Windows 10 64-bit is on C: drive. D: drive is a software RAID that I keep almost all of my data on. My security software is Avira Free Antivirus and Cybereason RansomFree.
I first noticed D:\!Cfound104 a few days ago. It's hidden. Directory listing:
commerce terms signify utterly.sql
There was also a .mdb that I deleted.
I tried to delete the folder several times. The first time (or second), I just used the regular delete procedure (which moves the folder to the Recycle Bin) and it wouldn't delete. RansomFree said it was preventing malicious action. The next few times, I held down SHIFT as I pressed the DEL button and it deleted. But it returned with a different folder name. The first character was always an exclamation point. I don't know if the files in it were the same. Lastly, I tried to delete all of the files in
Now that D:\!Cfound104 is empty, another folder has appeared. D:\!Cfound104 was the first folder alphabetically on D: - now there's D:\!Bcache4. It's hidden and the first folder alphabetically on D:. There's D:\Xsettingsettings5 - hidden and with somewhat similar files in it. It is the last folder alphabetically on D:.
Now after I've been poking around, I find other weird folders. I've moved my Documents folder from C:\Users\marc\Documents to D:\My Documents. Now I've found D:\My Documents\!Iapplication216, D:\My Documents\Xsorted8 and D:\My Documents\Ywrap70. All are hidden, all contain files akin to those in D:\!Cfound104, and they are the last two folders alphabetically in D:\My Documents.
I've found weird folders in C: - C:\Cversions75 and C:\Xvalue179 (not hidden and the first and last folders alphabetically in C:) - and - C:\Users\Akdyojx and C:\Users\Ql5z5uz (hidden and the first and last folders alphabetically in C:\Users). All four have files akin to those in D:\!Cfound104. All of these weird folders have been scanned with Avira, which found nothing.
I had a look in C:\Program Files, C:\Program Files (x86), C:\ProgramData, C:\Windows, C:\Windows10Upgrade, and a couple of other folders and haven't found anything else. Yet.
Just yesterday I noticed an additional mapped drive to a drive on my media server that duplicates a mapped drive that I created. I deleted the duplicate. Just now I see another duplicate mapped drive here. It has the same drive letter as the one I deleted last night, but I can't remember if it is mapped to the same drive on the media server as the duplicated mapped drive last night was. The media server runs Linux Lite.
What's going on here? Should I just nuke and pave? My media server is where I back up my data to. If I have some type of malware, how do I ensure that I don't transfer the malware to the media server? I don't want to transfer it over there, only to re-infect my Windows machine when I restore the data.
Are there any other questions I should ask?
Thanks to all.
Edited by marcerickson1, 19 May 2018 - 04:56 PM.