Random folders appearing to my new hard drive

[FordGT90Concept]

Well...that's bizzare. I have no idea what is telling Explorer.exe to do that.

The process list is interesting though. That D:\7-zip\7-zip.dll is very suspicious. I'd look for ones similar to that that stand out. It seems legit for 7-zip if you do have 7-zip installed there.

 

[BiggieShady]

7-zip is probably harmless and installs with itself windows explorer extension so it's there, but since explorer.exe is the source the culprit is one of the extensions (extra right click menu items and such).
I'd run autoruns.exe also from sysinternals and see what windows explorer extensions are being loaded at startup, and check all file hashes with virus database (function of the program)

EDIT: @FordGT90Concept I see you probably mean install location is out of sorts

 

[nemo_fin]

My 7zip is installed on my d drive yes. Also what is this explorer.exe?

I downloaded autoruns.exe. Is this what u mean? Also idk how to check all file hases sry.

 

[BiggieShady]

Also idk how to check all file hases sry.

Options > Scan options

Then after that, enable options > hide virustotal.com clean entries ... only suspicious stuff will remain.
Check the complete list on the Everything tab, it may not be explorer extension listed on that tab.

It may be something stupidly simple like onedrive/skydrive being setup to sync folders that are being dumped remotely.

 

[DeathtoGnomes]

show us whats on the Everything tab

 

[nemo_fin]

Here you go

 

[Devon68]

So you say it's a new drive. What was the last thing you installed before noticing this?

 

[nemo_fin]

Tbh no idea, I installed a lot of programs. But what do u think about the possibility that I got this after I inserted my windows key?

 

[FordGT90Concept]

Do you know what that Solvusoft, toastify, 3rvx, and gyazo is?


In ProcessMon, did you actually see it creating/modifying the files inside the folders?

 

[jboydgolfer]

Gyazo is safe, it's for pictures or something my nephew has it

I'm assuming the others are also needless software that perform some function that can be done by the user very easily. I would associate these in the category same as download managers etc. delete them

@OP
Post a shot of your installed programs my guess is the solution to several of these issues will be found in there

 

[Solaris17]

why is your explorer.exe capitalized?

You should run a malware scan.

What is in your scheduled tasks?

Can you upload one of the files in those folders in a zip file here?

 

[FordGT90Concept]

I checked myself. C:\windows\explorer.exe is where it should be and Process Monitor always shows it as "Explorer.EXE"

I'm thinking Explorer.EXE handles all folder creation requests because it has to cross reference that with user permissions. The same goes for creating a file. Writing to a file though, Explorer.EXE checks permissions then lets the process proceed. If you're going to catch the culprit, it has to be the application that writes to the files. The files aren't zero length so it definitely happens...eventually.

In Process Monitor, you can add a "Process Name is Explorer.EXE then Exclude" rule to narrow it down. In fact, you can keep it running and keep adding filters to exclude programs you believe are safe and reapply the filter until you find the culprit.

 

[kn00tcn]

not sure why we didnt start out using resource monitor, which is built into windows, to view the process/disk activity

opening an explorer window is going to cause processmonitor to think those folders are being accessed, but that's useless noise information, we are trying to capture the moment when one of these is created.... it looks like each one has a different date & time, does that have any relation to anything? booting or starting something during those times?

you didnt open with text editor or hex edit the files?

forget about what you installed for now, turn off all startups & third party services, have a minimal windows running, avoid using programs & stick to a web browser, now see if a new folder is created during such a time period

you also havent described how & where you downloaded the third party software, if you always make sure to look at the installer to turn off bundled crap, if you turn off features you dont use (like skydrive)

what is that 'workfolders' in autoruns? what's 3rvx & toastify or why do they need to be on startup? what is or why use winthruster? why gyazo?

 

[opojare]

It is Spotify cache files/encrypted music.
Of course it will reappear if you play any song.

Just change cache folder in your desired folder (Edit - Preferences - Advanced settings - Cache).

 

[FordGT90Concept]

opening an explorer window is going to cause processmonitor to think those folders are being accessed, but that's useless noise information, we are trying to capture the moment when one of these is created.... it looks like each one has a different date & time, does that have any relation to anything? booting or starting something during those times?

Process Monitor ignores itself. He already captured the folders being created in one of the screenshots. The screenshot doesn't show one of the files being written to.

 

[BiggieShady]

It is Spotify cache files/encrypted music.

Bing-o

 

[Devon68]

I read a little about your problem on other forums and it's possible that windown update is creating them.
These folders are harmless. Windows Update will place the data required to install data on the largest drive it finds. This has been the default behavior since the dawn of time

 

[nemo_fin]

FordGT90Concept
I dont know whats solvusoft. But gyazo is screenshot app. Toastify, 3rvx were downloaded a way after this incident so they cant be the cause. Im not really sure how to see if its creating/modifying the files inside the folders.

jboydgolfer

Solaris17
I did malware scan with malwarebytes. Not really sure how to see scheduled tasks. I added the file into this post.

FordGT90Concept
Should I still keep the old rule which u told me before? Also how do i know if a program is safe?

kn00tcn
I cant really think of anything what Ive done... It seems to be pretty random. I was also unable to open the files if thats what u mean? Also what third party software are u talking about?
I dont know whats workfolders.. But 3rvx & toastify are sound programs which I downlaoded 2 days ago so they arent the problem. I think someone told me somewhere to download winthruster.. I think that was also just few days ago. Gyazo is screenshot program, very useful.

opojare
These files u have actually look the same as mine.. Is there .file -file inside those folders? Actually I did that thing u told me to. Now the files I had on my hard drive are seperate cache folder. Should I now delete the files from my hard drive?

Devon68
Yes I read this, but I readed also that they should remove themselves in few days which didnt happen in my case.

Edit: deleted thefile for privacy reasons

 

[Solaris17]

It is Spotify cache files/encrypted music.
Of course it will reappear if you play any song.

Just change cache folder in your desired folder (Edit - Preferences - Advanced settings - Cache).

We have a winner!

FordGT90Concept
I dont know whats solvusoft. But gyazo is screenshot app. Toastify, 3rvx were downloaded a way after this incident so they cant be the cause. Im not really sure how to see if its creating/modifying the files inside the folders.

jboydgolfer

Solaris17
I did malware scan with malwarebytes. Not really sure how to see scheduled tasks. I added the file into this post.

FordGT90Concept
Should I still keep the old rule which u told me before? Also how do i know if a program is safe?

kn00tcn
I cant really think of anything what Ive done... It seems to be pretty random. I was also unable to open the files if thats what u mean? Also what third party software are u talking about?
I dont know whats workfolders.. But 3rvx & toastify are sound programs which I downlaoded 2 days ago so they arent the problem. I think someone told me somewhere to download winthruster.. I think that was also just few days ago. Gyazo is screenshot program, very useful.

opojare
These files u have actually look the same as mine.. Is there .file -file inside those folders? Actually I did that thing u told me to. Now the files I had on my hard drive are seperate cache folder. Should I now delete the files from my hard drive?

Devon68
Yes I read this, but I readed also that they should remove themselves in few days which didnt happen in my case.

Its spotify.

 

[nemo_fin]

Yes that was it. I even reinstalled spotify and now it should be good. Thx from help everyone.

 

[DRDNA]

We have a winner!



Its spotify.

Thanks for weighing in on the validity of the New Poster
opojare POST And thank you to opojare New Member FOR THE POST OF THE CAUSE OF THE FOLDERS.