Solved

Spooky file in program files

Posted on 2014-09-18
Last Modified: 2014-09-18
I'm using Windows 8.1. I've got a file in c:\program files (yes, it's 32-bit, but the path's been hard-coded into a legacy app). I just can't understand it: I replace the file with a newer version, but the old version seems to persist???
Question by:Silas2
10 Comments
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40330218
What do you see here?  You have not provided any information.
0
 

Author Comment

by:Silas2
ID: 40330307
It's very strange. I have the file in program files, I delete it, replace it with a new version, but when I open the new version, it turns out to be the old one. I know I can't believe my own eyes, but it's true (I've just done it again to check I wasn't going mad).

This file was executed by a Shell(appname) function from another app, but that calling app is closed, but it's as if the spooky app file is being held somehow.
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40330318
It would appear you have a virus.

Download Process Explorer from Microsoft, install it and run it. Look down the left hand side for Explorer and see if there are any alphanumeric processes running there. If so, kill them, and do NOT restart.

Get Malwarebytes and scan with it to remove viruses (malwarebytes.org).
0

Author Comment

by:Silas2
ID: 40330440
No, it's definitely not a virus. I don't run anti-virus software, so I never get viruses!!

It's so spooky: if I rename the parent folder, I get the new version, but when I rename it back, I get the old version.

The start of this was the Shell(appname). The app then threw an exception. I think it could have possibly corrupted the folder structure though... somehow, the older version of the file just persists in that position no matter what I do to replace it.
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40330456
If you don't run anti virus and click on a bogus link, you can easily get viruses. My guess is that over half of "strange" issues in here are caused by viruses. Root kits are especially bad.

Even if you think it is not a virus, please tell us what Process Explorer said (as I described above).

If you are certain it is not a virus, then you have installed legacy and incompatible software on your Windows 8.1 machine. Look in Programs and Features and see if you can uninstall.

If not, you may need to run a Windows 8.1 Refresh (Action Center, Recovery Options). This will protect data but uninstall software you added after starting up Windows 8.1.
0
 

Author Comment

by:Silas2
ID: 40330467
You have to do more than click on a bogus link, you have to let Windows install a piece of malicious code. That's why I've never bothered with anti-virus: the overhead is frightening, plus the worst offender is corporate spyware, which they, out of courtesy, don't detect. But don't get me started, it's like the millennium bug...

I think it must be a damaged folder structure caused by the exception... it's a new PC/install of Windows 8.1, don't you?
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40330476
No, what you are posting is not entirely true. Drive by links are very very common. I never run without Anti Virus or let my clients run without Anti Virus.

On the other question, yes, it could be a damaged install of Windows 8.1. See if a Refresh clears this up and if not, then format the hard drive and install Windows 8.1 again.

If you do the reinstall, don't forget BIOS, Chipset and Video upgrades to get started and then update all your drivers.

I have been running Windows 8 / 8.1 for about a year and a half and what you describe has not happened to me.
0
 

Author Comment

by:Silas2
ID: 40330542
It's not Win8, it's this funny event: shell command, exception. It could have taken a tiny chunk from the file system so it's confusing the FAT, or whatever it is now.

What I don't understand about the 'Drive By links' threat is that Windows is still required to ask permission to install any executable. How can a drive-by link circumvent that?
0
 
LVL 97

Accepted Solution

by:
Experienced Member earned 2000 total points
ID: 40330567
You said "I'm using Windows 8.1," so if not Windows 8 / 8.1, what are you running? Windows 8 / 8.1 uses NTFS, not FAT. Something appears to have damaged your operating system. Your description has become very confusing by saying now it is FAT and not Windows 8.

"Drive by links" work by people clicking and OK'ing the result. It is called social engineering.
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40330603
@Silas2  - Thank you, and good luck setting up Windows 8.1 again. I have it running quite smoothly.
0


Question has a verified solution.
