# Random folders appearing to my new hard drive



## nemo_fin (Feb 22, 2017)

So this kind of files appear daily onto my hard drive.  







Inside the files there are file of random words, for example: 
	

	
	
		
		

		
		
	


	




I have tried removing them, which didnt work because they kept appearing. Anyone has a solution how to stop these files from appearing onto my hard drive?


----------



## eidairaman1 (Feb 22, 2017)

nemo_fin said:


> So this kind of files appear daily onto my hard drive.
> 
> 
> 
> ...



You need to find out what is creating them exactly, right click the folders and see what they are tied to.


----------



## P4-630 (Feb 22, 2017)

eidairaman1 said:


> You need to find out what is creating them exactly, right click the folders and see what they are tied to.



Not sure if you can see that with a right-click.


----------



## eidairaman1 (Feb 22, 2017)

P4-630 said:


> Not sure if you can see that with a right-click.



Not in 10?

I know Windows updates sometimes creates stuff...


----------



## P4-630 (Feb 22, 2017)

eidairaman1 said:


> Not in 10?
> 
> I know Windows updates sometimes creates stuff...



Ok sorry, maybe that will work in W10 then, not sure,  on windows 8.1 I'm on , it doesn't show that info.


----------



## eidairaman1 (Feb 22, 2017)

P4-630 said:


> Ok sorry, maybe that will work in W10 then, not sure,  on windows 8.1 I'm on , it doesn't show that info.



Charms menus, ugh, w8 i always would hit ctrl D lol


----------



## nemo_fin (Feb 22, 2017)

Not really sure how to see i by right clicking..


----------



## P4-630 (Feb 22, 2017)

eidairaman1 said:


> Charms menus, ugh, w8 i always would hit ctrl D lol



Ok I guess I misunderstood what you were trying to say.


----------



## Solaris17 (Feb 22, 2017)

right click > properties > security tab > list of owners


----------



## nemo_fin (Feb 22, 2017)

Well this is what I see.
..


----------



## kruk (Feb 22, 2017)

Download ProcessExplorer, https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx and run it.
Press Ctrl+F and enter your drive letter D:\. It will show you which processes are accessing the drive. Try to find the one that is accessing these strange folders.


----------



## Jetster (Feb 22, 2017)

Back up software. Is it a Seagate drive and your using the backup software that comes with it ?

But if not any continuous back up software will create folders daily


----------



## FordGT90Concept (Feb 22, 2017)

kruk said:


> Download ProcessExplorer, https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx and run it.
> Press Ctrl+F and enter your drive letter D:\. It will show you which processes are accessing the drive. Try to find the one that is accessing these strange folders.


This, I don't think what is happening here is good.  Process Explorer Process Monitor will lead you straight to the culprit.


----------



## nemo_fin (Feb 23, 2017)

I downloaded ProcessExplorer and I was unable to find those files/processes on my D: drive. There was all other things from my hard drive, but not those files.


----------



## FordGT90Concept (Feb 23, 2017)

You're looking for file system reads/writes to D:

I would get Process Monitor monitoring the file system then delete the folders.  Whatever is making them will then be forced to remake them and Process Monitor will catch that.  Whatever process is creating the folders is the culprit.

Edit: You need Process Monitor, not Process Explorer:
https://technet.microsoft.com/en-US/sysinternals/processmonitor.aspx


----------



## P4-630 (Feb 23, 2017)




----------



## BiggieShady (Feb 23, 2017)

nemo_fin said:


> I downloaded ProcessExplorer and I was unable to find those files/processes on my D: drive. There was all other things from my hard drive, but not those files.


In process explorer right click on columns > select columns > process disk tab > enable disk delta write bytes
Order the process list by disk delta write bytes columns and monitor which process springs on top when files and folders are being created.
If it's one of the svchost.exe instances then look at it's modules and threads in the lower pane to detect the culprit.


----------



## FordGT90Concept (Feb 23, 2017)

1. Start Process Monitor
2. A window should pop up asking what to filter.  Change the following:
Architecture -> Path
is -> begins with
[blank] -> D:​3. Click Add, you should now have a green rule that says "Path begins with D: Include"
4. Click Apply.
5. Click OK.

You'll now see processes that are accessing the D: drive.  Take note of them and post them here.

You can click the magnify lens to stop capturing.

That rule on my computer has a lot of Discord.exe and Origin.exe accesses.  I think Discord is interfacing with Steam which is installed on that drive and Origin is also installed on that drive.


