File Name Renaming
Is this an indication that I have a virus or something? Has my server been hacked, I'm running windows server 2012 R2.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
somewhere, somehow, malware, installed program, task schedule the probable cause is missing quotation marks around c:\program files\blah which then creates the folder c:\program and then errors out.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
the same message appeared now on a 2nd server, this is strange. I'll run for malware, but I doubt it's that.
Per your original image, does this happen at startup, e.g. after you logon?
ASKER
When I log into the server.
Check for suspects. your Startup folder, and Task Scheduler, and registry keys:
C:\Users\username\AppData\
C:\ProgramData\Microsoft\W
HKCU\Software\Microsoft\Wi
HKCU\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
C:\Users\username\AppData\
C:\ProgramData\Microsoft\W
HKCU\Software\Microsoft\Wi
HKCU\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
HKLM\Software\Microsoft\Wi
ASKER
C:\Users\username\AppData\
(Nothing here, empty) But it could be in other profiles, as there's a lot of other account profiles on this server
C:\ProgramData\Microsoft\W
(Nothing here, empty) But it could be in other profiles, as there's a lot of other account profiles on this server
I've attached what's in msconfig.
HKCU\Software\Microsoft\Wi
(The only thing here is my symantec backup exec exe file)
HKCU\Software\Microsoft\Wi
(nothing here)
HKLM\Software\Microsoft\Wi
(everything.exe is here, which is I know what it is, but then I don't know what this is,
it's MtxHotPlugService.exe v) It's in the system32 directory, so I'm assuming it's part of the OS.
HKLM\Software\Microsoft\Wi
(Nothing here)
HKLM\Software\Microsoft\Wi
(That folder does not exist)
HKLM\Software\Microsoft\Wi
(That folder does not exist)
(Nothing here, empty) But it could be in other profiles, as there's a lot of other account profiles on this server
C:\ProgramData\Microsoft\W
(Nothing here, empty) But it could be in other profiles, as there's a lot of other account profiles on this server
I've attached what's in msconfig.
HKCU\Software\Microsoft\Wi
(The only thing here is my symantec backup exec exe file)
HKCU\Software\Microsoft\Wi
(nothing here)
HKLM\Software\Microsoft\Wi
(everything.exe is here, which is I know what it is, but then I don't know what this is,
it's MtxHotPlugService.exe v) It's in the system32 directory, so I'm assuming it's part of the OS.
HKLM\Software\Microsoft\Wi
(Nothing here)
HKLM\Software\Microsoft\Wi
(That folder does not exist)
HKLM\Software\Microsoft\Wi
(That folder does not exist)
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Its my sql server so I can't restart it during production hours.
did you check -as i asked - if the program folder exists??
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks guys, I should have remembered about autoruns, I used to use it frequently.
I found that my AV program, Webroot was trying to create a folder called program in the rot of C.
I escalated the issue with webroot.
I found that my AV program, Webroot was trying to create a folder called program in the rot of C.
I escalated the issue with webroot.
ASKER