Solved Strange system file on C:\

[Migelo]

Hi!

When I checked the "Show system files" box a file I've never seen before appeared in my C:\ directory and no other computer I checked has it.

File name: DCPJQ
File size: 450 KB (461.625 bytes)
SHA256: ae549d170c8c7bfd786368bfaefaac517f1dc5a3fd6f3faa639d65b6bcff8e5c
More info on virustotal link: https://www.virustotal.com/en-gb/fi...c517f1dc5a3fd6f3faa639d65b6bcff8e5c/analysis/

Can somebody please explain this file's purpose? Is it really a system file?

Best Regards
Migelo

 

[Kaktussoft]

It's a file so not a folder? It's located in root folder of C?

 

[Kaktussoft]

Please post the file as attachment

 

[Migelo]

It's a file.

I had to append .docx so it would let me upload it. Originally it comes without an extention.

 

[Kaktussoft]

I renamed it to DCPJQ.txt and analysed it.

Strings inside file:

MandrakeSoft and GRUB and many more.

Did you have linux? Still using linux?

It seems to be part of grub bootloader.
Or maybe it is a temp file created by grub loader.

 

[Migelo]

Interesting idea how to analyze a binary file xD

No, I've never had any linux on this machine but I've booted a live USB with gparted, ubuntu...etc. many times, so that might be it.

 

[Kaktussoft]

Interesting idea how to analyze a binary file xD

No, I've never had any linux on this machine but I've booted a live USB with gparted, ubuntu...etc. many times, so that might be it.

Just rename the file and reboot.

You can rename back using win7 recovery environment if it doesn't boot.
If all is fine.... delete the file

 

[Migelo]

I'll try that and report back once I get home from school.

 

[gregrocker]

I would also run a full scan with Malwarebytes and SUPERAntiSpyware and replace that unknown AV with Microsoft Security Essentials.

Turn off SAS at boot in Preferences, and uncheck all of its updater boxes. Update manually before you run it.

 

[Migelo]

I already have MSE installed and it says it's ok.

I'll do that scans as per your suggestion.

 

[gregrocker]

Do a full scan with each scanner, and not just of the one file.

 

[Migelo]

Yes, yes, ofc.

 

[Digital Life]

Did you buy this computer with windows 7 installed from a reputable seller kinda sounds like a pirated copy of win 7

 

[Migelo]

No, I bought it parts by parts.
Why would this file imply a pirated windows copy?

 

[Digital Life]

Im not an expert at it but that was the way people got around registering windows without a key the way it was done was run a loader that was Linux like that would load into your memory a fake BIOS then start windows and it would think it was a dell or whatever computer that was already registered to run windows .. Im sorry for making you think that somehow I thought you were running a illegal version of windows

did you ever run any type of linux or something that installed linux like commands that you could run

 

[Migelo]

Np.

As I mentioned, I've run numerous of live DVD/USBs with some-kind of linux loaded on them for experimentation and testing.

I also opened that file with Notepad++ and I found this:

Press space bar 
Press   to start GRUB, any other key to boot previous MBR ...  to boot previous MBR, any other key to start GRUB ... 
Timeout:      
Invalid previous MBR. Press any key to start GRUB ...  to hold the screen, any other key to boot previous MBR ... 
Error while reading MBR of   in partition table of drive (hd0 )  
Error 
Cannot find   in all drives. Press Ctrl+Alt+Del to restart. 
Try (hd0,0 ) :  EXT2:  NTFS5:  FAT32:  FAT16:  FAT12:  non-MS: skip  Extended:  invalid or null                                                                                                                                                                                                                                                                                                                                                           ¶  GRUŞęp‚   ˙˙˙ ő…    0.97 /boot/grub/menu.lst                                                                  <ˆ éÝ      `3
    ˙˙˙˙                                                                    ˙˙˙˙               
     €           ŕ    
    „Ň      Ô0 5Ő0         €[5     ˙˙˙˙                                    ˙˙˙˙    ˙˙˙˙    úü1ŔŽŘŽŔŽĐfĽ p  űf>´!FBBFufˇ®! *!fŁ¸‚ ˘ŠŽ u˘‹ŽfˇT fŁŚŽfˇL fŁśŽfŁ“Źf=   Ŕƒ f=   Z‚† f%˙˙? f= 
  uxˇÁŕ;N ulŽŘf>
$INTu[f>
13SFuPf>
GRUBuEf>
4DOSu:fˇ f=   Zr.fˇ f=   Zr"ą?
ľ
 żŽó¤ľ * ŕH.˘ůĄą` ľ ŽżśŤó.Ą1ŔŽŘ¸ đŽŔż ˙ľý…ą" ó§”B†1ŔŽŔR1ŔŽŘŽŔűfˇüf‰Á¨tf=LUCEu€á‚»
 ö‚uOfˇlfƒŔfPS´
Í[tS´ Í[= Ru·
 <cuĺö‚uŢł ëÚfXfPf‹lf9Ásfƒčf9ÁsĂfƒůr˝fXˆ>ů…„Űu    fÇí…    Zf¶ÂfŁ€‚1ŔŽŘŽŔö‚u´
Ít´ Íëôą˙ ş

účŔ#űt]h…č77éŐ 
grub4dos: A20 failure. Please report with error code(if any in the above line).

Especially the last line grub4dos suggests to me that this file's been made by the DOS utility I used to flash my IBM ServerRaid 1015m card with IT firmware for my ZFS server.

The antivirus checks are still running, MSE and SUPERantiSpyware didn't find anything beside a couple of cookies so I'm just waiting for Malwarebytes' scan to finish and I'm done. =)

Thx!

 

[gregrocker]

Do you have any question about what your PC builder might have used to install and Activate Win7?

If so run MGADiag.exe and post back the report so we can analyze it for you.

 

[Digital Life]

As I mentioned, I've run numerous of live DVD/USBs with some-kind of linux loaded on them for experimentation and testing.

Missed that part I went backwards and looked at one of your post where you did say that

what I would do is copy the file to a new folder then reboot and if everything works fine that means your good. If it goes all bad boot up into your favorite live CD and move it back where it was . I would not be a big fan of any live version of Linux that decides it can mount your drives without your permission

 

[Migelo]

Yes, once the scans are done, I'll do that.

No, I bought it parts by parts.

By that I meant that I've built the PC myself and installed the Win7 X64 Ultimate (because of the language packs) which I bought separately.

 

[Migelo]

Ok, I removed the file and everything's still working

Thanks for all your support!