Unusual file named .62030.jpg.3bqiFX


  • This topic is locked
6 replies to this topic

#1 total21

total21

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 30 June 2017 - 01:22 PM

I was making a backup of my website files to Windows 7 with Cygwin (from a LAMP server, regular PHP script) and in the process something has created a file like this: 

 

.62030.jpg.3bqiFX

 

In the folder where it appeared, there is another original file named 62030.jpg, which is an image file. So something has added that dot at the beginning and the ".3bqiFX" at the end. The file is 0 bytes and it belongs to the following Group or user: 

 

S-1-5-21-3658720670-2097995755-1032747883-1001

 

When I try to paste it to disk C (from disk D), make a copy of it, I get the following results: 

 

File Access Denied - You'll need to provide administrator permission to copy this file. 

I am now on Windows 10 Pro (I upgraded today) and when I click Continue with that shield icon (this looks like I am pressing it as an administrator of the system or something like that), I get that: 

 

You need permission from S-1-5-21-3658720670-2097995755-1032747883-1001 to make changes to this file. 

 

I've been using Windows for like 15 years and I've never seen anything like that. Is there any way to figure out what this is and where it may be coming from? I will add that this is an important situation as this is a backup and I can lose a year and a half of all day / all week work. For this reason I am asking, and I would like to know what this is that I am dealing with (normally I would just delete it in some way, I guess). 

 

Thanks. 





#2 Chris Cosgrove

Chris Cosgrove

  • Moderator
  • 6,875 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:04:44 AM

Posted 30 June 2017 - 06:00 PM

The possibility exists that this could be ransomware. Is this the only file modified with this extension?

 

I am not a malware specialist and have no particular training in this field but a colleague who has suggests that if you have a doubt on this score you could upload the file to -

 

https://id-ransomware.malwarehunterteam.com/

 

If it is the only file with this extension I would suggest you take it up with your hoster.

 

Chris Cosgrove



#3 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:44 PM

Posted 01 July 2017 - 03:08 PM

Cross-posted here...

 

https://answers.microsoft.com/en-us/windows/forum/windows_7-files/unusual-file-named-line-this-62030jpg3bqifx/679239bd-1099-43d7-9bad-8e4fb2a3fad1



#4 sflatechguy

sflatechguy

  • BC Advisor
  • 2,233 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:44 PM

Posted 02 July 2017 - 12:54 PM

You can also upload it to VirusTotal and have them scan it as well.

https://www.virustotal.com/

 

I don't know who that SID belongs to, but it clearly isn't you, or you wouldn't have received that error message.

Open up a command prompt and type in: wmic useraccount get name,sid

That will return a list of all user accounts on your computer, and their SIDs. That should tell you who that SID belongs to, and may help determine what process created that file.
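
The SID lookup suggested in the post above, as an added PowerShell example that is not part of the original post: it tries to resolve the SID to an account name and, when that fails, checks whether the SID was issued by this Windows installation at all. The function name Get-SidOrigin and the file path in the last comment are hypothetical; the SID is the one quoted in the first post.

```powershell
# Added example (not from the thread). Classifies a SID that Explorer shows as a raw string.
function Get-SidOrigin {
    param([Parameter(Mandatory = $true)][string]$SidString)

    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)

    # 1. Ask Windows for the account name. Translate() throws when no local or
    #    domain account carries this SID, which is why Explorer prints the raw value.
    $account = $null
    try {
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $null
    }

    # 2. Every local account SID is the machine's own identifier (S-1-5-21-x-y-z)
    #    plus a relative ID (RID). Read that identifier from any local account.
    $machineId = $null
    $local = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
        Select-Object -First 1
    if ($local) {
        $localSid = New-Object System.Security.Principal.SecurityIdentifier($local.SID)
        $machineId = $localSid.AccountDomainSid.Value
    }

    # 3. Compare the issuer part of the unknown SID with this machine's identifier.
    $issuer = $null
    if ($sid.AccountDomainSid) { $issuer = $sid.AccountDomainSid.Value }

    [pscustomobject]@{
        Sid                 = $sid.Value
        Rid                 = ($sid.Value -split '-')[-1]
        Account             = $account          # $null means unresolved
        IssuerId            = $issuer
        ThisMachineId       = $machineId
        IssuedByThisMachine = ($null -ne $issuer -and $issuer -eq $machineId)
    }
}

# SID quoted in the first post of this thread.
Get-SidOrigin -SidString 'S-1-5-21-3658720670-2097995755-1032747883-1001'

# Owner SID of a file on disk (the path is a placeholder):
# (Get-Acl -LiteralPath 'D:\backup\example.jpg').GetOwner([System.Security.Principal.SecurityIdentifier]).Value
```

An empty Account together with IssuedByThisMachine = False means the SID was issued by a different Windows installation or domain, so no account on the current system will match it.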



#5 jcgriff2

jcgriff2

  • BSOD Kernel Dump Expert
  • 1,109 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey Shore
  • Local time:11:44 PM

Posted 02 July 2017 - 09:33 PM

Usually, a user with SID -1001 is the first Admin account created, but apparently not in this case.


Microsoft MVP 2009-2015
Microsoft Windows Insider MVP 2018 - Present

#6 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:44 PM

Posted 02 July 2017 - 10:37 PM

This issue is now cross-posted in several different forums...

 

Most sites have a policy against cross posting...it wastes time for helpers who don't know what has been tried.

 

Please advise the other forums where you have posted, and advise this forum as well.



#7 Al1000

Al1000

  • Global Moderator
  • 7,875 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:04:44 AM

Posted 03 July 2017 - 03:09 AM

A link has been posted to where the topic is apparently being answered here:

http://www.techsupportforum.com/forums/f217/unusual-file-named-62030-jpg-3bqifx-1200169.html

Please do not post the same question on multiple forums for the reason stated above.

Topic closed.



