Unknown file with long filename filling up hard drive

I opened my computer this morning and, when I logged on, load time was very slow. I needed to go online, so I clicked FF, which also seemed to be taking a long time to load, so I stepped away for a moment. When I returned, I found that my system had spontaneously rebooted. After entering my password, I again noticed a loading lag, and was going to run CCleaner to sweep up a bit when I discovered that my hard drive capacity indicator was in the red. I have a 500GB system with more than 450 gigs free, and am very fastidious about keeping it clean and junk-free, so there is definitely something amiss. I found a huge unknown file named “3590F75ABA9E485486C100C1A9D4FF06YNUQIWTVYIAQORDZ” on my C drive, with today’s date. Usually, avast! catches everything, so this has me dumbfounded and worried. How do I get rid of this beast?

Follow the guide and attach the logs requested
http://forum.avast.com/index.php?topic=53253.0

Monitoring - looks like something new

Sorry to be long in getting back here. Followed the instructions provided in the link. Interestingly, MBAM found no threats/issues. Same result when I manually ran Avast this morning prior to posting here. But there is most certainly something fishy going on. I have not tried to open, manipulate or delete the file in question, for fear of making the virus/whatever harder to eradicate.

Here is the MBAM log:

Malwarebytes Anti-Malware 1.60.1.1000 www.malwarebytes.org

Database version: v2012.03.04.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Mamba :: MAMBA-PC [administrator]

3/4/2012 11:30:30 AM
mbam-log-2012-03-04 (11-30-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 194430
Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Attached are the OTL logs.

The aswMBR report:

aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-04 12:20:24
-----------------------------
12:20:24.113 OS Version: Windows x64 6.1.7601 Service Pack 1
12:20:24.113 Number of processors: 2 586 0x2505
12:20:24.114 ComputerName: MAMBA-PC UserName: Mamba
12:20:25.366 Initialize success
12:20:25.971 AVAST engine defs: 12030400
12:21:30.029 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
12:21:30.029 Disk 0 Vendor: ST950056 SD22 Size: 476940MB BusType: 3
12:21:30.029 Disk 0 MBR read successfully
12:21:30.044 Disk 0 MBR scan
12:21:30.044 Disk 0 Windows 7 default MBR code
12:21:30.044 Disk 0 Partition 1 00 1C Hidd FAT32 LBA MSDOS5.0 25600 MB offset 2048
12:21:30.060 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 204800 MB offset 52430848
12:21:30.060 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 246539 MB offset 471861248
12:21:30.076 Disk 0 scanning C:\Windows\system32\drivers
12:21:34.366 Service scanning
12:21:41.464 Modules scanning
12:21:41.464 Disk 0 trace - called modules:
12:21:41.479 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
12:21:41.495 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80032ca760]
12:21:41.495 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa8002d51a00]
12:21:41.510 5 ACPI.sys[fffff88000ed07a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8002d5a050]
12:21:42.088 AVAST engine scan C:\Windows
12:21:43.336 AVAST engine scan C:\Windows\system32
12:22:40.385 AVAST engine scan C:\Windows\system32\drivers
12:22:44.004 AVAST engine scan C:\Users\Mamba
12:29:33.397 AVAST engine scan C:\ProgramData
12:34:49.129 Scan finished successfully
12:35:30.484 Disk 0 MBR has been saved successfully to "C:\Users\Mamba\Desktop\MBR.dat"
12:35:30.484 The log file has been saved successfully to "C:\Users\Mamba\Desktop\aswMBR.txt"

Thanks in advance for your assistance!

Not sure if the OTL Extras attached properly in the previous post. Attaching again.

For what they’re worth, I have screencaps of the suspect filename and size, as well as the current capacity of my hard drive.

Didn’t use the fixMBR option after the aswMBR scan. Should I have? Trying to follow the instructions to the letter. At present, there doesn’t seem to be any notable detrimental effects from this thing, but I am afraid to let it go too long. Next step?

Although I am able to go online and my laptop seems to behave normally, if sluggishly, for the moment, I’m afraid to turn it off, reboot it, or let it hibernate until I know what I’m dealing with. Obviously, it can’t be harmless. I’d like to wipe it away and reclaim my hard disc. Any other tests I should run or tools I should use?

I don’t think so. Did you already run a full scan of avast?

The file doesn’t seem harmless though… Seems a signal of infection.

My guess would be it’s not any infection.
Personally, I’d try to rename the file and see if it gets created again. If yes, maybe deploy Process Monitor and try to find out the name of the process that created it.

Whatever it is, I agree it is not harmless. It is eating up my hard disc space. It isn’t currently preventing me from using my laptop, but if I have to reboot for some reason, it may have nasty results - that is when the file showed up this morning, before I even got online, so it must have been waiting for a certain action or event to install or attach itself. I will run avast! again and will also post a HijackThis log. One moment.

???

and will also post a HijackThis log.
It is not very good... that is why we had you post the OTL log ;)

The MBR is OK, so there is no need to use any of the fix options there.

That is a massive file - have you done any updates?

I will put it into quarantine and leave it there for a day or so to ensure that it is not something you need.

Once it has been moved, could you reboot the computer to see if it respawns?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
[2012/03/04 09:16:13 | 2096,627,674 | ---- | M] () -- C:\3590F75ABA9E485486C100C1A9D4FF06YNUQIWTVYIAQORDZ

:Commands
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

It is indeed a massive file. Not sure what you mean by updates. Windows and System? I run those manually, picking and choosing what I want instead of accepting everything automatically. Hasn’t been a problem in the past. Maybe I should look them over again. Will do as you requested as far as rebooting, but not sure how to disable MalwareBytes. It isn’t currently running (I’ll check my processes to make doubly sure), but it is installed. Did I overlook an option or setting somewhere?

but not sure how to disable MalwareBytes.
Malwarebytes PRO has a protection module

I use a free version of MBAM, there’s no realtime protection. But I did uncheck the auto-update boxes. So I should be good to go?

It should be OK then

@Pondus,

And not only that. The scanner file will be restored next scan around. MBAM has various protection schemes.
That is why loads of users here combine avast with free SAS and free MBAM to close the so-called vulnerability window a bit further.
The file mentioned is massive indeed and equals the size of a primary Linux swap file.

@euthenia,

You are in the best of hands here with essexboy. Yes you are good to go. The avast support forum is tops…

polonus

+10 :wink:
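
Added example, not part of the original thread or any poster's code: before an unexplained multi-gigabyte file like the one discussed above is moved to quarantine, a read-only triage can show whether it looks like an installer or update payload, a swap area, a preallocated placeholder, or compressed/encrypted data. The function names, the signature table and the thresholds (0.99 zero fraction, 7.5 bits per byte) are assumptions chosen for illustration.

```python
import math
import os
import sys
from collections import Counter

# Leading signatures (offset 0) that explain many stray multi-GB files.
MAGIC = {
    b"MZ": "Windows executable (PE)",
    b"MSCF": "Microsoft cabinet archive (installer/update payload)",
    b"PK\x03\x04": "ZIP container",
    b"\xd0\xcf\x11\xe0": "OLE2 compound file (e.g. MSI package)",
}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 is constant, 8.0 looks random."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values()) if n else 0.0

def triage(path: str, samples: int = 8, chunk: int = 4096) -> dict:
    """Read-only look at an unknown file; it is never opened for writing."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(chunk)
        blocks = []
        for i in range(samples):  # evenly spaced samples, not a full 2 GB read
            fh.seek((size // samples) * i)
            blocks.append(fh.read(chunk))
    data = b"".join(blocks)
    zero = data.count(0) / len(data) if data else 0.0
    bits = entropy(data)
    kind = next((name for sig, name in MAGIC.items() if head.startswith(sig)), None)
    if kind is None and head[4086:4096] == b"SWAPSPACE2":
        kind = "Linux swap area (marker at end of first 4 KiB page)"
    elif kind is None and zero > 0.99:
        kind = "zero-filled (preallocated or placeholder file)"
    elif kind is None and bits > 7.5:
        kind = "high-entropy (compressed or encrypted data)"
    return {"size": size, "kind": kind or "unrecognised",
            "entropy": round(bits, 2), "zero_fraction": round(zero, 2)}

if __name__ == "__main__":
    import tempfile
    paths = sys.argv[1:]
    if not paths:  # constructed sample: cabinet signature followed by zeros
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(b"MSCF" + bytes(8192))
        paths = [tmp.name]
    for target in paths:
        print(target, triage(target))
```

The result is a hint about what wrote the file, not a verdict: a recognised signature narrows down which installer, updater or tool to look for in Process Monitor if the file respawns.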