System folder names changing to very odd names

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

theplace2b

Thread Starter
Joined
Jan 4, 2006
Messages
11
I noticed recently that my system and other folder names have changed on their own! :eek: What the -h- happened? I have never seen anything like this before. These folders appear on all of my drives c:, d:, g: and they are random. It looks like they are of another language, maybe? :rolleyes: Actually, the wording makes no sense at all...> It looks like most of these folders previously existed.

Things I have done: Ran Anti-V program + Ewido Suite = No viruses, trojans, malware, etc. Ran three adware programs (ad-aware, spywareblaster, spyware doctor) = Clear. Checked all running processes and startup tab in msconfig = no peculiar programs detected. Ran regseeker = Phenomenal amount of invalid keys, etc. (3,000+) very unusual to the norm!!!

Any help would be greatly appreciated...:)

System Spec's: WinXP SP1-current updates, 384 RAM, AMD 1.15 GHz processor
 
Joined
Apr 12, 2004
Messages
165
That is very strange. By any chance, have you run any kind of recovery software lately (e.g. to recover lost or deleted data)? If you had any malicious software, one of the antimalware programs should have detected something. Did you get the latest definitions installed for them before running scans? You better post a hijackthis log anyway. If I see anything on it, I will let an expert in security know because I am still training.

Please download this self extracting file to your Downloads folder in My Documents or some other place where you will find it easily:
* Now go to the folder you saved "HijackThis_sfx.exe" in. Double click "HijackThis_sfx.exe" and select "Unzip". When done click "OK".
* Close the WinZip self Extractor window.
* To find HijackThis go to C:\Program Files\HijackThis.
 
Joined
Dec 9, 2000
Messages
45,855
What kinds of names are they changing to? If Windows couldn't recognize them you would be in big do-do.

I'm thinking you have a damaged font problem of some kind.

Have you tried doing a System Restore to a date that precedes the problem? These can be undone if not helpful.
 

theplace2b

Thread Starter
Joined
Jan 4, 2006
Messages
11
I have not run any recovery software at all. Actually, I made no changes that I can remember. I did get all the def updates for all programs I ran before running them. I try to keep a tight ship with only the vital programs installed, plus a few I personally like. I keep up on my PC as far as keeping it clean, uncluttered, and in order as much as possible. I run scans almost daily! I can be quite anal about it...:D

Below is my hijack log:.....Thank you for your assistance, I hope somebody can help!

Logfile of HijackThis v1.99.1
Scan saved at 9:13:29 PM, on 1/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\2Wire\2PortalMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Programs\Weather Watcher\ww.exe
C:\WINNT\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\System32\svchost.exe
D:\Programs\Rainlendar\Rainlendar.exe
C:\WINNT\system32\ntvdm.exe
C:\Documents and Settings\All Users\Start Menu\Programs\IE & OE\iexplore.exe
C:\Documents and Settings\Suzie\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.download.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydial/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Suzie's Domain...Enter If You Dare
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\Programs\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\Programs\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [WeatherWatcher] D:\Programs\Weather Watcher\ww.exe
O4 - Startup: Rainlendar.lnk = D:\Programs\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\Programs\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINNT\system32\YPCSER~1.EXE
 

theplace2b

Thread Starter
Joined
Jan 4, 2006
Messages
11
Exactly, and I failed to mention that some of my programs failed to load also! Had to reinstall them...(yahoo messenger, rainlendar, AVG-anti-v, and a few others). *But, these particular proggies were installed on my D: drive. For example, a few of the names are: APEDUOZU>RGNMUWYT>BRPPORJG>CSQQPSKH
These are just a few examples, they are all over the place! On every drive...
 

theplace2b

Thread Starter
Joined
Jan 4, 2006
Messages
11
See, that is the very thing I wanna try to stay away from *system restore*, I wanted to see if I could manually fix the problem first; hoping that maybe it's not a serious one. But, if absolutely necessary, I will do that.
 
Joined
Apr 12, 2004
Messages
165
I didn't go over the whole log, but I did see a couple of things that don't look right. I would rather an expert check it over for you and give you instructions.

C:\WINNT\system32\ntvdm.exe - why is this running? ntvdm.exe is a process that belongs to the Windows 16-bit Virtual Machine. It provides an environment for a 16-bit process to execute on a 32-bit platform. This program is important for the stable and secure running of your computer and should not be terminated.
C:\Documents and Settings\All Users\Start Menu\Programs\IE & OE\iexplore.exe - The normal location of iexplore.exe is C:\Program Files\Internet Explorer\iexplore.exe. There's a LOT of bugs you need to worry about if the exe is running in any location other than that one.
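
The check suggested in the reply above (a well-known binary running from an unexpected folder), written out as an added example that is not part of any post in this thread: it reads the "Running processes" section of a HijackThis log and reports images whose folder differs from a baseline. The `EXPECTED` table and the function names are assumptions of this example, not HijackThis features.

```python
import ntpath  # Windows path rules, usable on any OS

# Excerpt of the log posted in this thread (wrapped lines rejoined).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ntvdm.exe
C:\Documents and Settings\All Users\Start Menu\Programs\IE & OE\iexplore.exe
C:\Documents and Settings\Suzie\Desktop\hijack\HijackThis.exe

R3 - Default URLSearchHook is missing
"""

# Assumed baseline: image name -> folder it normally runs from.
# %WIN% is resolved from the log itself (this machine uses C:\WINNT).
EXPECTED = {name: r"%WIN%\system32" for name in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "ntvdm.exe")}
EXPECTED["explorer.exe"] = "%WIN%"
EXPECTED["iexplore.exe"] = r"C:\Program Files\Internet Explorer"

def running_processes(log_text):
    """Return the paths listed between 'Running processes:' and the next blank line."""
    paths, in_section = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:":
            in_section = True
        elif in_section and line:
            paths.append(line)
        elif in_section and paths:
            break  # blank line closes the section
    return paths

def windows_dir(paths):
    """Infer the Windows folder from smss.exe, which runs from <windir>\\System32."""
    for p in paths:
        if ntpath.basename(p).lower() == "smss.exe":
            return ntpath.dirname(ntpath.dirname(p))
    return r"C:\WINDOWS"  # assumed default when smss.exe is not listed

def misplaced(log_text):
    """Return (image, actual path, expected folder) for each baseline mismatch."""
    paths = running_processes(log_text)
    win, hits = windows_dir(paths), []
    for p in paths:
        name = ntpath.basename(p).lower()
        want = EXPECTED.get(name, "").replace("%WIN%", win)
        if want and ntpath.normcase(ntpath.dirname(p)) != ntpath.normcase(want):
            hits.append((name, p, want))
    return hits
```

A mismatch is a prompt to inspect the file (properties, signature, shortcut target), not proof of infection.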
 
Joined
Dec 9, 2000
Messages
45,855
It is a bit unusual to see ntvdm running. Usually it is only invoked for legacy programs or games of some kind.

I assume you have manually configured Internet Explorer to run on startup?

You may have file system problems and a check of the integrity of the drive would be in order -- either by running chkdsk or getting a diagnostic utility from the drive vendor or both.

Personally I would do a System Restore before doing this and see if it completes successfully and resolves problems.

I would also do some backups of any data that is particularly valuable first. You may find yourself facing the need for a clean install.

If you really want to spend a lot of time troubleshooting, run eventvwr.msc and have a look at the System and Applications logs for errors.

You can double click to read descriptions, and there is a little double-paper copy icon that can be used to copy the description to the clipboard for pasting.
 

theplace2b

Thread Starter
Joined
Jan 4, 2006
Messages
11
C:\WINNT\system32\ntvdm.exe - why is this running? ntvdm.exe is a process that belongs to the Windows 16-bit Virtual Machine. It provides an environment for a 16-bit process to execute on a 32-bit platform. This program is important for the stable and secure running of your computer and should not be terminated.
C:\Documents and Settings\All Users\Start Menu\Programs\IE & OE\iexplore.exe - The normal location of iexplore.exe is C:\Program Files\Internet Explorer\iexplore.exe. There's a LOT of bugs you need to worry about if the exe is running in any location other than that one.

I honestly could not tell you of anything for the process ntvdm.exe or IE's location, I didn't do anything on my end to change the course of either one!
 

theplace2b

Thread Starter
Joined
Jan 4, 2006
Messages
11
Ok, well...that might explain the running of ntvdm.exe, I did dl some of the older games, such as pacman, asteroids, etc. awhile ago. As far as configuring IE, I did no such thing, not sure of why the change. I will run chkdsk first and if all else fails, I will do a sys restore I suppose. Hopefully something will give.
Thank you for your help!
 

theplace2b

Thread Starter
Joined
Jan 4, 2006
Messages
11
chkdsk found no errors, it was found to be "clean"...on to system restore! I'll keep you updated...
 
Joined
Dec 9, 2000
Messages
45,855
How are you launching Internet Explorer? Actually I don't see an autorun for it, so you must be launching it from a shortcut some place?

Do you have c:\Program Files\Internet Explorer\iexplore.exe?

It's possible when you did an install of IE at one time you simply manually selected a non-standard location to install it in.
 

theplace2b

Thread Starter
Joined
Jan 4, 2006
Messages
11
You wrote..."Do you have c:\Program Files\Internet Explorer\iexplore.exe"?

Actually, I do have that very path for IE, but I do also rely on my shortcuts, and that is how I initiate many programs, including IE, yes.
 
Joined
Dec 9, 2000
Messages
45,855
The shortcut you are using is pointing here:

C:\Documents and Settings\All Users\Start Menu\Programs\IE & OE\iexplore.exe

You can verify that by right clicking on it and selecting "properties". You will see a "target" path there.

It sounds like you have two separate folders with IE in them. Perhaps someone copied them over.
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
theplace2b said:
Exactly, and I failed to mention that some of my programs failed to load also! Had to reinstall them...(yahoo messenger, rainlendar, AVG-anti-v, and a few others). *But, these particular proggies were installed on my D: drive. For example, a few of the names are: APEDUOZU>RGNMUWYT>BRPPORJG>CSQQPSKH
These are just a few examples, they are all over the place! On every drive...

What is inside these folders?
 