Did you get hashes of the files and run them through your favorite Google search engine?
On Fri, Jan 22, 2016 at 3:49 PM, Kurt Buff <[email protected]> wrote:
> All,
>
> I logged into our file server to do some work on it, and noticed a new
> directory - C:\780A76EB-C496-4C3D-B653-F2AF085FA643\
>
> It contained the following files zero-length, marked as Read-only,
> Hidden, System:
> 0湶甭敳獲琮穧
> 1㍄ᄢ
> 2㍄ᄢ
> 3虯戱❮耀
>
> The dates on the files and directory are 2016-01-04 18:28. Perms on the
> files/directory are innocuous. One thing that's very weird is that the
> filenames are in two different character sets - they show as Chinese
> and Korean in Google Translate's autodetection.
>
> I did a lot of searching, and finally found reference to the
> directory/files in the PFRO.log:
> 1/10/2016 17:59:27 - PFRO Error:
>
> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\0湶甭敳獲琮穧,
> !\??\湶甭敳獲琮穧, 0xc0000034
> 1/10/2016 17:59:27 - PFRO Error:
>
> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\1㍄ᄢ,
> !\??\㍄ᄢ, 0xc0000034
> 1/10/2016 17:59:27 - PFRO Error:
>
> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\2㍄ᄢ,
> !\??\㍄ᄢ, 0xc0000034
> 1/10/2016 17:59:27 - PFRO Error:
>
> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\3虯戱❮耀,
> !\??\虯戱❮耀, 0xc0000034
> 1/10/2016 17:59:27 - PFRO Error:
>
> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643,
> |delete operation|, 0xc0000101
> 1/10/2016 17:59:27 - 0 Successful PFRO operations
>
>
> The GUID that begins '3ec25' refers to the C: drive. I have no idea
> what is referenced by the GUID that begins '780A' - it doesn't show in
> the registry, and I can't find reference to it anywhere else on the
> machine.
>
> I checked the eventlogs, and see that the machine rebooted at the time
> noted in PFRO.log. However, the PFRO log shows that whatever it was
> failed to install.
>
> The reboot was initiated by one of our team members as we were
> completing moving some VMs around and reconfiguring VMDKs, etc.
>
> There were no patches pending, and no software installs recently.
>
> I've run a scan with ESET against the C: drive, and haven't found
> anything untoward, and used ProcessExplorer's VirusTotal capability to
> check memory, and it came back clean also.
>
> I'm really baffled - if anyone has thoughts on this, I'd surely like
> to hear them.
>
> Kurt
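As an added example (not part of the thread), the Python below parses the PFRO.log lines quoted above into source, destination and NTSTATUS name, and tests one hypothesis about the CJK-looking file names: that each is a plain byte string that was handed to a wide-character API and is therefore displayed two bytes per character. The sample log text is reconstructed from the post with the mail wrapping undone; the assumption that each name carries a one-digit index prefix (prefix_len=1) is mine.

```python
import re

# Constructed sample: two of the PFRO.log lines quoted in the thread, each
# re-joined onto a single line (the mail client wrapped them), plus the summary line.
PFRO_LOG = (
    "1/10/2016 17:59:27 - PFRO Error: "
    "\\??\\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}"
    "\\780A76EB-C496-4C3D-B653-F2AF085FA643\\0湶甭敳獲琮穧, "
    "!\\??\\湶甭敳獲琮穧, 0xc0000034\n"
    "1/10/2016 17:59:27 - PFRO Error: "
    "\\??\\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}"
    "\\780A76EB-C496-4C3D-B653-F2AF085FA643, |delete operation|, 0xc0000101\n"
    "1/10/2016 17:59:27 - 0 Successful PFRO operations\n"
)

# Names of the two NTSTATUS values that appear in the post (from ntstatus.h).
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000101: "STATUS_DIRECTORY_NOT_EMPTY",
}

PFRO_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - PFRO Error: (?P<src>.+?), (?P<dst>.+?), 0x(?P<code>[0-9a-fA-F]{8})$"
)


def parse_pfro(text):
    """Return one dict per 'PFRO Error' line: time, source, destination, status."""
    entries = []
    for line in text.splitlines():
        m = PFRO_RE.match(line)
        if m is None:
            continue  # e.g. the '0 Successful PFRO operations' summary line
        code = int(m.group("code"), 16)
        entries.append({
            "time": m.group("ts"),
            "source": m.group("src"),
            "destination": m.group("dst"),
            "status": code,
            "status_name": NTSTATUS.get(code, "UNKNOWN_NTSTATUS"),
        })
    return entries


def wide_name_bytes(name, prefix_len=1):
    """Hypothesis check: drop the assumed leading index digit and re-encode the
    rest as UTF-16LE, recovering the raw bytes the wide-char API was given."""
    return name[prefix_len:].encode("utf-16-le")


if __name__ == "__main__":
    for e in parse_pfro(PFRO_LOG):
        print(f"{e['status']:#010x} {e['status_name']}: {e['source']} -> {e['destination']}")
    for name in ("0湶甭敳獲琮穧", "1㍄ᄢ", "3虯戱❮耀"):
        print(name, "->", wide_name_bytes(name))  # first name: b'vn-users.tgz'
```

A recovered byte string is only worth pursuing when it comes out as printable text, as the first name does; the others should be read as opaque bytes. Note also that the files are zero-length, so their hashes are the constant empty-file digest and identify nothing; the names are the only content to work from.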
