FYI in case no malware is found after the scans...Randomly named alpha/numeric folders
are commonly created and used temporarily when updating Windows components. They are also used by some software programs (i.e. Microsoft Office, Microsoft Visual Studio, etc) during update or installation to hold setup files (.inf, .cat, .gpd, .ppd and .dlls) and other information. These files and folders are usually automatically removed as part of the update process. However, its not uncommon
for them not to be cleaned up and left behind after the update has been applied. When that occurs they usually can be manually deleted at any time.
Installation and updates to many programs will create randomly named folders within %AppData\Local\Temp% to store logs and setup information. Installation of service packs, security updates from Microsoft for MSMXL packages and hotfixes also create temporary randomly alpha/numeric named folders. Sometimes these folders create sub-folders as described here
or contain sub-folders like amd64
. The creation date should match the installation date of the updates or show in the ReportingEvents.log
located in the C:\Windows\SoftwareDistribution folder. spmsg.dll
is a Microsoft Service Pack file commonly found in randomly named alpha/numeric folders as shown here
. SP1QFE, SP2QFE, SP3QFE and SP2GDR are also Service Pack files from Microsoft which you may encounter.
When you run the Malicious Software Removal Tool
(MSRT), a temporary folder with random alpha/numeric characters (i.e. C\79f142e5e9e574d23954
) will be created on your C:\ drive that contains mrt.exe, mrtstub.exe and a file named $shtdwn$.req. Since external drives can be a hiding place for malicious files, MSRT will scan them too and you may find a left over folder in that location. Usually after performing a scan and you click finish or cancel, the folder will automatically be removed right away or after the next restart of the computer. If not, Microsoft says the folder and its contents can be manually deleted without an adverse effect on the computer.
The following is an excerpt from Microsoft Windows Malicious Software Removal Tool Summary (KB890830)
explaining the folders used by MSRT:
The Malicious Software Removal Tool does not use an installer. Typically, when you run the Malicious Software Removal Tool, it creates a randomly named temporary directory on the root drive of the computer. This directory contains several files, and it includes the Mrtstub.exe file. Most of the time, this folder is automatically deleted after the tool finishes running or after the next time that you start the computer. However, this folder may not always be automatically deleted. In these cases, you can manually delete this folder, and this has no adverse effect on the computer.
Again, finding these leftover temporary files are not uncommon after installing programs or applying an update. Other legitimate programs can also create randomly named folders in various areas of your hard drive. Sometimes identifying the source is as simple as opening the folder and looking inside for sub-folders and file names which may provide a clue as to what program created them.