Remember that crazy accidental Windows update release that showed a load of Chinese characters? Could this be something similar or even related?
Sent from my slightly schizophrenic, but rather cool, BlackBerry Android

From: [email protected]
Sent: 22 January 2016 8:50 pm
To: [email protected]
Reply to: [email protected]
Subject: [NTSysADM] Very, very weird

All,

I logged into our file server to do some work on it, and noticed a new directory - C:\780A76EB-C496-4C3D-B653-F2AF085FA643\

It contained the following files, zero-length, marked as Read-only, Hidden, System:

0湶甭敳獲琮穧
1㍄ᄢ
2㍄ᄢ
3虯戱❮耀

The dates on the files and directory are 2016-01-04 18:28. Perms on the files/directory are innocuous.

One thing that's very weird is that the filenames are in two different character sets - they show as Chinese and Korean in Google Translate's autodetection.

I did a lot of searching, and finally found reference to the directory/files in the PFRO.log:

1/10/2016 17:59:27 - PFRO Error: \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\0湶甭敳獲琮穧, !\??\湶甭敳獲琮穧, 0xc0000034
1/10/2016 17:59:27 - PFRO Error: \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\1㍄ᄢ, !\??\㍄ᄢ, 0xc0000034
1/10/2016 17:59:27 - PFRO Error: \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\2㍄ᄢ, !\??\㍄ᄢ, 0xc0000034
1/10/2016 17:59:27 - PFRO Error: \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\3虯戱❮耀, !\??\虯戱❮耀, 0xc0000034
1/10/2016 17:59:27 - PFRO Error: \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643, |delete operation|, 0xc0000101
1/10/2016 17:59:27 - 0 Successful PFRO operations

The GUID that begins '3ec25' refers to the C: drive. I have no idea what is referenced by the GUID that begins '780A' - it doesn't show in the registry, and I can't find reference to it anywhere else on the machine.

I checked the eventlogs, and see that the machine rebooted at the time noted in PFRO.log. However, the PFRO log shows that whatever it was failed to install.

The reboot was initiated by one of our team members as we were completing moving some VMs around and reconfiguring VMDKs, etc. There were no patches pending, and no software installs recently.

I've run a scan with ESET against the C: drive, and haven't found anything untoward, and used ProcessExplorer's VirusTotal capability to check memory, and it came back clean also.

I'm really baffled - if anyone has thoughts on this, I'd surely like to hear them.

Kurt
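An added example for triaging this kind of evidence offline; it is not code from the original post or from anyone in the thread. It parses PFRO.log error lines in the layout quoted above (PFRO.log is where the session manager records what it did at boot with the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager), names the two NTSTATUS values that actually appear (0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, 0xc0000101 is STATUS_DIRECTORY_NOT_EMPTY), classifies each entry using the documented convention that a "!" prefix on the destination means MOVEFILE_REPLACE_EXISTING, and then re-reads the non-ASCII part of each filename as little-endian 16-bit units to test whether it is an ASCII string that was interpreted as UTF-16. The log lines in the block are constructed from the post; all function names are my own.

```python
"""Offline triage of PFRO.log entries of the kind quoted in the thread.

Added example, not the original poster's code. Assumptions: the line layout
"<date> <time> - PFRO Error: <source>, <destination>, <status>" as quoted in
the post, the PendingFileRenameOperations convention that a leading "!" on
the destination means replace-existing, and only the two NTSTATUS values
that appear in the post are given names here.
"""
import re
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NTSTATUS values seen in the quoted log (names as in ntstatus.h).
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000101: "STATUS_DIRECTORY_NOT_EMPTY",
}

# Constructed sample: the six lines quoted in the post, one per list entry.
SAMPLE_PFRO_LOG = [
    r"1/10/2016 17:59:27 - PFRO Error: \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\0湶甭敳獲琮穧, !\??\湶甭敳獲琮穧, 0xc0000034",
    r"1/10/2016 17:59:27 - PFRO Error: \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\1㍄ᄢ, !\??\㍄ᄢ, 0xc0000034",
    r"1/10/2016 17:59:27 - PFRO Error: \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\2㍄ᄢ, !\??\㍄ᄢ, 0xc0000034",
    r"1/10/2016 17:59:27 - PFRO Error: \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\3虯戱❮耀, !\??\虯戱❮耀, 0xc0000034",
    r"1/10/2016 17:59:27 - PFRO Error: \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643, |delete operation|, 0xc0000101",
    "1/10/2016 17:59:27 - 0 Successful PFRO operations",
]

ERROR_RE = re.compile(r"^(?P<ts>\S+ \S+) - PFRO Error: (?P<rest>.+)$")
VOLUME_RE = re.compile(r"\\Volume\{([0-9a-fA-F-]{36})\}")


@dataclass
class PfroEntry:
    timestamp: str
    source: str
    destination: str
    operation: str          # "delete", "rename (replace existing)" or "rename"
    status: int
    status_name: str
    volume_guid: Optional[str]


def parse_pfro_line(line: str) -> Optional[PfroEntry]:
    """Parse one 'PFRO Error' line; summary and unrelated lines give None."""
    m = ERROR_RE.match(line.strip())
    if not m:
        return None
    # Paths may contain anything, so split from the right: the last two
    # ", " separators are the field boundaries.
    parts = m.group("rest").rsplit(", ", 2)
    if len(parts) != 3:
        return None
    source, destination, status_text = parts
    status = int(status_text, 16)
    if destination == "|delete operation|":
        operation = "delete"
    elif destination.startswith("!"):
        operation = "rename (replace existing)"   # MOVEFILE_REPLACE_EXISTING
        destination = destination[1:]
    else:
        operation = "rename"
    vol = VOLUME_RE.search(source)
    return PfroEntry(
        timestamp=m.group("ts"),
        source=source,
        destination=destination,
        operation=operation,
        status=status,
        status_name=NTSTATUS_NAMES.get(status, "unknown NTSTATUS 0x%08X" % status),
        volume_guid=vol.group(1) if vol else None,
    )


def parse_pfro_log(lines) -> List[PfroEntry]:
    return [e for e in (parse_pfro_line(l) for l in lines) if e is not None]


# Printable ASCII without the whitespace controls.
_PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def reinterpret_as_utf16(name: str) -> Tuple[str, str, Optional[str]]:
    """Split a filename into its ASCII prefix and non-ASCII remainder and
    re-read the remainder's code points as little-endian 16-bit units.

    Returns (prefix, hex of the underlying bytes, ascii_text or None);
    ascii_text is set only when every byte is printable ASCII, i.e. the name
    is consistent with an ASCII string that was interpreted as UTF-16LE.
    """
    idx = 0
    while idx < len(name) and ord(name[idx]) < 0x80:
        idx += 1
    prefix, rest = name[:idx], name[idx:]
    raw = rest.encode("utf-16-le")
    ascii_text = raw.decode("ascii") if raw and all(b in _PRINTABLE for b in raw) else None
    return prefix, raw.hex(), ascii_text


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(lines) -> List[dict]:
    """One summary row per error entry, with the filename re-decoded."""
    rows = []
    for e in parse_pfro_log(lines):
        prefix, raw_hex, ascii_text = reinterpret_as_utf16(basename(e.source))
        rows.append({
            "operation": e.operation,
            "status": e.status_name,
            "volume_guid": e.volume_guid,
            "name": basename(e.source),
            "ascii_prefix": prefix,
            "utf16le_bytes": raw_hex,
            "as_ascii": ascii_text,
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_PFRO_LOG):
        print(row)
```

Run against the constructed sample, the non-ASCII remainder of the first filename re-reads as the printable ASCII bytes vn-users.tgz, while the other three names do not re-read as printable ASCII and are reported only as hex. That is a hint about how the names were produced, not an attribution. On the host itself, the pending list at the moment of a reboot is the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and mountvol lists the Volume{...} GUIDs so the one in the log can be matched to a drive letter.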
