Unknown Users in Windows and "Xtransfers46" folder in root folder



#1 ronecook
  • Members
  • 2 posts
  • Gender: Male
  • Location: Greenville, SC USA

Posted 02 April 2018 - 06:32 PM

I purchased the laptop in question, running Windows 7 Professional 64-bit, from an individual, and I have not wiped and reloaded the operating system like I usually do. While using the computer recently, I saw a new folder in the root folder of my C: drive named "Xtransfers46". Inside the folder are files named "concentration recovery kneel knew.xls", "departments_flatten_foam.doc", "editorial might fear.sql", "fashion_improved.rtf", "followed-desperately.pem", "hung_dallas_recognition_widely.docx", "rolled reactionary joe vianna.xlsx", "tiny_indian_trpic_secure.mdb", "verbal-religion.jpg", and "vocational.several.txt". Once I discovered these files and recognized them as suspicious, I deleted them to the recycle bin and then emptied the recycle bin. The folder reappears soon afterwards, although I am unsure whether that occurs after a reboot or some other event. When "Xtransfers46" reappeared, I zipped all the files into an archived folder, deleted them and emptied the recycle bin. I am not sure why I did that, but I wanted to see if I could manipulate the folder and see how the folder and its contents would respond to this manipulation. The folder "Xtransfers46" reappeared in the root folder.

Some time later, I observed two new users in the Windows Users folder. I had previously turned on "Show hidden files, folders and drives" so that I could see anything hidden. These new user folders, "Akcha" and "V28mwf", are marked "hidden" and "Read-only".

I have several computers connected to my home network. After suspecting that the original laptop (laptop #1) was infected, I began to check the other computers which are connected to my network. Laptop #2 shows two new users, "Ak77wu" and "Ugscyt". These folders are marked Read-only, but NOT hidden. The root folder of laptop #2 contains an "Ximages5" folder, with contents similar to laptop #1, but including files with unique names, "classify mathematical worse.rtl", "cogent.increasing.conference.lead.mdb", etc. Looking further, desktop #1 has the mysterious folder in the root folder, but does not have the hidden users. This computer is only on the network for a limited period, and not every day. Laptop #3 is infected and has the two new users and the new folder in the root folder.

So, I am in trouble. I am familiar with most of the software on Bleeping Computer, and have used most of it at one time or other to clean and restore infected computers: Malwarebytes Anti-rootkit & Anti-malware, Spybot S&D, HitmanPro, AdwareCleaner, JRT, Rkill, Ransom Free, etc. Today, however, I am not familiar with the malware which is visiting my computers, nor do I know how to invite it to leave. I welcome the assistance of those who are willing to rescue and restore my computers to normal, and I thank you for your help in advance.

 

 





#2 JohnC_21
  • Members
  • 23,973 posts
  • Gender: Male

Posted 02 April 2018 - 08:20 PM

You are obviously infected. What I would do is pull all the computers off the network. Post in the BC Malware Removal Forum. You will need to explain to the BC member who helps you that you have multiple infected computers. Start with one. Read the pinned posts. You will need to provide the logs requested in the pinned posts or you will be kicked back to this forum. Once one computer is cleaned proceed to the next.



#3 ronecook (Topic Starter)
  • Members
  • 2 posts
  • Gender: Male
  • Location: Greenville, SC USA

Posted 03 April 2018 - 12:18 AM

Thank you, JohnC_21, for your advice. I will begin the process right away! Best wishes!



#4 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,469 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 03 April 2018 - 09:12 PM

What other security and malware prevention tools are installed on the computer? Specifically anything like Cybereason RansomFree, Cybersight RansomStopper, CryptoPrevent Premium (FolderWatch HoneyPot) or similar ransomware protection software?

If so, see my comments in this topic. There are some ransomware protection software which deliberately create hidden dummy (trap, bait) folders containing randomly named "canary" files (.bmp, .png, .gif, .jpg, .pem, .xls, .mdb, .txt, .sql, .docx, .doc, .xlsx, .xls, .rtf, .txt) in various locations and partitions on your computer as part of its functionality. These files and folders are commonly misidentified by users or incorrectly reported as being related to malware.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
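The mechanism quietman7 describes above, written out as an added example so the behaviour the OP saw makes sense: a protection tool drops a folder of decoy "documents" with random dictionary-word names, records their hashes, raises an alarm if one is altered (the way an encryptor would alter it), and re-creates the folder if it is removed, which is why deleting it never makes it stay gone. This is illustration code for this thread, not code from BleepingComputer or from Cybereason RansomFree, and nothing in it is a vendor signature. The folder name "Xtransfers46", the word list and the extensions are lifted from the file names in the first post; `looks_like_decoy` is a naming-style heuristic of my own; the Hidden attribute is set with `attrib +h` on Windows only and skipped elsewhere so the script also runs on a Linux or macOS analysis box.

```python
"""Canary ("bait") folder in the style of the ransomware-protection tools
discussed in this thread. Example code, not RansomFree's implementation."""
import hashlib
import os
import random
import re
import shutil
import subprocess
import sys
import tempfile

# Word list and extensions assembled from the file names the OP listed.
WORDS = ["concentration", "recovery", "kneel", "knew", "departments", "flatten",
         "foam", "editorial", "might", "fear", "fashion", "improved", "followed",
         "desperately", "verbal", "religion", "vocational", "several"]
EXTENSIONS = (".xls", ".doc", ".sql", ".rtf", ".pem", ".docx", ".xlsx",
              ".mdb", ".jpg", ".txt")
SEPARATORS = (" ", "_", "-", ".")
# Heuristic only (my assumption): lowercase words joined by one separator style.
DECOY_STEM = re.compile(r"[a-z]+(?:[ _.\-][a-z]+)*")


def random_decoy_name(rng):
    """One to four random words, one separator style, one document extension."""
    words = rng.sample(WORDS, rng.randint(1, 4))
    return rng.choice(SEPARATORS).join(words) + rng.choice(EXTENSIONS)


def looks_like_decoy(filename):
    """Does this name fit the decoy naming style? Not a vendor signature."""
    stem, ext = os.path.splitext(filename)
    return ext in EXTENSIONS and DECOY_STEM.fullmatch(stem) is not None


def hide_path(path):
    """Set the Hidden attribute on Windows (as the OP observed); no-op elsewhere."""
    if sys.platform == "win32":
        subprocess.run(["attrib", "+h", path], check=False)


def create_bait_folder(root, name="Xtransfers46", count=10, seed=None):
    """Create the bait folder; return (path, {filename: sha256 of its bytes})."""
    rng = random.Random(seed)
    folder = os.path.join(root, name)
    os.makedirs(folder, exist_ok=True)
    hide_path(folder)
    baseline = {}
    while len(baseline) < count:
        fname = random_decoy_name(rng)
        if fname in baseline:          # avoid a duplicate draw
            continue
        size = rng.randint(256, 4096)
        data = rng.getrandbits(8 * size).to_bytes(size, "big")  # junk "document"
        with open(os.path.join(folder, fname), "wb") as f:
            f.write(data)
        baseline[fname] = hashlib.sha256(data).hexdigest()
    return folder, baseline


def check_bait_folder(folder, baseline):
    """Return ("missing"|"tampered"|"ok", [(filename, "deleted"|"modified")])."""
    if not os.path.isdir(folder):
        return "missing", []
    findings = []
    for fname, digest in baseline.items():
        path = os.path.join(folder, fname)
        if not os.path.isfile(path):
            findings.append((fname, "deleted"))
            continue
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                findings.append((fname, "modified"))   # e.g. encrypted in place
    return ("tampered" if findings else "ok"), findings


def ensure_bait_folder(root, name, store, seed=None):
    """Re-create the folder when it is gone; returns (path, recreated)."""
    folder = os.path.join(root, name)
    status, _ = check_bait_folder(folder, store.get(name, {}))
    if status == "missing":
        folder, store[name] = create_bait_folder(root, name, seed=seed)
        return folder, True
    return folder, False


def demo(seed=46):
    """Replay the OP's experience in a temp dir and return what was observed."""
    root = tempfile.mkdtemp()
    try:
        folder, baseline = create_bait_folder(root, seed=seed)
        initial = check_bait_folder(folder, baseline)[0]
        victim = sorted(baseline)[0]
        with open(os.path.join(folder, victim), "wb") as f:
            f.write(b"ENCRYPTED")                      # simulated ransomware write
        after_write = check_bait_folder(folder, baseline)
        shutil.rmtree(folder)                          # the OP deleting the folder
        store = {"Xtransfers46": baseline}
        _, recreated = ensure_bait_folder(root, "Xtransfers46", store, seed=seed + 1)
        return {"names": sorted(baseline), "initial": initial,
                "after_write": after_write, "recreated": recreated,
                "all_decoy_like": all(looks_like_decoy(n) for n in baseline)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the ten generated names, an "ok" check, a "tampered" result naming the decoy that was overwritten, and `recreated: True` after the folder was deleted. The triage lesson is the one quietman7 draws: before treating such a folder as malware, inventory the anti-ransomware products installed on the machine, because a naming heuristic like `looks_like_decoy` can only say the files fit the decoy style, not which product (or, in principle, which lookalike) dropped them.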

#5 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,469 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 04 April 2018 - 06:40 PM

I reread your first post and note that you did mention RansomFree,

....I am familiar with most of the software on Bleeping Computer, and have used most of them at one time or other, to clean and restore infected computers, Malwarebytes Anti-rootkit & Anti-malware, Spybot S&D, HitmanPro, AdwareCleaner, JRT, Rkill, Ransom Free, etc. ...

If you installed Cybereason RansomFree on this computer then I suspect that is indeed the program which created these hidden folders and files.




