Strange new folder names in Windows 7 Ultimate

[Dennis]

I noticed these new file folders on my C: drive. Google searches
give no results. Anyone know what they are?

Apf=ZQGUP2UVIOsHF, created 12/21/2012 contains two files
![sL}36YSNON'3J1xF and wD6'g8{Gsksj(c1ob+

YIXadB_KiafTv~]5{{ created 12/22/2012 contains a file df}WMo1Ncj9yvjx-tk

a43m'2c,i!fXg748Wz created 12/22/2012 contains a file Q0e8_IQi1fhb3-)VR!

 

[VanguardLH]

I noticed these new file folders on my C: drive. Google searches
give no results. Anyone know what they are?

Apf=ZQGUP2UVIOsHF, created 12/21/2012 contains two files
![sL}36YSNON'3J1xF and wD6'g8{Gsksj(c1ob+

YIXadB_KiafTv~]5{{ created 12/22/2012 contains a file df}WMo1Ncj9yvjx-tk

a43m'2c,i!fXg748Wz created 12/22/2012 contains a file Q0e8_IQi1fhb3-)VR!

While installations often create temporary folders in which they put
their setup files, usually they use just alphanumeric characters
although I have seen a dash, underscore, and leading tilde used in the
folder/file names. When the installation completes the installer should
delete those folders but sometimes leaves them behind. Could be the
installer expects (but didn't prompt for) a reboot to run a cleanup on
Windows startup (often by using a PendingRename key in the registry to
delete those files) or the programmer in charge of configuring the
installer program (who is often separate of the programmers that write
the program) forgot to do the after-install cleanup.

That the folder has non-alphanumeric characters in its name and the
files within it suggests you are infected with malware (or once were if
it got eradicated but cleanup was incomplete). Anti-malware programs
often don't catch every change that malware did on your computer. For
example, it may not know what randomly-named folder was used to deposit
its crap. It won't know about any randomly generated folders or files
that the malware created after its install unless the files (not
folders) match on a hash in their signature database.

So when was the last time you updated your anti-virus or anti-malware
software and then used it to run a full scan? How many anti-
virus/malware programs did you use to provide overlap on coverage?

You could use a hex editor or even Notepad or Wordpad to peek inside the
files to see if you can find any strings that indicate who created those
files or what they are for.

 

[Dennis]

I noticed these new file folders on my C: drive. Google searches
give no results. Anyone know what they are?

Apf=ZQGUP2UVIOsHF, created 12/21/2012 contains two files
![sL}36YSNON'3J1xF and wD6'g8{Gsksj(c1ob+

YIXadB_KiafTv~]5{{ created 12/22/2012 contains a file df}WMo1Ncj9yvjx-tk

a43m'2c,i!fXg748Wz created 12/22/2012 contains a file Q0e8_IQi1fhb3-)VR!

While installations often create temporary folders in which they put
their setup files, usually they use just alphanumeric characters
although I have seen a dash, underscore, and leading tilde used in the
folder/file names. When the installation completes the installer should
delete those folders but sometimes leaves them behind. Could be the
installer expects (but didn't prompt for) a reboot to run a cleanup on
Windows startup (often by using a PendingRename key in the registry to
delete those files) or the programmer in charge of configuring the
installer program (who is often separate of the programmers that write
the program) forgot to do the after-install cleanup.

That the folder has non-alphanumeric characters in its name and the
files within it suggests you are infected with malware (or once were if
it got eradicated but cleanup was incomplete). Anti-malware programs
often don't catch every change that malware did on your computer. For
example, it may not know what randomly-named folder was used to deposit
its crap. It won't know about any randomly generated folders or files
that the malware created after its install unless the files (not
folders) match on a hash in their signature database.

So when was the last time you updated your anti-virus or anti-malware
software and then used it to run a full scan? How many anti-
virus/malware programs did you use to provide overlap on coverage?

You could use a hex editor or even Notepad or Wordpad to peek inside the
files to see if you can find any strings that indicate who created those
files or what they are for.

I have AVG up to date and ran daily. I have Superantispyware up to date
and ran daily. Neither has found anything...

 

[Jason]

I noticed these new file folders on my C: drive. Google searches
give no results. Anyone know what they are?

Apf=ZQGUP2UVIOsHF, created 12/21/2012 contains two files
![sL}36YSNON'3J1xF and wD6'g8{Gsksj(c1ob+

YIXadB_KiafTv~]5{{ created 12/22/2012 contains a file df}WMo1Ncj9yvjx-tk

a43m'2c,i!fXg748Wz created 12/22/2012 contains a file Q0e8_IQi1fhb3-)VR!

