asked on File Name Renaming
Is this an indication that I have a virus or something? Has my server been hacked, I'm running windows server 2012 R2.
![file name renaming]()
PCWindows 7Windows Server 2012
Last Comment
Dan
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
but I never tried to create a folder called Program, it just comes up by itself.
somewhere, somehow, malware, installed program, task schedule the probable cause is missing quotation marks around c:\program files\blah which then creates the folder c:\program and then errors out.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
the same message appeared now on a 2nd server, this is strange. I'll run for malware, but I doubt it's that.
Per your original image, does this happen at startup, e.g. after you logon?
ASKER
When I log into the server.
Check for suspects. your Startup folder, and Task Scheduler, and registry keys:
C:\Users\username\AppData\
C:\ProgramData\Microsoft\W
HKCU\Software\Microsoft\Wi
HKCU\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
C:\Users\username\AppData\
C:\ProgramData\Microsoft\W
HKCU\Software\Microsoft\Wi
HKCU\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
ASKER
C:\Users\username\AppData\
(Nothing here, empty) But it could be in other profiles, as there's a lot of other account profiles on this server
C:\ProgramData\Microsoft\W
(Nothing here, empty) But it could be in other profiles, as there's a lot of other account profiles on this server
I've attached what's in msconfig.
![startup]()
HKCU\Software\Microsoft\Wi
(The only thing here is my symantec backup exec exe file)
HKCU\Software\Microsoft\Wi
(nothing here)
HKLM\Software\Microsoft\Wi
(everything.exe is here, which is I know what it is, but then I don't know what this is,
it's MtxHotPlugService.exe v) It's in the system32 directory, so I'm assuming it's part of the OS.
HKLM\Software\Microsoft\Wi
(Nothing here)
HKLM\Software\Microsoft\Wi
(That folder does not exist)
HKLM\Software\Microsoft\Wi
(That folder does not exist)
(Nothing here, empty) But it could be in other profiles, as there's a lot of other account profiles on this server
C:\ProgramData\Microsoft\W
(Nothing here, empty) But it could be in other profiles, as there's a lot of other account profiles on this server
I've attached what's in msconfig.
HKCU\Software\Microsoft\Wi
(The only thing here is my symantec backup exec exe file)
HKCU\Software\Microsoft\Wi
(nothing here)
HKLM\Software\Microsoft\Wi
(everything.exe is here, which is I know what it is, but then I don't know what this is,
it's MtxHotPlugService.exe v) It's in the system32 directory, so I'm assuming it's part of the OS.
HKLM\Software\Microsoft\Wi
(Nothing here)
HKLM\Software\Microsoft\Wi
(That folder does not exist)
HKLM\Software\Microsoft\Wi
(That folder does not exist)
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Its my sql server so I can't restart it during production hours.
did you check -as i asked - if the program folder exists??
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks guys, I should have remembered about autoruns, I used to use it frequently.
I found that my AV program, Webroot was trying to create a folder called program in the rot of C.
I escalated the issue with webroot.
I found that my AV program, Webroot was trying to create a folder called program in the rot of C.
I escalated the issue with webroot.