
Mysterious files in System32 and SysWOW64


8 replies to this topic

#1 WinNerd

  • Members
  • 7 posts

Posted 08 October 2015 - 08:28 PM

I am new here; I have posted the same issue on a couple of other forums before and they weren't able to help:

Basically there were a bunch of large mysterious files in System32 and SysWOW64. I need to know what they are and how they got there.

The previous post is here:

https://forums.malwarebytes.org/index.php?/topic/170083-mysterious-files-in-system32-and-syswow64

 

They said it was from some Android A.V. but I don't have that.

 




#2 quietman7
    Bleepin' Janitor

  • Global Moderator
  • 51,482 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 October 2015 - 04:12 PM

Welcome to Bleeping Computer.

They said it was from some Android A.V. but I don't have that.

Actually they said the files had references to Android malware and could be related to a database for some anti malware application or something from an Android emulator but were not malicious.

Not sure what else we can do for you here. Both David H. Lipman and shadowwar are trusted experts who investigate reports of new malware threats reported at the Malwarebytes forum.

What dates are listed for the files? Did you install any software around the same time period?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 WinNerd
  • Topic Starter

  • Members
  • 7 posts

Posted 09 October 2015 - 05:49 PM

Welcome to Bleeping Computer.

They said it was from some Android A.V. but I don't have that.

Actually they said the files had references to Android malware and could be related to a database for some anti malware application or something from an Android emulator but were not malicious.

Not sure what else we can do for you here. Both David H. Lipman and shadowwar are trusted experts who investigate reports of new malware threats reported at the Malwarebytes forum.

What dates are listed for the files? Did you install any software around the same time period?

 

That is exactly the issue, I have no android software on this machine whatsoever, and no, I did not install anything related to android or any A.V. app. It may not be malicious, but I want to know what caused the files to appear there. I uploaded them here FYI.


Edited by WinNerd, 09 October 2015 - 05:55 PM.


#4 Didier Stevens

  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 12 October 2015 - 01:31 PM

The files appear to have Chinese names (at least according to Google translate).

 

Do you have a Chinese version of Windows, or do you use Chinese documents?

The metadata of the files in the RAR archive indicates dates for November 2013 and January 2014.

Could it be that the files date from back then, or did they appear just recently?

 

Can you check who the owner of the files is?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 Didier Stevens

  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 12 October 2015 - 01:51 PM

The files contain a lot of names for malware. They are probably signature files for an AV program.

 

Both files contain this string: Eicar-Test-Signature

According to VirusTotal, only 2 AV programs use this signature for the EICAR test file: Avira and ClamAV.

Have you used one of them recently?

Note that ClamAV can be bundled with other security software.

 

Update: most likely it's Avira. There's another string in there (PDFanit.a) that is used by Avira.


Edited by Didier Stevens, 12 October 2015 - 01:57 PM.

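A small triage script in the spirit of the string check above, added here as an example and not code from the thread or any of its posters: it pulls printable strings out of a file (like `strings`), looks for the two detection names identified in the post (Eicar-Test-Signature and PDFanit.a), and reports the size, hash and modification date that the thread asks the poster to check. The marker list, minimum string length and sample bytes are my own constructions for illustration.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# Strings the thread used to attribute the files to an AV signature database:
# "Eicar-Test-Signature" (EICAR detection name used by Avira and ClamAV) and
# "PDFanit.a" (an Avira detection name). The minimum string length and the
# report layout are my own choices, not anything from the thread.
MARKERS = ("Eicar-Test-Signature", "PDFanit.a")


def extract_strings(data, min_len=8):
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, data)]


def triage_file(path):
    """Collect the metadata the thread asked about plus any marker hits."""
    with open(path, "rb") as f:
        data = f.read()
    st = os.stat(path)
    found = extract_strings(data)
    hits = sorted({m for m in MARKERS if any(m in s for s in found)})
    return {
        "path": path,
        "size": st.st_size,
        "sha256": hashlib.sha256(data).hexdigest(),
        # File dates: the first thing to compare against the install history.
        "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "markers": hits,
        "likely_av_signatures": bool(hits),
    }


# Constructed sample: binary padding around the two marker strings, standing in
# for one of the unknown files. This is not one of the files from the thread.
SAMPLE_BYTES = (b"\x00\x10\xffEicar-Test-Signature\x00\x01"
                b"Trojan/Win32.Sample\x00\x00PDFanit.a\x00\xfe\x00")


def make_sample(directory=None):
    """Write the constructed sample to a temp directory and return its path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "sample.dat")
    with open(path, "wb") as f:
        f.write(SAMPLE_BYTES)
    return path


if __name__ == "__main__":
    for key, value in triage_file(make_sample()).items():
        print(f"{key}: {value}")
```

Point `triage_file` at the real files instead of `make_sample()` to reproduce the check; a file with no marker hits still gets its size, hash and date reported so it can be compared with the install history.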


#6 WinNerd
  • Topic Starter

  • Members
  • 7 posts

Posted 12 October 2015 - 11:45 PM

I do understand Chinese, and no, they are not proper Chinese names. (The OS language is still English and the locale is English (Australia).) I have an IME application, but that's it. And yes, I have Avira.


Edited by WinNerd, 12 October 2015 - 11:48 PM.


#7 WinNerd
  • Topic Starter

  • Members
  • 7 posts

Posted 12 October 2015 - 11:47 PM

Also, I discovered the files when I posted the first thread on the MS forum http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/files-with-weird-names-in-system32-and-syswow64/3f9c8275-5afe-4c88-a36f-8b2b0f34a073?tm=1435558838866&auth=1. So I don't know when they first appeared.



#8 Didier Stevens

  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 13 October 2015 - 01:44 AM

Since you have Avira, it confirms my analysis: these are Avira files, probably signature files.



#9 quietman7
    Bleepin' Janitor

  • Global Moderator
  • 51,482 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 October 2015 - 07:56 AM

... So I don't know when they first appeared.

That is why I asked you to check the dates.



