Strange files/folders in system - am I hacked?


45 replies to this topic

#1 chattarjee

chattarjee

  • Members
  • 20 posts
  • OFFLINE
  • Local time:07:07 AM

Posted 24 August 2015 - 07:37 AM

First of all - I am hoping to find an OS expert to take a look at the screen-print of my drives below (suspected files in general), and tell me if this is normal for a Windows 8.1 system drive - or it is hacked.
 
This laptop is running Win 8.1 with all updates. As I make 'hidden files/folders' visible in the file-explorer 'view' option box, I see a lot of files/folders which seem dubious. Most probably a MBR-level hacking has taken place, but cannot be sure. The machine is not showing any problem so far - only the wireless modem is not responding. I have submitted the modem to ZTE service-centre, and it'll be at least 7 days to hear from them if the modem is OK or not. Meanwhile, I am searching for an option to have someone take a look at the suspected files (screen-print) and tell me if this is normal for Windows 8.1 system drive - or the MBR is indeed hacked.
 
The reason to suspect hacking is - on 3 Aug 2015, while downloading some files with utorrent, I was away while the system developed some major problem as reported by the wife (who is a computer novice). Later, I found McAfee was turned off including the firewall, and the HP 'Support Assistant' was showing a long list of critical-update requirements including the BIOS. Later (after a few restarts perhaps) those warnings vanished from the list. Everything was working fine so I wasn't too concerned, but I restricted use of the laptop. After 2 idle days, I happened to check the file-explorer for hidden files, and noticed the dubious files/folders. When I got the new laptop 8 months ago, I think I had checked and those hidden files were not present at that time - however, I am not 100% sure about this. Now, I am seeing 2 folders - "Recycle.bin" and "System Volume Information" - appeared in all 3 partitions of this laptop (C - OS, D - recovery, F - data). And the RAM shows as 3.9 GB instead of 4 GB. There are many more files visible on C (root).
 
THE STATUS OF THE C DRIVE IS ATTACHED ~ DOES IT LOOK HACKED? WHAT'RE ALL THESE FILES? ANYONE?

Attached Files


Edited by Queen-Evie, 07 September 2015 - 10:24 AM.
moved from Windows 8 to General Security since the discussion has turned toward security



#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,677 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:37 PM

Posted 24 August 2015 - 07:40 AM

Hi chattarjee :)

To sum it up, all of these files and folders are legitimate. If you do not want to see them, go back in the Folder Options and check Hide protected operating system files (recommended). You can Google each one of these hidden/system files and folders and you'll find a description for each. There's a reason why they are marked as "system" files and hidden that way: tampering or messing with them can make your system unbootable.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 chattarjee

chattarjee
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:07:07 AM

Posted 25 August 2015 - 01:10 PM

Many thanks for your reply. I am sighing with relief a lot. Apart from those files/folders I find suspiciously appearing all of a sudden, the machine is not showing any sign of infection either. Do you have any theory as to what happened on 3 Aug in that machine? Why did I find the antivirus/firewall turned off on the first boot since the HP 'support assistant' alert showed up about a critical BIOS update requirement (the details of which are unfortunately not available)? And why did that 'critical updates' list vanish from the HP support-assistant after a few reboots? Some local hardware failure?

#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,677 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:37 PM

Posted 25 August 2015 - 01:16 PM

In the Computing world, there are many situations and events that cannot be explained, simply because there are so many possibilities that it's impossible to find the one that actually occurred. In your case, a bad restart could have caused that issue. So can the corrupt installation of a Windows Update, or a previous shutdown that didn't go as expected. The possibilities are infinite to be honest.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 rp88

rp88

  • Members
  • 3,060 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:01:37 AM

Posted 27 August 2015 - 02:18 PM

"Now, I am seeing 2 folders - "Recycle.bin" and "System Volume Information" - appeared in all 3 partitions of this laptop"
Utterly normal; I see these myself on the few occasions I have ever turned "hide protected operating system files" off to temporarily show them. You should in general keep "hide protected operating system files" on the setting which hides them; this can be done from within "folder options".

As for HP support assistant, if you don't use it and it is giving you bother there is a way to disable it if you need to. I suggest that before you do that (if you want to disable HP support assistant; if you don't want to disable HP support assistant you can leave it exactly as it is, but I still advise using it to make this recovery media sooner rather than later) you make sure to make use of its key feature and make yourself some manufacturer's recovery media using it. You might need that recovery media some day in future. I also advise making yourself a system image by going to "control panel" then "file history" then clicking on "system image backup" then doing this http://www.bleepingcomputer.com/tutorials/create-system-image-in-windows-7-8/#manual . You might find having such an image helpful in future if you ever do get infected by anything, or if you ever have a buggy update installed, or if you ever accidentally change a system setting and mess things up.

Edited by rp88, 27 August 2015 - 02:18 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#6 jcgriff2

jcgriff2

  • BSOD Kernel Dump Expert
  • 1,109 posts
  • OFFLINE
  • Gender:Male
  • Location:New Jersey Shore
  • Local time:09:37 PM

Posted 28 August 2015 - 02:04 AM

I am on an HP Envy 17 Windows 8.1 laptop right now & see nothing strange in the folders & files on your c:\ root drive.

uTorrent will be the likely source of future (if not already) infection of your system.

HP Assistant is notoriously unreliable. Check the HP support site every few months on your own to see if BIOS, video, audio, wifi or Ethernet drivers have been updated. Leave the rest to Microsoft.

Regards. . .

jcgriff2


Edited by jcgriff2, 28 August 2015 - 02:05 AM.

Microsoft MVP 2009-2015
Microsoft Windows Insider MVP 2018 - Present

#7 chattarjee

chattarjee
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:07:07 AM

Posted 03 September 2015 - 02:13 AM

So many thanks for all these responses! Shall try the system-image back-up. And would certainly prefer to update online instead of the 'support assistant' in the future :)

My ZTE modem has apparently gone bad, and that may have something to do with the system issues (firewall off, etc.), however unlikely. There was no problem in the machine otherwise - no bad shut-down, etc. In any case, I have one more query ~ is it true that a WIFI modem is safer than a USB modem? Are virus/hacking/trojan infection possibilities lower on modems connected through WIFI?



#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,677 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:37 PM

Posted 03 September 2015 - 05:25 AM

What do you mean by that? What is the difference between a WiFi modem and a USB modem for you?

Edited by Aura, 03 September 2015 - 05:25 AM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#9 chattarjee

chattarjee
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:07:07 AM

Posted 03 September 2015 - 05:50 AM

A wireless EVDO USB modem (like the ZTE AC2739) connects to a PC directly on a USB port.

A WIFI 3G modem (like the ZTE AC3633) is a USB WIFI device connected to a 220 V plug (through an adapter) and can connect up to 5 machines through WIFI (not physically connecting to any one of them).

On the LHS menu on this page, "Wi-Pod" is WIFI, while "Reliance 3" is a plain USB modem.

Please bear with me, but in India - this is state of the art :D


#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,677 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:37 PM

Posted 03 September 2015 - 06:56 AM

Looks like USB dongles to me. At this point, I would ask in the Networking section since you're most likely to get better answers there.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#11 chattarjee

chattarjee
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:07:07 AM

Posted 03 September 2015 - 07:37 AM

Yes - both are USB dongles. One goes directly into the USB port, while the WIFI version is powered by an adapter and connects multiple PCs to the internet.

The question is - does such a WIFI internet connection offer any higher security against viruses/hacking? I vaguely remember an IT-worker friend suggesting something like that to me in the past. I'll post this query in the networking section. Thanks :)



#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,677 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:37 PM

Posted 03 September 2015 - 08:04 AM

Personally, I don't think it does. The efficiency of malware isn't determined by what kind of USB dongle you use. The malware will still find its way into your system the same way it will with any other system. Also, I guess the WiFi version could be more vulnerable to MiTM attacks, but so could the USB version of it.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#13 jcgriff2

jcgriff2

  • BSOD Kernel Dump Expert
  • 1,109 posts
  • OFFLINE
  • Gender:Male
  • Location:New Jersey Shore
  • Local time:09:37 PM

Posted 06 September 2015 - 05:31 PM

I agree with Aura.

Unless you have someone specifically targeting you/your Internet (which is highly unlikely, unless you live in the USA where the NSA already performs this task!), I don't believe there is a difference in security between wifi and USB (also - most USB are wifi connections - depending of course on the specific device).


Edited by jcgriff2, 06 September 2015 - 05:32 PM.

Microsoft MVP 2009-2015
Microsoft Windows Insider MVP 2018 - Present

#14 chattarjee

chattarjee
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:07:07 AM

Posted 07 September 2015 - 04:51 AM

Surfing the internet was never any easier anyway - and now these hackers! What's the best policy for the relatively non-techie surfer - install Norton, not use any P2P software, no downloading torrents, and keep fingers crossed on both hands?

With UEFI, is there any warranty against an MBR hack? I understood that the 'boot-sectors' on the HDD are locked and Windows cannot be corrupted, but can a so-called 'boot virus' still penetrate the MBR of a UEFI motherboard BIOS, the HDD (MBR), or glitch the DDR3 RAM? If a 'boot virus' does find entry, would a simple Windows 'recovery' make any difference? In no discussion on the web do I see a single confirmatory comment about the so-called 'boot virus' versus UEFI. Other malware aside, 'boot virus' is a rather less-discussed subject it seems. But questions pop up endlessly...



#15 rp88

rp88

  • Members
  • 3,060 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:01:37 AM

Posted 07 September 2015 - 03:08 PM

Post #14:

I suggest that for your protection you should ensure to run a good antivirus (there are paid ones and free ones), run a second-opinion scanner and, crucially, make sure to use an up-to-date browser with plugins set so they will not play until you click to give them permission. Using Firefox with the NoScript extension is an excellent way to make drive-by attacks almost impossible; running Malwarebytes Anti-Exploit as well makes you even more secure against these.

Making backups of all your files and a few system images to back up your system is also very valuable; that way, if a virus gets past NoScript, your up-to-date browser, Malwarebytes Anti-Exploit and your antivirus, then you have a means to restore the system to before the infection occurred. And you have backup copies of all your files safe on external devices (USB sticks and CD/DVD discs).

Another crucial tip is to have UAC on a high setting; that way it pops up before any exe file can run, and you get a chance to refuse that exe file permission to run if it is one you do not recognise.

Also make sure to set up Windows File Explorer so that "full file extensions are shown even for known file types"; this allows you to see any attempts by malware writers to disguise a virus (usually an exe or scr file) as a safe format like a jpg picture.

Don't rely on UEFI and Secure Boot to keep you secure. If a virus gets far enough that it comes up against these, it is already in a position from which it can perform more-or-less any actions it likes: a virus can ransom your files, log your keystrokes, serve you pop-ups and all the other nasty things they do, without ever needing to worry about UEFI. Stop viruses before they can get this far.

Edited by rp88, 07 September 2015 - 03:09 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB
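As an added example (not code posted by anyone in this thread), the PowerShell audit below checks the settings recommended in post #15 (file extensions shown, protected OS files hidden, UAC at its highest level) by reading the registry values behind them, and then lists the hidden/system entries in a drive root, as discussed in post #2, against a baseline of names that are normally present on a Windows 8.1 system drive. The baseline list is an assumption of this example; an entry not on it only warrants a closer look, not a conclusion.

```powershell
# Added example: audit Explorer/UAC settings and list hidden/system entries in a drive root.
# Run in an elevated PowerShell on the machine being checked.
$Root = 'C:\'
$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$uac  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent -> Windows applies its default
}

# Explorer: HideFileExt = 0 means extensions are shown; ShowSuperHidden = 1 means protected OS files are shown
$hideExt    = Get-RegValue $adv 'HideFileExt'
$superHid   = Get-RegValue $adv 'ShowSuperHidden'
# UAC "Always notify": EnableLUA = 1, ConsentPromptBehaviorAdmin = 2, PromptOnSecureDesktop = 1
$enableLua  = Get-RegValue $uac 'EnableLUA'
$consent    = Get-RegValue $uac 'ConsentPromptBehaviorAdmin'
$secureDesk = Get-RegValue $uac 'PromptOnSecureDesktop'

[pscustomobject]@{
    'File extensions shown'     = ($hideExt -eq 0)
    'Protected OS files hidden' = ($superHid -ne 1)
    'UAC at Always notify'      = ($enableLua -eq 1 -and $consent -eq 2 -and $secureDesk -eq 1)
} | Format-List

# Baseline (assumption of this example): hidden/system names normally found in a Windows 8.1 system-drive root.
$baseline = @('$Recycle.Bin', 'System Volume Information', 'pagefile.sys', 'hiberfil.sys',
              'swapfile.sys', 'bootmgr', 'BOOTNXT', 'Recovery', 'ProgramData', 'Documents and Settings')

Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -match 'Hidden|System' } |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Attributes = $_.Attributes
            Modified   = $_.LastWriteTime
            InBaseline = ($baseline -contains $_.Name)   # $false = look closer, not proof of compromise
        }
    } | Sort-Object InBaseline, Name | Format-Table -AutoSize
```

Entries flagged with InBaseline = False are worth checking by name and modification time, which is the same process of looking each one up that post #2 recommends.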



