What are these ~100M files in my windows\system32? Anyone else got them?

  • Thread starter J. P. Gilliver (John)


J. P. Gilliver (John)

I don't often look in my windows directories; I was looking for the wpa
files mentioned in the article linked in the "Activated Too Many Times"
thread. (God I hate "title case".) (FWIW, I have the wpa file but not
the .bak file either, like many of the respondents to the article; the
wpa file is dated just two days ago, which puzzles me - this is an OEM
system, so I've never activated Windows on it. But I'm digressing, as I
often do.)

In the c:\windows\system32 directory, I noticed four files of about 100
M, with strange names and no extensions. They're dated October (one) and
November (the other three) 2013; I've had the PC several years, so they
presumably didn't come with it. In Explorer, the names (all four of
them) appear as ??L?, where ? is a box; in a command window, ??L?. In
XTree Gold (cross-referencing the sizes from the command window as
they're too large for XTree):

L60B9~1 106,156,080 2013-11-26
L83C8~1 104,986,035 2013-11-18
L8A9A~1 103,054,676 2013-10-26
L27BF~1 102,844,835 2013-11-06
LC861~1 98,689,490 2013-10-02

(yes there's a fifth one - I didn't spot it at first as it wasn't big
enough for its size to appear as a row of #s in XTree). The /x parameter
to "dir" gives the same five names.

Anyone else have similar? Know what they are - are they malicious, or
just part of the OS? In explorer/properties, they have minimal tabs (no
owner or version, though I think that only shows anyway on certain
filetypes, such as .exe and .dll, so since these have no extension I'm
not surprised).

If they're harmless, are they just something that will reappear?
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)[email protected]+H+Sh0!:`)DNAf

.... the pleasure of the mind is an amazing thing. My life has been driven by
the satisfaction of curiosity. - Jeremy Paxman (being interviewed by Anne
Widdecombe), Radio Times, 2-8 July 2011.
 


Mayayana

|
| L60B9~1 106,156,080 2013-11-26
| L83C8~1 104,986,035 2013-11-18
| L8A9A~1 103,054,676 2013-10-26
| L27BF~1 102,844,835 2013-11-06
| LC861~1 98,689,490 2013-10-02
|

It sounds like some kind of faulty production of
TEMP files. Have you looked in them? If not, here's
a hex editor that can handle large files:

http://mh-nexus.de/en/hxd/
 

J. P. Gilliver (John)

Mayayana said:
|
| L60B9~1 106,156,080 2013-11-26
| L83C8~1 104,986,035 2013-11-18
| L8A9A~1 103,054,676 2013-10-26
| L27BF~1 102,844,835 2013-11-06
| LC861~1 98,689,490 2013-10-02
|

It sounds like some kind of faulty production of
TEMP files. Have you looked in them? If not, here's
a hex editor that can handle large files:

http://mh-nexus.de/en/hxd/
Thanks for that; looks like a useful (and dangerous!) utility.

Obviously, it isn't really practical to look through a ~100 M file.
Looking at one of them, it starts:

6C 2D C4 02 70 2D C4 02 7D 2D C4 02 8A 2D C4 02 93 2D C4 02 9C 2D C4 02
A9 2D C4 02 AF 2D C4 02 B8 2D C4 02 C5 2D C4 02 D2 2D C4 02 DC 2D C4 02
E6 2D C4 02 EF 2D C4 02 F8 2D C4 02 04 2E C4 02 09 2E C4 02 0E 2E C4 02
16 2E C4 02 1F 2E C4 02 2B 2E C4 02 35 2E C4 02 44 2E C4 02 53 2E C4 02
60 2E C4 02 6F 2E C4 02 76 2E C4 02 7D 2E C4 02 87 2E C4 02 8D 2E C4 02
93 2E C4 02 9A 2E C4 02 A4 2E C4 02 B5 2E C4 02 C0 2E C4 02 CA 2E C4 02
D4 2E C4 02 DA 2E C4 02 E0 2E C4 02 E6 2E C4 02 F1 2E C4 02 FE 2E C4 02
09 2F C4 02 10 2F C4 02 18 2F C4 02 20 2F C4 02 29 2F C4 02 32 2F C4 02
3E 2F C4 02 4A 2F C4 02 51 2F C4 02 58 2F C4 02 5F 2F C4 02 6A 2F C4 02
79 2F C4 02 88 2F C4 02 97 2F C4 02 9D 2F C4 02 A8 2F C4 02 B3 2F C4 02
BC 2F C4 02 C5 2F C4 02 CF 2F C4 02 D7 2F C4 02

and proceeds like that (four byte blocks, I can't figure out the
pattern) up to about half way through, then starts some text:

ÃNILÌJerusalem #1ÌJerusalem #1ÈUSSR-492ÈSuriv #1ÌJerusalem #2ÅCzechÈZero_BugÌJerusalem #4ÌJerusalem #4ÉSunday #1ÉSunday #1ÈSuriv #2ÈSuriv #2ËBurger-405aÄMuleÄMuleÇ8-TunesÈARCV.330ËBurger-1280ÉPerfume-AÎCascade.1701.AÎCascade.1701.HÌVienna-648-AÎCascade.1704.AÆCookieÆCookieÉOropax #1ÅMachoÅMachoÆNoBockÉSuriv-945ÐDarkAvenger-1800ÊPS!KO-1687ÉChristmasÉChristmasÅPixelÅBASIC

ending

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

05E1E0F0 4E 44 52 2E 50 6C 61 6E 6B 74 6F 6E 2E 49 2E 31  NDR.Plankton.I.1
05E1E100 36 30 DA 41 64 77 61 72 65 2F 41 4E 44 52 2E 50  60ÚAdware/ANDR.P
05E1E110 6C 61 6E 6B 74 6F 6E 2E 49 2E 31 30 33 DA 41 64  lankton.I.103ÚAd
05E1E120 77 61 72 65 2F 41 4E 44 52 2E 50 6C 61 6E 6B 74  ware/ANDR.Plankt
05E1E130 6F 6E 2E 49 2E 31 35 36 DA 41 64 77 61 72 65 2F  on.I.156ÚAdware/
05E1E140 41 4E 44 52 2E 50 6C 61 6E 6B 74 6F 6E 2E 49 2E  ANDR.Plankton.I.
05E1E150 31 30 35 D9 41 64 77 61 72 65 2F 41 4E 44 52 2E  105ÙAdware/ANDR.
05E1E160 50 6C 61 6E 6B 74 6F 6E 2E 49 2E 38 36 DA 41 64  Plankton.I.86ÚAd
05E1E170 77 61 72 65 2F 41 4E 44 52 2E 50 6C 61 6E 6B 74  ware/ANDR.Plankt
05E1E180 6F 6E 2E 49 2E 31 30 32 D9 41 64 77 61 72 65 2F  on.I.102ÙAdware/
05E1E190 41 4E 44 52 2E 50 6C 61 6E 6B 74 6F 6E 2E 49 2E  ANDR.Plankton.I.
05E1E1A0 37 36 D7 41 64 77 61 72 65 2F 41 4E 44 52 2E 4B  76×Adware/ANDR.K
05E1E1B0 75 67 75 6F 2E 42 2E 32 31 37 D7 41 64 77 61 72  uguo.B.217×Adwar
05E1E1C0 65 2F 41 4E 44 52 2E 4B 75 67 75 6F 2E 41 2E 36  e/ANDR.Kuguo.A.6
05E1E1D0 30 35 05                                          05

(and I've probably missed structures).

(By the way, HxD doesn't seem to have a "copy as plain text" - I got the
middle block above, but wasn't able to repeat whatever I did!).

So I'm not much the wiser ...
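An added example, not part of the thread: the two excerpts in the post above can be checked against each other. Read as little-endian 32-bit integers, the four-byte blocks at the start of the file form a strictly increasing sequence (6C 2D C4 02 is 0x02C42D6C, about 46 MB, roughly half of a ~100 MB file, which is where the poster says the text begins), and each step is one larger than the length of the next name in the text block: 4 for "NIL", 13 for "Jerusalem #1", 9 for "USSR-492", 13 for "Jerusalem #2", and so on down the list. In the text block the odd character before each name (Ã, Ì, È, Ú, Ù, ×) is a single byte equal to 0xC0 plus the name's length (0xCC for the 12-byte "Jerusalem #1", 0xDA for the 26-byte "Adware/ANDR.Plankton.I.103"). So the layout, inferred only from the bytes on the page, is an offset table pointing into a table of length-prefixed names, and the names themselves (Jerusalem, Cascade, Dark Avenger, Vienna, Adware/ANDR.*) are malware detection names, which fits the anti-malware-definitions guess. The Python below decodes both structures from the posted bytes and cross-checks them; the function and constant names are this example's own, and anything beyond the posted bytes (names longer than 63 characters, the rest of the file, which product wrote it) is unknown and is not assumed.

```python
"""Decode the two structures visible in the posted hex excerpts.

Layout INFERRED from the posted bytes only (an assumption, not a documented
format): the first part of the file is a table of little-endian uint32
offsets, each one (name length + 1) larger than the last; the later part is
a string table whose records are one byte of 0xC0 + len(name) followed by
the ASCII name.  Names longer than 63 bytes, and everything else in the
file, are outside what the page shows.  All names here are this example's.
"""
import struct

# Constructed test data: bytes copied from the three excerpts in the post.
HEAD_DUMP_HEX = (  # first 72 bytes of the file
    "6C 2D C4 02 70 2D C4 02 7D 2D C4 02 8A 2D C4 02 93 2D C4 02 9C 2D C4 02"
    " A9 2D C4 02 AF 2D C4 02 B8 2D C4 02 C5 2D C4 02 D2 2D C4 02 DC 2D C4 02"
    " E6 2D C4 02 EF 2D C4 02 F8 2D C4 02 04 2E C4 02 09 2E C4 02 0E 2E C4 02"
)
MIDDLE_TEXT = "ÃNILÌJerusalem #1ÌJerusalem #1ÈUSSR-492ÈSuriv #1"  # shown as Latin-1
TAIL_DUMP_HEX = (  # 05E1E0F0..05E1E1D2; begins in the middle of a name
    "4E 44 52 2E 50 6C 61 6E 6B 74 6F 6E 2E 49 2E 31"
    " 36 30 DA 41 64 77 61 72 65 2F 41 4E 44 52 2E 50"
    " 6C 61 6E 6B 74 6F 6E 2E 49 2E 31 30 33 DA 41 64"
    " 77 61 72 65 2F 41 4E 44 52 2E 50 6C 61 6E 6B 74"
    " 6F 6E 2E 49 2E 31 35 36 DA 41 64 77 61 72 65 2F"
    " 41 4E 44 52 2E 50 6C 61 6E 6B 74 6F 6E 2E 49 2E"
    " 31 30 35 D9 41 64 77 61 72 65 2F 41 4E 44 52 2E"
    " 50 6C 61 6E 6B 74 6F 6E 2E 49 2E 38 36 DA 41 64"
    " 77 61 72 65 2F 41 4E 44 52 2E 50 6C 61 6E 6B 74"
    " 6F 6E 2E 49 2E 31 30 32 D9 41 64 77 61 72 65 2F"
    " 41 4E 44 52 2E 50 6C 61 6E 6B 74 6F 6E 2E 49 2E"
    " 37 36 D7 41 64 77 61 72 65 2F 41 4E 44 52 2E 4B"
    " 75 67 75 6F 2E 42 2E 32 31 37 D7 41 64 77 61 72"
    " 65 2F 41 4E 44 52 2E 4B 75 67 75 6F 2E 41 2E 36"
    " 30 35 05"
)

PREFIX_BASE = 0xC0  # assumed: prefix byte = PREFIX_BASE + len(name)


def decode_string_table(buf, base=PREFIX_BASE):
    """Return (names, skipped).  A record is a prefix byte > base followed by
    (prefix - base) printable ASCII bytes.  Any byte that cannot start such a
    record is skipped and counted, so a dump that begins mid-name resyncs."""
    names, skipped, i = [], 0, 0
    while i < len(buf):
        n = buf[i] - base
        if n > 0 and i + 1 + n <= len(buf):
            body = buf[i + 1:i + 1 + n]
            if all(0x20 <= b < 0x7F for b in body):
                names.append(body.decode("ascii"))
                i += 1 + n
                continue
        skipped += 1
        i += 1
    return names, skipped


def read_offset_table(buf):
    """Interpret buf as little-endian uint32 offsets; return (offsets, gaps)
    where gaps[k] = offsets[k+1] - offsets[k], i.e. the size of record k."""
    usable = buf[:len(buf) - len(buf) % 4]
    offsets = [v for (v,) in struct.iter_unpack("<I", usable)]
    return offsets, [b - a for a, b in zip(offsets, offsets[1:])]


def offsets_match_names(gaps, names):
    """True when each offset gap equals the decoded record size (1 + len)."""
    return all(g == 1 + len(n) for g, n in zip(gaps, names))


def demo():
    offsets, gaps = read_offset_table(bytes.fromhex(HEAD_DUMP_HEX))
    mid_names, _ = decode_string_table(MIDDLE_TEXT.encode("latin-1"))
    tail_names, skipped = decode_string_table(bytes.fromhex(TAIL_DUMP_HEX))
    return {
        "first_offset": offsets[0],      # 0x02C42D6C, about 46 MB into the file
        "gaps": gaps,                    # 4, 13, 13, 9, 9, ... = 1 + len(name)
        "middle_names": mid_names,
        "consistent": offsets_match_names(gaps, mid_names),
        "tail_names": tail_names,
        "tail_skipped": skipped,         # 18 bytes of a cut-off name + trailing 0x05
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

decode_string_table() resynchronises one byte at a time, so the tail dump, which starts in the middle of "Adware/ANDR.Plankton.I.160", still yields the eight complete names after it and reports the fragment in skipped. To test the hypothesis on the real file rather than the excerpts, feed read_offset_table() the first few kilobytes of the file and decode_string_table() the bytes starting at the first offset value; if the gaps stop matching 1 + len(name), the inferred layout is wrong for that region.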
 

Mayayana

Just a wild guess, but the stuff at the end seems to be
a list of Android malware. I wonder if the files could be
some kind of AV or anti-malware definitions, accidentally
put into \Windows\ by a software bug.
If you have AV it might be worth looking through it
to see what the definition files look like.
 

VanguardLH

J. P. Gilliver (John) said:
Thanks for that; looks like a useful (and dangerous!) utility.

Use its read-only mode from the right-click context menu.

You could use the Sysinternals 'strings' utility (runs in a console) if
you just want to view the strings in a file. Redirect stdout to a file
and then view that file, like:

strings.exe {file} > liststr.txt
 

J. P. Gilliver (John)

Mayayana said:
Just a wild guess, but the stuff at the end seems to be
a list of Android malware. I wonder if the files could be
some kind of AV or anti-malware definitions, accidentally
put into \Windows\ by a software bug.
If you have AV it might be worth looking through it
to see what the definition files look like.
Nothing in C:\Program Files\Avira\AntiVir Desktop is anything like that
size. The biggest file there is about 65M.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)[email protected]+H+Sh0!:`)DNAf

"I am entitled to my own opinion."
"Yes, but it's your constant assumption that everyone else is also that's so
annoying." - Vila & Avon
 


Mayayana

| Nothing in C:\Program Files\Avira\AntiVir Desktop is anything like that
| size. The biggest file there is about 65M.

Avira? I just dealt with that yesterday, but I've
already uninstalled it. (It was using a 1/4 GB of
space and 3 of its EXEs wanted to go online
clandestinely, so I couldn't get rid of it fast enough. :)
It did seem, though, that they put everything in
the program folder. I didn't find anything in any
app data folders after uninstall.

The situation was that someone wrote to me to say
that the latest version of my MSI unpacker program
was a trojan. Avira was reporting it to be TR/Dropper.Gen.
After a number of recompiles, changing various compile
options, I got a compile that Avira didn't complain about.
Then out of curiosity I had it scan my software projects
folder. It found another 8 instances of TR/Dropper.Gen!
I've written to them to ask that they do something to
fix their faulty signatures, but their site doesn't actually
provide an email address for false-positive reports. In
short, I'm not impressed with Avira.

Sorry I don't have any better ideas. If it were me,
though, I'd try to find records of install and system
scans to see if anything matches up in terms of dates
with Avira activity. You should be able to delete the
files, in any case.
 


J. P. Gilliver (John)

In message <[email protected]>, Mayayana writes:
| Sorry I don't have any better ideas. If it were me,
| though, I'd try to find records of install and system
| scans to see if anything matches up in terms of dates

Too many places to look (-:.

| with Avira activity. You should be able to delete the
| files, in any case.

Not at all sure they're anything to do with Avira. But anyway, I've made
a subdirectory called !temp, and moved them to that; if nothing is
amiss, I'll delete it (and thus them) in a few days.
 
