Warning regarding suspicious file on C:\

1

I have a strange warning message that happens on startup of Windows 7.

It has started only recently and says there is a problem with a file on my computer called C:\Program. It also says renaming it C:\Program 1 would fix this problem. To be precise,

File Name Warning

There is a file or folder on your computer called "C:\Program" which could cause certain applications to not function correctly.  Renaming it to "C:\Program 1" would solve this problem.  Would you like to rename it now?
                        (Rename) (Ignore)

I took a screenshot of this dialog:

warning dialog

So far I have said not to rename it, before I know what it is.

This is what the file looks like in Notepad:

4 ›˜ýÒc?¾Bº3Ldgk/Œ$Oð½      ñ½  ½ÛéÕŽÄl(   ò½  ê¢ñ6£b(   ó½  ;¿¤¸îX (   ô½  ÞÞµkæ (   

These are the General properties of the file:

properties of file

I cannot find anyone on the Internet with the same problem as me and would like advice on whether to leave, rename or delete this file. I also want to know what it is.

carefulnow1

Posted 2015-08-15T12:09:27.877

Reputation: 141

Question was closed 2015-08-15T13:15:01.853

Also note I have no antivirus software of any kind, so this may be a virus, but I am not sure. – carefulnow1 – 2015-08-15T12:11:15.930

Also, I am aware there is another solution for this on Super User but it does not work for me so I would appreciate it if this question didn't get flagged for repetition. (http://superuser.com/questions/747830/file-name-warning-for-c-program)

– carefulnow1 – 2015-08-15T12:13:41.687

What happened when you went into Safe Mode and attempted to delete the said file? – Darius – 2015-08-15T12:25:40.077

I could delete the file now however I want to know what it is. – carefulnow1 – 2015-08-15T12:31:06.723

Wouldn't have a clue. I doubt anyone here knows. If it was a virus, the only one who can confirm it would be the virus maker as they know what they did to make it. – Darius – 2015-08-15T12:32:22.583

What happens if you try to copy a file to C:\ (or create a new one there)?  Do you get an error message or a UAC dialog?  Or does it just work?  If the latter (you can modify C:\ freely), then (1) you should fix that (harden your system), and (2) you might have created the file yourself (probably by accident).  I suggest that you do a Windows Explorer search for size:96 datemodified:10/‎6/‎2009 and see whether the mystery file is a copy of a legitimate file.  It seems to me that a non-hidden file in the root directory is not the most likely manifestation for malware. – Scott – 2015-08-15T18:09:42.790

+Scott When I rename it manually I get asked for administrator permission. I have renamed it now but did not use the initial warning. This could be because of where it is (top level C:) however, top level C:\ edits have never needed administrator permission before. – carefulnow1 – 2015-08-16T13:02:09.110

3

I don't agree about the duplicate, but if reopened then I would vote to close as a duplicate of Why can a program named “C:\Program” influence other programs? (As an aside, I get many hits when searching.)

– Arjan – 2015-08-16T15:51:13.313

+Arjan well if you don't agree with the duplicate why would you vote for it to be closed? – carefulnow1 – 2015-08-16T23:21:22.780

3

I meant: even if it were not closed as a duplicate of How can I remove malicious spyware, malware, viruses or rootkits from my PC? then I would vote to close in favour of Why can a program named “C:\Program” influence other programs. Thinking about it, I guess the first will give you ways to get rid of the cause, while the latter will explain how it might be created and why it's dangerous. Together they should solve your issue.

– Arjan – 2015-08-18T21:22:48.697

Answers

1

Upload the file to a site that scans files with multiple antivirus programs. Sites that provide that type of service for free include the following:

  1. VirusTotal - now owned by Google. Currently scans uploaded files with 56 antivirus programs.
  2. Jotti's Malware Scan
  3. VirSCAN

If it is malware, there is a good chance one of the antivirus programs used on those sites will identify the malware. Once you have the name given to the malware by an antivirus vendor, you may be able to search online on that name to get further information on what it does.

If it is malware, simply deleting the file or renaming it may not be sufficient to rid your system of the malware. There could be other files and Windows Registry settings associated with the malware that you may need to remove. Even if that file was one critical to the operation of the malware, some malware contains "resuscitator" code that will simply recreate or download any file it needs that you delete, if you haven't gotten rid of the rest of the malware.

So you need to scan your system with antivirus/antispyware software. I've listed some free antivirus/antispyware programs I use to scan infected systems below. Since you don't have antivirus software on your system now, there won't be any conflict with existing antivirus software.

  1. Ad-Aware Free Antivirus+
  2. Malwarebytes Anti-Malware
  3. Sophos Virus Removal Tool
  4. SUPERAntispyware
  5. Spybot - Search & Destroy

Note: the free versions of antivirus/antispyware programs often don't perform real-time scanning. I.e., they only scan a system when you manually start a scan. That is preferable when you have existing antivirus software as it lessens the chances for conflict between multiple antivirus programs on a system, which can significantly slow a system if each file being accessed is scanned by multiple antivirus programs, which I've even seen make a system unusable. But you should put an antivirus program that does perform real-time scanning on the system after you've eradicated any malware now on it. You should have some software constantly monitoring the system for malware to prevent infections.

So I would recommend using the free versions of the above programs initially. After you've eradicated any malware, then you could purchase the real-time scanning version of one of the above or another antivirus program.

You might need to scan the system with more than one of the above, since sometimes antivirus vendors A, B, C, and D have not yet encountered malware X, but antivirus vendor E's software knows about malware X and can eradicate it. But for malware Y, antivirus software E may be unaware of it, but B and D may have encountered it and so have a virus signature for it and know how to eradicate it.

You could also scan the system with Rootkit detector software that looks for malware that is adept at hiding itself. I've listed some free rootkit detector programs below.

  1. GMER
  2. Kaspersky TDSSKiller
  3. Malwarebytes Anti-Rootkit

I like to be able to boot an infected system from a Live CD, so that the operating system normally used to boot the system is not running at the time of the scan. Many antivirus vendors provide a free Live CD you can use for such purposes. Some that I've used include the following:

  1. Avira Rescue System
  2. AVG Rescue CD
  3. BitDefender Rescue CD
  4. F-Secure Rescue CD
  5. Kaspersky Rescue Disk

I believe I have seen what you describe on someone's system in the past that was infected with malware, but I can't recall the name of the malware responsible in that case.

If you uploaded it to VirusTotal and none of the antivirus programs it uses flagged the file as potentially unsafe, then it may be innocuous. You could do a search on a checksum for the file as Scott suggested in his comment. A checksum is determined through a mathematical calculation that should yield a unique number for a file. It is possible that two nonidentical files might have the same MD5 checksum, but that is unlikely. There are other types of checksums as well, such as those determined through a Secure Hash Algorithm.

If you upload the file to VirusTotal, click on the File Details tab after the file has been scanned. Look for the MD5 value and then search online for that value. You may find further information that way. E.g., if you inadvertently moved/renamed some operating system file or a file associated with some program on your system to this file, the MD5 checksum may reveal that, if you search online for the checksum and find it is associated with some program abcd.exe, for instance, then you may have inadvertently renamed abcd.exe. Or at least you could get some idea of the file's original purpose. The File Details tab may also provide you with additional information about the contents of the file you uploaded, e.g., if any publisher or copyright information was found in the file.

If you upload the file to Jotti's Malware Scan, it will show you both MD5 and SHA-1 checksums for the file as well as the type of the file. E.g., it might show "PE32 executable (console) Intel 80386, for MS Windows" as the type, if the file was an executable program. VirSCAN will also show the MD5 and SHA1 checksums as well as the file type. You could also search on the SHA-1 hash, if you didn't find a match for the MD5 hash.

You could also use the Online hash encryption site. You could select other hash options, such as SHA-256 or SHA-512 and upload the file and have the site tell you the checksum value for those by clicking on the convert file button. You can then perform an online search on the hex value it provides.

The reason that Scott suggested such an approach is that, if the file you found also exists on others' systems, there is a good likelihood that someone else calculated a checksum for the file and has posted the checksum somewhere online with further details about the file. If the file on your system is unique, you won't find anything, but if it isn't, you may be able to find further information on it by that method.

For binary files, you can also look for "strings", i.e., human-readable text, in a file using Microsoft's Sysinternals program strings. It is a tool that you run from a command prompt. E.g., you might use the command below:

C:\>strings "C:\Program" > examine.txt

That will result in the strings program searching the file "C:\Program" for human-readable text and storing what it finds in the file examine.txt. Open the file examine.txt with Notepad. You may find some text in there that provides a clue as to the origin of the file. E.g., you might see a company name or even copyright information, such as "Copyright (c) 1997 Microsoft Corp.1" You could even see a URL. Or you might not see anything that helps you guess as to the origin of the file. But it is another check you can perform.

If you don't find anything that seems suspicious regarding the file, then it may be safe to simply rename it or delete it, but look to see if it reappears, e.g., for instance if it comes back later in the day or after a reboot.

moonpoint

Posted 2015-08-15T12:09:27.877

Reputation: 4 432

1

If the malware identification tools/sites do not identify the file, try just doing a web search for its checksums (e.g., MD5 or SHA — virustotal.com, for example, will tell you a SHA checksum for any file you upload).  It might turn out to be a known, benign file that just got copied (or moved) to the wrong place (the root directory). – Scott – 2015-08-15T18:19:34.353

None of the anti-virus websites have flagged this up. – carefulnow1 – 2015-08-16T13:03:15.057

@odixon, I added additional information on checksums and strings that may be in the file based on your comment and Scott's comment. – moonpoint – 2015-08-16T15:33:46.657
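The checksum and strings checks described in the answer above can also be run locally, without uploading the file anywhere. The following is an added example, not part of the original answer or comments; the `SAMPLE` bytes, the function names and the 4-character minimum are assumptions made for illustration.

```python
import hashlib
import re
import sys

MIN_LEN = 4  # shortest printable run reported (assumed default)

# Constructed sample: a few binary bytes, one ASCII string, one UTF-16LE string.
SAMPLE = (b"\x04\x00\x9b\x98\xfd\xd2" + b"Copyright (c) Example Corp" + b"\x00\xf1\xbd"
          + "abcd.exe".encode("utf-16-le") + b"\x00\x00")


def file_hashes(data):
    """Hex digests that can be pasted into a web search or a scanner's hash lookup."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def extract_strings(data, min_len=MIN_LEN):
    """Printable ASCII runs, then UTF-16LE runs (common in Windows binaries)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    found = [run.decode("ascii") for run in ascii_runs]
    found += [run.decode("utf-16-le") for run in wide_runs]
    return found


def triage(data):
    """Summarise an unknown file's bytes without executing anything."""
    return {
        "size": len(data),
        "looks_like_pe": data[:2] == b"MZ",  # coarse check: Windows executables start with MZ
        "hashes": file_hashes(data),
        "strings": extract_strings(data),
    }


if __name__ == "__main__":
    # With an argument, read that file (read-only); otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    report = triage(data)
    print("size:", report["size"], "bytes; MZ header:", report["looks_like_pe"])
    for name, digest in report["hashes"].items():
        print(name, digest)
    for text in report["strings"]:
        print("string:", text)
```

An empty strings list and hashes with no search hits match the "unique file" case the answer describes.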