No problem.

On Fri, Jan 22, 2016 at 1:48 PM, Richard Stovall <[email protected]> wrote:
> Doh!  I neglected to register the zero length part of your original post.
> Sorry about that.
>
> On Fri, Jan 22, 2016 at 4:27 PM, Kurt Buff <[email protected]> wrote:
>>
>> A zero-length file always returns the same hash...
>>
>> Kurt
>>
>> On Fri, Jan 22, 2016 at 1:18 PM, Richard Stovall <[email protected]>
>> wrote:
>> > Did you get hashes of the files and run them through your favorite
>> > Google
>> > search engine?
>> >
>> > On Fri, Jan 22, 2016 at 3:49 PM, Kurt Buff <[email protected]> wrote:
>> >>
>> >> All,
>> >>
>> >> I logged into our file server to do some work on it, and noticed a new
>> >> directory - C:\780A76EB-C496-4C3D-B653-F2AF085FA643\
>> >>
>> >> It contained the following zero-length files, marked as Read-only,
>> >> Hidden, System:
>> >>      0湶甭敳獲琮穧
>> >>      1㍄ᄢ
>> >>      2㍄ᄢ
>> >>      3虯戱❮耀
>> >>
>> >> The dates on the files and directory are 2016-01-04 18:28. Perms on the
>> >> files/directory are innocuous. One thing that's very weird is that the
>> >> filenames are in two different character sets - they show as Chinese
>> >> and Korean in Google Translate's autodetection.
>> >>
>> >> I did a lot of searching, and finally found reference to the
>> >> directory/files in the PFRO.log:
>> >> 1/10/2016 17:59:27 - PFRO Error:
>> >>
>> >>
>> >> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\0湶甭敳獲琮穧,
>> >> !\??\湶甭敳獲琮穧, 0xc0000034
>> >> 1/10/2016 17:59:27 - PFRO Error:
>> >>
>> >>
>> >> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\1㍄ᄢ,
>> >> !\??\㍄ᄢ, 0xc0000034
>> >> 1/10/2016 17:59:27 - PFRO Error:
>> >>
>> >>
>> >> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\2㍄ᄢ,
>> >> !\??\㍄ᄢ, 0xc0000034
>> >> 1/10/2016 17:59:27 - PFRO Error:
>> >>
>> >>
>> >> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\3虯戱❮耀,
>> >> !\??\虯戱❮耀, 0xc0000034
>> >> 1/10/2016 17:59:27 - PFRO Error:
>> >>
>> >>
>> >> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643,
>> >> |delete operation|, 0xc0000101
>> >> 1/10/2016 17:59:27 - 0 Successful PFRO operations
>> >>
>> >>
>> >> The GUID that begins '3ec25' refers to the C: drive. I have no idea
>> >> what is referenced by the GUID that begins '780A' - it doesn't show in
>> >> the registry, and I can't find reference to it anywhere else on the
>> >> machine.
>> >>
>> >> I checked the eventlogs, and see that the machine rebooted at the time
>> >> noted in PFRO.log. However, the PFRO log shows that whatever it was
>> >> failed to install.
>> >>
>> >> The reboot was initiated by one of our team members as we were
>> >> completing moving some VMs around and reconfiguring VMDKs, etc.
>> >>
>> >> There were no patches pending, and no software installs recently.
>> >>
>> >> I've run a scan with ESET against the C: drive, and haven't found
>> >> anything untoward, and used ProcessExplorer's VirusTotal capability to
>> >> check memory, and it came back clean also.
>> >>
>> >> I'm really baffled - if anyone has thoughts on this, I'd surely like
>> >> to hear them.
>> >>
>> >> Kurt
>> >>
>> >>
>> >
>>
>>
>
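
Added example, not part of the thread: a small Python parser for the PFRO.log entries quoted in the original post, decoding the two NTSTATUS codes and the `!` prefix that marks a rename target as replace-existing. It assumes each entry has been rejoined onto one line (the mail wrapped them); `parse_pfro` and its field names are this example's own.

```python
import re

# NTSTATUS codes seen in the quoted log, named as in Microsoft's ntstatus.h.
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000101: "STATUS_DIRECTORY_NOT_EMPTY",
}

# Assumed layout: "<date> <time> - PFRO Error: <source>, <target>, <status>"
ENTRY = re.compile(
    r"^(?P<when>\S+ \S+) - PFRO Error:\s*(?P<src>.+),\s*(?P<dst>[^,]+),\s*"
    r"(?P<status>0x[0-9a-fA-F]+)\s*$"
)

# Two entries from the post above, rejoined onto single lines, plus the summary line.
SAMPLE = r"""
1/10/2016 17:59:27 - PFRO Error: \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\0湶甭敳獲琮穧, !\??\湶甭敳獲琮穧, 0xc0000034
1/10/2016 17:59:27 - PFRO Error: \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643, |delete operation|, 0xc0000101
1/10/2016 17:59:27 - 0 Successful PFRO operations
"""

def parse_pfro(text):
    """Return one dict per failed pending-file-rename operation."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # blank lines and the "N Successful PFRO operations" summary
        dst = m["dst"].strip()
        code = int(m["status"], 16)
        if dst == "|delete operation|":
            op, target = "delete", None
        elif dst.startswith("!"):
            # "!" prefix: the queued rename asked to replace an existing target
            op, target = "rename-replace", dst[1:]
        else:
            op, target = "rename", dst
        entries.append({
            "when": m["when"], "op": op, "source": m["src"].strip(),
            "target": target, "status": NTSTATUS.get(code, hex(code)),
        })
    return entries

if __name__ == "__main__":
    for e in parse_pfro(SAMPLE):
        print(e["when"], e["op"], e["status"], e["source"], "->", e["target"])
```
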

