Random Files Created in System Root Drive


  1. Posts : 418
    N/A
       #1



    Hiya,
    For a while now, I don't know exactly how long, there has always been one file on my C: (system root) drive that I never made. It is a hidden system file, 479,249 bytes in size. If I delete it, on system restart it regenerates, but with a different name. I'll proceed to delete it and see if the hash is the same after restart. Right now, the name is NDSGQ, and the SHA-256 hash is 21200fcfb2194e02058d0eb976238c66f4ad516677eea98d73a2e83a583a5d6f. The name is always five all-caps letters. I have NTFS compression enabled, and yes, the file compresses itself. I have no idea what it is. I've uploaded it to VirusTotal, and it has come back negative, but McAfee-GW-Edition says "Heuristic.BehavesLike.Exploit.CodeExec.O". I will post back to see if the hash is the same.
    The VirusTotal scan details are here: https://www.virustotal.com/en/file/2...is/1369501005/

    EDIT: Strange...the file hasn't re-generated this time...
    Last edited by Brink; 05 Jul 2017 at 21:40. Reason: restored
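    One way to do what the original poster set out to do (check whether the regenerated file has the same hash as the one deleted before the reboot), written as an added example and not code from the thread. It assumes PowerShell 4.0 or later for Get-FileHash, an elevated prompt, and a hypothetical baseline path under ProgramData:

```powershell
# Added example (not from the thread): record hidden + system files in the root
# of the system drive whose names are exactly five capital letters, then compare
# them with the set saved on the previous run (e.g. before the last reboot).
# Assumptions: PowerShell 4.0 or later (Get-FileHash), run from an elevated prompt;
# the baseline path is a hypothetical choice.
$Root     = $env:SystemDrive + '\'
$Baseline = Join-Path $env:ProgramData 'root-file-baseline.json'

function Get-SuspectRootFiles {
    Get-ChildItem -Path $Root -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -cmatch '^[A-Z]{5}$' -and
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
            $_.Attributes.HasFlag([IO.FileAttributes]::System)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Name       = $_.Name
                Length     = $_.Length
                Created    = $_.CreationTimeUtc.ToString('o')
                Compressed = $_.Attributes.HasFlag([IO.FileAttributes]::Compressed)
                Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            }
        }
}

$current = @(Get-SuspectRootFiles)

if (Test-Path $Baseline) {
    $previous = @(Get-Content -Path $Baseline -Raw | ConvertFrom-Json)
    if (-not $current) { 'No matching hidden system file in the root this time.' }
    foreach ($f in $current) {
        $match = $previous | Where-Object { $_.Sha256 -eq $f.Sha256 }
        if ($match) {
            '{0}: same content as {1} from the baseline (SHA-256 {2})' -f $f.Name, $match.Name, $f.Sha256
        } else {
            '{0}: {1} bytes, SHA-256 {2} not seen in the baseline' -f $f.Name, $f.Length, $f.Sha256
        }
    }
} else {
    'No baseline yet; recording {0} file(s).' -f $current.Count
}

# Save the current set as the baseline for the next comparison.
ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -Path $Baseline
```

    A matching hash under a new name means the same content is being rewritten by something that runs at boot; a different hash each time is worth noting before the file is submitted anywhere again.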

  2.    #2

    Never compress the System drive as it may become unbootable if the boot files compress.

    If you have MucAfee then you have much worse worries. It's the worst possible thing you can install on Win7, cause of endless problems we see here. Almost all issues are traced to it when it's present, probably this one too.

    To uninstall MucAfee you must use a special tool like is used with any other really bad infection: How to uninstall or reinstall supported McAfee products using the Consumer Products Removal tool (MCPR)

    I'd replace it with Microsoft Security Essentials or Avast which are recommended by almost everyone here where we know Win7 best.

    In addition if you're still running the HP preinstalled Win7, that is the worst possible install of Win7 one can have with the worst load of bloatware in the industry. That's why most tech enthusiasts choose to Clean Reinstall - Factory OEM Windows 7 to get a perfect install based on the tools and methods which work best. Read the Note to HP Owners at end for special considerations.

    At the minimum I'd Clean Up Factory Bloatware.


  3. Posts : 418
    N/A
    Thread Starter
       #3

    First of all, no, this is not my system listed in my system specs. This is a Dell Inspiron 530, completely re-installed with Windows 7 Home Premium. I have never used McAfee either.
    Last edited by Brink; 05 Jul 2017 at 21:41. Reason: restored

  4.    #4

    Does the PC have Acronis or an imaging or backup suite?

    Have you run a full Malwarebytes scan?

    I'd also run SUPERAntiSpyware.com - Downloads which roots spyware out of the registry even if it has already been uninstalled.

    Then check for and install all Important and Optional Windows Updates to see if it comes back.


  5. Posts : 418
    N/A
    Thread Starter
       #5

    Will do now.
    Last edited by Brink; 05 Jul 2017 at 21:41. Reason: restored


  6. Posts : 418
    N/A
    Thread Starter
       #6

    Ok, so I just did a complete scan with SUPERAntiSpyware. Log is included.
    Code:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com
    
    Generated 05/26/2013 at 01:21 PM
    
    Application Version : 5.6.1020
    
    Core Rules Database Version : 10445
    Trace Rules Database Version: 8257
    
    Scan type : Complete Scan
    Total Scan Time : 03:32:31
    
    Operating System Information
    Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
    UAC Off - Administrator
    
    Memory items scanned : 533
    Memory threats detected : 0
    Registry items scanned : 71786
    Registry threats detected : 0
    File items scanned : 146171
    File threats detected : 7
    
    Trojan.Agent/Gen-Krycon
    C:\USERS\L0L\DESKTOP\DON'T SLEEP.EXE
    
    Adware.Tencent
    C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\0PS72R2M\SETUP[1].EXE
    C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\0PS72R2M\SETUP[2].EXE
    C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\0PS72R2M\TBUPDATE[1].EXE
    C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\62AXOPQ5\SETUP[1].EXE
    C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\LIXMVQOA\SETUP[1].EXE
    C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\LIXMVQOA\SETUP[2].EXE
    The Adware.Tencent is not harmful nor is it malicious. It's just software I use :) Nothing bad about it for sure.
    As for the "Don't Sleep.exe", IDK. Sent it off to VirusTotal.
    https://www.virustotal.com/en/file/b...cc3f/analysis/ Check it out for yourself.
    Will do a Malwarebytes scan now.
    Last edited by Brink; 05 Jul 2017 at 21:42. Reason: restored


  7. Posts : 418
    N/A
    Thread Starter
       #7

    Still hasn't come back.
    I ran a Malwarebytes complete scan, and it picked up 4 registry entries.
    Code:
    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org
    
    Database version: v2013.05.26.04
    
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    L0L :: L0L-PC [administrator]
    
    5/26/2013 8:05:07 PM
    mbam-log-2013-05-26 (20-05-07).txt
    
    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled: 
    Objects scanned: 316459
    Time elapsed: 51 minute(s), 13 second(s)
    
    Memory Processes Detected: 0
    (No malicious items detected)
    
    Memory Modules Detected: 0
    (No malicious items detected)
    
    Registry Keys Detected: 0
    (No malicious items detected)
    
    Registry Values Detected: 4
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A57E074F-56D8-4A33-8112-AAC9693AA909} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{A57E074F-56D8-4A33-8112-AAC9693AA909} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
    
    Registry Data Items Detected: 0
    (No malicious items detected)
    
    Folders Detected: 0
    (No malicious items detected)
    
    Files Detected: 0
    (No malicious items detected)
    
    (end)
    I did remove them.
    Last edited by Brink; 05 Jul 2017 at 21:42. Reason: restored
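    The four entries Malwarebytes quarantined were CLSIDs under the Approved shell-extensions key, which is where Explorer looks for handlers it is allowed to load. As an added example (not code from the thread), this lists every approved CLSID, resolves it to its in-process DLL and reports the Authenticode status, assuming PowerShell 3.0 or later and an elevated prompt:

```powershell
# Added example (not from the thread): enumerate the Approved shell-extension
# CLSIDs, resolve each to its in-process DLL and report its Authenticode status,
# so unexpected handlers like the two Malwarebytes quarantined can be reviewed.
# Assumptions: PowerShell 3.0 or later, run from an elevated prompt.
$Approved = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$ClsidRoots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'

function Get-ApprovedShellExtensions {
    $key = Get-Item -Path $Approved
    foreach ($clsid in $key.GetValueNames()) {
        $dll = $null
        # A 64-bit Explorer loads the native registration; 32-bit hosts use Wow6432Node.
        foreach ($root in $ClsidRoots) {
            $server = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path -Path $server) {
                $raw = (Get-ItemProperty -Path $server).'(default)'
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')); break }
            }
        }
        $status = if ($dll -and (Test-Path -Path $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
        } elseif ($dll) { 'DllMissing' } else { 'NoInprocServer' }
        [pscustomobject]@{
            Clsid       = $clsid
            Description = $key.GetValue($clsid)
            Dll         = $dll
            Signature   = $status
        }
    }
}

# Anything not carrying a valid signature deserves a look: a DLL that is gone
# (DllMissing) or one outside the Windows and Program Files trees stands out.
Get-ApprovedShellExtensions |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object -Property Signature, Dll |
    Format-Table -AutoSize
```

    On Windows 7 many Microsoft DLLs are signed only through a security catalog, and Get-AuthenticodeSignature in PowerShell 3/4 reports those as NotSigned, so judge the list by the DLL path and description rather than the status alone.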

