Malware? Root Folder randomly accumulating {} files and boot mgr failure

[BJZeak]

XP Pro SP3 machine with Norton 360 has died twice in 3 months due to MISSING BOOT MANAGER failure ... the first time I restored this by cloning to a new drive and running FIXMBR ... the second time I wasn't that lucky ... had to do a RECOVER INSTALL from a SP2 OS CD ... after doing SP3 followed by 150+ updates I was able to get back into the machine.

In both cases the root folder was clogged with over 20 thousand {***...***} files of various lengths (the file names resemble Registry Keys but are all random and don't match any thing in the registry) ... these started randomly populating again over a 24hr period so whatever was causing this original issue appears to be still active ... the machine has run no errors with DELL's Diags for over 24 hrs ... I scanned the machine with Microsofts safety Scan, Malwarebytes and Norton 360 but can't find anything ... sfc /scannow also revealed nothing.

I wanted to use filemon from Windows System Internals but this appears to have been discontinued by Microsoft ... they said to use ProcMon however this crashes ... as the hardware checks out, I suspect this crash may be related to whatever this machine is infected with?

Any other ideas would be welcome ... this machine has been running 24/7 for several years with plenty of customizations ... it would be a real chore to attempt to recover it's current state after a Clean install.

 

[strongm]

One of the more recent versions of Filemon is available here:

http://www.softpedia.com/progDownload/Filemon-Download-3365.html

 

[BJZeak]

Yes Thank-you, I actually found this a few hours ago, version 7.04, and it has captured the culprit ... now searching my system for this ... file ccsvchst is writing these files to my root folder ... a search on this file indicates it is a Mcaffee scanner ... I don't recall ever using Mcaffee on this machine so this must be some malware.

 

[strongm]

>a Mcaffee scanner

Er ... Symantec/Norton, I think.

 

[BJZeak]

Yes I found this in the Norton Program Folder too ... norton.com has nothing relating to this issue ... so still looking for a solution

 

[goombawaho]

Strange, would like to see a screen shot of the file names in question. But, I don't recommend the Norton 360 product at all. Norton Internet Security seems to be a better-behaving beast if you must go with Norton.
What about trying the following malware scanners:
TDSSKiller
Rogue Killer

If those find anything suspicious, might want to remove Norton completely, reboot, run the Norton removal tool and reboot again.
Then run combofix.

If clean, I'd then hesitate to put Norton back on just on general principles. If you "behave yourself" on the internet, you can probably get away with Microsoft Security Essentials.

 

[strongm]

Sounds like GUIDS. There are a number of applications that sometimes legitimately create these sorts of files/folders. But not 20000, and not normally in the root folder

 

[BJZeak]

