 jarrycanada
join:2004-12-02 Schenectady, NY
| strange file HBEPGUID.TXT
I found this strange file on one of my systems. Here is the weird part: it's just a .txt file, but I found it in C:\Documents and Settings\All Users\Documents\HBEPGUID.TXT. What's strange about it is that if I delete it, it just comes back in a number of hours. It's got this strange number in it that just keeps changing.
e8cd3a8e-073f-4bd2-a6cc-1173c7f30160|000E0CB14FC7
I've scanned my system all day and know a lot about computers, but this one is just bugging the hell out of me. Anyone ever seen anything like that before? Or know what it may be? |
|
  Cudni La Merma - Ciudad Fronteriza Premium,MVM join:2003-12-20 Someshire
·BTOpenworld
edit: March 22nd, @09:38PM
| check for malware/spyware using tools listed and if still have problems post in SCU forum »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
also see »forums.cnet.com/5208-6142_102-0.···=2735652
edit: one further link »www.castlecops.com/t217151-HBEPG···der.html
Cudni -- "Mercifully, he hit him with the soft end of the pistol." Help yourself so God can help you. Microsoft MVP, 2006-2007 |
|
 jarrycanada
join:2004-12-02 Schenectady, NY
| reply to jarrycanada I've seen the cnet stuff already. I can't really find anything about that would create such a file. I've scanned my system with AVG, a-squared Free, Windows Defender, AVG Anti-Spyware 7.5, AVG Anti-Rootkit Free, Spybot - Search & Destroy, Ad-Aware 2007, list goes on. System running normal. No strange outgoing connections. |
|
  Cudni La Merma - Ciudad Fronteriza Premium,MVM join:2003-12-20 Someshire
·BTOpenworld
| reply to jarrycanada try filemon to track it »technet.microsoft.com/en-us/sysi···642.aspx
what is inside the .txt file if anything?
Cudni -- "Mercifully, he hit him with the soft end of the pistol." Help yourself so God can help you. Microsoft MVP, 2006-2007 |
|
 jarrycanada
join:2004-12-02 Schenectady, NY | just that number
e8cd3a8e-073f-4bd2-a6cc-1173c7f30160|000E0CB14FC7 |
|
 Damon85 Premium join:2004-12-25 Louisville, KY
edit: March 22nd, @10:55PM
| Just taking a stab in the dark, but that looks like a SID, a pipe, and then a MAC address. You might want to check those to see if they have any meaning to you. A good place to search for the SID might be to open up regedit and run a search for it -- that might at least lead you to more information about the origin of the file.
Edit: Sorry, I didn't mean SID but I forgot the actual name of them... At any rate, check in the registry to see if it exists there. |
|
  anon101
@verizon.com | reply to jarrycanada It's a text (TXT) file. Open it with Notepad and see what it says. Probably "Happy Easter from the Easter Bunny". |
|
 jarrycanada
join:2004-12-02 Schenectady, NY
| reply to jarrycanada anon101, I did open it with Notepad. It just says
I've got two numbers so far.
278cd9b7-9f46-4742-9430-328be6c44b79|000E0CB14FC7
e8cd3a8e-073f-4bd2-a6cc-1173c7f30160|000E0CB14FC7
Damon85 is right, the last number is my MAC address. But the other numbers don't come up at all. I searched the drive and the registry now for them. |
|
  jimkyle Btrieve Guy Premium join:2002-10-20 Oklahoma City, OK
·AT&T Southwest
| search the registry also for "HBEP" since this file is apparently storing a process-identifying GUID value together with the MAC of your network card. It quite well may be something innocent. However I would expect a search of the registry for just the GUID portion of the current file's content to have at least one hit, probably in the HKLM hive... -- Jim Kyle |
|
  anon101
@verizon.com
| reply to jarrycanada well, it doesn't look too harmful. Judging from the name (HBEPGUID) seems like an ID of some sort along with a MAC address. Maybe they found a new way to set cookies? I would tend to believe you have something running on your system that checks if the item is there, and if not rewrites it. Open Task Manager and see what is running. Kill any processes you don't know about. Check your startup programs. Most likely there is something in there that starts up with your system. Have you run a HijackThis? |
|
 jarrycanada
join:2004-12-02 Schenectady, NY
| reply to jimkyle I searched for HBEP and any of the set of numbers, found nothing. I would think nothing of this file, but what scares me is the folder I found it in. I run HijackThis all the time. I don't see anything new in there. Getting to the point I am thinking about just reinstalling the OS. Sad part is the system runs fine. No strange error messages. No weird log files or anything showing up on my firewall logs. I nuked the IE internet folder and all the cookies. |
|
  anon101
@verizon.com
| I don't think you need to go to the extent of reloading OS. Maybe try something like file monitor with filtering to find out what is happening. I don't have this program so I don't know how to set it up. In any event, I would be curious as to what was happening before I reloaded new OS.
Filemon: »www.microsoft.com/technet/sysint···mon.mspx |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
edit: March 23rd, @05:06PM
| reply to jarrycanada Since at one time someone posted they also found with word BETTER OFF BirthDay in a HBEPGUID.TXT maybe it does have something to do with HP software packages that are installed by default on some of those installation disks that can make cards with your printer with either graphic or actual photos and text.
They even have on line places to do that..for consumer greeting cards. »h30393.www3.hp.com/printing/app/···rds.aspx
But if the HBEPGUID really is a clue to why the text file was created..I was thinking along the lines of the episode guide site and what a user might download there..
»epguides.com/HeyPaula/ »www.tv.com/hey-paula/episode-7/e···ary.html
»epguides.com/WhostheBoss/
BETTER OFF BirthDay »www.tv.com/whos-the-boss/better-···ary.html
but maybe the HB part is happy birthday..and the EP is printer
Good luck in the mystery ..sure would be nice to know what it is all these people have in common. -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
 jarrycanada
join:2004-12-02 Schenectady, NY | reply to jarrycanada I ran that program but it's a little beyond my ability to understand it. |
|
 jarrycanada
join:2004-12-02 Schenectady, NY edit: March 23rd, @10:32PM
| reply to jarrycanada I was thinking that too |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| Maybe it is even Epson Printer
»www.google.com/search?hl=en&sa=X···&spell=1
What kind of printer do you have and what software is installed for it? -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
 jarrycanada
join:2004-12-02 Schenectady, NY
edit: March 23rd, @06:13PM
| reply to jarrycanada well I got both hehehe, that computer was my old computer so it had a epson rx700 and now it's got a hp printer. When I am done scanning it with microsoft live I'll try uninstalling all the printer drivers and see if that goes away.
I am sorry but I don't understand the birthday card thing. |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| said by jarrycanada: well I got both hehehe, that computer was my old computer so it had a epson rx700 and now it's got a hp printer. When I am done scanning it with microsoft live I'll try uninstalling all the printer drivers and see if that goes away. I am sorry but I don't understand the birthday card thing.
And you may have never used that feature
EPSON Stylus Photo RX700, EPSON RX700 Printer, EPSON C11C583001 ...You can even create photo greeting cards using your favorite photo and your own hand-written message.
»www.supermediastore.com/epson-st···ter.html
see also.. »www.google.com/search?hl=en&q=ep···G=Search -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
  DiscardedVet Premium join:2005-04-06 Sturgis, SD
| reply to jarrycanada I am by far not in the levels of some of the tech folks here, but I do hold my own.
One thing I do for suspicious files is time correlation. The time that file was created, correlate it with what Internet activity there was (history, IE cache, firewall logs, etc), as well as do a PC file search for files both created and accessed at the same time.
MANY times this action has brought me to a sound conclusion of what the file stems from.
Best of luck to ya 
D-Vet -- Bush is the Prez....Think Patriot Act II....This outspoken dissident....In jail I'll be soon. |
|
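The time-correlation check DiscardedVet describes, as an added example that is not part of the original thread: it lists files whose modification or access time falls within a few minutes of the suspicious file's timestamp. The function names, the five-minute window and the sample directory tree are assumptions constructed for illustration; modification and access times are used because they are portable, and on Windows the creation time can be compared the same way.

```python
import os
import tempfile
from datetime import datetime, timedelta

def files_near(target, root, window=timedelta(minutes=5)):
    """Return (path, stamp_kind, offset_seconds) for every file under root
    whose modification or access time is within `window` of target's mtime."""
    pivot = os.stat(target).st_mtime
    span = window.total_seconds()
    target_abs = os.path.abspath(target)
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.abspath(path) == target_abs:
                continue
            try:
                st = os.stat(path)
            except OSError:
                continue  # file locked or removed while walking
            for kind, stamp in (("modified", st.st_mtime), ("accessed", st.st_atime)):
                if abs(stamp - pivot) <= span:
                    hits.append((path, kind, round(stamp - pivot)))
                    break  # one hit per file is enough
    # Closest in time first: these are the best leads.
    return sorted(hits, key=lambda h: abs(h[2]))

def demo():
    """Run the correlation over a constructed directory tree."""
    base = datetime(2020, 1, 1, 12, 0).timestamp()  # constructed reference time
    layout = {  # name: (atime offset, mtime offset) in seconds, all constructed
        "HBEPGUID.TXT": (0, 0),
        "vendor_agent.log": (40, 30),       # written 30 s after the target
        "old_report.doc": (-90000, -90000), # untouched for over a day
        "settings.ini": (-120, -86400),     # old file, read 2 min before
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (a_off, m_off) in layout.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.utime(path, (base + a_off, base + m_off))
        target = os.path.join(root, "HBEPGUID.TXT")
        return [(os.path.basename(p), kind, off)
                for p, kind, off in files_near(target, root)]

if __name__ == "__main__":
    for row in demo():
        print(row)
```
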
 jarrycanada
join:2004-12-02 Schenectady, NY
edit: March 23rd, @10:28PM
| reply to Name Game Has nothing to do with my printer. All bets are off now.
I was playing around with that tool anon101 told me to use. I deleted my copy of HBEPGUID.TXT and rebooted. Then I checked my shared folder again. Nothing, good. Then I ran File monitor and waited and waited. That was the hard part.
CCSVCHST.exe was creating this file. So I uninstalled Norton and am waiting to see if this file will show up again. I think it has something to do with the fact that my copy of Norton is about to run out in a month or so, so it has to report back home to make sure I am not stealing it.
Two hours, file still hasn't shown up again.
I got a new copy sitting right here waiting to be installed. But that's another day. Too much fun with Norton Internet Security. One thing I love about Norton is that you can never fully uninstall that app, you have to always get that one little tool that does it for ya. |
|