Avast WEBforum
Other => General Topics => Topic started by: CocaRola on July 14, 2011, 02:44:31 PM
-
Hello, I have this folder called ".hAWabAzAr" in "C:\Users\(name)" and I have no idea where it came from.
There's 2 files inside of it "2491ed2347c513da277245650ba73a6b" and "d7f3fad84ed21f80e3f7ce90ec7ba697", if I open them with a text editor there's just more random numbers inside of them.
I can't think of any program/software on my computer that would use that folder.
.hAWabAzAr was created 2011-05-19 and last changed/edited a few minutes after it was created.
I scanned the folder with the latest version of avast! (Free Antivirus) '6.0.1203' and '110714-0' (database) and it was clean.
I even did some searches about it on Google, Yahoo! & Bing but didn't find anything useful, except for the fact that most searches pointed to "http://www.thekeyfinder.net/" and "http://www.hawabazar.com/".
-
Any help or information is appreciated. :)
-
Upload the file(s) to www.virustotal.com and post the results!
-
Upload the file(s) to www.virustotal.com and post the results!
2491ed2347c513da277245650ba73a6b - https://www.virustotal.com/file-scan/report.html?id=ca13cae456429fbf80e7c7afb2efcff8454ccf7ee0a4b4ff14c04d24332993e7-1310651210
d7f3fad84ed21f80e3f7ce90ec7ba697 - https://www.virustotal.com/file-scan/report.html?id=e6818e9d7d6eb5b0a35c0149d4591f484c2a4e9127f6ac4a5ad3ac246e199312-1310651384
-
Nothing to worry about,have a nice day.
-
I would really like to know where this came from. My hawabazar folder and files appeared on Feb. 18th of this year. I have been googling it ever since I became aware of it this March. Maybe some sort of tracking from a website? I went to hawabazar.com and it looks like an Arabic site (which I never visited).
For what it's worth, my folder had one text file with a different set of numbers - 36fc7a5f02d1e9e9d52b7759d038d15b
If anyone has any info, I would appreciate the feedback!
-Cheers
-
"There's 2 files inside of it "2491ed2347c513da277245650ba73a6b" and "d7f3fad84ed21f80e3f7ce90ec7ba697"
look at this i think maybe because of microsoft update, microsoft update usually search for free space for temporary to install update, and sometimes it forgot to delete this temporaty folder...
read this http://ask-leo.com/can_i_delete_these_randomly_named_folders.html
to delete this folder you must take ownership.
and for the folder with name ".hAWabAzAr", maybe you can take ownership for this folder and delete safely
-
If you package up a copy and upload it to mediafire/rapidshare/megaupload/etc. I'd be willing to take a look at it for you. I'm an incredibly skilled computer expert (and yes, I've got a bit of an ego, lol) and can analyze it by hand for you, see if I can find anything to be scared of that AV might not detect due to it being new.
-
Let's see what those skills can find out, shall we? 8)
Here is the link:
http://www.filesonic.com/file/2557877184/.hAWabAzAr.7z (http://www.filesonic.com/file/2557877184/.hAWabAzAr.7z)
Thanks for looking into this!
-
Hi R1Nick,
Analyzing the link you gave for suspicious malscript detected the following to be suspicious:
And thsi, the suspicious part of that link is found to reside here:
-partner.googleadservices.com/gampad/service.js suspicious
[suspicious:2] (ipaddr:64.233.169.167) (script) -partner.googleadservices.com/gampad/service.js
status: (referer=-www.filesonic.com/file/2557877184/.hAWabAzAr.7z)saved 5175 bytes 6dd283cf6a29dba6a5ad64c6aad86ebe35dfed3b
info: [javascript variable] URL=
info: [decodingLevel=0] found JavaScript
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
info: file: -saved partner.googleadservices.com/gampad/service.js to (6dd283cf6a29dba6a5ad64c6aad86ebe35dfed3b)
Hope this will help,
polonus
-
The link is not what is to be analyzed, it is the file that I have uploaded.
-Cheers