
1 file folder is added to hard drives


5 replies to this topic

#1 steven2426

steven2426

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:31 AM

Posted 11 April 2017 - 11:03 AM

Hello,

Computer Information:

Windows 7 Pro SP1

Intel core I5-4570 @3.20GHz

16.0GB Ram

Nvidia Geforce GTX 650 Graphics Card

 

 

My computer has had a folder added to 'C' Drive (aversions110), 'E' Drive (Cconfiguration197), and 'P' Drive (Aedate237).

When I shift - Delete these folders new ones come back with different or similar names.

All of the folders have various files in them ending in .pem, .xls, .mdb, .txt, .sql, .docx, .xlsx, .rtf, .doc, and .jpg in each folder.

I will not and have not clicked on these files.

It does not matter if I am connected to the internet or not when the folders are deleted new ones take their place.

 

A few days ago I noticed the 2 browsers I use (FF 52.0.2) and Vivaldi (1.8.770.54) ran slow for the first few sites that I use. After that they ran normal.

 

What I have Done:

I have run Zone Alarm Extreme Security and it found no problems.

Malwarebytes premium and it found 1 pup which I deleted.

Spybot search and destroy and it found minimum problems all level 1 or 2. I have not pressed 'fix' as I am not sure that these are causing problems.

Ran CCleaner. No problems

Downloaded and ran Trend's 'Hijack This'

Downloaded and ran Trend's 'RUBotted' and it found nothing.

 

My Experience:

I am computer savvy but not when it comes to things like this and analyzing something like spybot and hijack this.

 

So the question that needs to be asked is: what is on my computer and how do I get rid of it?

 

I appreciate any help you can give me.

 

Steven

 




 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,588 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:31 AM

Posted 12 April 2017 - 05:04 PM

What other security and malware prevention tools are you using? Specifically anything like Cybereason RansomFree, Cybersight RansomStopper, CryptoPrevent Premium (FolderWatch HoneyPot) or similar ransomware protection software?

Some of these programs deliberately create hidden dummy folders containing randomly named .bmp, .png, .gif, .jpg, .pem, .xls, .mdb, .txt, .sql, .docx, .doc, .xlsx, .xls, .rtf, and .txt files in various locations (and partitions) on your computer as part of their functionality. These are actually trap (bait) folders and "canary" files...patterns of files and hidden virtual files that ransomware is attracted to. They are monitored for any changes and meant to be targeted for encryption by ransomware before actual data files. When the anti-ransomware program detects any of these files has been modified it will display an alert that an attack is occurring and ask if you wish to terminate the process that is trying to access them. This feature is sometimes referred to as "Honeypot Detection" or "Entrapment Protection" but is commonly misidentified by users or incorrectly reported as being related to malware.
 
Cybereason RansomFree, Cybersight RansomStopper, CryptoPrevent Premium (FolderWatch HoneyPot) and CryptoMonitor by Nathan (DecrypterFixer) (no longer supported) are security programs which include this feature.

I quote Nathan Scott's explanation of Entrapment Protection from his now closed EasySync web site in this topic.

Entrapment Protection
Entrapment Protection lays numerous different types of traps all around your system that a Ransomware Infection cannot resist to touch. These traps send encrypted pattern signals back and forth between CryptoMonitor and themselves constantly. When a Ransomware Infection falls into one of these traps, the pattern is broken and CryptoMonitor immediately takes action. Once this happens, the machine is locked down and you are alerted about the infection and prompted for your decision on what actions to take. During this time, no file modifications are allowed, so your files are safe while you think about your course of action. With this protection enabled you may notice a few hidden files, registry keys, folders, and services running, but don't worry, they are there to protect you!

Common dummy folder locations with random names typically include My Documents, Desktop and common folder variables such as %User Profile%, %AppData%, %LocalAppData%, %ProgramData%, %Temp%.
 
 
If you attempt to delete these files and folders, RansomFree will re-create them. In fact, any action taken to delete (modify) its features, files and folders most likely will be interpreted as possible ransomware activity and trigger a warning alert.

RansomFree also deploys a “Disconnected Network Drive (A)” which is related to additional protection and detection of ransomware. The developers do not recommend you tamper with the drive.

The use of trap (bait, canary) files and folders is not a 100% solution...some data files probably will end up being encrypted by ransomware but whatever helps with prevention, I consider useful.


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
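
The bait-file behaviour described in the reply above (files planted, watched for changes, re-created when removed), as an added polling sketch that is not part of the original post and is not RansomFree's or any vendor's implementation. The function names and the demo folder name are hypothetical; the extension list is the one reported in the first post.

```python
import hashlib
import os
import secrets
import tempfile

# Extensions the topic starter reported seeing in the bait folders.
BAIT_EXTENSIONS = [".pem", ".xls", ".mdb", ".txt", ".sql",
                   ".docx", ".xlsx", ".rtf", ".doc", ".jpg"]

def _write_bait(path):
    """Write filler bytes (never real data) and return the file's SHA-256."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    data = secrets.token_bytes(256)
    with open(path, "wb") as fh:
        fh.write(data)
    return hashlib.sha256(data).hexdigest()

def deploy_canaries(folder):
    """Create one randomly named bait file per extension; return {path: sha256}."""
    paths = [os.path.join(folder, secrets.token_hex(4) + ext) for ext in BAIT_EXTENSIONS]
    return {p: _write_bait(p) for p in paths}

def check_canaries(baseline):
    """Compare bait files with the baseline; return (path, event) tuples."""
    events = []
    for path, expected in sorted(baseline.items()):
        if not os.path.exists(path):
            events.append((path, "deleted"))
            continue
        with open(path, "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != expected:
                events.append((path, "modified"))
    return events

def restore_canaries(baseline, events):
    """Re-create tampered bait files (same names, a simplification) and re-baseline."""
    for path, _event in events:
        baseline[path] = _write_bait(path)

def demo():
    """Constructed scenario: one bait file overwritten, one deleted."""
    folder = os.path.join(tempfile.mkdtemp(), "bait-demo")  # hypothetical folder name
    baseline = deploy_canaries(folder)
    paths = sorted(baseline)
    with open(paths[0], "wb") as fh:
        fh.write(b"overwritten")   # stands in for an encryption pass
    os.remove(paths[1])            # stands in for a user's Shift-Delete
    events = check_canaries(baseline)
    restore_canaries(baseline, events)
    return events, check_canaries(baseline)
```

A deleted bait file and a modified one both surface as events, which is why a user's manual clean-up of these folders looks the same to the monitor as tampering.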

#3 steven2426


Posted 13 April 2017 - 05:21 AM

I am somewhat embarrassed to report that I left 1 off the list and it was Cybereason that I left off.

On right clicking in the Task bar I note that they have "Pause Cybereason for 1 hour". I am hoping to be able to click on this and delete the folders to verify this with the program paused. If this does not work then I will uninstall the program via Revo Pro then reinstall if I am able to delete the folders.

 

I need to take my wife for an important medical test this morning and when I return I will try this and report back my findings. I just want to make sure that is what the problem is.

 

Thank you for your knowledge and your reply.

 

By the way, how do I insert a photo located on my computer? I had screen captures of the folder contents but when I clicked on the image in your toolbar all I get is a place to insert a URL.

 

Steven



#4 quietman7


Posted 13 April 2017 - 06:10 AM

How do I post a screen shot?

#5 steven2426


Posted 13 April 2017 - 02:40 PM

Final report for this topic. Can be marked Solved.

 

In the task tray I right clicked on the Cybereason icon and clicked on "Pause Cybereason Ransom free for 1 Hour".

I had Computer opened, 1 panel for each drive and as soon as Cybereason paused, the file folders on all 3 drives disappeared.

When I restarted Cybereason the folders reappeared.

I will keep the program as every little bit helps.

 

Read the "How to post screen shots". Been awhile since I ran into this, forgot about it. Not a problem.

 

Thank you for all of your help.

 

Steven



#6 quietman7


Posted 13 April 2017 - 04:32 PM

You're welcome.