Edit: You'll probably have to delete the folders to invoke whatever process is creating them to create them again.  The folder deletion will likely be carried out by explorer.exe and that is totally normal.  It's what happens after that which is of interest.


----------



## nemo_fin (Feb 23, 2017)

FordGT90Concept yes I did this. How do I take note of them?

BiggieShady I was unable to find the "colums"


----------



## FordGT90Concept (Feb 23, 2017)

Just scroll through the list and look at the Process Name column (there will be a lot of repeats).  Type the ones that stand out in your reply.  You can right click on it to copy it if you would rather do that.


----------



## JayCan73 (Feb 23, 2017)

I got infected with adware that did something similar once, malwarebytes didn't catch it or get rid of it completely, it took adaware and spybot search and destroy to get rid of it, both have free versions, I had to delete the leftover folders manualy. It couldn't hurt to run them and see what they find.


----------



## BiggieShady (Feb 23, 2017)

nemo_fin said:


> BiggieShady I was unable to find the "colums"


Ah, disregard, I was talking about different software from the same company



JayCan73 said:


> it took *adaware *and *spybot search and destroy* to get rid of it



also this ^^^  malwarebytes anti-malware + these two are the common cure


----------



## nemo_fin (Feb 23, 2017)

Not sure how to copy etc but here is screenshot:





Properties:


----------



## sneekypeet (Feb 23, 2017)

nemo_fin said:


> Not sure how to copy etc but here is screenshot:
> 
> 
> 
> ...



Images appear broken, can you host them here ( http://www.techpowerup.org/ ) and use the bottom link pasted into your post?


----------



## nemo_fin (Feb 23, 2017)

I updated photos.


----------



## FordGT90Concept (Feb 23, 2017)

Well...that's bizzare.  I have no idea what is telling Explorer.exe to do that.

The process list is interesting though.  That D:\7-zip\7-zip.dll is very suspicious.  I'd look for ones similar to that that stand out.  It seems legit for 7-zip if you do have 7-zip installed there.


----------



## BiggieShady (Feb 23, 2017)

7-zip is probably harmless and installs with itself windows explorer extension so it's there, but since explorer.exe is the source the culprit is one of the extensions (extra right click menu items and such).
I'd run autoruns.exe also from sysinternals and see what windows explorer extensions are being loaded at startup, and check all file hashes with virus database (function of the program)

EDIT: @FordGT90Concept  I see you probably mean install location is out of sorts


----------



## nemo_fin (Feb 23, 2017)

My 7zip is installed on my d drive yes. Also what is this explorer.exe?

I downloaded autoruns.exe. Is this  what u mean? Also idk how to check all file hases sry.


----------



## BiggieShady (Feb 23, 2017)

nemo_fin said:


> Also idk how to check all file hases sry.



Options > Scan options





Then after that, enable options > hide virustotal.com clean entries ... only suspicious stuff will remain.
Check the complete list on the Everything tab, it may not be explorer extension listed on that tab.

It may be something stupidly simple like onedrive/skydrive being setup to sync folders that are being dumped remotely.


----------



## DeathtoGnomes (Feb 23, 2017)

show us whats on the Everything tab


----------



## nemo_fin (Feb 23, 2017)

Here you go


----------



## Devon68 (Feb 23, 2017)

So you say it's a new drive. What was the last thing you installed before noticing this?


----------



## nemo_fin (Feb 23, 2017)

Tbh no idea, I installed a lot of programs. But what do u think about the possibility that I got this after I inserted my windows key?


----------



## FordGT90Concept (Feb 24, 2017)

Do you know what that Solvusoft, toastify, 3rvx, and gyazo is?


In ProcessMon, did you actually see it creating/modifying the files inside the folders?


----------



## jboydgolfer (Feb 24, 2017)

Gyazo is safe,  it's for pictures or something my nephew has it

 I'm assuming the others are also needless software that perform some function that can be done by the user very easily. I would associate these in the category same as download managers etc. delete them

@OP
Post a shot of your installed programs my guess is the solution to several of these issues will be found in there


----------



## Solaris17 (Feb 24, 2017)

why is your explorer.exe capitalized?

You should run a malware scan.

What is in your scheduled tasks?

Can you upload one of the files in those folders in a zip file here?


----------



## FordGT90Concept (Feb 24, 2017)

I checked myself.  C:\windows\explorer.exe is where it should be and Process Monitor always shows it as "Explorer.EXE"

I'm thinking Explorer.EXE handles all folder creation requests because it has to cross reference that with user permissions.  The same goes for creating a file.  Writing to a file though, Explorer.EXE checks permissions then lets the process proceed.  If you're going to catch the culprit, it has to be the application that writes to the files.  The files aren't zero length so it definitely happens...eventually.

