Posted 13 September 2014 - 02:12 PM
I found the .tmp folder in appdata/local/temp, and inside was the 7z file setup_patch.packed.7z.
Also, in windows/temp there was another .7z file by the same name. The .tmp folder and file had been created at the same time as a Google Chrome update (same minute). The other .7z file in windows temp was made about 10 days ago, and I think there was a new update then as well.
I uploaded the files to VirusTotal. The detection for both was 0/55; however, one of them had a negative downvote.
Are these legitimate files? The one in windows temp was about 4kb, and the one in the .tmp folder was 2kb.
Using Event Viewer for the first .7z file, I could find the gupdate service (Google updater) was active within 10s of seconds of when these files were modified and created. For the second one that was in windows/temp/(another cr_xxxx) I couldn't find a gupdate log in Event Viewer; however, I found a log for Service Control Manager stating the Google Update service entering a running state, 20 seconds before the file was created.
It seems to me it's Google's bidding, but I would like a second opinion, thank you.