Random Files Created in System Root Drive

Injust
Hiya,
For a while now, I don't know exactly how long, there has always been one file on my C: (system root) drive that I never made. It is a hidden system file, 479,249 bytes in size. If I delete it, on system restart, it regenerates, but with a different name. I'll proceed to delete it and see if the hash is the same after restart. Right now, the name is NDSGQ, and the SHA-256 hash is 21200fcfb2194e02058d0eb976238c66f4ad516677eea98d73a2e83a583a5d6f. The name is always 5 all-caps letters. I have NTFS compression enabled, and yes, the file compresses itself. I have no idea what it is. I've uploaded it to VirusTotal, and it has come back negative, but McAfee-GW-Edition says "Heuristic.BehavesLike.Exploit.CodeExec.O". I will post back to see if the hash is the same.
The VirusTotal scan details are here: https://www.virustotal.com/en/file/...77eea98d73a2e83a583a5d6f/analysis/1369501005/

EDIT: Strange...the file hasn't re-generated this time...
 
Last edited by a moderator:
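The check the first post describes (note the file, delete it, compare the hash after a reboot) without having to remember the changing name, as an added example that is not part of the thread: it lists hidden system files in the root of C:\ whose name is five capital letters, hashes them, flags whether the hash equals the one quoted above, and diffs against a baseline CSV written by the previous run. Assumed: PowerShell 4.0 or later (for Get-FileHash), an elevated prompt, and the baseline file path.

```powershell
# Added example, not from the thread. Baseline the C:\ root for hidden system files
# named with five capital letters (the pattern the poster describes), record their
# SHA-256, and compare with the previous run so a renamed-but-identical file is spotted.
$KnownHash = '21200fcfb2194e02058d0eb976238c66f4ad516677eea98d73a2e83a583a5d6f'  # hash quoted in the post
$Baseline  = Join-Path $env:USERPROFILE 'root-file-baseline.csv'                   # assumed location

function Get-SuspectRootFiles {
    param([string]$Root = 'C:\')
    # -Force is needed to see hidden/system files; -cmatch keeps the match case-sensitive
    Get-ChildItem -Path $Root -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -cmatch '^[A-Z]{5}$' -and
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
            $_.Attributes.HasFlag([IO.FileAttributes]::System)
        } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Name        = $_.Name
                Size        = $_.Length
                Created     = $_.CreationTime
                Attributes  = $_.Attributes.ToString()
                SHA256      = $hash
                MatchesPost = ($hash -eq $KnownHash)   # -eq is case-insensitive in PowerShell
            }
        }
}

$current = @(Get-SuspectRootFiles)

# Compare against the previous run: same hash under a new name means the same content
# is being re-created; a new hash means the content itself changed.
if (Test-Path $Baseline) {
    $previous = Import-Csv -Path $Baseline
    foreach ($f in $current) {
        $seen = $previous | Where-Object { $_.SHA256 -eq $f.SHA256 } | Select-Object -First 1
        if ($seen) {
            "$($f.Name): same content as earlier $($seen.Name) (hash unchanged, name changed)"
        } else {
            "$($f.Name): not in baseline, hash $($f.SHA256)"
        }
    }
}

# Save this run as the baseline for the next comparison and show a summary
$current | Export-Csv -Path $Baseline -NoTypeInformation
$current | Format-Table Name, Size, Created, Attributes, SHA256, MatchesPost -AutoSize
```

Run it once before deleting the file and again after the reboot; the second run reports whether the regenerated file has the same hash.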
Never compress the System drive as it may become unbootable if the boot files compress.

If you have MucAfee then you have much worse worries. It's the worst possible thing you can install on Win7, the cause of endless problems we see here. Almost all issues are traced to it when it's present, probably this one too.

To uninstall MucAfee you must use a special tool, like the one used with any other really bad infection: How to uninstall or reinstall supported McAfee products using the Consumer Products Removal tool (MCPR)

I'd replace it with Microsoft Security Essentials or Avast which are recommended by almost everyone here where we know Win7 best.

In addition if you're still running the HP preinstalled Win7, that is the worst possible install of Win7 one can have with the worst load of bloatware in the industry. That's why most tech enthusiasts choose to Clean Reinstall - Factory OEM Windows 7 to get a perfect install based on the tools and methods which work best. Read the Note to HP Owners at end for special considerations.

At the minimum I'd Clean Up Factory Bloatware.
 
First of all, no, this is not my system listed in my system specs. This is a Dell Inspiron 530, completely re-installed with Windows 7 Home Premium. I have never used McAfee either.
 
Does the PC have Acronis or an imaging or backup suite?

Have you run a full Malwarebytes scan?

I'd also run SUPERAntiSpyware.com - Downloads which roots spyware out of the registry even if it has already been uninstalled.

Then check for and install all Important and Optional Windows Updates to see if it comes back.
 
Will do now.
 
Ok, so I just did a complete scan with SUPERAntiSpyware. Log is included.
Code:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/26/2013 at 01:21 PM

Application Version : 5.6.1020

Core Rules Database Version : 10445
Trace Rules Database Version: 8257

Scan type : Complete Scan
Total Scan Time : 03:32:31

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned : 533
Memory threats detected : 0
Registry items scanned : 71786
Registry threats detected : 0
File items scanned : 146171
File threats detected : 7

Trojan.Agent/Gen-Krycon
C:\USERS\L0L\DESKTOP\DON'T SLEEP.EXE

Adware.Tencent
C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\0PS72R2M\SETUP[1].EXE
C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\0PS72R2M\SETUP[2].EXE
C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\0PS72R2M\TBUPDATE[1].EXE
C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\62AXOPQ5\SETUP[1].EXE
C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\LIXMVQOA\SETUP[1].EXE
C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\LIXMVQOA\SETUP[2].EXE

The Adware.Tencent is not harmful nor is it malicious. It's just software I use :) Nothing bad about it for sure.
As for the "Don't Sleep.exe", IDK. Sent it off to VirusTotal.
https://www.virustotal.com/en/file/...72a6a2509c25a24c7cfa407e44ec85acc3f/analysis/ Check it out for yourself.
Will do a Malwarebytes scan now.
 
Still hasn't come back.
I ran a Malwarebytes complete scan, and it picked up 4 registry entries.
Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.26.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
L0L :: L0L-PC [administrator]

5/26/2013 8:05:07 PM
mbam-log-2013-05-26 (20-05-07).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 316459
Time elapsed: 51 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A57E074F-56D8-4A33-8112-AAC9693AA909} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{A57E074F-56D8-4A33-8112-AAC9693AA909} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I did remove them.
 
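A way to review the kind of entries Malwarebytes flagged above (values under Shell Extensions\Approved whose CLSID points nowhere), as an added example that is not part of the thread: every value name under Approved is a CLSID, and a legitimate extension has a matching CLSID key with an InprocServer32 DLL. Entries with no registered class, or whose DLL is missing from disk, are printed for manual review. Assumed: an elevated prompt on a 64-bit Windows 7 host, and that the three CLSID roots checked are the only ones that matter.

```powershell
# Added example, not from the thread. Audit HKLM Shell Extensions\Approved for entries
# with no backing COM class or a DLL that no longer exists on disk.
$Approved   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',   # 32-bit extensions on x64
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Get-OrphanShellExtensions {
    $props = Get-ItemProperty -Path $Approved
    # Only the {GUID} value names are extensions; skip PowerShell's PS* metadata properties
    $clsids = $props.PSObject.Properties | Where-Object { $_.Name -like '{*}' } | Select-Object -ExpandProperty Name
    foreach ($clsid in $clsids) {
        $dll = $null
        foreach ($root in $ClsidRoots) {
            $server = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
                break
            }
        }
        if (-not $dll) {
            [pscustomobject]@{ CLSID = $clsid; Description = $props.$clsid; Problem = 'no CLSID registration'; Dll = '' }
        } else {
            $path = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            if (-not (Test-Path $path)) {
                [pscustomobject]@{ CLSID = $clsid; Description = $props.$clsid; Problem = 'DLL missing'; Dll = $path }
            }
        }
    }
}

Get-OrphanShellExtensions | Format-Table -AutoSize
```

An entry with a description but no CLSID registration is exactly what remains after a removal tool deletes the class but not the Approved value, so confirm before deleting anything that the DLL path, if any, is not a legitimate program's.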