
System32 Folder Occupies 300 GB; Filled with Gibberish EXE Files

Of late, many users have been complaining that the System32 folder is suddenly consuming colossal disk space (e.g., 150 GB – 300 GB). On one user’s computer, more than 200,000 .exe files were generated. The files were generated almost every minute, consuming over 200 GB on the C drive.

On another computer, System32 contained more than 150,000 files, which is very unusual. The total size of the files was 148 GB.

Cause

The MSI NBFoundation Service executable causes the above issue. The MSI software executable OmApSvcBroker.exe was compromised recently. The offending file path is below:

C:\Program Files (x86)\MSI\MSI NBFoundation Service\OmApSvcBroker.exe

It creates those 1074 KB gibberish executable files in the System32 folder or the OS partition’s root directory.

The incident happened only on May 18th, 2023. However, some users noted that the above executable stopped generating the junk .exe files with random characters in the file name.

The 1074 KB junk executables can be deleted. They’re created by an MSI executable (OmApSvcBroker.exe) which was compromised recently. For more information, check out the following links:

In the above VirusTotal.com link, a poster commented:

“A malware, which generates additional files under random names in .exe file format. Came from MSI’s Center, probably got breached in that day. It would run up to two processes from created files to create even more files – in the end, fills up hard-drive and Windows\System32 folder with 1,074 kb files. The signature is valid, belongs to “micro-star international co., ltd.”, which is used to bypass detections.”

Resolution

To prevent the junk files from filling up the hard drive, stop and disable the MSI NBFoundation file OmApSvcBroker.exe.

Open an admin Command Prompt and run this command:

schtasks /delete /tn "\OmApSvcBroker" /f

You should see the output: “SUCCESS: The scheduled task "\OmApSvcBroker" was successfully deleted.”

Restart Windows and delete the following file:

C:\Program Files (x86)\MSI\MSI NBFoundation Service\OmApSvcBroker.exe

Download Malwarebytes Antimalware and run a full scan.
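
To clean up the leftover 1074 KB files once the steps above are done, the following PowerShell script (an added example, not from the original article or from MSI) lists the candidates in System32 and the OS drive root and deletes them only when asked. It assumes the 1074 KB figure is Explorer's rounded-up size and that the junk files were created on or after May 18th, 2023; the `-Delete` switch and the variable names are hypothetical.

```powershell
# Added example: report (and optionally remove) the ~1074 KB junk .exe files.
# Run from an elevated PowerShell prompt AFTER removing the scheduled task and
# OmApSvcBroker.exe, otherwise new files may keep appearing.
param(
    [switch]$Delete   # hypothetical switch: without it the script only reports
)

# Locations named in the article: System32 and the OS partition's root directory.
$roots = @("$env:SystemRoot\System32", "$env:SystemDrive\")

# Assumption: Explorer rounds sizes up, so "1074 KB" means (1073 KB, 1074 KB].
$minBytes = 1073KB
$maxBytes = 1074KB

# Assumption: junk files date from the incident day (May 18th, 2023) or later.
$cutoff = [datetime]'2023-05-18'

$candidates = @(
    foreach ($root in $roots) {
        # Not recursive: only files directly inside each folder are examined.
        Get-ChildItem -LiteralPath $root -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Length -gt $minBytes -and
                $_.Length -le $maxBytes -and
                $_.CreationTime -ge $cutoff
            }
    }
)

$totalGB = [math]::Round((($candidates | Measure-Object -Property Length -Sum).Sum) / 1GB, 2)
"{0} candidate files, {1} GB in total" -f $candidates.Count, $totalGB

# Show a sample so the names can be checked by eye before anything is removed.
$candidates | Sort-Object CreationTime | Select-Object -First 10 FullName, Length, CreationTime

if ($Delete) {
    foreach ($file in $candidates) {
        Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Continue
    }
    "Deleted pass complete. Re-run without -Delete to confirm nothing is left."
}
```

Run it first without `-Delete` and check that the sample shows only random-named files; a legitimate executable that happens to fall in the same size window and date range would also be listed.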