This is just in the last 12 hrs

08/01/2013 07:28 AM 2,424 {00A32CE2-A5B0-46AC-98C9-7EE893613423}
08/01/2013 12:48 AM 2,304 {0250ECC6-DDBB-41D6-AA60-756DAE5AA5AE}
08/01/2013 06:08 AM 2,424 {0BB8CED2-F389-426E-9312-3C7B46CF1C2D}
08/01/2013 03:10 AM 2,424 {0BFC9722-EBAC-4B05-B165-E8EB26FF759F}
08/01/2013 12:58 AM 2,608 {0CF459DC-1A03-4F79-96D0-5787728652A8}
08/01/2013 06:49 AM 2,424 {16D44A52-E716-4D90-AD71-B63FBB181D41}
08/01/2013 12:59 AM 2,304 {18032AC3-088A-438A-9997-2A2499D9094C}
08/01/2013 03:03 AM 2,424 {18CD4E66-1B58-4F04-8A21-EAF82E8FC868}
08/01/2013 01:04 AM 2,608 {2BB9B67B-CE16-4FA9-AC55-AF92C19CD1DE}
08/01/2013 06:25 AM 2,424 {3449D5A7-8562-4680-8547-A9FD2315F444}
08/01/2013 07:35 AM 2,424 {3685FBDA-A2EE-4555-B59A-4D093869C1E3}
08/01/2013 08:40 AM 2,424 {374A9832-82A1-4817-9544-33A42CD9A4BD}
08/01/2013 05:28 AM 2,424 {3A1823A4-4852-4825-96D1-395E4AE1957D}
08/01/2013 02:17 AM 2,424 {3A2EBBE0-CA40-4B3A-A820-DC0B3B8A83D5}
08/01/2013 06:31 AM 2,424 {3EBB0AFB-7E56-40E4-9810-8E3A3C7DBBE1}
08/01/2013 04:00 AM 2,424 {41C08C6C-13E6-4BA5-A1DD-B71F242C1C38}
08/01/2013 05:40 AM 2,424 {431BC34F-6C46-4ADA-9D79-2FCD25A41522}
08/01/2013 05:16 AM 2,424 {4738818E-BD0B-422E-AD0B-75B97DB379E4}
08/01/2013 01:02 AM 2,424 {48D10978-086A-470A-A93D-0593B77B2D4D}
08/01/2013 12:03 AM 2,424 {48E3FA63-5C16-4998-A732-32A7830E6A6D}
08/01/2013 08:01 AM 2,424 {4A39FCB4-3D00-4B84-98D6-DE68FCADFC53}
08/01/2013 06:38 AM 2,424 {4C1A574B-E5C2-4D58-AA31-E998959F898E}
08/01/2013 04:33 AM 2,424 {4CE4159B-1624-47AD-8444-8036F9E77360}
08/01/2013 07:56 AM 2,424 {562287C5-3036-4B54-9D0F-5146EFCBEF75}
08/01/2013 12:31 AM 2,424 {5739A5E2-6905-4430-B7DB-92E7DE39B95F}
08/01/2013 07:46 AM 2,424 {5774A227-61FD-45E0-8C83-FB65EB2861A9}
08/01/2013 12:55 AM 2,432 {57E25513-C78D-4817-BE9E-CCFA9F3B0D2B}
08/01/2013 03:38 AM 2,424 {5DF0ACCD-0E56-415A-96DA-FC9690FA444C}
08/01/2013 05:53 AM 2,424 {60CD540D-48B5-458C-9AC2-627C61619410}
08/01/2013 05:34 AM 2,424 {6189840E-D784-4488-A948-F864A546AE5F}
08/01/2013 04:13 AM 2,304 {6943C57A-BECB-42FA-8A5E-53227545184D}
08/01/2013 04:51 AM 2,424 {6ABAC24C-56BE-4E5A-985E-D5962DC350E7}
08/01/2013 08:51 AM 2,424 {6B820340-9610-44FF-BF75-2400ED8DAA1D}
08/01/2013 08:34 AM 2,424 {7CBE3BB0-9F32-4FD1-82B1-DA02151119D4}
08/01/2013 01:00 AM 2,320 {84224374-1B82-405D-8020-8003B64E0170}
08/01/2013 06:04 AM 2,432 {8815F81E-1D75-4056-B095-D7E042CFC935}
08/01/2013 07:22 AM 2,424 {8910838B-46A1-4C2E-A60E-FF078C48C084}
08/01/2013 02:57 AM 2,424 {8B60CDF0-CFAE-4E5F-A7CB-C719C9235B7B}
08/01/2013 08:18 AM 2,424 {95169783-81FD-43B8-95AE-1272EEBEFA1B}
08/01/2013 08:24 AM 2,424 {A3A4B957-B47E-4BE1-974C-2F5D518414EA}
08/01/2013 05:46 AM 2,424 {A4862BDF-F47A-43DB-912F-B30F11D1836E}
08/01/2013 02:51 AM 2,424 {A4DA2AB8-60D5-48A8-AF56-6A63C6FBCA4B}
08/01/2013 02:28 AM 2,424 {A5B929AE-0D07-4636-ABD2-8CD40A3B0471}
08/01/2013 03:54 AM 2,424 {A710112F-D381-4170-8D18-F286EF4A37A1}
08/01/2013 05:22 AM 2,424 {A7635B2A-F640-404D-A3E8-E1F2B679D6DB}
08/01/2013 06:02 AM 2,304 {A79D929D-8CD8-4796-92B6-50CAB0EE37F6}
08/01/2013 04:06 AM 2,424 {A8968BD8-15C9-430D-9844-B7EE5E758A34}
08/01/2013 08:14 AM 2,424 {A9CF4FC5-6963-4B13-8EAA-1E53BC04C5FB}
08/01/2013 08:56 AM 2,424 {B4EA99F7-7DB2-4DFF-B10C-47EA2E2CE735}
08/01/2013 04:45 AM 2,424 {BBB58C68-56D2-4D9E-903E-FFF13DCB1A81}
08/01/2013 06:09 AM 2,304 {C03868C7-8D10-46B5-87FB-A3C75022485F}
08/01/2013 02:45 AM 2,424 {C25A1414-B906-455A-BE80-B040F19FBF80}
08/01/2013 03:15 AM 2,424 {C9186775-DD70-4673-847E-CAAAC8B84051}
08/01/2013 08:29 AM 2,424 {CD996357-3B45-45FA-9D45-1D902C185175}
08/01/2013 02:22 AM 2,424 {D48BBA64-95F9-4BE4-BC11-799225D7B4CF}
08/01/2013 01:03 AM 2,432 {D6EBBF82-77C1-46CF-AA35-F0F055235455}
08/01/2013 02:40 AM 2,424 {D8FE454C-187A-49C5-83FA-25BBD005B0CA}
08/01/2013 06:58 AM 2,424 {DF1A3266-3557-47D2-8143-5E3DC23E8D46}
08/01/2013 03:22 AM 2,424 {E308E2DA-01B9-49AF-8F00-B05E82721778}
08/01/2013 05:03 AM 2,424 {E90B7B6C-4777-47FC-843C-898DD51FFD78}
08/01/2013 04:39 AM 2,424 {EA3268EB-A5D9-4B2F-B159-3E8BEF65E8E9}
08/01/2013 07:16 AM 2,424 {EB1B3CA4-E083-4850-B0F8-EE3A2F1CAC0F}
08/01/2013 12:56 AM 2,320 {EEF0AE18-A9E0-4D00-A55D-A1C44060FFA1}
08/01/2013 04:57 AM 2,424 {F39008F9-8945-4DFD-9D02-5C09B8543741}
08/01/2013 03:48 AM 2,424 {F3DF99FB-C393-40DF-8263-F3445BFE6280}
08/01/2013 03:27 AM 2,424 {F4703834-E17E-420B-9C1F-942B470B6E0E}
08/01/2013 02:34 AM 2,424 {F4AD638D-6663-4C8E-8816-DB5885E7153B}
08/01/2013 06:19 AM 2,424 {F96678F5-7878-44A8-B050-5FBAAF914F77}
08/01/2013 07:10 AM 2,424 {FD44800F-2838-42FD-A256-E0EF142C45FD}
08/01/2013 04:23 AM 2,424 {FFA6655D-539B-4E78-8DDC-F9CBC9281EEF}