While installations often create temporary folders in which they put
their setup files, usually they use just alphanumeric characters
although I have seen a dash, underscore, and leading tilde used in the
folder/file names. When the installation completes the installer should
delete those folders but sometimes leaves them behind. Could be the
installer expects (but didn't prompt for) a reboot to run a cleanup on
Windows startup (often by using a PendingRename key in the registry to
delete those files) or the programmer in charge of configuring the
installer program (who is often separate of the programmers that write
the program) forgot to do the after-install cleanup.

That the folder has non-alphanumeric characters in its name and the
files within it suggests you are infected with malware (or once were if
it got eradicated but cleanup was incomplete). Anti-malware programs
often don't catch every change that malware did on your computer. For
example, it may not know what randomly-named folder was used to deposit
its crap. It won't know about any randomly generated folders or files
that the malware created after its install unless the files (not
folders) match on a hash in their signature database.

So when was the last time you updated your anti-virus or anti-malware
software and then used it to run a full scan? How many anti-
virus/malware programs did you use to provide overlap on coverage?

You could use a hex editor or even Notepad or Wordpad to peek inside the
files to see if you can find any strings that indicate who created those
files or what they are for.

I have AVG up to date and ran daily. I have Superantispyware up to date
and ran daily. Neither has found anything.

MalwareBytes has a free tool (in beta) for detecting rootkit infections.
Might be worth a try. On one of the computers here (there are 4) it found
something that none of my other scanning programs uncovered. That said,
the tool blew up trying to repair the damage, but it gave enough info
about it that I was able to clean it up manually myself. (The most
valuable info was the name of the infecting code, and I was able to
Google a lot of info on how to remove it. What it found wasn't regarded
as terribly dangerous, but it did find it when nothing else did. And it
wasn't a "false positive."

 

[VanguardLH]

I noticed these new file folders on my C: drive. Google searches
give no results. Anyone know what they are?

Apf=ZQGUP2UVIOsHF, created 12/21/2012 contains two files
![sL}36YSNON'3J1xF and wD6'g8{Gsksj(c1ob+

YIXadB_KiafTv~]5{{ created 12/22/2012 contains a file df}WMo1Ncj9yvjx-tk

a43m'2c,i!fXg748Wz created 12/22/2012 contains a file Q0e8_IQi1fhb3-)VR!

While installations often create temporary folders in which they put
their setup files, usually they use just alphanumeric characters
although I have seen a dash, underscore, and leading tilde used in the
folder/file names. When the installation completes the installer should
delete those folders but sometimes leaves them behind. Could be the
installer expects (but didn't prompt for) a reboot to run a cleanup on
Windows startup (often by using a PendingRename key in the registry to
delete those files) or the programmer in charge of configuring the
installer program (who is often separate of the programmers that write
the program) forgot to do the after-install cleanup.

That the folder has non-alphanumeric characters in its name and the
files within it suggests you are infected with malware (or once were if
it got eradicated but cleanup was incomplete). Anti-malware programs
often don't catch every change that malware did on your computer. For
example, it may not know what randomly-named folder was used to deposit
its crap. It won't know about any randomly generated folders or files
that the malware created after its install unless the files (not
folders) match on a hash in their signature database.

So when was the last time you updated your anti-virus or anti-malware
software and then used it to run a full scan? How many anti-
virus/malware programs did you use to provide overlap on coverage?

You could use a hex editor or even Notepad or Wordpad to peek inside the
files to see if you can find any strings that indicate who created those
files or what they are for.

I have AVG up to date and ran daily. I have Superantispyware up to date
and ran daily. Neither has found anything...

Create a holding folder, like C:\HOLD, and move that odd-named folder
under there. Use something like SysInternals' ProcMon to monitor for
any process that tries to access or create a folder with that odd name.
If the odd-named folder reappears then ProcMon will identify which
process created it. If no app bitches after a couple weeks and you
never see anything trying to access or create that folder, delete it.

It's also possible while monitoring for that odd-named folder to get
accessed or created (after having moved it elsewhere) that whatever uses
it creates a new folder with a different odd name. If it's truly random
then you cannot define what ProcMon should monitor for access. However,
it may continue using those non-alphanumeric characters in which case
you could define a wildcarded mask on which ProcMon monitors to catch
whomever created or accessed that new odd-named folder.

You could also upload the files in that folder to VirusTotal to see if
any other anti-virus programs detect them as infected.

 

[VanguardLH]

:

I noticed these new file folders on my C: drive. Google searches
give no results. Anyone know what they are?

