Windows Prefetch: Mysterious Files



#1 Orange Blossom

Posted 30 July 2006 - 09:18 AM

I was just looking in my windows prefetch folder and have found several files that I have no clue about. :thumbsup: I'm listing the most mysterious here. All of these say they open with an "unknown application" when I click on properties. In fact every file there says that - even the ones that I recognize and know what they are.

I use Windows XP Home Edition SP2
See http://www.bleepingcomputer.com/forums/ind...?showuser=76150 for more info. on my computer system.

EXAEBWTAGS.ITGSCIFXDDFO.RR

GLC7.EXE-0BB9EB6F.pf

JOKTHRRL.GDKIBNJKDGKT.ST

HTFREIGOUGJHSQ.WTESGAFHDXWO.GG

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



#2 moomoo

Posted 30 July 2006 - 09:59 AM

I have no clue; those aren't in my prefetch though... I suggest you scan them with your AV or Jotti scanner.

#3 Orange Blossom

Posted 30 July 2006 - 10:10 AM

AV comes out clean. What is a Jotti scanner?

Orange Blossom

#4 rookie147

Posted 30 July 2006 - 10:12 AM

Jotti is an online malware scan, that you can upload files to, and it will scan them for any signs of malware.
Please upload all of those suspicious files at Jotti.
A link for you: http://virusscan.jotti.org/
Hope this helps, and let us know how Jotti finds them to be.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#5 moomoo

Posted 30 July 2006 - 10:13 AM

It's an online scanner which has 7 or 8 scanners that scan a certain file... I'll give you the link: "Jotti Online Scanner"

NOTE: That might be the wrong link, but if it is just tell me, I'll get another

#6 moomoo

Posted 30 July 2006 - 10:18 AM

There's another very effective one you might like to try, but it's a full system scan: Norton Online Scanner

NOTE: installs a few ActiveX controls but nothing to worry about

#7 Orange Blossom

Posted 30 July 2006 - 03:01 PM

Thanks for the JottiScan info. I've used it to scan these four files. JottiScan found nothing, and the only thing I found out that I didn't know was that JOKTHRRL.GDKIBNJKDGKT.ST is or is related to some sort of server.

It is my understanding the prefetch files are simply mapping directions to the computer that tells it that when a certain program is requested that it open all the files contained in that file. How can I tell what the actual program a prefetch file is related to? The actual program might be a problem even if the prefetch file is not.

Orange Blossom

#8 moomoo

Posted 30 July 2006 - 05:07 PM

Try right clicking and using properties.. or try to make out the file name and think of something it could relate to on your computer... if not just leave it.. if it isn't infected leave it or something could end up wrong..

Good Luck,
Moomoo

#9 Orange Blossom

Posted 30 July 2006 - 07:06 PM

Well, I tried looking under properties: the only information I can get is creation date, modification date, and access date, which always has the present date on it since I access it to discover its properties. No info. on company, product, version - nothing. Using the various detail options available in the viewing screen of the prefetch folder doesn't result in any additional information either for any of the files.

There are several files in the prefetch folder that I know what program they are associated with such as: SGLIVEUPDATE.EXE-1CEFABAF.pf which is the prefetch file for Spyware Guard's update program.

But those which I posted initially? I've no clue.

EXAEBWTAGS.ITGSCIFXDDFO.RR
This one was modified in Jan. of this year.

GLC7.EXE-0BB9EB6F.pf
This one was modified today, so apparently it is used for something, but what? At least with this one, you can tell it is related to an executable file, but what is the program?

JOKTHRRL.GDKIBNJKDGKT.ST
This one was last modified in October of last year and is the one apparently connected to a server judging by the JottiScan information.

HTFREIGOUGJHSQ.WTESGAFHDXWO.GG
And this one was last modified in Feb. of this year. It looks like someone had fun with a bowl of alphabet soup when this was named. :thumbsup: I'm clueless about what it could possibly be.

I also find it rather interesting that while most files in the prefetch folder have a pf extension, there are a few that do not: three of which are listed above, so what are they doing in the prefetch folder? The other one is the layout.ini file which does belong there.

Google searching yields nothing either. :flowers:

Orange Blossom :trumpet:

#10 moomoo

Posted 31 July 2006 - 05:42 AM

Hahahahaha! First 1 IS spyguard, second 1.. I think it's web tags or summit? Last 1's I have no clue.. they're random.. and when you open properties on exe's it updates em'

So just leave it; if something happens we know where to look

#11 quietman7

Posted 31 July 2006 - 07:56 AM

Here is some reading on Prefetch.

"Windows XP: Kernel Improvements" (scroll down to topic Prefetch)
"Kernel Enhancements for Windows XP" (scroll down to topic Logical Prefetcher for Faster Boot and Application Launch)

"Beware of Bogus XP Advice" (4/18/03).
"Debunking yet another bogus Windows tip" (4/12/05).
"One more time: do not clean out your Prefetch folder!" (6/01/05).
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#12 Orange Blossom

Posted 31 July 2006 - 05:05 PM

quietman7,

Thanks for all the links about Prefetch :thumbsup: . I'd read some of it before - in fact I contributed to one of them, but other stuff was new.

My suspicion was confirmed that the only stuff that belongs in prefetch is the layout.ini file and files ending in .pf; thus, I have gotten rid of the .gg, .st, and .rr files. What they were doing in there is anybody's guess, but it sure looked like a bunch of garbage; maybe something got garbled when the power went out suddenly when I was using the computer - who knows. I'd sure like to know what programs they were associated with though.

I also thought I'd see what would happen if I followed these directions since I have been installing and uninstalling quite a bit lately:
------------------
# knightcrawler Says:

July 20th, 2005 at 1:35 pm

You can delete it if you made big changes otherwise the layout.ini will have a lot of old data.

1. Delete all the files in the folder

2. Turn on the Task Schedule service to automatic and start it if it isn't already.

3. Open a cmd window and type or paste this:

Rundll32.exe advapi32.dll,ProcessIdleTasks

4. The folder will be rebuilt with the current apps and drivers.

Also:

HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Session Manager \ Memory Management \ PrefetchParameters

dword value = EnablePrefetcher

0 = Disable,
1 = App launch prefetch
2 = Boot Prefetch
3 = Both (recommended)

My recommendation for the prefetcher is based on the amount of RAM that you have:

128MB - Disabled (reg value 0)
256MB - Boot only (reg value 1)
512MB or more - Both (reg value 3)

found on this page: http://www.edbott.com/weblog/archives/000743.html
---------------------
I also checked to see what the registry value was, and observed that it was at 3. I'm keeping it there even though my RAM is only 256. Considering that I use Adobe photoshop and other large programs, I wouldn't want to be without the prefetch.

I've also been keeping the prefetch folder open to see what pops up in it; that way I'll get a better idea of what programs the files relate to. Thus far, those mysterious files have not reappeared :inlove: .

It will also be interesting to discover whether it will take care of some error messages I've been receiving.

Theory: If windows goes to prefetch to find out what files to open in what order when booting or loading a program and if the prefetch file layout tells it to open x file, but x file is gone this might result in an error message such as "can't find the driver specified." :flowers:

Orange Blossom :trumpet:
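An added example, not part of the original thread: one way to answer the two questions raised above, which files belong in the Prefetch folder and which program a given .pf file maps to. It assumes the publicly documented Windows XP/2003 prefetch layout (format version 17, "SCCA" signature, offsets as commented); the sample file, its `EXAMPLE` directory and its run count are constructed for the demonstration.

```python
import re
import struct

# Names Windows itself writes into Prefetch: NAME-<8 hex digits>.pf, or layout.ini.
PF_NAME = re.compile(r"^.{1,29}-[0-9A-F]{8}\.pf$", re.I)

def expected_name(name):
    return name.lower() == "layout.ini" or bool(PF_NAME.match(name))

def parse_pf_v17(data):
    """Parse an uncompressed Windows XP/2003 (format version 17) .pf file."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version != 17:
        raise ValueError("not a version 17 prefetch file")
    # 0x10: executable name, UTF-16LE, 60 bytes, NUL-terminated
    raw = data[0x10:0x10 + 60].decode("utf-16-le", errors="replace")
    exe = raw.split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)       # hash in file name
    str_off, str_len = struct.unpack_from("<II", data, 0x64)  # loaded-file paths
    (run_count,) = struct.unpack_from("<I", data, 0x90)
    block = data[str_off:str_off + str_len]
    paths = block.decode("utf-16-le", errors="replace").split("\x00")
    # The executable's own full path is among the files it loaded at launch.
    full = [p for p in paths if p.upper().endswith("\\" + exe.upper())]
    return {"exe": exe, "hash": "%08X" % path_hash,
            "run_count": run_count, "image_paths": full}

def build_sample():
    """Constructed v17 file for this example; not taken from a real system."""
    strings = "\x00".join([
        r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
        r"\DEVICE\HARDDISKVOLUME1\EXAMPLE\GLC7.EXE", ""]).encode("utf-16-le")
    buf = bytearray(0x98) + strings
    struct.pack_into("<I4s", buf, 0, 17, b"SCCA")
    buf[0x10:0x10 + 16] = "GLC7.EXE".encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, 0x0BB9EB6F)
    struct.pack_into("<II", buf, 0x64, 0x98, len(strings))
    struct.pack_into("<I", buf, 0x90, 4)
    return bytes(buf)

if __name__ == "__main__":
    for n in ["GLC7.EXE-0BB9EB6F.pf", "layout.ini", "JOKTHRRL.GDKIBNJKDGKT.ST"]:
        print(n, "expected" if expected_name(n) else "UNEXPECTED")
    print(parse_pf_v17(build_sample()))
```

On a real system, read the .pf file in binary mode from a copy of the Prefetch folder and pass the bytes to `parse_pf_v17`; later Windows versions use different format versions and are rejected by the version check.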



