
Random folders created in Temp Folder


7 replies to this topic

#1 debert76


Posted 27 November 2014 - 08:48 PM

I am working on a computer for a lady.  Something is creating random files in her Temp folder.  The O/S is Vista.  The file structure is as follows:

C:\users\%user%\appdata\local\temp

At this point a random folder is created.  Something like 4c0 or 8d8 or 14a0  etc.  The names are 3 or 4 characters long.

Underneath these random folders there is another appdata folder.

Under the second appdata folder is a local and a roaming folder.

Under those folders are Microsoft\Windows\

Under Windows are hidden folders such as PrivacIE, Cookies, History, Temporary Internet Files.  These files are not always the same, but they are legit Windows-named folders.

 

To summarize, the entire path is:

C:\users\%user%\appdata\local\temp\RANDOM FOLDER\appdata\local\Microsoft\windows\privacie or cookies or history or temporary internet files

C:\users\%user%\appdata\local\temp\RANDOM FOLDER\appdata\roaming\Microsoft\windows\privacie or cookies or history or temporary internet files

 

I have pulled the drive and scanned it with Norton 360, McAfee 8.8, Malwarebytes, and Superantispyware.  Nothing has eliminated the problem.  When I got the computer there were 11,500 random folders.  It took several hours to delete them.  I keep deleting all the contents of the Temp folder.  When I reboot, the random folders are created again.  I'm having trouble searching for an answer since most of the folders are legit Windows folders.

 

If I boot to Safe Mode, the folders are not created.

 

The most suspicious software I found was ReferenceBoss.  I believe I have it removed and this problem doesn't fit its MO.

 

Has anyone ever run into this before?
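
A triage check for the folder layout described in the post above (an added example, not part of the original thread): it lists Temp subfolders with 3- or 4-character names that contain their own appdata/local or appdata/roaming Microsoft/Windows tree. Treating the names as hexadecimal is an assumption drawn from the post's examples (4c0, 8d8, 14a0); the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: names look hexadecimal, like the post's examples (4c0, 8d8, 14a0).
RANDOM_NAME = re.compile(r"^[0-9a-fA-F]{3,4}$")

def child_dir(parent, name):
    """Case-insensitive subdirectory lookup (folder case varies on NTFS)."""
    if parent is None:
        return None
    for entry in parent.iterdir():
        if entry.is_dir() and entry.name.lower() == name.lower():
            return entry
    return None

def find_nested_profiles(temp_dir):
    """Return Temp subfolders holding appdata/<local|roaming>/Microsoft/Windows."""
    hits = []
    for folder in sorted(Path(temp_dir).iterdir()):
        if not (folder.is_dir() and RANDOM_NAME.match(folder.name)):
            continue
        branches = {}
        for branch in ("local", "roaming"):
            node = folder
            for part in ("appdata", branch, "Microsoft", "Windows"):
                node = child_dir(node, part)
            if node is not None:
                # Record the leaf folders (PrivacIE, Cookies, History, ...)
                branches[branch] = sorted(p.name for p in node.iterdir() if p.is_dir())
        if branches:
            hits.append({"folder": folder.name, "branches": branches})
    return hits

def build_constructed_sample(root):
    """Constructed Temp layout: two matching folders, three that must not match."""
    for rel in ("4c0/appdata/local/Microsoft/Windows/PrivacIE",
                "14a0/AppData/Roaming/Microsoft/Windows/Cookies",
                "8d8",                                     # right name, no nested tree
                "Low/appdata/local/Microsoft/Windows",     # name is not hex-looking
                "abcde/appdata/local/Microsoft/Windows"):  # name is too long
        (Path(root) / rel).mkdir(parents=True)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for hit in find_nested_profiles(tmp):
            print(hit["folder"], hit["branches"])
```

On a real system, pass the user's Temp directory to `find_nested_profiles`; the length of the returned list gives the folder count to track across reboots.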





#2 masterthemachines


Posted 01 December 2014 - 07:34 AM

Hello there,

 

Random folders are commonly created and used temporarily when updating Windows components. They are also used by some software programs (e.g. Microsoft Office, Microsoft Visual Studio, etc.) during update or installation to hold setup files (.inf, .cat, .gpd, .ppd and .dlls) and other information. These files and folders are usually automatically removed as part of the update process. However, it's not uncommon for them not to be cleaned up and left behind after the update has been applied.

 

Other legitimate programs can also create randomly named folders in various areas of your hard drive. In many cases if you delete these folders, the program will recreate them after rebooting the computer.

 

Hope this helps! 



#3 debert76

  • Topic Starter

Posted 01 December 2014 - 07:49 PM

Thanks for the feedback, but I believe this is malicious software.  There were 11,500 randomly named folders that were created in just a few days.  I started deleting them at 6:00 pm and there were 6,000 remaining when I went to bed at 10:00 pm.  What legit program would continually create RANDOM_NAME\AppData\Local\Microsoft\Windows, etc. folders in the Temp folder?  I watched it create 200 of them in less than an hour.  If it is legit, the software has a horrible bug in it.

 

I will most likely end up wiping and reloading, but I was curious if anyone else had run into the problem.



#4 classnet


Posted 24 December 2014 - 06:59 AM

I have this same issue.  I have checked out several other Windows 7 computers and this random 3 and 4 character folder creation (by the hundreds) is not normal.

 

I have seen this 3 times beginning in mid Nov of 2014.  I was in a situation where I could simply wipe the drive the first time.  I now have 2 computers sitting here that need this addressed.  One is a Windows 7 machine while the other is XP.



#5 jmeg13


Posted 29 December 2014 - 05:48 PM

We had two Windows 7 machines with this problem and both were infected with the Trojan Poweliks.

 

Malware Bytes Anti-Rootkit Beta was able to identify some of the infected registry keys - a regular Malware Bytes scan with "rootkit" option checked did not pick them up. Found the rest of the infected keys by using the instructions here - http://www.symantec.com/security_response/writeup.jsp?docid=2014-080408-5614-99&tabid=3. I tried the automatic removal tool but kept getting "no infection found", so I just went the manual route and that worked.

 

Since the cleanup, neither of the machines has had the mystery temp folders reappear and system performance is much better.

 

I hope that helps!



#6 debert76

  • Topic Starter

Posted 11 January 2015 - 09:30 AM

Thanks jmeg13.  It sounds like you have found the answer.  Unfortunately I have already wiped and reloaded the infected pc, so I have nothing to test it on.

 

Thanks everyone for your suggestions!



#7 quietman7

  • Global Moderator

Posted 12 January 2015 - 09:27 PM

Quote (jmeg13, post #5):
Malware Bytes Anti-Rootkit Beta was able to identify some of the infected registry keys - a regular Malware Bytes scan with "rootkit" option checked did not pick them up.

That's unusual, since Anti-rootkit technology in Malwarebytes Anti-Malware 2.0 is identical to that of MBAM AntiRootkit (mbar).

#8 Jonmil42


Posted 23 September 2015 - 01:47 PM

Just wanted to confirm that we had these same symptoms and it was indeed Poweliks and this was the solution (although I used ESET's Poweliks removal tool, as that is the AV we use anyways).

 

Thank you!





