Strange files contained in C:\~ERAFSWD.TMP

homgren

New Member
I ran an automated eraserl bat file overnight, and this morning the Eraser results screen said that Eraser had failed to remove a temporary directory from C:, which is the first time I've had that message from Eraser. Also I had a "Critical" Prevx warning screen saying that Prevx had jailed a file named mqad.dll that it found in the C:\~ERAFSWD.TMP folder, saying that C:\~ERAFSWD.TMP\mqad.dll was "the subject of the following behavior:
- Created as a process on disk"

C:\~ERAFSWD.TMP also contained these other files:
autodisc.dll
diantz.exe
findstr.exe
localui.dll
mqad.dll
share.exe

It was definitely a cause for concern to find that Prevx jailed a file in a directory that I've never seen before, and that the directory also contains several other ominously named .exe's and .dll's.

Are these files supposed to be in this directory? What could make Prevx think that something attempted to create mqad.dll as a process? What might Eraserl do that would cause Prevx to react to a file in that dir as malware?

Thanks.
 
Hi homgren :)

C:\~ERAFSWD.TMP is a file created by Eraser in order to completely fill the free space on a hard drive.

The reason Eraser was unable to remove the TMP file was because your anti malware program locked it.

The reason you have DLL’s and EXE’s etcetera is because Eraser (since 5.84) copies random DLL’s to your hard drive after a random wipe in order to aid plausible deniability. There might actually be bad DLL’s in your system32 and Eraser has copied them. The exe’s I would have thought would be just a random fluke that look like actual exe’s.

All in my humble opinion of course.

I think the best thing you could do would be to delete the C:\~ERAFSWD.TMP manually and update all your antivirus and anti malware software and do a full system scan with each removing anything they find. Then disable all your antivirus and anti malware software and run Eraser again.

Let me know how you get on !
:wink:
 
Thanks for the reply. I just have a couple of questions.

You said Eraser creates a "file" called C:\~ERAFSWD.TMP , but on my PC it is a folder (in fact, it is the folder that contains the strange .dll's and .exe's). Just wanted to clarify if you meant "file" or "folder".

Also, what do you mean by "The exe’s I would have thought would be just a random fluke that look like actual exe’s."?

Also, would Eraser be trying to activate the file mqad.dll? Just wondering why Prevx would all of a sudden think it was dangerous. Especially if it has always been on the computer and Prevx never thought it was dangerous before.

Thanks again.
 
Just wanted to clarify if you meant "file" or "folder".

Oops, sorry I meant folder. :oops:

Also, what do you mean by "The exe’s I would have thought would be just a random fluke that look like actual exe’s."?

Eraser writes random data to the hard drive before copying DLL’s to it. What I was getting at was the old saying “Give an infinite amount of monkeys a typewriter and they will write Shakespeare” sort of thing ! At some point Eraser is going to randomly write something that looks like something else. Sometimes you can get .doc files but they are not real word docs.
 
Oops, sorry I meant folder. :oops:
Good deal. Thanks.


Eraser writes random data to the hard drive before copying DLL’s to it. What I was getting at was the old saying “Give an infinite amount of monkeys a typewriter and they will write Shakespeare” sort of thing ! At some point Eraser is going to randomly write something that looks like something else. Sometimes you can get .doc files but they are not real word docs.
But would you say this explains the list of filenames in the folder? They don't look like random data at all judging by the names.
 
But would you say this explains the list of filenames in the folder? They don't look like random data at all judging by the names.

I see what you are saying, they do look strange and too genuine. I am just wondering if Eraser 5.84 copies random exe’s as well as DLL’s ? Any version of Eraser prior to 5.84 didn’t have this feature so I wonder if it is going to start to cause problems.

I am starting to think that Eraser 5.84 must copy exe’s too. The reason why your anti malware software is picking it up now is because the file has been copied and moved and usually all anti virus / malware programs check what is being written to the disk.

Have you performed a full scan of your system yet ? If you don’t have much time just update your definitions file and scan system32.
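
The question raised in the posts above (are the files in C:\~ERAFSWD.TMP real copies of system32 binaries, or only files carrying their names?) can be checked by hashing. This is an added example, not part of the thread and not Eraser's code; the function names and the `C:\Windows\System32` reference path are assumptions.

```python
import hashlib
from pathlib import Path

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large wipe files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage_folder(suspect_dir, reference_dir):
    """Classify each file in suspect_dir against the same-named reference file.

    Verdicts: 'identical'    same name and same SHA-256 as the reference copy
              'name-only'    the name exists in the reference dir, content differs
              'no-reference' nothing with this name in the reference dir
    """
    # Windows file names are case-insensitive, so index by lower-case name.
    reference = {p.name.lower(): p
                 for p in Path(reference_dir).iterdir() if p.is_file()}
    verdicts = {}
    for item in sorted(Path(suspect_dir).iterdir()):
        if not item.is_file():
            continue
        original = reference.get(item.name.lower())
        if original is None:
            verdicts[item.name] = "no-reference"
        elif (item.stat().st_size == original.stat().st_size
              and sha256_of(item) == sha256_of(original)):
            verdicts[item.name] = "identical"
        else:
            verdicts[item.name] = "name-only"
    return verdicts

def uniform_size(suspect_dir):
    """Return the shared size in bytes if every file has the same size, else None."""
    sizes = {p.stat().st_size for p in Path(suspect_dir).iterdir() if p.is_file()}
    return sizes.pop() if len(sizes) == 1 else None

if __name__ == "__main__":
    # Folder name from the thread; the System32 location is an assumed default.
    suspect = r"C:\~ERAFSWD.TMP"
    for name, verdict in triage_folder(suspect, r"C:\Windows\System32").items():
        print(f"{verdict:13} {name}")
    print("uniform size:", uniform_size(suspect))
```

A folder where every entry is `name-only` and `uniform_size` returns a single value points to fill files that only borrow system file names, while `identical` entries are genuine copies that can be scanned like the originals.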
 
I haven't done the scans yet. I'll start them this evening and finish them tomorrow. I'll do an AV scan, a Prevx scan, and maybe find an online scan too. I feel I can never be too careful about malware. If I'm not 100% sure my machine is clean I will reload it from a Ghost image. And it probably goes without saying that if I find anything on my PC it gets reloaded.
Thanks. I'll get back to you.
 
Sorry it has taken me so long to get back here.
All scans were clean and also I found that all the files in the folder were 412,800 KB. So it looks like it was a conflict between Prevx and Eraser. I have written to Prevx and told them what happened also. Thanks for your help.
 
Hi homgren :D

Firstly thank you for taking the time to post back and let me know how you got on.

Sorry it has taken me so long to get back here.

No problem. :wink:

All scans were clean and also I found that all the files in the folder were 412,800 KB. So it looks like it was a conflict between Prevx and Eraser. I have written to Prevx and told them what happened also.

I agree with your conclusion and thank you for notifying Prevx.

Thanks for your help.

You’re welcome and I hope this isn’t the last post you make here. Hang around a bit and perhaps make an Eraser feature request !


:)
 
Uhoh, I sense work. :lol:

Joel
 