[Question] These are not ransomware files right?


wolnavi

So I wanted to screen record something and started OBS as usual but then I noticed in Task Manager that the usual "obs64.exe" had a weird trail of letters and numbers behind it, like "obs64.exe.C23865550406FF94A399795F13307571"

 

I panicked for a bit and went ahead to find out where this file was located, and it was in this folder path

C:\Windows\Temp\sentry_temp

and I was shocked to see so many different files with the same behavior of filenames ending with a weird trail of letters and numbers. My daily Malwarebytes Threat Scan turned out clean, so I tried restarting my PC, and OBS in Task Manager is now back to the normal "obs64.exe"

 

Question now is, what are these? They are not ransomware infected right? Thanks


@wolnavi

Please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

 

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thanks


Are you using Avira or Bullguard antivirus? Or maybe you had it installed last year?

'Sentry_temp' is a folder created by Avira, Bullguard, and possibly others. (or at least it used to be which is why I asked about last year).

It appears that when a user with Avira installed runs (ran) an app then Avira moves (moved) the executable into the 'sentry_temp' folder and leaves (left) a redirect at the original location.
Which is what I think all those files with hexadecimals showing after the '.exe.' will be in your screenshot, the moved executables.

Although I don't know just why they do (did) that I do remember that it caused a problem for some users this time last year because of where that 'sentry_temp' folder is located in C:\Windows\Temp\
If/when such a user ran a cleaning utility like Bleachbit or CCleaner then C:\Windows\Temp would be cleaned as you would expect, including that 'Sentry_temp' folder and the copies of the users' executables, leaving just a zero byte redirect to nothing so that the affected user then had to reinstall those apps from scratch.
Here's an example report from back in June 2022: https://github.com/bleachbit/bleachbit/issues/1378

We had a number of reports on the CCleaner forum too, until we worked out the cause and that simply making that sentry_temp folder an exclusion from cleaning was a viable workaround.

I've not seen a report of it happening for a while so I assume that Avira changed something that fixed it, they may have even stopped using that sentry_temp folder or put it somewhere other than Windows\Temp?
But if you have a 'C:\Windows\Temp\sentry_temp' folder, and executables running from it, then I'd be wary of running any cleaning app without first making that folder an exclude in the cleaner.

Edited by nukecad
  • Thanks 1
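Added example, not part of the thread and not Avira's or any cleaner's own code: a pre-clean check for the situation described in the post above. It lists relocated executables in a sentry_temp folder and flags zero-byte .exe files whose relocated copy is missing. The 32-hex-digit suffix is an assumption drawn from the single filename quoted in the thread, treating a zero-byte .exe as the redirect is an assumption as well, and the function names are hypothetical.

```python
import os
import re
import tempfile

# Name pattern from the one file quoted in the thread:
# obs64.exe.C23865550406FF94A399795F13307571 (original name + 32 hex digits).
# The fixed length of 32 is an assumption drawn from that single sample.
RELOCATED = re.compile(r"^(?P<name>.+\.exe)\.[0-9a-f]{32}$", re.IGNORECASE)

def relocated_executables(sentry_dir):
    """Return {original exe name (lowercase): relocated path} for sentry_dir."""
    found = {}
    if os.path.isdir(sentry_dir):
        for entry in os.scandir(sentry_dir):
            m = RELOCATED.match(entry.name)
            if m and entry.is_file():
                found[m.group("name").lower()] = entry.path
    return found

def zero_byte_stubs(app_dirs):
    """Find zero-byte .exe files; assumed here to be the leftover redirects."""
    stubs = []
    for top in app_dirs:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if name.lower().endswith(".exe") and os.path.getsize(path) == 0:
                    stubs.append(path)
    return stubs

def pre_clean_report(sentry_dir, app_dirs):
    """'ok' if the stub's relocated copy still exists, otherwise 'orphaned'."""
    moved = relocated_executables(sentry_dir)
    return {stub: "ok" if os.path.basename(stub).lower() in moved else "orphaned"
            for stub in zero_byte_stubs(app_dirs)}

def demo():
    """Build a constructed sample tree in a temp dir and report on it."""
    with tempfile.TemporaryDirectory() as tmp:
        sentry, apps = os.path.join(tmp, "sentry_temp"), os.path.join(tmp, "apps")
        os.makedirs(sentry)
        os.makedirs(apps)
        with open(os.path.join(sentry, "obs64.exe.C23865550406FF94A399795F13307571"), "wb") as f:
            f.write(b"MZ constructed sample")
        for stub in ("obs64.exe", "tool.exe"):  # tool.exe has no relocated copy
            open(os.path.join(apps, stub), "wb").close()
        report = pre_clean_report(sentry, [apps])
        return {os.path.basename(p): state for p, state in report.items()}
```

On a real machine, `pre_clean_report(r"C:\Windows\Temp\sentry_temp", [...])` would be called with the application folders to inspect before any cleaner is run; an "ok" entry means the folder still holds the executable and should be excluded from cleaning.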

ooo yeah I used to have Avira Free Antivirus installed but I uninstalled it last year because one day, it was suddenly causing my whole PC to run extremely slowly for some unknown reason, took me a while to find out that Avira was the cause so I uninstalled it

Thanks now I know what that folder is and why it is there

Edited by wolnavi

9 hours ago, wolnavi said:

... I used to have Avira Free Antivirus installed but I uninstalled it last year  .......

I thought that it was probably something like that.

From what I can find 'SentryEye' was added to Avira in May/June 2022, it was formerly Bullguard technology.
And that's when we first started to see Avira users having issues with their executables being removed if they used a cleaner app, any cleaner app, to clean C:\Windows\temp.

I'm not sure what Avira did to fix the issue (if anything?) but as you had uninstalled Avira then it's probable that any solution that they did come up with was never applied on your machine.

There is very little to be found on the web about SentryEye, that sentry_temp folder, and the problems it caused for some users when introduced in Avira last year.

How you'd put things back to standard Windows now is another question.

Maybe a reinstall of Avira and see what it does with that folder, if anything, then uninstall it again?
Delete that folder, and then reinstall your apps if needed?
A repair reinstall of Windows? or even a clean reinstall of Windows and then reinstall your apps?

Or just leave things as they are with the knowledge of what that folder is, and that it has been known to cause problems in the past.

Maybe @Porthos has some other suggestions?

Edited by nukecad