Warning regarding suspicious file on C:\ [duplicate]
Upload the file to a site that scans files with multiple antivirus programs. Sites that provide that type of service for free include the following:
- VirusTotal - now owned by Google. Currently scans uploaded files with 56 antivirus programs.
- Jotti's Malware Scan
- VirSCAN
If it is malware, there is a good chance one of the antivirus programs used on those sites will identify the malware. Once you have the name given to the malware by an antivirus vendor, you may be able to search online on that name to get further information on what it does.
If it is malware, simply deleting the file or renaming it may not be sufficient to rid your system of the malware. There could be other files and Windows Registry settings associated with the malware that you may need to remove. Even if that file was one critical to the operation of the malware, some malware contains "resuscitator" code that will simply recreate or download any file it needs that you delete, if you haven't gotten rid of the rest of the malware.
So you need to scan your system with antivirus/antispyware software. I've listed some free antivirus/antispyware programs I use to scan infected systems below. Since you don't have antivirus software on your system now, there won't be any conflict with existing antivirus software.
- Ad-Aware Free Antivirus+
- Malwarebytes Anti-Malware
- Sophos Virus Removal Tool
- SUPERAntispyware
- Spybot - Search & Destroy
Note: the free versions of antivirus/antispyware programs often don't perform real-time scanning. I.e., they only scan a system when you manually start a scan. That is preferable when you have existing antivirus software as it lessens the chances for conflict between multiple antivirus programs on a system, which can significantly slow a system if each file being accessed is scanned by multiple antivirus programs, which I've even seen make a system unusable. But you should put an antivirus program that does perform real-time scanning on the system after you've eradicated any malware now on it. You should have some software constantly monitoring the system for malware to prevent infections.
So I would recommend using the free versions of the above programs initially. After you've eradicated any malware, then you could purchase the real-time scanning version of one of the above or another antivirus program.
You might need to scan the system with more than one of the above, since sometimes antivirus vendors A, B, C, and D have not yet encountered malware X, but antivirus vendor E's software knows about malware X and can eradicate it. But for malware Y, antivirus software E may be unaware of it, but B and D may have encountered it and so have a virus signature for it and know how to eradicate it.
You could also scan the system with Rootkit detector software that looks for malware that is adept at hiding itself. I've listed some free rootkit detector programs below.
- GMER
- Kaspersky TDSSKiller
- Malwarebytes Anti-Rootkit
I like to be able to boot an infected system from a Live CD, so that the operating system normally used to boot the system is not running at the time of the scan. Many antivirus vendors provide a free Live CD you can use for such purposes. Some that I've used include the following:
- Avira Rescue System
- AVG Rescue CD
- BitDefender Rescue CD
- F-Secure Rescue CD
- Kaspersky Rescue Disk
I believe I have seen what you describe on someone's system in the past that was infected with malware, but I can't recall the name of the malware responsible in that case.
If you uploaded it to VirusTotal and none of the antivirus programs it uses flagged the file as potentially unsafe, then it may be innocuos. You could do a search on a checksum for the file as Scott suggested in his comment. A checksum is determined through a mathematical calculation that should yield a unique number for a file. It is possible that two nonidentical files might have the same MD5 checksum, but that is unlikely. There are other types of checksums as well, such as those determined through a Secure Hash Algorithm.
If you upload the file to VirusTotal, click on the File Details tab after the file has been scanned. Look for the MD5 value and then search online for that value. You may find further information that way. E.g., if you inadvertently moved/renamed some operating system file or a file associated with some program on your system to this file, the MD5 checksum may reveal that, if you search online for the checksum and find it is associated with some program abcd.exe, for instance, then you may have inadvertently renamed abcd.exe. Or at least you could get some idea of the file's original purpose. The File Details tab may also provide you with additional information about the contents of the file you uploaded, e.g., if any publisher or copyright information was found in the file.
If you upload the file to Jotti's Malware Scan, it will show you both MD5 and SHA-1 checksums for the file as well as the type of the file. E.g., it might show "PE32 executable (console) Intel 80386, for MS Windows" as the type, if the file was an executable program. VirSCAN will also show the MD5 and SHA1 checksums as well as the file type. You could also search on the SHA-1 hash, if you didn't find a match for the MD5 hash.
You could also use the Online hash encryption site. You could select other hash options, such as SHA-256 or SHA-512 and upload the file and have the site tell you the checksum value for those by clicking on the convert file button. You can then perform an online search on the hex value it provides.
The reason that Scott suggested such an approach is that, if the file you found also exists on others' systems, there is a good likelihood that someone else calculated a checksum for the file and has posted the checksum somewhere online with further details about the file. If the file on your system is unique, you won't find anything, but if it isn't, you may be able to find further information on it by that method.
For binary files, you can also look for "strings", i.e., human-readable text, in a file using Microsoft's Sysinternals program strings. It is a tool that you run from a command prompt. E.g., you might use the command below:
C:>strings "C:\Program" > examine.txt
That will result in the strings program searching the file "C:\Program" for human-readable text and storing what it finds in the file examine.txt. Open the file examine.txt with Notepad. You may find some text in there that provides a clue as to the origin of the file. E.g., you might see a company name or even copyright information, such as "Copyright (c) 1997 Microsoft Corp.1" You could even see a URL. Or you might not see anything that helps you guess as to the origin of the file. But it is another check you can perform.
If you don't find anything that seems suspicous regarding the file, then it may be safe to simply rename it or delete it, but look to see if it reappears, e.g., for instance if it comes back later in the day or after a reboot.