. The primary purpose of this article is to explain index.dat files and how they compromise your privacy and what you can do about this.

Privacy Mantra is FREE and will clean and delete index.dat files.
http://www.codeode.com/privacymantra/locat....dat/index.html

Read that link directly above, and it'll explain what you should know about the index.dat files on your computer. And once I read between the lines of the index.dat file, I soon realized that the so-called tracks that many of the programs out there that erase your tracks, really don't do it at all, because your tracks are logged in the index.dat files, and many programs don't deal on that level.

index.dat files are so hard to remove.. but the Privacy Mantra will remove them.

Here is the screen shot of it too.
http://www.codeode.com/privacymantra/index.html

And, on this page, you'll see all of the programs/threats it targets:
http://www.codeode.com/privacymantra/locations/index.html

which are the mainstream ones that most computer users use on a daily basis, and I'm sure many of those tracks are still left on our computer, and we don't realize it. Just think about that last document you wrote. It's logged, and its contents. A lot of programs just delete references to files or such, but don't actually remove them from your computer. If all else fails, it will most likely be in your index.dat file.

And the best thing I like about this program is that it functions on the registry level, which is where the problems are stored. It cleans everything on that list in seconds.... and I haven't seen any program that can tackle a list like this program in such a short period of time. This works so fast, you can run this twice a day. I know for sure, now that I'm using this, I'm going to run mine every day. And still use whatever else I have, and now I would have more privacy. Just look at that list.... all of those programs track us, and those are the ones we use on a daily basis.

Out of the 48 threats it lists, I have just 9 threats on 4 computers, and 10 threats on 2 computers.

#13 TMacK

Posted 04 February 2007 - 11:33 AM

Thank you for such a great explanation Walkman!

I may give this a try.

> If you click on the threats, you'll see that there is no manual way to clean/erase your Clipboard

FWIW, I erase my Clipboard the following way;
Bring up a dos page and type clipBrd/click okay/click edit in the Clipboard Viewer Menu/then click delete/then yes to prompt.

#14 Walkman

Posted 04 February 2007 - 12:00 PM

> FWIW, I erase my Clipboard the following way;
> Bring up a dos page and type clipBrd/click okay/click edit in the Clipboard Viewer Menu/then click delete/then yes to prompt.

Cool... I'll remember that. I started to say in my other post (that they don't mention... talking about manual cleaning, although there has to be one if software can do it) according to the manual cleanup of the Clipboard.

But, it'll take away the manual work of doing so, so that's even better for me. I don't think anyone can ever remember every registry location, code of reference and such, on such a vast scale of computers, so some things work very well, and some things don't.

TMacK, why don't you submit that in to them and see if they'll include it in their site. It's sure worth it. I started out in DOS, and was so good at manipulating the autoexec.bat file back in the day. I made my computer do things it didn't do by default.

Still, this is something I will use to clean out my computer.

#15 Orange Blossom

Posted 04 February 2007 - 05:25 PM

Are there any other scans I should use in regard to the issue I posted about to be certain there isn't something lurking on my system?

Summary of Scans: Avast! AV - clean, SUPERAntiSpyware - clean, Spybot - clean, AdAware - clean, AVG AntiSpyware - clean (mistakenly ID'ed as AVG AntiVirus in my original post)

BitDefender found some files in System restore and the recycle bin: the two folders in question weren't among them. I found those later on my own when looking through the Windows folder.
Couldn't get F-Secure on-line scan to work - error code (ID:16)
Couldn't get Housecall on-line scan to work - download errors during updating process
Couldn't get Panda on-line scan to work - something wrong with green start scan button. Don't know why, javascripts and activeX are both allowed for the site.
The e-Trust security advisor on-line scan found one file in system restore identified as infected with Zipper.2779.I which I submitted for analysis. E-mail correspondence from CA Security Advisor since says that preliminary findings show the file to be clean.

Couldn't get F-Secure trial version to work - system froze at desktop upon reboot. Related to failure of F-Secure on-line scan?

sfc /scannow didn't find any problems
no unusual internet traffic
no strange behaviour on computer if you discount the failure of on-line scans. What's strange is that Panda on-line scan used to work for me before, but then I had ZoneAlarm Security Suite and IE6. Also, F-Secure on-line scan has worked for me in the past once I had successful download of the files. Again, I had ZoneAlarm Security Suite and IE6 at the time.

Orange Blossom :thumbsup: