Strange files in AppData/Roaming.


24 replies to this topic

#1 Guest_Bodomi_*

  • Guests

Posted 30 May 2017 - 05:02 AM

Hello.

 

I'm currently cleaning up my main SSD that has Windows+my main programs and while scavenging through my AppData/Roaming folder I found 4 strange files with odd names, and they have no file extension.

 

They are:

Flange Saw

Flanger

Flowers

Gems

 

All 4 of them are 1KB each and all of them were last modified at the same time except for Flanger which was last modified 1 minute later than the other 3.

 

Here's a screenshot of them.

 

[Screenshot: HVC9hsw.png]

 

My question is what are these files and can I delete them?

 

My initial guess is that they are files from a game I've uninstalled and for whatever reason they've been left in the open in the Roaming folder.


Edited by hamluis, 31 May 2017 - 08:28 AM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 Havachat

  • Members
  • 1,167 posts
  • Gender:Male
  • Location:Sleepy Hollow - Geelong - Go Cats.

Posted 30 May 2017 - 05:54 AM

From googling, it seems they may be attributed to some audio software program.

Create a System Restore Point or an image backup first, and then delete those remnants.

 

I think a System Restore Point will suffice; I have only folders within the same location and no single files.

 

You could open them with Notepad to see what text is within, and whether anything pertains to the app.

 

Otherwise someone else may have a more positive approach or answer.


Edited by Havachat, 30 May 2017 - 05:56 AM.


#3 Guest_Bodomi_*

  • Guests

Posted 30 May 2017 - 06:27 AM

I opened them with Notepad, they all contained a bunch of what I assume to be Chinese letters.

 

I created a restore point and deleted them.

 

Thanks for the help. If some sort of issue occurs due to this I'll reply to this thread.



#4 dc3

    Bleeping Treehugger

  • Members
  • 30,810 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 30 May 2017 - 11:15 AM

https://www.google.com.au/?-b#q=%22Flange+Saw%22+piano



#5 Guest_Bodomi_*

  • Guests

Posted 30 May 2017 - 12:57 PM

I've never downloaded an electronic piano program.



#6 Guest_Aaron_Warrior_*

  • Guests

Posted 30 May 2017 - 01:04 PM

> I've never downloaded an electronic piano program.

 

This is the 2nd thread I've seen here on BC in a week where the User has files, accounts, text, etc... on the computer that are obviously not related to themselves (User) or the computer (Operating System, Installed Software, etc...).  My theory in the 1st case is that somehow malware is using the User's computer as a data repository for the creation and distribution of spam.  While the details of my little theory may be wrong, in general, broad strokes it looks like infection to me.


Edited by Aaron_Warrior, 30 May 2017 - 01:04 PM.


#7 Guest_Bodomi_*

  • Guests

Posted 31 May 2017 - 01:02 AM

 

> I've never downloaded an electronic piano program.

> This is the 2nd thread I've seen here on BC in a week where the User has files, accounts, text, etc... on the computer that are obviously not related to themselves (User) or the computer (Operating System, Installed Software, etc...).  My theory in the 1st case is that somehow malware is using the User's computer as a data repository for the creation and distribution of spam.  While the details of my little theory may be wrong, in general, broad strokes it looks like infection to me.


It might be an infection from something, but I'm positive I do not currently have a virus or anything.

 

While looking through more places last night I found some more stuff, and I'm also going to post something I didn't bother to include as I thought they were normal until Havachat said "i have only folders within the same location and no single files."

 

Here are 2 more files I decided to ignore, located in AppData/Roaming, and 2 folders in the same place that I'm curious about.

 

[Screenshot: ZkhRA9t.png]

[Screenshot: MsGvTGf.png]

These files are located in AppData/Local.

[Screenshot: NZGgryz.png]

 

The following files are located in Users/Default.

[Screenshot: avT9quK.png]

And these files are located in C:/ProgramData

[Screenshot: NVTYowK.png]

Folder Action Handlers, Font Book, Fonts and Graphics were all created at the same time as the files I mentioned in the original post.

They all contain the same identical content, what looks to be Chinese letters.

 

All of this is on the C: drive by the way.

 

I'm a little... worried now though as I never really thought to bat an eye towards these files until I realized you're probably not supposed to have a bunch of single files and such in these places.

 

Any help with any of these files as to what they might be or if I can safely delete them would be greatly appreciated.

 

Thank you all for the help/interest so far.


Edited by Bodomi, 31 May 2017 - 01:04 AM.
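Havachat's suggestion to open the files in Notepad, and Bodomi's observation that the files in several locations were created at the same time and hold identical content, are the two checks a triage script should automate. The script below is an added example written for this thread, not code from any of the posts. It fingerprints every extensionless file in a folder (size, SHA-256, last-modified time, whether the bytes are plain 8-bit text), groups files with identical hashes, and groups files modified within a couple of minutes of each other. It also reports how much of the content would render as CJK glyphs if read as UTF-16, because Notepad guesses a file's encoding from its bytes and ordinary 8-bit text that it mis-detects as UTF-16 shows up as Chinese-looking characters; that is one explanation for "Chinese letters" worth ruling out before assuming the text is actually Chinese. The sample folder, the file contents, the timestamps and the control file "Notes" are constructed for the example; only the file names come from the thread, and the real files' contents are not on this page.

```python
"""Triage extensionless files in a profile folder such as AppData\\Roaming.

Added example for this thread, not code from the original posts. Each
extensionless file gets a fingerprint (size, SHA-256, last-modified time,
whether the bytes are plain 8-bit text, and how much of it would look like
CJK if Notepad read it as UTF-16); files with identical content and files
modified within a short window are then grouped. build_sample_dir() makes
constructed stand-in files so this runs offline; scan_dir() takes any folder.
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

def is_plain_text(data: bytes) -> bool:
    """NUL-free and valid UTF-8: ordinary text rather than binary."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True

def cjk_ratio_if_utf16(data: bytes) -> float:
    """Fraction of CJK code points when the bytes are decoded as UTF-16LE.

    Notepad guesses the encoding from the bytes; 8-bit text it mis-detects as
    UTF-16 shows up as Chinese-looking glyphs. A high ratio with is_plain_text()
    True means "Chinese letters" is probably that mis-detection, not Chinese.
    """
    text = data[: len(data) // 2 * 2].decode("utf-16-le", errors="replace")
    if not text:
        return 0.0
    return sum(1 for ch in text if "\u4e00" <= ch <= "\u9fff") / len(text)

def fingerprint(path: Path) -> dict:
    data = path.read_bytes()
    return {
        "name": path.name,
        "size": len(data),
        "mtime": int(path.stat().st_mtime),
        "sha256": hashlib.sha256(data).hexdigest(),
        "plain_text": is_plain_text(data),
        "cjk_if_utf16": round(cjk_ratio_if_utf16(data), 2),
        "head": data[:32],  # raw leading bytes: what the file really holds
    }

def scan_dir(root: Path) -> list:
    """Fingerprints of the extensionless regular files directly in root (not recursive)."""
    files = [p for p in root.iterdir() if p.is_file() and p.suffix == ""]
    return sorted((fingerprint(p) for p in files), key=lambda r: r["name"])

def group_identical(records: list) -> dict:
    """sha256 -> sorted names, for content shared by more than one file."""
    groups = defaultdict(list)
    for r in records:
        groups[r["sha256"]].append(r["name"])
    return {h: sorted(n) for h, n in groups.items() if len(n) > 1}

def cluster_by_mtime(records: list, window_s: int = 120) -> list:
    """Groups of files whose modification times sit within window_s of a neighbour."""
    clusters, current = [], []
    for r in sorted(records, key=lambda r: r["mtime"]):
        if current and r["mtime"] - current[-1]["mtime"] > window_s:
            clusters.append(current)
            current = []
        current.append(r)
    if current:
        clusters.append(current)
    return [sorted(r["name"] for r in c) for c in clusters if len(c) > 1]

def build_sample_dir() -> Path:
    """Constructed stand-in for AppData\\Roaming: names from the thread, contents invented."""
    root = Path(tempfile.mkdtemp(prefix="roaming_sample_"))
    base = 1_496_117_000  # constructed timestamp; only the relative gaps matter
    payload = b"Bush hid the facts\r\n" * 50  # 1000 bytes of plain 8-bit text
    for name, offset in [("Flange Saw", 0), ("Flowers", 0), ("Gems", 0), ("Flanger", 60)]:
        (root / name).write_bytes(payload)
        os.utime(root / name, (base + offset, base + offset))
    (root / "Notes").write_bytes(b"todo: back up the SSD\n")  # unrelated, an hour later
    os.utime(root / "Notes", (base + 3600, base + 3600))
    (root / "regsvr32.exe_log.txt").write_text("constructed log line\n")  # has extension: skipped
    (root / "Microsoft").mkdir()  # folder: skipped
    return root

if __name__ == "__main__":
    records = scan_dir(build_sample_dir())
    for r in records:
        print(f"{r['name']:<12} {r['size']:>5} B  mtime={r['mtime']}  text={r['plain_text']}"
              f"  cjk_if_utf16={r['cjk_if_utf16']}  sha256={r['sha256'][:16]}")
    print("identical content:", group_identical(records))
    print("modified together:", cluster_by_mtime(records))
```

To use it on a real machine, call scan_dir(Path(os.environ["APPDATA"])) instead of build_sample_dir(); the grouping by hash and by modification time is what turns "four odd files" into "one event that wrote the same content to several places", which is the question to answer before deleting anything, and the SHA-256 values are what to search for or submit if the content is still unexplained.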


#8 Guest_Aaron_Warrior_*

  • Guests

Posted 31 May 2017 - 01:10 AM

Install and run Malwarebytes and AdwCleaner and report results.  Run chkdsk.  Post voltages and temps as reported in BIOS. Install Speccy and see if the volts and temps match what BIOS is reporting.  Post full Speccy results in thread.



#9 Guest_Bodomi_*

  • Guests

Posted 31 May 2017 - 01:26 AM

I checked my voltages and temps 3 days ago due to an unrelated issue that turned out to be an error with a program, and the devs were aware of it.

Everything is fine with my temps and voltages and hardware in general.

 

I'm a little busy at the moment doing something else, so I will post results later, although I doubt I will find anything as I run a full system scan every day with Norton, and I'm generally hyper aware when it comes to viruses and such things.

I use Ghostery and HTTPS Everywhere in my Chrome and when I visit sites I'm unfamiliar with or sites that are otherwise dodgy I use ScriptSafe. I have AdBlocker and some filters to block certain things malicious sites may have.

 

I don't download anything malicious or things that look dodgy on this machine and I run CCleaner on a monthly basis.


Edited by Bodomi, 31 May 2017 - 01:59 AM.


#10 Guest_Bodomi_*

  • Guests

Posted 31 May 2017 - 04:52 AM

Little side note: I did just run CCleaner and used the Registry cleaner. I deleted the things I know I can remove, things I'm familiar with, but it has found a crap ton of ActiveX/COM Issues relating to Java. They are all "...Java/jre1.8.0_121\bin\jp2iexp.dll" and a decent amount of "Google\Update\version numbers...\psmachine.dll"

There's a crap ton of Installer Reference Issues relating to "Microsoft Silverlight\many different numbers like 5.1.50709" and AMD/ATI.ACE\different things like Brading, Help\en-US and other different languages etc...

 

Is it safe to just delete all of those? Obviously taking precautions like creating a Restore Point and creating backups via CCleaner.



#11 Guest_Bodomi_*

  • Guests

Posted 31 May 2017 - 05:12 AM

> Install and run Malwarebytes and AdwCleaner and report results.  Run chkdsk.  Post voltages and temps as reported in BIOS. Install Speccy and see if the volts and temps match what BIOS is reporting.  Post full Speccy results in thread.

AdwCleaner found a bunch of registry keys. I haven't removed them yet as I'm hesitant as to whether or not it is safe to remove some of those things, like the CurrentControlSet stuff.

There's some malware/adware/PUP stuff it did find though, like InstallCore, Tarma Installer, aartemis. But none of these are on my computer, they seem to just be old registry keys.

And the folders it found are either empty or have a subfolder in it which is named "GoogleCRXs"

It is also detecting things that aren't malicious like Hola. And there's a bunch of Microsoft and Windows related stuff that I'm hesitant to remove.

 

AdwCleaner results:

 

# AdwCleaner v6.047 - Logfile created 31/05/2017 at 12:04:46
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-05-30.2 [Server]
# Operating System : Windows 7 Ultimate Service Pack 1 (X64)
# Username : Spill Pølse - SEAGULL
# Running from : C:\Users\Spill Pølse\Downloads\adwcleaner_6.047.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
Folder Found:  C:\Users\Spill Pølse\AppData\Local\apn
Folder Found:  C:\Users\Spill Pølse\AppData\Local\Conduit
Folder Found:  C:\Users\Spill Pølse\AppData\LocalLow\Conduit
 
 
***** [ Files ] *****
 
File Found:  C:\Users\Spill Pølse\AppData\Roaming\regsvr32.exe_log.txt
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\IePluginService
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\IePluginService
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\IePluginService
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Wpm
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Wpm
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\wpm
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\wpm
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\iepluginservice
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\iepluginservice
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\iepluginservice
Key Found:  HKLM\SOFTWARE\Classes\OCComSDK.ComSDK
Key Found:  HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\OCComSDK.ComSDK
Key Found:  [x64] HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552}
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}
Value Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
Key Found:  HKU\.DEFAULT\Software\Hola
Key Found:  HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found:  HKU\S-1-5-21-1316437554-2751130748-157441662-1000\Software\InstallCore
Key Found:  HKU\S-1-5-21-1316437554-2751130748-157441662-1000\Software\Softonic
Key Found:  HKU\S-1-5-21-1316437554-2751130748-157441662-1000\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found:  HKU\S-1-5-18\Software\Hola
Key Found:  HKU\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found:  HKCU\Software\InstallCore
Key Found:  HKCU\Software\Softonic
Key Found:  HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found:  HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Found:  HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Found:  HKLM\SOFTWARE\aartemisSoftware
Key Found:  HKLM\SOFTWARE\Conduit
Key Found:  HKLM\SOFTWARE\SupTab
Key Found:  HKLM\SOFTWARE\supWPM
Key Found:  HKLM\SOFTWARE\SUPTAB
Key Found:  [x64] HKCU\Software\InstallCore
Key Found:  [x64] HKCU\Software\Softonic
Key Found:  [x64] HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found:  [x64] HKLM\SOFTWARE\Hola
Key Found:  [x64] HKLM\SOFTWARE\Tarma Installer
Data Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL] - hxxp://www.aartemis.com/web/?type=ds&ts=1397962803&from=smt&uid=CorsairXForceX3XSSD_12146503000013410363&q={searchTerms}
Data Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page] - hxxp://www.aartemis.com/web/?type=ds&ts=1397962803&from=smt&uid=CorsairXForceX3XSSD_12146503000013410363&q={searchTerms}
Key Found:  HKU\S-1-5-21-1316437554-2751130748-157441662-1000\Software\Microsoft\Internet Explorer\SearchScopes\{642DE032-D64E-4CDD-92BC-D853EAD2C2E7}
Key Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{642DE032-D64E-4CDD-92BC-D853EAD2C2E7}
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{642DE032-D64E-4CDD-92BC-D853EAD2C2E7}
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Data Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - 
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\IePluginService
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hola.org
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [5469 Bytes] - [31/05/2017 12:04:46]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5542 Bytes] ##########

Edited by Bodomi, 31 May 2017 - 05:17 AM.


#12 Guest_Bodomi_*

  • Guests

Posted 31 May 2017 - 06:05 AM

I just removed all the things I'm 100% comfortable with removing.

 

Here's the logfile after those have been removed: 

 

# AdwCleaner v6.047 - Logfile created 31/05/2017 at 13:04:55
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-05-30.2 [Local]
# Operating System : Windows 7 Ultimate Service Pack 1 (X64)
# Username : Spill Pølse - SEAGULL
# Running from : C:\Users\Spill Pølse\Downloads\adwcleaner_6.047.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
Folder Found:  C:\Users\Spill Pølse\AppData\Local\apn
Folder Found:  C:\Users\Spill Pølse\AppData\Local\Conduit
Folder Found:  C:\Users\Spill Pølse\AppData\LocalLow\Conduit
(I have removed all these folders now.)
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\IePluginService
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Wpm
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Wpm
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\wpm
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\wpm
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\iepluginservice
Key Found:  HKLM\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552}
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}
Value Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
Data Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL] - hxxp://www.aartemis.com/web/?type=ds&ts=1397962803&from=smt&uid=CorsairXForceX3XSSD_12146503000013410363&q={searchTerms} - I have removed this one now.
Data Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page] - hxxp://www.aartemis.com/web/?type=ds&ts=1397962803&from=smt&uid=CorsairXForceX3XSSD_12146503000013410363&q={searchTerms} - I have removed this one now.
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [5556 Bytes] - [31/05/2017 13:02:08]
C:\AdwCleaner\AdwCleaner[S0].txt - [5693 Bytes] - [31/05/2017 12:04:46]
C:\AdwCleaner\AdwCleaner[S1].txt - [5679 Bytes] - [31/05/2017 12:35:34]
C:\AdwCleaner\AdwCleaner[S2].txt - [5412 Bytes] - [31/05/2017 12:56:54]
C:\AdwCleaner\AdwCleaner[S3].txt - [2985 Bytes] - [31/05/2017 13:04:55]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [3058 Bytes] ##########

Edited by Bodomi, 31 May 2017 - 06:09 AM.
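The two AdwCleaner logs above are hard to compare by eye, and the question Bodomi is working through (which of the remaining registry entries are worth touching) is easier once like items are grouped. The script below is an added example for this thread, not code from the posts or from Malwarebytes. It parses AdwCleaner's section headers and "X Found:" lines, diffs the first scan against a later one, and labels what remains with this example's own heuristic categories: an Internet Explorer Default_Search_URL value that still points at a hijacker URL is a live setting; a HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\<name> key is only an event-source registration left behind by a service that no longer exists; a Browser Helper Objects or Policies\Ext\CLSID entry is an IE add-on registration; Classes\CLSID, Interface and TypeLib keys are COM registrations. BEFORE and AFTER are constructed excerpts modelled on the S0 and S3 logs posted above, and the category names are mine, not AdwCleaner's verdicts.

```python
"""Parse two AdwCleaner scan logs, diff them, and group what remains by what it is.

Added example for this thread, not code from the posts or from Malwarebytes.
BEFORE/AFTER are constructed excerpts modelled on the S0 and S3 logs above;
the labels in classify() are this example's own heuristics, not AdwCleaner's.
"""
import re
from collections import defaultdict

HEADER = re.compile(r"^\*{5} \[ (?P<section>[^\]]+?) \] \*{5}$")
ENTRY = re.compile(r"^(?P<kind>Key|Value|Data|Folder|File) Found:\s+(?P<target>.+?)\s*$")

BEFORE = r"""
***** [ Folders ] *****
Folder Found:  C:\Users\Spill Pølse\AppData\Local\Conduit
***** [ Files ] *****
File Found:  C:\Users\Spill Pølse\AppData\Roaming\regsvr32.exe_log.txt
***** [ Registry ] *****
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\IePluginService
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\IePluginService
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Wpm
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}
Value Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
Key Found:  HKCU\Software\InstallCore
Key Found:  HKLM\SOFTWARE\aartemisSoftware
Data Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL] - hxxp://www.aartemis.com/web/?type=ds&ts=1397962803&from=smt&uid=CorsairXForceX3XSSD_12146503000013410363&q={searchTerms}
"""

AFTER = r"""
***** [ Folders ] *****
Folder Found:  C:\Users\Spill Pølse\AppData\Local\Conduit
***** [ Files ] *****
No malicious files found.
***** [ Registry ] *****
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\IePluginService
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Wpm
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}
Value Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
Data Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL] - hxxp://www.aartemis.com/web/?type=ds&ts=1397962803&from=smt&uid=CorsairXForceX3XSSD_12146503000013410363&q={searchTerms}
"""

def parse_log(text: str) -> dict:
    """{section: [(kind, target), ...]} for every '<kind> Found:' line."""
    findings, section = defaultdict(list), None
    for line in (ln.strip() for ln in text.splitlines()):
        header, entry = HEADER.match(line), ENTRY.match(line)
        if header:
            section = header.group("section").strip()
        elif entry and section:
            findings[section].append((entry.group("kind"), entry.group("target")))
    return dict(findings)

def classify(kind: str, target: str) -> str:
    """Heuristic label for one finding (this example's categories, not AdwCleaner's)."""
    t = target.lower()
    if kind in ("Folder", "File"):
        return "leftover-" + kind.lower()
    if kind == "Data" and "hxxp://" in t:
        return "active-setting"            # live value still pointing at the hijacker URL
    if "\\browser helper objects\\" in t or "\\policies\\ext\\clsid" in t:
        return "ie-addon-registration"     # IE add-on (BHO) registration / policy entry
    if "\\services\\eventlog\\application\\" in t:
        return "orphan-eventlog-source"    # event-source name left by a removed service
    if "\\shared tools\\msconfig\\services\\" in t:
        return "msconfig-disabled-service" # service once disabled via msconfig, now gone
    if re.search(r"\\classes\\(clsid|interface|typelib)\\\{", t):
        return "com-registration"          # COM class/interface/typelib, likely orphaned
    if t.startswith(("hkcu\\", "hku\\")) or "hklm\\software\\" in t:
        return "vendor-key"                # the adware vendor's own settings key
    return "other"

def diff_logs(before_text: str, after_text: str):
    """(removed, remaining) as sorted (section, kind, target) tuples."""
    def flat(text):
        return {(s, k, t) for s, items in parse_log(text).items() for k, t in items}
    before, after = flat(before_text), flat(after_text)
    return sorted(before - after), sorted(after)

def summarize(entries) -> dict:
    """category -> sorted targets, so like items can be judged together."""
    buckets = defaultdict(list)
    for _section, kind, target in entries:
        buckets[classify(kind, target)].append(target)
    return {c: sorted(v) for c, v in buckets.items()}

if __name__ == "__main__":
    removed, remaining = diff_logs(BEFORE, AFTER)
    print(f"removed since the first scan: {len(removed)}")
    for category, targets in sorted(summarize(remaining).items()):
        print(f"[{category}]", *targets, sep="\n  ")
```

Replace the two constants with open(path, encoding="utf-8").read() on the real AdwCleaner[S0].txt and AdwCleaner[S3].txt files to run it on the full logs. The point of the grouping is that the remaining items are not all the same kind of thing: the Default_Search_URL value is a setting IE would still use, while the EventLog source and MSConfig entries are inert references to a service that is no longer installed.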


#13 Havachat

  • Members
  • 1,167 posts
  • Gender:Male
  • Location:Sleepy Hollow - Geelong - Go Cats.

Posted 31 May 2017 - 06:38 AM

Aartemis is a browser hijacker / rootkit.

I think maybe you have 2 choices:

1/ Reinstall the operating system after backing up all personal files externally (I know that can be painful to some).

 

2/ Or request a moderator to move this post to "Am I infected? What do I do?".



#14 Guest_Bodomi_*

  • Guests

Posted 31 May 2017 - 06:48 AM

> Aartemis is a browser hijacker / rootkit.
>
> I think maybe you have 2 choices:
>
> 1/ Reinstall the operating system after backing up all personal files externally (I know that can be painful to some).
>
> 2/ Or request a moderator to move this post to "Am I infected? What do I do?".

 

I had Aartemis in 2013 and removed it myself. Those were only registry keys that were left behind.

 

I'm not infected, my computer works just fine and I have no virus, adware, rootkit or otherwise anything else.

 

My question now is whether or not I should remove the other stuff AdwCleaner found.

Note that they are all registry keys or values, I don't have any actual programs or pups etc...

 

Everything has been registry stuff, and the stuff I removed earlier was old registry entries from stuff I have removed before.


Edited by Bodomi, 31 May 2017 - 06:53 AM.


#15 dc3

    Bleeping Treehugger

  • Members
  • 30,810 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 31 May 2017 - 08:05 AM

> Install and run Malwarebytes and AdwCleaner and report results.  Run chkdsk.  Post voltages and temps as reported in BIOS. Install Speccy and see if the volts and temps match what BIOS is reporting.  Post full Speccy results in thread.

You need to be aware that Malwarebytes and AdwCleaner are tools that are not to be used or suggested in the Windows Forum for security reasons.  If you wish to suggest this you should also suggest that they move the topic to the Am I Infected forum where these tools may be used.