 

[BJZeak]

Thanx for the input ... Norton Support has provided me with a Reinstall tool which I will attempt first ... 360 is certainly a different animal ... I used to use NS, I have also used Essentials amoung others ... 360 I think was developed more for people that want a hands off security product ... I find it isn't easy to make advanced setup changes in 360 ... but touch wood it has provided me adequate security for several years now on 3 local machines. Security products are always one or more steps behind so it is good to practice to be safe on the internet ... although having been to a few Cisco Conferences I not so sure that the Internet will ever be safe. Windows 8 claims to have a new way to stop unknown processes from running ... personally I am using VM's to do most of my Internet activities now ... I can replace a VM in no time plus network hardware is turned off on any machine not requiring internet.

 

[BJZeak]

Thank-you everyone for all the ideas ... I think this has been resolved with the Norton reinstall. The machine has been working for several hours now with no more random files.

NRnR.exe which I received via the Norton online CHAT Support Service, did both the uninstall and reinstall automatically ... this was a free service and took less then 15 minutes to arrive at a solution ... the tech went straight to the point without the typical scripted questions. A+ for Norton.

 

[goombawaho]

I'll tell you one thing about Norton 360. A few years ago, if a computer was slower than I thought it should, based on the specs, it usually had Norton 360 on it. I usually removed it and customers were very appreciative. Can't comment on the beast as of today because I haven't seen it in a while, but...........