In Process Monitor, you can add a "Process Name is Explorer.EXE then Exclude" rule to narrow it down.  In fact, you can keep it running and keep adding filters to exclude programs you believe are safe and reapply the filter until you find the culprit.


----------



## kn00tcn (Feb 24, 2017)

not sure why we didnt start out using resource monitor, which is built into windows, to view the process/disk activity

opening an explorer window is going to cause processmonitor to think those folders are being accessed, but that's useless noise information, we are trying to capture the moment when one of these is created.... it looks like each one  has a different date & time, does that have any relation to anything? booting or starting something during those times?

you didnt open with text editor or hex edit the files?

forget about what you installed for now, turn off all startups & third party services, have a minimal windows running, avoid using programs & stick to a web browser, now see if a new folder is created during such a time period

you also havent described how & where you downloaded the third party software, if you always make sure to look at the installer to turn off bundled crap, if you turn off features you dont use (like skydrive)

what is that 'workfolders' in autoruns? what's 3rvx & toastify or why do they need to be on startup? what is or why use winthruster? why gyazo?


----------



## opojare (Feb 24, 2017)

It is Spotify cache files/encrypted music.
Of course it will reappear if you play any song.

Just change cache folder in your desired folder (Edit - Preferences - Advanced settings - Cache).


----------



## FordGT90Concept (Feb 24, 2017)

kn00tcn said:


> opening an explorer window is going to cause processmonitor to think those folders are being accessed, but that's useless noise information, we are trying to capture the moment when one of these is created.... it looks like each one  has a different date & time, does that have any relation to anything? booting or starting something during those times?


Process Monitor ignores itself.  He already captured the folders being created in one of the screenshots.  The screenshot doesn't show one of the files being written to.


----------



## BiggieShady (Feb 24, 2017)

opojare said:


> It is Spotify cache files/encrypted music.





Bing-o


----------



## Devon68 (Feb 24, 2017)

I read a little about your problem on other forums and it's possible that windown update is creating them.
These folders are harmless. Windows Update will place the data required to install data on the largest drive it finds. This has been the default behavior since the dawn of time


----------



## nemo_fin (Feb 24, 2017)

FordGT90Concept
I dont know whats solvusoft. But gyazo is screenshot app. Toastify, 3rvx were downloaded a way after this incident so they cant be the cause. Im not really sure how to see if its creating/modifying the files inside the folders.

jboydgolfer










Solaris17
I did malware scan with malwarebytes. Not really sure how to see scheduled tasks. I added the file into this post.

FordGT90Concept
Should I still keep the old rule which u told me before? Also how do i know if a program is safe?

kn00tcn
I cant really think of anything what Ive done... It seems to be pretty random. I was also unable to open the files if thats what u mean? Also what third party software are u talking about?
I dont know whats workfolders.. But 3rvx & toastify are sound programs which I downlaoded 2 days ago so they arent the problem. I think someone told me somewhere to download winthruster.. I think that was also just few days ago. Gyazo is screenshot program, very useful.

opojare
These files u have actually look the same as mine.. Is there .file -file inside those folders? Actually I did that thing u told me to. Now the files I had on my hard drive are seperate cache folder. Should I now delete the files from my hard drive?

Devon68
Yes I read this, but I readed also that they should remove themselves in few days which didnt happen in my case.

Edit: deleted thefile for privacy reasons


----------



## Solaris17 (Feb 24, 2017)

opojare said:


> It is Spotify cache files/encrypted music.
> Of course it will reappear if you play any song.
> 
> Just change cache folder in your desired folder (Edit - Preferences - Advanced settings - Cache).



We have a winner!



nemo_fin said:


> FordGT90Concept
> I dont know whats solvusoft. But gyazo is screenshot app. Toastify, 3rvx were downloaded a way after this incident so they cant be the cause. Im not really sure how to see if its creating/modifying the files inside the folders.
> 
> jboydgolfer
> ...



Its spotify.


----------



## nemo_fin (Feb 24, 2017)

Yes that was it. I even reinstalled spotify and now it should be good. Thx from help everyone.


----------



## DRDNA (Feb 24, 2017)

Solaris17 said:


> We have a winner!
> 
> 
> 
> Its spotify.


Thanks for weighing in on the validity of the New Poster
opojare_  POST And thank you to opojare New Member FOR THE POST OF THE CAUSE OF THE FOLDERS. _


----------

