Windows 7 Forums

Windows 7: Random Files Created in System Root Drive

25 May 2013   #1
Injust

Windows 7 64-bit
 
 
Random Files Created in System Root Drive

Hiya,
For a while now, I don't know exactly how long, there has always been one file on my C: (system root) drive that I never made. It is a hidden system file, 479,249 bytes in size. If I delete it, on system restart, it regenerates, but with a different name. I'll proceed to delete it and see if the hash is the same after restart. Right now, the name is NDSGQ, and the SHA-256 hash is 21200fcfb2194e02058d0eb976238c66f4ad516677eea98d73a2e83a583a5d6f. The name is always 5 all-caps letters. I have NTFS compression enabled, and yes, the file compresses itself. I have no idea what it is. I've uploaded it to VirusTotal, and it has come back negative, but McAfee-GW-Edition says "Heuristic.BehavesLike.Exploit.CodeExec.O". I will post back to see if the hash is the same.
The VirusTotal scan details are here: https://www.virustotal.com/en/file/2...is/1369501005/

EDIT: Strange...the file hasn't re-generated this time...


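The check the first post describes (delete the file, restart, see whether the hash is the same), as an added Python example that is not part of the original thread. The function names `snapshot` and `compare` are this example's own; it assumes the file name is exactly five capital letters with no extension, as the post says, and that on Windows the file carries both the hidden and system attributes.

```python
import hashlib
import os
import re
import stat

NAME_RE = re.compile(r"^[A-Z]{5}$")  # assumption from the post: five capitals, no extension
HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map name -> {size, sha256} for matching files directly under root."""
    found = {}
    with os.scandir(root) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False) or not NAME_RE.match(entry.name):
                continue
            st = entry.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", None)  # only present on Windows
            if attrs is not None and (attrs & HIDDEN_SYSTEM) != HIDDEN_SYSTEM:
                continue  # on Windows, keep only files that are both hidden and system
            found[entry.name] = {"size": st.st_size, "sha256": sha256_of(entry.path)}
    return found


def compare(before, after):
    """Classify each file in `after` against the snapshot taken before the restart."""
    old_by_hash = {meta["sha256"]: name for name, meta in before.items()}
    report = []
    for name, meta in sorted(after.items()):
        if name in before and before[name]["sha256"] == meta["sha256"]:
            verdict = "unchanged"
        elif meta["sha256"] in old_by_hash:
            verdict = "same content, renamed from " + old_by_hash[meta["sha256"]]
        elif any(m["size"] == meta["size"] for m in before.values()):
            verdict = "same size, different content"
        else:
            verdict = "new"
        report.append((name, verdict))
    return report
```

The snapshots are plain dictionaries, so the one taken before the restart can be written out with `json.dump` and loaded again afterwards for `compare`.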
25 May 2013   #2
gregrocker

 

Never compress the System drive as it may become unbootable if the boot files compress.

If you have MucAfee then you have much worse worries. It's the worst possible thing you can install on Win7, cause of endless problems we see here. Almost all issues are traced to it when it's present, probably this one too.

To uninstall MucAfee you must use a special tool like is used with any other really bad infection: How to uninstall or reinstall supported McAfee products using the Consumer Products Removal tool (MCPR)

I'd replace it with Microsoft Security Essentials or Avast which are recommended by almost everyone here where we know Win7 best.

In addition if you're still running the HP preinstalled Win7, that is the worst possible install of Win7 one can have with the worst load of bloatware in the industry. That's why most tech enthusiasts choose to Clean Reinstall - Factory OEM Windows 7 to get a perfect install based on the tools and methods which work best. Read the Note to HP Owners at end for special considerations.

At the minimum I'd Clean Up Factory Bloatware.
25 May 2013   #3
Injust

Windows 7 64-bit
 
 

First of all, no, this is not my system listed in my system specs. This is a Dell Inspiron 530, completely re-installed with Windows 7 Home Premium. I have never used McAfee either.

25 May 2013   #4
gregrocker

 

Does the PC have Acronis or an imaging or backup suite?

Have you run a full Malwarebytes scan?

I'd also run SUPERAntiSpyware.com - Downloads which roots spyware out of the registry even if it has already been uninstalled.

Then check for and install all Important and Optional Windows Updates to see if it comes back.
25 May 2013   #5
Injust

Windows 7 64-bit
 
 

Will do now.
26 May 2013   #6
Injust

Windows 7 64-bit
 
 

Ok, so I just did a complete scan with SUPERAntiSpyware. Log is included.
Code:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/26/2013 at 01:21 PM

Application Version : 5.6.1020

Core Rules Database Version : 10445
Trace Rules Database Version: 8257

Scan type       : Complete Scan
Total Scan Time : 03:32:31

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned      : 533
Memory threats detected   : 0
Registry items scanned    : 71786
Registry threats detected : 0
File items scanned        : 146171
File threats detected     : 7

Trojan.Agent/Gen-Krycon
	C:\USERS\L0L\DESKTOP\DON'T SLEEP.EXE

Adware.Tencent
	C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\0PS72R2M\SETUP[1].EXE
	C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\0PS72R2M\SETUP[2].EXE
	C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\0PS72R2M\TBUPDATE[1].EXE
	C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\62AXOPQ5\SETUP[1].EXE
	C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\LIXMVQOA\SETUP[1].EXE
	C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\LIXMVQOA\SETUP[2].EXE

The Adware.Tencent is not harmful nor is it malicious. It's just a software I use. Nothing bad about it for sure.
As for the "Don't Sleep.exe", IDK. Sent it off to VirusTotal.
https://www.virustotal.com/en/file/b...cc3f/analysis/ Check it out for yourself.
Will do a Malwarebytes scan now.
27 May 2013   #7
Injust

Windows 7 64-bit
 
 

Still hasn't come back.
I ran a Malwarebytes complete scan, and it picked up 4 registry entries.
Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.26.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
L0L :: L0L-PC [administrator]

5/26/2013 8:05:07 PM
mbam-log-2013-05-26 (20-05-07).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 316459
Time elapsed: 51 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} (Trojan.Agent) -> Data:  -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} (Trojan.Agent) -> Data:  -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A57E074F-56D8-4A33-8112-AAC9693AA909} (Trojan.Agent) -> Data:  -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{A57E074F-56D8-4A33-8112-AAC9693AA909} (Trojan.Agent) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
I did remove them.