Apf=ZQGUP2UVIOsHF, created 12/21/2012 contains two files
![sL}36YSNON'3J1xF and wD6'g8{Gsksj(c1ob+

YIXadB_KiafTv~]5{{ created 12/22/2012 contains a file df}WMo1Ncj9yvjx-tk

a43m'2c,i!fXg748Wz created 12/22/2012 contains a file Q0e8_IQi1fhb3-)VR!

While installations often create temporary folders in which they put
their setup files, usually they use just alphanumeric characters
although I have seen a dash, underscore, and leading tilde used in the
folder/file names. When the installation completes the installer should
delete those folders but sometimes leaves them behind. Could be the
installer expects (but didn't prompt for) a reboot to run a cleanup on
Windows startup (often by using a PendingRename key in the registry to
delete those files) or the programmer in charge of configuring the
installer program (who is often separate of the programmers that write
the program) forgot to do the after-install cleanup.

That the folder has non-alphanumeric characters in its name and the
files within it suggests you are infected with malware (or once were if
it got eradicated but cleanup was incomplete). Anti-malware programs
often don't catch every change that malware did on your computer. For
example, it may not know what randomly-named folder was used to deposit
its crap. It won't know about any randomly generated folders or files
that the malware created after its install unless the files (not
folders) match on a hash in their signature database.

So when was the last time you updated your anti-virus or anti-malware
software and then used it to run a full scan? How many anti-
virus/malware programs did you use to provide overlap on coverage?

You could use a hex editor or even Notepad or Wordpad to peek inside the
files to see if you can find any strings that indicate who created those
files or what they are for.

I have AVG up to date and ran daily. I have Superantispyware up to date
and ran daily. Neither has found anything.

MalwareBytes has a free tool (in beta) for detecting rootkit infections.
Might be worth a try. On one of the computers here (there are 4) it found
something that none of my other scanning programs uncovered. That said,
the tool blew up trying to repair the damage, but it gave enough info
about it that I was able to clean it up manually myself. (The most
valuable info was the name of the infecting code, and I was able to
Google a lot of info on how to remove it. What it found wasn't regarded
as terribly dangerous, but it did find it when nothing else did. And it
wasn't a "false positive."

Another way of malware hiding is to modify the system file calls so they
can hide from anyone knowing they are there. That's why an AV program
that boots from its own media to scan the suspect drive or an AV program
that runs at boot-time can detect what is missed after the malware is
active when Windows is loaded. Avast (free) includes a boot-time scan.
I don't use AVG to know if it has one. If it does then update AVG and
have it reboot your system to perform a boot-time scan. From a quick
search, looks like AVG does not have a boot-time scan but I saw mention
of an AVG Rescue CD that you could use for boot and do a scan (but then
you'd have to create a new rescue CD each time you wanted to perform a
boot-time scan to ensure that CD had the latest signatures). If you
search around, you'll find how to put several AV products on a bootable
device (floppy, CD, USB flash drive) so you can boot from them and leave
the OS quiescent (unloaded) on the drive to be scanned.

 

[J. P. Gilliver (John)]

In message <[email protected]>, VanguardLH <[email protected]>
writes:
[]

Create a holding folder, like C:\HOLD, and move that odd-named folder

Though just in _case_ doing so prevents the system from booting, only do
so if you have an alternative boot mechanism (I'd say such as Bart_PE,
but I'm not sure if that works under 7 - I think not) that would allow
you to move it/them back.

under there. Use something like SysInternals' ProcMon to monitor for
any process that tries to access or create a folder with that odd name.
If the odd-named folder reappears then ProcMon will identify which
process created it. If no app bitches after a couple weeks and you
never see anything trying to access or create that folder, delete it.

It's also possible while monitoring for that odd-named folder to get
accessed or created (after having moved it elsewhere) that whatever uses
it creates a new folder with a different odd name. If it's truly random
then you cannot define what ProcMon should monitor for access. However,
it may continue using those non-alphanumeric characters in which case
you could define a wildcarded mask on which ProcMon monitors to catch
whomever created or accessed that new odd-named folder.

All sounds good.

You could also upload the files in that folder to VirusTotal to see if
any other anti-virus programs detect them as infected.

I think the recommendation that someone already made of looking into the
files with something that can see beyond an end-of-text marker if there
is one - but try with Notepad first - is a good one. They're almost
certainly harmless, and could well be unnecessary too (the moving them
to a hold folder, and then seeing if anything breaks, and if not
deleting them, should solve that).
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

The sun, with all those planets revolving around it and dependent upon it, can
still ripen a bunch of grapes as it if had nothing else in the universe to do.
-Galileo Galilei, physicist and astronomer (1564-1642)