Could this be malware?

[devnulllore]

Hello, I have a second SSD that I have my games installed on and that's it. After some monitoring I noticed sometimes Windows accesses the drive for no reason that I can see. After some inspection I found that there is a hidden folder on the drive called "boot". Can this be malware? I have indexing turned off so there is no reason for the drive to be accessed without playing games is there? Malware scans turn up nothing but I do not know if the can scan hidden files and folders. Any ideas? 

[Brandon H Supervisor]

are you sure the SSD isn't legitely set as the boot drive? easiest way to rule that out would be to pull the SSD and try to boot up.

 

my other thought is maybe Windows set a page file on the drive for some VRAM

 

if in doubt I'd boot into a Anti-Virus recovery disc/usb to scan; I've used Kaspersky Rescue Disc in the past with good results

[devnulllore]

I read an article just now that said Windows can alot a folder on a secondary drive if a reinstall or restore is done. I just reinstalled Windows yesterday. Maybe that's it?

[Brandon H Supervisor]

Just now, devnulllore said:

I read an article just now that said Windows can alot a folder on a secondary drive if a reinstall or restore is done. I just reinstalled Windows yesterday. Maybe that's it?

yes that's most likely exactly what happened. that is the reason a lot of techies will recommend removing all but the drive you're installing on when installing Windows as it doesn't always put the boot sector on the drive you're installing on for some reason; never understood why myself but it's a thing

[devnulllore]

So am I playing with fire if I delete that folder?

[Mindovermaster Moderator]

If it doesn't bother you, leave it...

[devnulllore]

Well the whole reason I started monitoring HD access is it seems whenever the system accesses the drive I get some hitching or pausing like a bottleneck from an old mechanical drive.. Very annoying.

[Brandon H Supervisor]

9 minutes ago, devnulllore said:

So am I playing with fire if I delete that folder?

if you delete the folder you may not be able to boot into windows. 

 

you could either re-install windows again making sure the SSD is removed during the process or you could attempt to move the boot files though that's a little trickier.

 

Here's a guide to move the boot files/partition to another drive using EasyBCD

https://neosmart.net/wiki/easybcd/basics/changing-the-boot-partition/

[Steven P. Administrators]

Right click on the start menu flag and click on Disk Management, there you should be able to see where Windows has put the Boot drive, because it will say it on one of the disks.

 

This will tell you if Windows boots from C:\ D:\ or anyplace else  

 

Mine is C:\ 

 

[devnulllore]

2 hours ago, Steven P. said:

Right click on the start menu flag and click on Disk Management, there you should be able to see where Windows has put the Boot drive, because it will say it on one of the disks.

 

This will tell you if Windows boots from C:\ D:\ or anyplace else  

 

Mine is C:\ 

 

yeah that's what it says on my C drive my G (game drive) just says healthy primary

[Brandon H Supervisor]

Just now, devnulllore said:

yeah that's what it says on my C drive my G (game drive) just says healthy primary

hmm yeah then it could be something malicious. I'd scan it with the Kasperskiy bootable recovery disc I mentioned above to verify and then you shouldn't have an issue deleting the folder from that bootable media either.

 

If for whatever reason your computer won't boot up after you delete that folder you can pop you installation disc/usb back in and run the boot repair

[goretsky Supervisor]

Hello,

 

What are the contents of the \boot folder on the secondary SSD?  Is there anything noteworthy about the date(s) on the content(s) that might be associated with a specific activity, such as reinstalling the operating system, installing new software and so forth?

 

Regards,

 

Aryeh Goretsky

[devnulllore]

A couple of files called bootstrap.exe, emm386 and another sub-folder called booter that I cannot access. I can't see anyway to delete them.

[DPyro]

What software did you use to scan it? Malwarebytes is usually pretty good.

[devnulllore]

Malware bytes and Eset

[Brandon H Supervisor]

2 hours ago, devnulllore said:

A couple of files called bootstrap.exe, emm386 and another sub-folder called booter that I cannot access. I can't see anyway to delete them.

that's why I said scan it with the Kaspersky rescue boot disk. you should be able to delete the folder from within that boot environment as well

 

edit: it's always good to scan a suspected directory outside of your installed environment just to be sure it's not hiding itself from the installed scanner in some way

[Ve7878]

Could you post a screenshot showing disk management?

 

Windows Key + X > Disk Management

[Brandon H Supervisor]

6 minutes ago, Vince800 said:

Could you post a screenshot showing disk management?

 

Windows Key + X > Disk Management

he confirmed his matches steve's screenshot above already

[devnulllore]

I ran the rescue disk and deleted the boot folder but still accesses the drive and causes hitching (system pauses) when it does.

[Ve7878]

2 hours ago, Brandon H said:

he confirmed his matches steve's screenshot above already

Yes but in my opinion it's worth checking just to make sure everything else looks okay.

 

2 hours ago, devnulllore said:

I ran the rescue disk and deleted the boot folder but still accesses the drive and causes hitching (system pauses) when it does.

Do you get a system pause every time you access the drive, even if you close it and go straight back into it. Although it's an SSD I wonder if it's some power saving option at play causing this issue.

[devnulllore]

I will check my power settings

[xrobwx71]

Do you have a backup image of your c:\ boot drive and a plan for recovery if you experience failure? 

 

 

[devnulllore]

1 hour ago, xrobwx said:

Do you have a backup image of your c:\ boot drive and a plan for recovery if you experience failure? 

 

 

Yes always

[xrobwx71]

1 hour ago, devnulllore said:

Yes always

Have you followed Brandon's advice and scanned the file outside the OS in the boot environment and deleted it? If you have a backup and it won't boot you can simply recover.  

[devnulllore]

Just now, xrobwx said:

Have you followed Brandon's advice and scanned the file outside the OS in the boot environment and deleted it? If you have a backup and it won't boot you can simply recover.  

Yes I did that with the Kaspersky rescue boot disk. Still happening