The Administrators group owns them.

Kurt
On Fri, Jan 22, 2016 at 1:49 PM, Richard Stovall <[email protected]> wrote:
> Who owns them?
>
> On Fri, Jan 22, 2016 at 4:39 PM, Kurt Buff <[email protected]> wrote:
>>
>> But, you sparked a memory, and I marked down another possibility as
>> negative.
>>
>> Alternate Data Streams.
>>
>> I used the Sysinternals streams utility - that came up negative
>> against the directory and the files.
>>
>> Kurt
>>
>> On Fri, Jan 22, 2016 at 1:18 PM, Richard Stovall <[email protected]> wrote:
>> > Did you get hashes of the files and run them through your favorite
>> > Google search engine?
>> >
>> > On Fri, Jan 22, 2016 at 3:49 PM, Kurt Buff <[email protected]> wrote:
>> >>
>> >> All,
>> >>
>> >> I logged into our file server to do some work on it, and noticed a new
>> >> directory - C:\780A76EB-C496-4C3D-B653-F2AF085FA643\
>> >>
>> >> It contained the following zero-length files, marked as Read-only,
>> >> Hidden, System:
>> >> 0湶甭敳獲琮穧
>> >> 1㍄ᄢ
>> >> 2㍄ᄢ
>> >> 3虯戱❮耀
>> >>
>> >> The dates on the files and directory are 2016-01-04 18:28. Perms on the
>> >> files/directory are innocuous. One thing that's very weird is that the
>> >> filenames are in two different character sets - they show as Chinese
>> >> and Korean in Google Translate's autodetection.
>> >>
>> >> I did a lot of searching, and finally found reference to the
>> >> directory/files in the PFRO.log:
>> >>
>> >> 1/10/2016 17:59:27 - PFRO Error:
>> >> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\0湶甭敳獲琮穧,
>> >> !\??\湶甭敳獲琮穧, 0xc0000034
>> >> 1/10/2016 17:59:27 - PFRO Error:
>> >> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\1㍄ᄢ,
>> >> !\??\㍄ᄢ, 0xc0000034
>> >> 1/10/2016 17:59:27 - PFRO Error:
>> >> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\2㍄ᄢ,
>> >> !\??\㍄ᄢ, 0xc0000034
>> >> 1/10/2016 17:59:27 - PFRO Error:
>> >> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\3虯戱❮耀,
>> >> !\??\虯戱❮耀, 0xc0000034
>> >> 1/10/2016 17:59:27 - PFRO Error:
>> >> \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643,
>> >> |delete operation|, 0xc0000101
>> >> 1/10/2016 17:59:27 - 0 Successful PFRO operations
>> >>
>> >> The GUID that begins '3ec25' refers to the C: drive. I have no idea
>> >> what is referenced by the GUID that begins '780A' - it doesn't show in
>> >> the registry, and I can't find reference to it anywhere else on the
>> >> machine.
>> >>
>> >> I checked the eventlogs, and see that the machine rebooted at the time
>> >> noted in PFRO.log. However, the PFRO log shows that whatever it was
>> >> failed to install.
>> >>
>> >> The reboot was initiated by one of our team members as we were
>> >> completing moving some VMs around and reconfiguring VMDKs, etc.
>> >>
>> >> There were no patches pending, and no software installs recently.
>> >>
>> >> I've run a scan with ESET against the C: drive, and haven't found
>> >> anything untoward, and used ProcessExplorer's VirusTotal capability to
>> >> check memory, and it came back clean also.
>> >>
>> >> I'm really baffled - if anyone has thoughts on this, I'd surely like
>> >> to hear them.
>> >>
>> >> Kurt
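Added triage example (not code from anyone in the thread): it parses the quoted PFRO.log lines, maps the NTSTATUS values to their names (0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND, 0xC0000101 is STATUS_DIRECTORY_NOT_EMPTY), and tests whether the CJK-looking file names are really 8-bit bytes that were displayed as UTF-16LE code units. That "bytes shown as UTF-16" reading is an assumption of the example, not something established in the thread; the sample log lines are copied from the post and joined onto one line each.

```python
# Added example: decode PFRO.log error lines and test whether odd file names
# are 8-bit bytes rendered as UTF-16LE (two ASCII bytes become one CJK unit).
import re
from typing import Optional

# NTSTATUS values present in the quoted log (names from ntstatus.h).
NTSTATUS = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
            0xC0000101: "STATUS_DIRECTORY_NOT_EMPTY"}

# Constructed sample: two PFRO.log lines from the post, each on one line.
PFRO_SAMPLE = r"""1/10/2016 17:59:27 - PFRO Error: \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643\0湶甭敳獲琮穧, !\??\湶甭敳獲琮穧, 0xc0000034
1/10/2016 17:59:27 - PFRO Error: \??\Volume{3ec25e25-a333-11e3-80b4-806e6f6e6963}\780A76EB-C496-4C3D-B653-F2AF085FA643, |delete operation|, 0xc0000101"""

# "<date> <time> - PFRO Error: <src>, <dst>, <status>"
PFRO_RE = re.compile(r"^(\S+ \S+) - PFRO Error: (.*?), (.*?), (0x[0-9A-Fa-f]{8})$")


def mojibake_bytes(text: str) -> bytes:
    """Bytes that, when read as UTF-16LE, would display as `text`."""
    return text.encode("utf-16-le")


def as_ascii(raw: bytes) -> Optional[str]:
    """Return `raw` as text if every byte is printable ASCII, else None."""
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None


def decode_name(name: str) -> dict:
    """Keep the plain-ASCII prefix, then inspect the non-ASCII tail as bytes."""
    i = 0
    while i < len(name) and ord(name[i]) < 0x80:
        i += 1
    raw = mojibake_bytes(name[i:])
    return {"prefix": name[:i], "tail_hex": raw.hex(), "tail_ascii": as_ascii(raw)}


def parse_pfro(log: str) -> list:
    """Parse PFRO error lines into dicts with a named status and decoded name."""
    rows = []
    for line in log.splitlines():
        m = PFRO_RE.match(line)
        if not m:
            continue  # ignore summary lines such as "0 Successful PFRO operations"
        ts, src, dst, status = m.groups()
        code = int(status, 16)
        rows.append({"time": ts, "src": src, "dst": dst,
                     "status": NTSTATUS.get(code, f"unknown {status}"),
                     "name": decode_name(src.rsplit("\\", 1)[-1])})
    return rows


if __name__ == "__main__":
    for row in parse_pfro(PFRO_SAMPLE):
        print(row["status"], row["dst"], row["name"])
```

A tail that decodes to printable ASCII (or to a recognisable byte pattern in `tail_hex`) points at an encoding mix-up in whatever queued the rename; a tail that does not decode that way tells you nothing either way.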
