Hello, I have this folder called “.hAWabAzAr” in “C:\Users(name)” and I have no idea where it came from.

There’s 2 files inside of it “2491ed2347c513da277245650ba73a6b” and “d7f3fad84ed21f80e3f7ce90ec7ba697”, if I open them with a text editor there’s just more random numbers inside of them.

I can’t think of any program/software on my computer that would use that folder.

.hAWabAzAr was created 2011-05-19 and last changed/edited a few minutes after it was created.

I scanned the folder with the latest version of avast! (Free Antivirus) ‘6.0.1203’ and ‘110714-0’ (database) and it was clean.
I even did some searches about it on Google, Yahoo! & Bing but didn’t find anything useful, except for the fact that most searches pointed to “http://www.thekeyfinder.net/” and “http://www.hawabazar.com/”.

Any help or information is appreciated.

Upload the file(s) to www.virustotal.com and post the results!

2491ed2347c513da277245650ba73a6b - https://www.virustotal.com/file-scan/report.html?id=ca13cae456429fbf80e7c7afb2efcff8454ccf7ee0a4b4ff14c04d24332993e7-1310651210
d7f3fad84ed21f80e3f7ce90ec7ba697 - https://www.virustotal.com/file-scan/report.html?id=e6818e9d7d6eb5b0a35c0149d4591f484c2a4e9127f6ac4a5ad3ac246e199312-1310651384

Nothing to worry about,have a nice day.

I would really like to know where this came from. My hawabazar folder and files appeared on Feb. 18th of this year. I have been googling it ever since I became aware of it this March. Maybe some sort of tracking from a website? I went to hawabazar.com and it looks like an Arabic site (which I never visited).

For what it’s worth, my folder had one text file with a different set of numbers - 36fc7a5f02d1e9e9d52b7759d038d15b

If anyone has any info, I would appreciate the feedback!

-Cheers

"There’s 2 files inside of it “2491ed2347c513da277245650ba73a6b” and “d7f3fad84ed21f80e3f7ce90ec7ba697”

look at this i think maybe because of microsoft update, microsoft update usually search for free space for temporary to install update, and sometimes it forgot to delete this temporaty folder…

read this http://ask-leo.com/can_i_delete_these_randomly_named_folders.html

to delete this folder you must take ownership.

and for the folder with name “.hAWabAzAr”, maybe you can take ownership for this folder and delete safely

If you package up a copy and upload it to mediafire/rapidshare/megaupload/etc. I’d be willing to take a look at it for you. I’m an incredibly skilled computer expert (and yes, I’ve got a bit of an ego, lol) and can analyze it by hand for you, see if I can find anything to be scared of that AV might not detect due to it being new.

Let’s see what those skills can find out, shall we? 8)

Here is the link:

http://www.filesonic.com/file/2557877184/.hAWabAzAr.7z

Thanks for looking into this!

Hi R1Nick,

Analyzing the link you gave for suspicious malscript detected the following to be suspicious:

And thsi, the suspicious part of that link is found to reside here:
-partner.googleadservices.com/gampad/service.js suspicious
[suspicious:2] (ipaddr:64.233.169.167) (script) -partner.googleadservices.com/gampad/service.js
status: (referer=-www.filesonic.com/file/2557877184/.hAWabAzAr.7z)saved 5175 bytes 6dd283cf6a29dba6a5ad64c6aad86ebe35dfed3b
info: [javascript variable] URL=
info: [decodingLevel=0] found JavaScript
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
info: file: -saved partner.googleadservices.com/gampad/service.js to (6dd283cf6a29dba6a5ad64c6aad86ebe35dfed3b)
Hope this will help,

polonus

The link is not what is to be analyzed, it is the file that I have uploaded.

-Cheers