  1. #1 5 Star Lounger, Praha

    Odd system files

    Dell laptop with XP SP3

    Everything is running fine and scans (virus, malware, rootkit) are all clean.

    I don't defrag very often, but when running Defraggler recently there were a couple of files it didn't defrag. Looking for them in C:\WINDOWS\system32 I found 4 instances of the same filename □□□6 with no extension (that is, three empty squares, the symbol Windows uses when it cannot interpret a character, followed by a 6).

    Should I just leave them, or investigate further? I can take a full image backup, so despite my wariness in messing with system files I could safely try renaming, relocating or deleting them.

    Any ideas?

    Thanks,

    Martin

  2. #2 5 Star Lounger, Praha
    I tried deleting the oldest of these odd files - no discernible effect.

    When I experimented with deleting the newest, I got the message "file in use, cannot delete" or words to that effect.

    I might be able to solve this mystery if I could find out what process is using the file - how would I do that?

  3. #3 mrjimphelps, WS Lounge VIP, USA
    You may be able to delete them if you reboot into Safe Mode. As you said, do a backup first.

    To get to Safe Mode, restart the computer; then, as soon as the Dell splash screen goes away, start tapping on the F8 key. A menu will appear; choose Safe Mode.

    When you have finished, restart the computer, and you'll be back into normal mode.

  4. #4 satrow, Super Moderator, Cardiff, UK
    Upload them individually to virustotal.com; if they're flagged at all, post the VT URL(s) and we'll try to weigh up the options.

  5. #5 5 Star Lounger, Praha
    After a reboot they have all vanished.
    However, if they reappear I will upload them to virustotal.
    Many thanks.

  6. #6 satrow, Super Moderator, Cardiff, UK
    It's possible they were temporary drivers from one of your antimalware programs; check whether they reappear during/after your next round of malware checks.

  7. #7 5 Star Lounger, Praha
    Thanks. It's back; the date and time of the file is when my wife woke up, logged on to Amazon, looked at a book price, then shut down the PC.

    Anyway, I downloaded Process Explorer to try and get more information, but as the filename does not consist of recognisable characters I cannot find it from Process Explorer.

    I tried to upload it to Virustotal but at 99MB it is too big (64MB limit)!

    Any other ideas?
    Last edited by MartinM; 2013-10-29 at 07:21.

  8. #8 satrow, Super Moderator, Cardiff, UK
    Which browser and security software?

  9. #9 5 Star Lounger, Praha
    Thanks for your persistence.

    Google Chrome Version 30.0.1599.101 m
    Avira Free Edition version 13.0.0.4052
    Malwarebytes Antimalware
    SuperAntispyware
    Spyware Blaster
    Kaspersky Anti-rootkit

    All of the above are up to date.

    It came back today at 12:55 - for no discernible reason. I had not run any scans since last night and the browser had been open since about 09:10.

    One other tiny clue - when I pasted it to try and upload to Virustotal, the filename showed up in the browser as 3 Kanji (Japanese or Chinese) characters followed by a 6. I have friends in both countries and have sent it off for translation in the hope of getting some insight. I'll report back on that one. I didn't realise it was possible to have Kanji in filenames!

    It disappears without any intervention from me with a normal re-boot, suggesting that it may be a temporary file for some process or other. A quick look (using WinPatrol and Process Explorer) doesn't throw up anything obvious but I will have a more thorough look.

    I have been unsuccessful in uploading it (it is too big for all the sites I have found) and I cannot mail it - Outlook simply refuses (it must think it's an executable file) and my webmail cannot recognise the filename and just sits there doing nothing.

    One comfort - there seems to be no web traffic when the browser is idle, so I suppose the PC hasn't been turned into a bot!
    Last edited by MartinM; 2013-10-29 at 13:50.

  10. #10 5 Star Lounger, Praha
    SOLVED

    The file is owned by AVGUARD.exe, itself part of the Avira virus protection system.

    I discovered this by starting to rename the file (F2), then copying the name thus highlighted (albeit unrenderable by Windows) and pasting it into Process Explorer.
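A small helper, added here and not part of the thread, that does what the F2-then-paste trick above did by hand: it lists the files in a directory whose names contain characters Windows may draw as empty squares, spells each such character out as a Unicode code point (the readable form can be typed into Process Explorer's Find Handle or DLL search), and computes a SHA-256 so a file that exceeds VirusTotal's upload limit can be looked up there by hash instead. The scratch directory and the three-ideograph sample filename in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
import unicodedata


def describe_name(name):
    """Spell out every character outside printable ASCII as U+XXXX plus its
    Unicode name, so a name rendered as squares becomes something readable."""
    parts = []
    for ch in name:
        if 0x20 <= ord(ch) <= 0x7E:
            parts.append(ch)
        else:
            parts.append(f"<U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}>")
    return "".join(parts)


def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks; the digest can be searched on VirusTotal
    without uploading the file itself."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_odd_names(directory):
    """Return (name, readable_name, size, sha256) for every regular file in
    `directory` whose name has a character outside printable ASCII,
    oldest first by modification time."""
    found = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        if all(0x20 <= ord(ch) <= 0x7E for ch in entry.name):
            continue
        st = entry.stat(follow_symlinks=False)
        found.append((st.st_mtime, entry.name, describe_name(entry.name),
                      st.st_size, sha256_of(entry.path)))
    found.sort(key=lambda t: t[0])
    return [t[1:] for t in found]


def demo():
    """Constructed demo: one ordinary file and one empty file whose name is
    three CJK ideographs followed by "6", like the file in the thread."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "normal.txt"), "wb").close()
        open(os.path.join(d, "\u6587\u5b57\u52176"), "wb").close()
        return find_odd_names(d)


if __name__ == "__main__":
    for name, readable, size, digest in demo():
        print(f"{readable}  {size} bytes  sha256={digest}")
```

Point `find_odd_names` at a real directory such as C:\WINDOWS\system32 to get the same report for the files Defraggler skipped.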

  11. #11 satrow, Super Moderator, Cardiff, UK
    Good work, Martin!
