
Virus creating randomly named folders. (Not windows update)


30 replies to this topic

#1 CaveStoryKing64


Posted 16 January 2017 - 06:39 PM

So yesterday I was downloading Cave Story from cavestory.org, and so I had to go to my downloads folder to get it and move it to a DVD that I was going to give to a friend so he could play the game. I know that the game and website are virus free. Anyway, as I was heading to my downloads folder, I found strange files on my computer that said they were created from either the 12th or 13th to the 15th, the day I found out about the virus. All of the folders were hidden (good thing that I have it set to where I can see hidden folders!). They were not Windows Update folders, as they all were 5-character, seemingly random, alphabetical names (uppercase and lowercase). Inside of the folders were files that seemed randomly named gibberish, but some of them seemed like two dictionary words. (There were files named strange things like 'bomber breeds', 'unfortunately', and other things about a report or something.) Whenever I tried to open these files, it said they were corrupted or something. A few .txt files could be opened, but they looked corrupted, like they were written in some computer language or something. These folders were under C:/ and also under C:/Users/.

I went to run a scan with MBAM, and when I went to the custom scan option I saw that there was another drive (A:) that I do not have on the computer. The icon of it was like a normal hard drive, but with a red X over it. It had one of these random folders in it, and I selected scan. (I only scanned that drive, as I had plans to restore my hard drive to factory default.) 20 minutes later, MBAM said that it found one PUM called 'PUM.Optional.NoDrives'. I then checked WinDirStat, which I know can view partitions and has lots of information about them. WinDirStat said that it had zero folders, zero files, and was created on 1/1/1601 at 12:00:00, which was obviously bogus. I then went into File Explorer, and it said that it was a Disconnected Network Drive.

One of these folders had spread to my recovery partition. I had backups of my documents and app data and everything taken a few weeks ago, which was fine except for the app data, which I needed recent versions of because I had been playing Cave Story+ on Steam for about 48 hours since that backup, and I didn't want to lose that data. (I ended up losing it anyway; apparently Steam doesn't save game save data to the AppData folder.) Another one of these gibberish folders appeared; I deleted it, then unplugged the drive immediately. While I was backing up things, I was very careful to only back up files for games and programs I knew about. I then reset to factory default, and afterwards I ran a scan with HitmanPro (will run a scan with even more AV soon), and it said it found some suspicious things. They turned out to be bloatware that came with the PC (a false positive), but I removed them anyway. I have checked my 2 drives several times a day now, and have found no signs of the virus. My question is, though, what virus did I have? It seemed very mysterious and creepy and I am very worried that it still may be on my PC somehow. I have searched up on it and have found nothing about it.

 

Also, I do not go to weird websites or open spam or anything like that. The only thing I can think of is that I wanted to return a controller from a Chinese company called 8BITDO. I emailed them about it and they gave me an attachment with a return label. I opened it, and it printed just fine and everything, and it didn't seem to come with anything else. I even deleted it afterwards.

 

The other possibility is that I found a file in my downloads called 'unconfirmed291971.crdownload' on my computer that seemed to be created at around the same time as the virus.

 

Thanks for any help, I am scared, as I said. Earlier I was shaking, now I have calmed down a bit but I am still worried. Computer viruses and hackers terrify me.





#2 Helios_09


Posted 17 January 2017 - 10:41 AM

I have the exact same problem. Started the other day. I have the full version of MBAM, as well as an AV, and have good practice when navigating on the internet and dealing with potentially compromised content like phishing emails and such. I'm at a loss for how this may have happened.

 

Exactly the same situation as CaveStoryKing64: usually two folders per drive root with alphanumeric titles containing a bunch of random dictionary-named files, usually Excel, Word, SQL, RTF, TXT, and PEM file types. Deep scans on MBAM and on the antivirus don't show anything. CaveStoryKing64's post was literally the first and only instance I've seen of this on the internet, and I did some pretty deep Googling and came up with nothing.

 

I've attached a couple of screenshots that show what the files look like, and their contents. Any help would be greatly appreciated.

Attached screenshots: sIItdsa.jpg, TDumuwC.jpg



#3 MikeRigsby


Posted 17 January 2017 - 01:06 PM

Same exact issue here as well, and it just happened this morning. So far, one coworker and I have odd hidden random-named folders containing randomly generated named Office and SQL files. Also two randomly named folders in C:\Users containing more of the same.

 

ESET, Malwarebytes, and HitmanPro have all come back clean so far, but it's very obvious there's something on my system. A System Restore also did not help.



#4 MikeRigsby


Posted 17 January 2017 - 01:15 PM

I just discovered what it is.

 

Helios_09, are you running RansomWare Free by CyberReason.com by any chance? That was the ONLY common thing with the (now 3) systems I found with this 'virus'. They're the only ones in the company that have RansomWare Free on them. Uninstalled it and they disappear. They're a legit company, so I'm wondering if these files are related to how their tool identifies ransomware.



#5 Helios_09


Posted 17 January 2017 - 01:42 PM

> I just discovered what it is.
>
> Helios_09, are you running RansomWare Free by CyberReason.com by any chance? That was the ONLY common thing with the (now 3) systems I found with this 'virus'. They're the only ones in the company that have RansomWare Free on them. Uninstalled it and they disappear. They're a legit company, so I'm wondering if these files are related to how their tool identifies ransomware.


That's it! I was running RansomWare as well. Removed it and it's gone. Yikes. They need to do a better job informing people about how their software works. Earlier versions of the software didn't do that, or at least the files weren't visible; it was only after the most recent update that those files appeared. Without any heads up it's easy to think there's some kind of virus.



#6 MikeRigsby


Posted 17 January 2017 - 01:46 PM

Yeah, I emailed them and was basically like "What the hell are you thinking?!" At the bare minimum they can put information in the Properties for the files with their company name or something. Anything.

Their tool is likely only going to be used by tech-savvy people, IT pros, etc., and we're the type of people who notice this kind of thing. I was close to reformatting my entire PC until I just happened to install an app update to their tool and noticed that the Modified Date changed on those folders.



#7 Helios_09


Posted 17 January 2017 - 01:52 PM

Good call. I'm going to take a break from their software for a bit, at least until they streamline that aspect of it.



#8 CaveStoryKing64


Posted 17 January 2017 - 04:07 PM

Whew. That's good to hear. I have that anti-ransom program too; I installed it after reading this website's "How to protect and harden a computer against ransomware" article. I will not be reinstalling that program until they clean up their act. I know that this is almost definitely a part of the program as well, but did it also create another drive for you guys? Thanks.

 

I am so sad now: I removed all of that data for nothing. I should have asked this website first before freaking out and reinstalling Windows. I was this close to changing all of my passwords, which would have taken a long time. Thanks guys, this was a real relief. Now to get to reinstalling my programs!



#9 Helios_09


Posted 17 January 2017 - 04:47 PM

> Whew. That's good to hear. I have that anti-ransom program too; I installed it after reading this website's "How to protect and harden a computer against ransomware" article. I will not be reinstalling that program until they clean up their act. I know that this is almost definitely a part of the program as well, but did it also create another drive for you guys? Thanks.
>
> I am so sad now: I removed all of that data for nothing. I should have asked this website first before freaking out and reinstalling Windows. I was this close to changing all of my passwords, which would have taken a long time. Thanks guys, this was a real relief. Now to get to reinstalling my programs!


The missing network drive was also a part of how their software worked. Once I uninstalled it, that missing network drive was gone; it only appeared after the most recent update (along with those random folders and files).



#10 CaveStoryKing64


Posted 17 January 2017 - 05:05 PM

> (Helios_09's post #9, including its quote of post #8, repeated in full)


I hope they fix this soon.



#11 CaveStoryKing64


Posted 17 January 2017 - 07:18 PM

I looked on the RansomFree website and found a Google group where lots of other people are reporting the same thing. Apparently they are trap folders that, if the ransomware tries to encrypt them, will set off RansomFree and it will tell you that you have ransomware on your system. I think that this is a very good idea, but they should tell people that it will happen when they install it so they don't freak out wondering where they came from. Here is an article on this website that describes how it works.

https://www.bleepingcomputer.com/news/security/ransomfree-is-the-latest-app-that-tries-to-stop-ransomware-infections-on-windows/

Thank y'all for helping me, I really appreciate it.



#12 orford


Posted 04 March 2017 - 06:08 AM

Hi all, I am glad I found you and this thread. Here's another victim reporting!

 

For a couple of days I have experienced these funny self-creating, meaningless, non-addressable folders and files at the beginning and end of a drive... VIRUS! I concluded, BUT no positives from any of my anti-virus protectors.

 

So what is the common denominator?

 

Also, a couple of days ago I installed, guess what, Cybereason.com RansomFree... thanks to you it has become clear to me that these could be "the strategically placed Feelers" they mention when explaining their modus operandi.

 

Could anyone point me to the RansomFree Forum that was mentioned above?

 

Regards,

 

Orford



#13 CaveStoryKing64


Posted 09 March 2017 - 07:38 PM

> Hi all, I am glad I found you and this thread. Here's another victim reporting!
>
> For a couple of days I have experienced these funny self-creating, meaningless, non-addressable folders and files at the beginning and end of a drive... VIRUS! I concluded, BUT no positives from any of my anti-virus protectors.
>
> So what is the common denominator?
>
> Also, a couple of days ago I installed, guess what, Cybereason.com RansomFree... thanks to you it has become clear to me that these could be "the strategically placed Feelers" they mention when explaining their modus operandi.
>
> Could anyone point me to the RansomFree Forum that was mentioned above?
>
> Regards,
>
> Orford

Here is the forum we were talking about:

https://groups.google.com/a/cybereason.com/forum/#!topic/ransomfree-support/74u75F35Cy4



#14 quietman7


Posted 09 March 2017 - 08:15 PM

Yes, there are some ransomware protection programs which deliberately create hidden (read-only) dummy folders containing randomly named .bmp, .png, .gif, .jpg, .pem, .xls, .xlsx, .mdb, .txt, .sql, .docx, .doc, and .rtf files in various locations (and partitions) on your computer as part of their functionality. These are actually trap (bait) folders and "canary" files: patterns of files and hidden virtual files that ransomware is attracted to. They are monitored for any changes and are meant to be targeted for encryption by ransomware before actual data files. When the anti-ransomware program detects that any of these files has been modified, it will display an alert that an attack is occurring and ask if you wish to terminate the process that is trying to access them. This feature is sometimes referred to as "Honeypot Detection" or "Entrapment Protection" but is commonly misidentified by users or incorrectly reported as being related to malware.

Cybereason RansomFree, Cybersight RansomStopper, CryptoPrevent Premium (FolderWatch HoneyPot) and CryptoMonitor by Nathan (DecrypterFixer) (no longer supported) are security programs which include this feature.

This is Nathan Scott's explanation of Entrapment Protection from his now closed EasySync web site in this topic.

> Entrapment Protection
> Entrapment Protection lays numerous different types of traps all around your system that a Ransomware Infection cannot resist to touch. These traps send encrypted pattern signals back and forth between CryptoMonitor and themselves constantly. When a Ransomware Infection falls into one of these traps, the pattern is broken and CryptoMonitor immediately takes action. Once this happens, the machine is locked down and you are alerted about the infection and prompted for your decision on what actions to take. During this time, no file modifications are allowed, so your files are safe while you think about your course of action. With this protection enabled you may notice a few hidden files, registry keys, folders, and services running, but don't worry, they are there to protect you!

Common dummy folder locations with random names typically include My Documents, Desktop and common folder variables such as %User Profile%, %AppData%, %LocalAppData%, %ProgramData%, %Temp%.

The use of trap files and folders is not a 100% solution: some data files typically will end up being encrypted by ransomware, but whatever helps with prevention, I consider useful.
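To make the mechanism quietman7 describes concrete, here is a small canary-file tripwire. It is an added example for this page only: it is not RansomFree's, CryptoPrevent's or CryptoMonitor's code, and the folder naming (five random letters), the "two dictionary word" file names, the extension list and the hash-polling check are assumptions chosen to mimic what the posters in this thread saw. It also includes the triage check a reader in CaveStoryKing64's position would want: listing the five-letter hidden-style folders directly under a root so they can be compared against what an installed anti-ransomware tool is known to plant.

```python
"""Minimal canary-file ransomware tripwire (added example, not any vendor's code).

Assumptions: bait folder = 5 random letters, bait files = "<word> <word>.<ext>",
detection = periodic SHA-256 comparison against a baseline. Real products hook
the filesystem instead of polling; polling is used here so the example runs anywhere.
"""
import hashlib
import os
import random
import string
import tempfile
from pathlib import Path

# Constructed word list and extensions (assumption, modelled on the posts above).
WORDS = ["bomber", "breeds", "report", "quarterly", "invoice", "budget", "unfortunately"]
EXTENSIONS = [".docx", ".xlsx", ".txt", ".sql", ".rtf", ".pem"]


def random_folder_name(rng):
    """Five random mixed-case letters, the naming pattern reported in post #1."""
    return "".join(rng.choice(string.ascii_letters) for _ in range(5))


def plant_canaries(root, count=4, seed=None):
    """Create one bait folder under root holding `count` bait files.

    Returns (folder, baseline); baseline maps file path -> SHA-256 of contents
    and is what check_canaries() later compares against.
    """
    rng = random.Random(seed)
    folder = Path(root) / random_folder_name(rng)
    folder.mkdir()
    baseline = {}
    while len(baseline) < count:
        name = f"{rng.choice(WORDS)} {rng.choice(WORDS)}{rng.choice(EXTENSIONS)}"
        path = folder / name
        if str(path) in baseline:  # skip duplicate random names
            continue
        data = bytes(rng.getrandbits(8) for _ in range(512))  # filler content
        path.write_bytes(data)
        baseline[str(path)] = hashlib.sha256(data).hexdigest()
    if os.name == "nt":
        # On Windows, set the Hidden attribute so the bait stays out of the
        # user's way (the same reason the posters only saw it with hidden files shown).
        import ctypes
        FILE_ATTRIBUTE_HIDDEN = 0x02
        ctypes.windll.kernel32.SetFileAttributesW(str(folder), FILE_ATTRIBUTE_HIDDEN)
    return folder, baseline


def check_canaries(baseline):
    """Poll the bait and return sorted (path, event) pairs for anything changed.

    "modified": content hash differs (e.g. encrypted in place)
    "missing":  deleted or renamed away (e.g. to name.encrypted)
    "new":      unexpected sibling in a bait folder (ransom note, encrypted copy)
    An empty list means nothing tripped.
    """
    events = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            events.append((path, "missing"))
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            events.append((path, "modified"))
    for folder in {Path(p).parent for p in baseline}:
        for child in folder.iterdir():
            if str(child) not in baseline:
                events.append((str(child), "new"))
    return sorted(events)


def find_suspect_folders(root):
    """Triage helper: directories directly under root whose names are exactly
    five letters, the pattern that started this thread."""
    return sorted(p.name for p in Path(root).iterdir()
                  if p.is_dir() and len(p.name) == 5 and p.name.isalpha())


def demo(seed=1):
    """Plant bait in a temp dir, simulate ransomware touching it, report events."""
    with tempfile.TemporaryDirectory() as tmp:
        folder, baseline = plant_canaries(tmp, seed=seed)
        result = {
            "suspect_folders": find_suspect_folders(tmp),
            "before": check_canaries(baseline),
        }
        victim = Path(next(iter(baseline)))
        victim.write_bytes(b"\x00encrypted\x00" * 8)           # in-place overwrite
        (folder / "HOW_TO_DECRYPT.txt").write_text("pay up")  # ransom note
        result["after"] = check_canaries(baseline)
        return result


if __name__ == "__main__":
    for path, event in demo()["after"]:
        print(f"{event:9} {path}")
```

Run it as a script and it prints one "modified" line for the overwritten bait file and one "new" line for the ransom note. The practical caveat from the thread still applies: a tripwire like this only tells you something touched the bait; it cannot by itself say which process did it, and a tool that plants such folders should document them (file Properties, a README in the folder, or a vendor name) so that the people most likely to notice them do not mistake them for an infection.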

#15 te7


Posted 07 June 2017 - 09:33 AM

Another victim here. After I went to all the trouble of enabling System Restore on my Windows 10 PC (with a successful restore after some time). I also have RansomFree. Luckily I found this thread, and it saved me a lot of headache with malware detection efforts.
