Suspicious files

I don’t seem to have problems but I found some suspicious files. It began when I did a regular scan with MBAM which found a file called “nengine.dll”: trying to understand how I got that file I searched for other files created the same day, 16th of February 2014, and among them there are:

  • in “All Users\Dati applicazioni\AVAST Software\Avast” there is a text file called “clickstream”: is it normal?

  • in “Administrator\Impostazioni locali\Dati applicazioni\cache” (impostazioni locali = local settings) there is a folder called “data7” with 16 subfolders (called “0”, “1”… “a”, “b”…) containing several files with a “d” extension (for example “2agp4wlp.d”); I’ve read that they may be related to Java.

  • in “Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\bzwsme3g.Andrea” there is a folder called “nspdl” and inside it a “fav-groups” file, a “favs##c1280528f64875c6873cab32319d72cb” file and a “fav_thumbs” folder containing 10 files with long cryptic names.

Then I did a scan with AdwCleaner and it found “user.js” (created on the same day as the previous ones) in “Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\bzwsme3g.Andrea” and it removed it. It also found “prefs.js” in the same folder but it didn’t remove it (but I can do it manually). I’ve noticed that AdwCleaner finds it even if I personally create a new prefs.js file and put it in that folder. Maybe it’s a false positive? I also noticed in the file’s properties that its creation date changes when using Firefox but maybe it’s normal.

Maybe I have nothing, but I think that these files created on the same day (and at a similar hour for some) are kind of suspicious.
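The check described in the post above, listing files created around the same time as a flagged one, as an added example that is not part of the original post. The function names and the 12-hour default window are assumptions; creation timestamps are weak evidence on their own, since they can change when a program rewrites a file, as the poster observed with prefs.js.

```python
import os
import sys
from datetime import timedelta


def creation_time(st):
    """Creation timestamp where the OS records one (st_birthtime), else st_ctime.

    On Windows st_ctime has traditionally been the creation time; on Linux it is
    the inode change time, so results there are only approximate.
    """
    return getattr(st, "st_birthtime", st.st_ctime)


def created_near(root, anchor_path, window_hours=12, stamp=creation_time):
    """Return [(offset_seconds, path)] for files under root whose timestamp lies
    within window_hours of anchor_path's, ordered by offset from the anchor."""
    anchor_ts = stamp(os.stat(anchor_path))
    window = timedelta(hours=window_hours).total_seconds()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                ts = stamp(os.stat(path))
            except OSError:
                continue  # locked or vanished file: skip rather than abort the sweep
            if abs(ts - anchor_ts) <= window:
                hits.append((ts - anchor_ts, path))
    return sorted(hits)


if __name__ == "__main__":
    # usage: python created_near.py <root-folder> <flagged-file> [hours]
    root, anchor = sys.argv[1], sys.argv[2]
    hours = float(sys.argv[3]) if len(sys.argv) > 3 else 12
    for offset, path in created_near(root, anchor, hours):
        print(f"{offset / 3600:+7.2f} h  {path}")
```

Passing `stamp=lambda st: st.st_mtime` compares last-modified times instead, which is useful when creation times have been reset.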

I can see nothing untoward on the system and it looks relatively clean 🙂

Is that “clickstream” file in the Avast folder normal?

Is the prefs.js file a false positive by AdwCleaner? And what about the user.js that was removed by AdwCleaner (and created at the same hour as the engine.dll)?

Clickstream is probably a transient within the Avast folder; if you wish, you can attach the text file for me to look at. Generally the JS prefs will be cleaned by AdwCleaner as there is probably some adware in there.

I’ve attached the clickstream file.

OK, that looks like it is related to the software updater element 🙂

Ok, thank you. 🙂