Author Topic: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009  (Read 10442 times)


REDACTED

  • Guest
Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« on: February 10, 2015, 03:20:24 AM »
I found this file in my user directory: .ghost-ntfs-3g-00000000000000000009. A check on the internet says it is a product of a virus. First off, is it a product of a virus, and does Avast look for it?

Thanks in advance
Charles Worley :(

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« Reply #1 on: February 10, 2015, 04:01:37 AM »

REDACTED

  • Guest
Re: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« Reply #2 on: February 10, 2015, 04:17:27 AM »
Thank you for the link.  I had it checked on some of the sites and it was found NOT to be a threat.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« Reply #3 on: February 10, 2015, 07:50:12 AM »
Do you have Norton Ghost installed?

Upload and test the file at www.virustotal.com. If it was scanned before, click rescan for a fresh result.
Post the link to the scan result here.


REDACTED

  • Guest
Re: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« Reply #4 on: February 10, 2015, 03:52:54 PM »
I do not have Norton Ghost installed. In fact I do not have any Norton products installed on my computer. All I have installed is Avast and Malwarebytes. Below are the results of the scan:

SHA256:    7fe08a72839c75f72ff9387848ca57cff2e5df61bbb189fa98ac7a7ac096f7a4
File name:    .ghost-ntfs-3g-00000000000000000009
Detection ratio:    0 / 55
Analysis date:    2015-02-10 14:43:33 UTC ( 0 minutes ago )

 File identification
MD5 354e0f7596c0882394d5da14aa0cb6d1
SHA1 d0b3d565cbd73e557270f49410ced2d43d8ac032
SHA256 7fe08a72839c75f72ff9387848ca57cff2e5df61bbb189fa98ac7a7ac096f7a4
ssdeep    12288:PlbPEqrv08+O6p4NnMNRQw9bNyn94uiXSUMerhltDajcH7ULLv5yvZUTlhmKeuTF:dkyDG/dmcRckMui2eyvszAS
File size    3.5 MB ( 3670016 bytes )
File type    unknown
Magic literal    MS Windows registry file, NT/2000 or above
TrID    Windows NT Registry Hive (100.0%)

VirusTotal metadata
First submission 2015-02-10 03:08:17 UTC ( 11 hours, 36 minutes ago )
Last submission 2015-02-10 14:43:33 UTC ( 1 minute ago )
File names    .ghost-ntfs-3g-00000000000000000009

ExifTool file metadata
FileAccessDate    2015:02:10 15:43:45+01:00
FileCreateDate    2015:02:10 15:43:45+01:00

Offline Eddy

Re: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« Reply #5 on: February 10, 2015, 06:17:05 PM »
It doesn't look like a malicious file to me.
Do you (or did you) have anything from Symantec installed?
If not, I suggest creating a backup of the file on USB or something and deleting the original one.
Till now I don't see any reason that it would cause problems.

REDACTED

  • Guest
Re: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« Reply #6 on: February 12, 2015, 03:40:19 AM »
Thank You.  I'll back it up on a USB, delete it, and see what happens.  No I haven't installed anything from Symantec on this machine.

Offline Eddy

Re: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« Reply #7 on: February 12, 2015, 03:53:15 AM »
Ok, keep us informed please.

REDACTED

  • Guest
Re: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« Reply #8 on: June 03, 2015, 08:05:28 AM »
Hello, I just found the same exact file under my user directory - .ghost-ntfs-3g-00000000000000000009. It says it was created 3/15/2015 6:35pm and last accessed on 5/4/2015 6:54pm and it's shared with everyone (not sure if "everyone" just means all user accounts on my computer, or everyone on the network).

The Windows Event Viewer is a little too complicated for me personally to tell exactly what could have happened on those days, so I used the "PC Checkup" program that came with my computer - it records system changes, events, application errors, etc, in a calendar format for newbs like me, haha...

I don't know if it's definitely 100% connected or not, but for 3/15/2015 it lists "avast! antivirus system restore point" and "device driver package install:avast network service" under the Programs Added section for that specific day (same day the weird ghost file showed up). But then there was also a ton of Windows Updates on that same day too.

Then for 5/4/2015, the date the ghost file was last accessed, PC Checkup says avast did two system restore points, one at 6:29pm and another at 6:32pm with the descriptions listed as "device driver package install:avast network service" and "avast antivirus system restore point." Those times are extremely close to the 6:35pm that my computer says the ghost file was last accessed and those were the only two things listed for that day (in PC Checkup, at least).

I don't know enough to "prove" avast made the file but it sure seems like it uses it or was responsible for it showing up? The ghost file is 6.5MB. I tried to open it but Windows asks me to choose a program to open it and I have no idea what it is so I decided not to try and open it.

Anybody know if there's a way to check the name of that ghost file against some kind of avast database to see if it's created by avast and is necessary for it to function or whatnot?

Worleybird, did you end up deleting the file and there was no harm to your computer?

I also scanned it at virustotal.com as well as with my PC's avast and malwarebytes and all came back clean, but the name "ghost" is unsettling and it's especially weird that the file just showed up a few months ago. Really want to know what it is. (Like worleybird, I don't have anything from Symantec on my computer, never have.)

Thanks everyone in advance! (Sorry for adding to someone else's thread, but I thought it was closely related enough that it might be okay to add to this thread instead of starting another.)

Oh, and probably totally unnecessary, but I took a screen shot of the file and attached it.

REDACTED

  • Guest
Re: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« Reply #9 on: June 03, 2015, 05:09:36 PM »
Hi,

      I never did find out what program initiated the file: .ghost-ntfs-3g-00000000000000000009.  However it is a file I couldn’t get off of my computer fast enough.  It had everything in that file.  The computer was a fairly new one.  I purchased the HP desktop in March 2014, on sale at Walmart.  A couple of days after that my wife had to have surgery (top half of her right lung removed) and during the surgery they found she needed a heart valve replacement which was done in May.  I had completely forgotten about the computer until the first part of Feb. 2015, and at that point I set it up.

     The file was generated on the 25th of Feb.  I say generated, maybe updated is a better term.  It had everything in it!  Since it was a “new” computer I installed a lot of software, and everything was in that file!  Example: PC Check & Tuning 2010 Download Version UK.inivk    °ÿÿÿvk1 H   D        {1NP14R77-XXXX-XXXX-XXXX-2RO1NR5198O7}\qsethv.rkr

     It kept track of EVERY activation code, I put the XXs in the above code.  It also kept track of everything that splwow64.exe had generated (c:\Windows\SysWOW64\) go there to find that Microsoft jewel.

     Also I found a group of entries like this: h a n a _ h a r u n a _ n a k e d _ b y _ j i m m y m a t h e w - d 8 j 9 9 v z.  Oh yes, my grandson and I had a talk!

     I removed the file (kept it on a flash drive) and it has never reappeared.  Someone suggested that HP might have been keeping track of new computers.

     I still know no more than when I initially found the file of its origins.  :-\

Charles Worley

REDACTED

  • Guest
Re: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« Reply #10 on: June 03, 2015, 07:51:50 PM »
Oh, yikes, sounds like I really should get it off my computer too then! I wonder where it came from, it's so weird... I've had my computer for a little over 3 years now and it just showed up a few months ago (I didn't notice until last night though). But I hadn't been using my computer much at all in the past 4 months, I only turn it on for email about twice a month (I had a recent surgery too, on my leg, so am not supposed to sit at the computer much). It's probably a stretch, but since you said your computer was sitting for a while I wonder if some kind of malicious program can detect inactive computers and start monitoring them or something? (I have no idea what I'm talking about, just interesting we both were mostly inactive on our computers for a while and now we have this.)

I can't figure out how to open the ghost file properly so that I can see the file structure, how did you do it? The most I can get is a big garbled mess if I open it in Notepad. It's about 1/3 readable words and I can see a lot of website URLs scattered around, but the other 2/3 or so of the mass is pretty much hieroglyphics/unreadable text. Not sure if that's because I'm opening it in the wrong program or if that's literally what it is storing.

Thank you for your reply and since you were able to delete it, I think I will too. I'll put it on a flash drive first as well. I'm still going to look around and see if I can figure out what it is though. If I find or hear anything I'll reply again to this thread.

P.S. I hope your wife (and you too!) are doing well now... those were some pretty serious surgeries!
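
An added example, not part of any post in this thread: the scan output in Reply #4 identifies the file as a Windows NT registry hive, which is why it looks garbled in Notepad. The Python sketch below parses the hive's `regf` base block and decodes a ROT13-obfuscated name such as the `qsethv.rkr` quoted in Reply #9 (Windows stores UserAssist value names this way). The sample header and its `\Users\demo\NTUSER` path are constructed for the demo, and treating the Reply #9 string as ROT13 is an assumption.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def regf_checksum(block: bytes) -> int:
    """XOR of the first 127 little-endian dwords; two reserved results are remapped."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        xor ^= dword
    return {0xFFFFFFFF: 0xFFFFFFFE, 0: 1}.get(xor, xor)

def parse_regf_header(data: bytes) -> dict:
    """Parse the base block at the start of a registry hive file."""
    if len(data) < 512 or data[:4] != b"regf":
        raise ValueError("no 'regf' signature: not a registry hive")
    seq1, seq2, filetime, major, minor = struct.unpack_from("<IIQII", data, 4)
    root_cell, bins_size = struct.unpack_from("<II", data, 36)
    (stored_sum,) = struct.unpack_from("<I", data, 508)
    return {
        "version": f"{major}.{minor}",
        "last_written": EPOCH_1601 + timedelta(microseconds=filetime // 10),
        "clean": seq1 == seq2,  # differing sequence numbers mean an unfinished write
        "root_cell_offset": root_cell,
        "hive_bins_size": bins_size,
        # Trailing part of the hive's original path, stored as UTF-16LE
        "embedded_name": data[48:112].decode("utf-16-le", "replace").split("\x00")[0],
        "checksum_ok": stored_sum == regf_checksum(data),
    }

def rot13_name(name: str) -> str:
    """Decode a ROT13 name; digits and punctuation pass through unchanged."""
    return codecs.decode(name, "rot_13")

def build_sample_header() -> bytes:
    """Constructed base block for the demo; not taken from the file in the thread."""
    block = bytearray(4096)
    # Constructed values: sequence numbers 9/9, an arbitrary FILETIME, version 1.5
    struct.pack_into("<4sIIQII", block, 0, b"regf", 9, 9, 130_680_000_000_000_000, 1, 5)
    struct.pack_into("<II", block, 36, 0x20, 0x1000)
    name = r"\Users\demo\NTUSER".encode("utf-16-le")  # hypothetical path
    block[48:48 + len(name)] = name
    struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)

if __name__ == "__main__":
    print(parse_regf_header(build_sample_header()))
    print(rot13_name("qsethv.rkr"))  # file-name part of the string quoted in Reply #9
```

To inspect a real file, pass the first 4096 bytes read in binary mode to `parse_regf_header`; a full view of keys and values needs a registry hive viewer rather than a text editor.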

Offline Eddy

Re: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« Reply #11 on: June 03, 2015, 08:06:08 PM »
worleybird,

First of all, I hope everything is well now with your wife, as far as it can be in her situation of course.

To me it seems the file has to do with this:
http://en.wikipedia.org/wiki/NTFS-3G
If my brains still are kinda working, it is placed there when HP installed the OS from an image.
I wouldn't worry about it.

If wanted we can have a thorough check of both your systems.
If so please follow the instructions:
https://forum.avast.com/index.php?topic=53253.0

REDACTED

  • Guest
Re: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« Reply #12 on: June 03, 2015, 11:51:40 PM »
Sorry, I don't mean to butt in again on worleybird's thread... but for my case, I haven't done any recent installing of the OS or anything on my computer, do you know of any other kind of instance that might make that file show up on my computer? One sort of odd thing was that it's under my user directory and the permissions are "shared with everyone" (Everyone/all users have access?), but everything else under my user directory is for me only. Maybe not important, just thought that was strange. I only sort of understand what the wikipedia page is saying NTFS-3G is, but don't know why my computer needed it or made it all of a sudden.

I've never contacted Microsoft's tech support over chat before, but I tried that today for this issue and what a joke. (No offense to any tech support people who actually do their job right though.) The guy asked for remote access and I granted it; having never done that before, I was curious and figured it couldn't hurt. The guy didn't even go look at the ghost folder or anything, he just ran HitManPro which showed 2 tracking cookies and then told me it was definitely adware and tried to sell me their $99 one year subscription for support and remedy of the issue. I told him "no thanks" and that I didn't think tracking cookies were the culprit and then he said all he could do for me was change my startup services so only necessary programs run, and he just did it without even asking me to give permission. I've not had any real big issues with my computer, none that I've noticed... it's just the mystery ghost folder that is sitting there. So I don't know why he thought turning off some startup services could help. Then he told me to restart my computer and once I logged back on the remote connection was lost and he wasn't there anymore. Didn't get rid of the ghost folder obviously and I highly doubt he even tried to figure out what it was... was too focused on trying to sell me their $99 package. I went back on chat and got a different person after that and asked them to check exactly what the other guy did so I could reverse it all (was pretty simple, just had to go back into "services" and select normal startup). But even that lady tried to push the $99 package on me without even asking me what the issue was to begin with. What a waste of time.

I'm ranting a lot, sorry to take up a lot of your time... my question is though: Eddy, if MBAM, Avast, and also now the HitManPro free scanner are all saying my system is clean (the 2 tracking cookies aren't being detected anymore, I guess I deleted them), do you think I should still try the more thorough check that you suggested? I don't know enough about this kind of stuff.

Thanks again in advance!

Offline Eddy

Re: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« Reply #13 on: June 04, 2015, 03:40:48 PM »
A thorough check by one of the malware removers here only takes a bit of your time but can't hurt at all.
At least you will know if the system is clean or not. ;)

REDACTED

  • Guest
Re: Not sure what I've got: .ghost-ntfs-3g-00000000000000000009
« Reply #14 on: June 08, 2015, 12:43:41 AM »
Okay, I will definitely start that process then. It is really strange because I don't really do anything risky online and I always have Avast and MBAM running plus I do weekly scheduled scans on both. I definitely want some experienced eyes to check my system though...

Thanks again!