Weird directories - some hidden - all over my Windows 10 computer



#1 marcerickson1

Posted 19 May 2018 - 03:31 PM

Windows 10 64 bit is on C: drive.  D: drive is a software RAID that I keep almost all of my data on.  My security software is Avira Free Antivirus and Cybereason RansomFree.

I first noticed D:\!Cfound104 a few days ago.  It's hidden.  Directory listing:

confer.meeting.control.doc
arrivefriendly.pem
commerce terms signify utterly.sql
conquest_aim.docx
defendsubjectapplaud.xls
eugene-television-danger.mdb
hellotruckconcepts.xlsx
housing thomas.rtf
lordsuggestclearentering.doc
painswept.jpg
property-talents.txt

There was also a .mdb that I deleted.  

I tried to delete the folder several times.  The first time (or second), I just used the regular delete procedure (which moves the folder to the Recycle bin) and it wouldn't delete.  RansomFree said it was preventing malicious action.  The next few times, I held down SHIFT as I pressed the DEL button and it deleted.  But it returned with a different folder name.  The first character was always an exclamation point.  I don't know if the files in it were the same. Lastly, I tried to delete all of the files in

Now that D:\!Cfound104 is empty, another folder has appeared.  D:\!Cfound104 was the first folder alphabetically on D: - now there's D:\!Bcache4.  It's hidden and the first folder alphabetically on D:.  There's D:\Xsettingsettings5 - hidden and with somewhat similar files in it.  It's the last folder alphabetically on D:.

Now after I've been poking around, I find other weird folders. I've moved my Documents folder from C:\Users\marc\Documents to D:\My Documents.  Now I've found D:\My Documents\!Iapplication216, D:\My Documents\Xsorted8 and D:\My Documents\Ywrap70.  All are hidden, all contain files akin to those in D:\!Cfound104, and they are the last two folders alphabetically in D:\My Documents.

I've found weird folders in C: - C:\Cversions75 and C:\Xvalue179, (not hidden and the first and last folders alphabetically in C:) - and - C:\Users\Akdyojx and C:\Users\Ql5z5uz (hidden and the first and last folders alphabetically in C:\Users).  All four have files akin to those in D:\!Cfound104.  All of these weird folders have been scanned with Avira, which found nothing.

I had a look in C:\Program Files, C:\Program Files (x86), C:\ProgramData, C:\Windows, C:\Windows10Upgrade, and a couple of other folders and haven't found anything else.  Yet.

Just yesterday I noticed an additional mapped drive to a drive on my media server that duplicates a mapped drive that I created.  I deleted the duplicate.  Just now I see another duplicate mapped drive here.  It has the same drive letter as the one I deleted last night, but I can't remember if it is mapped to the same drive on the media server as the duplicated mapped drive last night was.  The media server runs LinuxLite.

What's going on here?  Should I just nuke and pave?  My media server is where I back up my data to.  If I have some type of malware, how do I ensure that I don't transfer the malware to the media server?  I don't want to transfer it over there, only to re-infect my Windows machine when I restore the data.

Are there any other questions I should ask?


Thanks to all.


Edited by marcerickson1, 19 May 2018 - 04:56 PM.



#2 marcerickson1

Posted 24 May 2018 - 03:53 AM

Reply from Cybereason:


Hello Marc,

The files and folders that you're seeing are expected behavior of RansomFree. They are bait files that lure ransomware toward them first. This enables RansomFree to detect and stop ransomware before it's able to encrypt your valuable files.

The canary files are designed so that ransomware will likely attack them first, minimizing the number of your own files that are affected when a ransomware attack occurs. You can also read more about them from our FAQ section on our website from the link below.

https://ransomfree.cybereason.com/faq/#1481108823971-7a4150b6-8a0b

Canary folders and canary files exist in four general parts of a user's file system:

- All main drives (non-removable, non-USB-connected)
- The main users directory (usually C:\Users)
- Each logged-in user's "Documents" (My Documents) directory
- Each logged-in user's "Desktop" directory

To be a little more specific, and to help you find these files, they begin with folder names with a letter that ensures their place at the top of either an ascending or descending alphabetical sort of the folder in which they appear. The remainder of the folder name consists of either random letters, numbers, or tech-related words such as (Adkji123, X9tools09).

Note: Do not remove the canary files, as they are necessary for ransomware detection. If removed, the files are regenerated automatically after a short period of time.

Kind regards,
Cybereason Support Team
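The naming and placement scheme the support reply describes, written out as an added example that is not Cybereason's or RansomFree's code: it builds folder names that pin themselves to the first and last position of an ascending sort ("!" sorts before every letter and digit; X/Y/Z sort after ordinary folder names), seeds them with bait files, records a hash baseline, and reports any bait file that is later modified or removed, which is the signal a canary-based ransomware monitor alerts on. The word list, file extensions and the `looks_like_canary` heuristic are constructed assumptions for this example, not RansomFree's real lists; the hidden attribute the product sets is platform-specific and omitted.

```python
"""Canary (bait) folders pinned to the sort boundaries of a directory, with an
integrity check that reports when a bait file is modified or removed.
Added example, not RansomFree's code; word list, extensions and the
name heuristic are constructed assumptions."""
import hashlib
import random
import tempfile
from pathlib import Path

# Constructed fragments used to build names; not Cybereason's real lists.
WORDS = ["cache", "found", "settings", "sorted", "wrap", "versions", "value", "application"]
EXTENSIONS = [".doc", ".docx", ".xls", ".xlsx", ".pem", ".sql", ".mdb", ".rtf", ".jpg", ".txt"]


def canary_folder_name(position: str, rng: random.Random) -> str:
    """Name that lands first ("top") or last ("bottom") in an ascending sort:
    "!" (0x21) sorts before every digit and letter, X/Y/Z sort after the
    ordinary folder names a user is likely to have."""
    if position == "top":
        prefix = "!" + rng.choice("ABCDEFGHIJ")
    elif position == "bottom":
        prefix = rng.choice("XYZ")
    else:
        raise ValueError(f"unknown position {position!r}")
    return f"{prefix}{rng.choice(WORDS)}{rng.randint(0, 999)}"


def looks_like_canary(name: str) -> bool:
    """Heuristic for the scheme above: sort-pinning prefix, a word from the
    list, then digits. Assumption for this example only."""
    if name.startswith("!") and len(name) > 2 and name[1].isupper():
        body = name[2:]
    elif name[:1] in ("X", "Y", "Z") and len(name) > 1:
        body = name[1:]
    else:
        return False
    word = body.rstrip("0123456789")
    return word in WORDS and word != body


def plant_canaries(root: Path, rng: random.Random, files_per_folder: int = 4) -> dict:
    """Create one top and one bottom canary folder under root, fill each with
    bait files of random content, and return {path: sha256} as the baseline.
    Setting the hidden attribute is platform-specific and omitted here."""
    baseline = {}
    for position in ("top", "bottom"):
        folder = root / canary_folder_name(position, rng)
        folder.mkdir()
        for i in range(files_per_folder):
            name = f"{rng.choice(WORDS)}-{rng.choice(WORDS)}{i}{rng.choice(EXTENSIONS)}"
            content = bytes(rng.getrandbits(8) for _ in range(512))
            path = folder / name
            path.write_bytes(content)
            baseline[str(path)] = hashlib.sha256(content).hexdigest()
    return baseline


def check_canaries(baseline: dict) -> dict:
    """Re-hash every bait file. Returns {path: "ok" | "modified" | "missing"};
    anything other than "ok" is the signal a monitor would alert on."""
    report = {}
    for path_str, digest in baseline.items():
        path = Path(path_str)
        if not path.is_file():
            report[path_str] = "missing"
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            report[path_str] = "modified"
        else:
            report[path_str] = "ok"
    return report


def demo(seed: int = 7) -> dict:
    """Plant canaries beside ordinary folders in a temp directory, confirm they
    sit at both ends of the listing, then simulate one bait file being
    overwritten and one removed, and re-check."""
    rng = random.Random(seed)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for ordinary in ("My Documents", "Program Files", "Users"):
            (root / ordinary).mkdir()
        baseline = plant_canaries(root, rng)
        listing = sorted(p.name for p in root.iterdir())
        before = check_canaries(baseline)
        overwritten, removed = sorted(baseline)[:2]
        Path(overwritten).write_bytes(b"constructed stand-in for altered content")
        Path(removed).unlink()
        after = check_canaries(baseline)
        return {
            "listing": listing,
            "canaries_in_listing": [n for n in listing if looks_like_canary(n)],
            "all_ok_before": all(s == "ok" for s in before.values()),
            "modified": sorted(p for p, s in after.items() if s == "modified"),
            "missing": sorted(p for p, s in after.items() if s == "missing"),
            "overwritten": overwritten,
            "removed": removed,
        }


if __name__ == "__main__":
    result = demo()
    print("directory listing:", result["listing"])
    print("modified:", result["modified"])
    print("missing:", result["missing"])
```

Running `demo()` shows why the folders in the first post sat at the top and bottom of every listing: an ascending sort places the "!"-prefixed folder before "My Documents" and the X/Y/Z-prefixed one after "Users". The hash baseline is the defender-side half of the idea: the bait content is never needed by anyone, so any change to it is unambiguous, and a real monitor would watch these paths continuously rather than re-hash on demand. Deleting the folders, as the support reply notes, simply removes the baseline the product relies on.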
