[SOLVED] Is this ransomware?

spodeworld
Dec 31, 2016
Hi - My D and E drives (my data drives) keep getting these bizarre folders showing up all of a sudden, with file names that don't seem to make sense. Cybereason told me that it found ransomware and stopped it. None of my files seem to be locked at this point (even after a restart). I've run Malwarebytes and Avast - nothing found. I also ran the Kaspersky Anti-Ransomware Tool for Home (free). Nothing found. Same for Trend Micro HouseCall online.

But, every time I delete these folders, new ones with similar names come back.

Here are some of the names on my D drive:
__Ecached189
__Elogs251
__Fresources255
abprogram12
acpackage35
acprogram123

on my E drive:
__Ecaches217
__Estorage34
Ostorage11
Rdata43
 
Cybereason doesn't seem to have any logs. But I remember that it popped up and told me it found suspected ransomware and asked if I wanted to go ahead with the recommended action (I should have taken a screenshot) - I said yes. I'm running a full virus scan on all drives now, but will check in safe mode later. Seems like whenever I try to delete the folders, other ones with similar names show up. Also when I restart. But even when I run various virus scans on those folders, they come up as clean.
Bizarre folder names, as listed in your OP (Original Post).

What are the actual filenames and their respective file extensions in those folders?

If no files appear, check that the Hidden Files box is checked via the View tab.

Open Task Manager and Task Scheduler: do you see any references to Cybereason? Or any of the listed folder names, either in part or whole?

Also look for any applications that you did not put into Startup.

No need to immediately delete or change - just investigate further to identify what those apps are and do.
 
Anything mysterious running in task manager?

(A look at autoruns and/or a freefixer scan might be helpful...; clearly something is regenerating those folders, and it very likely is some sort of attempted ransomware...; if you can't find what is generating the folders, and a few assorted tools don't identify the process causing them, a nuke and pave may be the safest alternative...)
 
There's a lot of stuff in there - is there a way to get a list of what's in there and post it?
 
Some more folders showed up - here are some of the names of the files inside one new folder:

authority monday offered.sql
blockreservenotebookhut (appears to be a Word file)
fast.slide.utopian.loaded (appears to be a text file)
fork.bomb.kill.circumstances
gift.ranging
king_bobbie
mend.night.mental.led
oedipus.recently.year.close (appears to be an Excel file)
offense-ache (appears to be an Access file)
retail.namely.pem


I ran a full scan by Avast yesterday - came back clean.
 
It may be an innocuous program doing this. Starting from scratch will allow you to easily find the culprit. Start with a minimal build (maybe just Windows updates, drivers, and one of your favorite games) and see if the folders appear. Then slowly start adding your other applications and programs.
 
Any pattern with respect to the times that the folders and files start to appear?

  • During or after playing some game.
  • During or after running some utility or application
  • During or after using a particular browser
  • During or after some software update
  • During or after visiting some particular website
  • Are the D: and E: drives shared and available to other network devices/users?
Use File Explorer to examine some of those mysterious folders and files.

Right click either a Folder or a File, and select "Properties" at the bottom of the drop down menu.

Take a look at the various tabs and properties therein - may reveal some common factor.
 
I just looked at File History and noticed that this has been going on forever, starting back in 2018, which is when I set up this PC. It might be harmless because I haven't noticed anything after all this time (or not).

There are as of now 894 of these folders with about 9K of these files in File History for my D drive since 3/2018! (I'll probably delete them.)

What I noticed on my D drive is that when I remove the folders it usually creates 2 new ones within a few minutes - same for my E drive - both data drives. But I just deleted them and did nothing, and then used Chrome and Edge very briefly, but after about 15 minutes they still haven't created new ones. I must be using something that causes new ones to get created after deleting those folders. Maybe that's what I need to track down. Another test would be to see what happens after a restart.

After speaking with Microsoft help, I ran a full scan with Microsoft's Safety Scanner tool at their recommendation - scanned everything (except my drives with my drive images) and it found nothing. Am now running a full scan with esetonlinescanner, also recommended by the Microsoft Help chat, about 1/4 of the way done with that and so far nothing (a few million files between all drives). Just like all my other scans.

I also did check the properties of some of the weird files and nothing really stood out.

This is so weird


Any pattern with respect to the times that the folders and files start to appear?

  • During or after playing some game.
  • During or after running some utility or application --> that's what I need to figure out
  • During or after using a particular browser --> just tried Chrome and Edge after deleting and they didn't come back
  • During or after some software update
  • During or after visiting some particular website --> good question
  • Are the D: and E: drives shared and available to other network devices/users? --> No
Use File Explorer to examine some of those mysterious folders and files.

Right click either a Folder or a File, and select "Properties" at the bottom of the drop down menu.

Take a look at the various tabs and properties therein - may reveal some common factor.

 
Yes: Keep using File History.

Maybe just leave it open as a very small window.

Watch for when a folder appears and then take note of what you were doing and what all is running.

Try that as the system currently is.

If that fails to find the culprit then (per @alceryes) start with the minimal build and slowly start adding programs.
Just keep File History visible in order to catch the creation of new folders and files.
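The "watch for when a folder appears and note what is running" step can be automated. This is an added example, not code from the thread: it watches the drive roots named in the OP for new folders matching the observed naming scheme, records which processes were running at that instant, and then reports the processes common to every event. The log path is an assumption; it assumes PowerShell 5.1 on Windows 10.

```powershell
# Added example (not from the thread). Watches D:\ and E:\ (drives from the OP) for new
# top-level folders whose names look like __Ecached189 / abprogram12 / Rdata43, and
# snapshots the running processes each time one appears. Log path is an assumption.
$drives  = @('D:\', 'E:\')
$logFile = 'C:\folder-watch.log'                 # assumed location
$pattern = '^(__)?[A-Za-z]+\d+$'                 # optional "__", letters, then digits

$action = {
    $name = $Event.SourceEventArgs.Name
    if ($name -notmatch $Event.MessageData.Pattern) { return }
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    # Every process with a resolvable image path at the moment the folder was created.
    $procs = @(Get-Process | Where-Object { $_.Path } |
               Select-Object -ExpandProperty Path -Unique | Sort-Object)
    $entry = [pscustomobject]@{ Time      = $stamp
                                Folder    = $Event.SourceEventArgs.FullPath
                                Processes = $procs }
    Add-Content -Path $Event.MessageData.Log -Value ($entry | ConvertTo-Json -Compress)
    Write-Host "$stamp  new folder $($entry.Folder)  ($($procs.Count) processes recorded)"
}

# After several folders have been logged, this lists the processes that were running
# at EVERY creation; the culprit (or the program that launches it) should be in that set.
function Get-CommonProcesses([string]$Log = 'C:\folder-watch.log') {
    if (-not (Test-Path $Log)) { return }
    $common = $null
    foreach ($line in Get-Content $Log) {
        $procs = @(($line | ConvertFrom-Json).Processes)
        if ($null -eq $common) { $common = $procs }
        else { $common = @($common | Where-Object { $procs -contains $_ }) }
    }
    $common
}

$watchers = foreach ($d in $drives) {
    $w = New-Object System.IO.FileSystemWatcher $d
    $w.IncludeSubdirectories = $false            # only new folders in the drive root
    $w.NotifyFilter = [System.IO.NotifyFilters]::DirectoryName
    Register-ObjectEvent -InputObject $w -EventName Created -Action $action `
        -MessageData @{ Pattern = $pattern; Log = $logFile } | Out-Null
    $w.EnableRaisingEvents = $true
    $w
}
Write-Host "Watching $($drives -join ', '). Delete the odd folders, then wait; Ctrl+C to stop."
try     { while ($true) { Start-Sleep -Seconds 5 } }
finally {
    Get-EventSubscriber | Unregister-Event
    $watchers | ForEach-Object { $_.Dispose() }
    Write-Host 'Processes present at every logged creation:'; Get-CommonProcesses $logFile
}
```

Each logged line is one JSON record, so the log can also be opened later to compare the timestamps against the File History view the reply describes.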
 
So I did a scan with the ESET Online Scanner, also recommended by Microsoft help, and it found these results:

9/25/2020 8:34:17 AM
Files scanned: 1633032
Detected files: 22
Cleaned files: 22
Total scan time 07:26:08
Scan status: Finished
E:\__Downloads\advanced-systemcare-setup.exe multiple detections,a variant of Win32/IObit.G potentially unwanted application,Win32/IObit.J potentially unwanted application,a variant of Win32/IObit.AG potentially unwanted application,Win32/UwS.AdvancedSystemCare.A application,a variant of Win32/IObit.AH potentially unwanted application,a variant of Win32/IObit.M potentially unwanted application,a variant of Win32/IObit.J potentially unwanted application,Win32/IObit.D potentially unwanted application,a variant of Win32/IObit.D potentially unwanted application cleaned by deleting

E:\__Downloads\PhotoScapeSetup_V3.7.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting

E:\__Downloads\rcsetup153.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting

E:\__Downloads\spsetup130.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting

E:\__Downloads\zafwSetupWeb_150_653_17211.exe a variant of Win32/FusionCore.L potentially unwanted application deleted

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\$RECYCLE.BIN\S-1-5-21-677981649-1969434523-1367932014-1001\$R7HLFRR (2020_04_07 14_35_27 UTC).exe a variant of Win32/FusionCore.L potentially unwanted application deleted

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\$RECYCLE.BIN\S-1-5-21-677981649-1969434523-1367932014-1001\$RGPVDT7 (2019_12_08 16_14_09 UTC).exe multiple detections,a variant of Win32/IObit.G potentially unwanted application,Win32/IObit.J potentially unwanted application,a variant of Win32/IObit.AG potentially unwanted application,Win32/UwS.AdvancedSystemCare.A application,a variant of Win32/IObit.AH potentially unwanted application,a variant of Win32/IObit.M potentially unwanted application,a variant of Win32/IObit.J potentially unwanted application,Win32/IObit.D potentially unwanted application,a variant of Win32/IObit.D potentially unwanted application cleaned by deleting

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\$RECYCLE.BIN\S-1-5-21-677981649-1969434523-1367932014-1001\$RULW7RM (2019_02_21 01_12_52 UTC).exe a variant of Win32/IObit.AE potentially unwanted application,a variant of Win32/IObit.AG potentially unwanted application,a variant of Win32/IObit.AX potentially unwanted application,a variant of Win32/IObit.AH potentially unwanted application cleaned by deleting

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\__Downloads\advanced-systemcare-setup (2017_03_21 11_20_09 UTC).exe multiple detections,a variant of Win32/IObit.G potentially unwanted application,Win32/IObit.J potentially unwanted application,a variant of Win32/IObit.AG potentially unwanted application,Win32/UwS.AdvancedSystemCare.A application,a variant of Win32/IObit.AH potentially unwanted application,a variant of Win32/IObit.M potentially unwanted application,a variant of Win32/IObit.J potentially unwanted application,Win32/IObit.D potentially unwanted application,a variant of Win32/IObit.D potentially unwanted application cleaned by deleting

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\__Downloads\advanced-systemcare-setup (2017_05_15 11_46_18 UTC).exe multiple detections,a variant of Win32/IObit.G potentially unwanted application,Win32/IObit.J potentially unwanted application,a variant of Win32/IObit.AG potentially unwanted application,Win32/UwS.AdvancedSystemCare.A application,a variant of Win32/IObit.AH potentially unwanted application,a variant of Win32/IObit.M potentially unwanted application,a variant of Win32/IObit.J potentially unwanted application,Win32/IObit.D potentially unwanted application,a variant of Win32/IObit.D potentially unwanted application cleaned by deleting

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\__Downloads\driver_booster_setup (1) (2020_02_03 13_35_37 UTC).exe a variant of Win32/IObit.AN potentially unwanted application,a variant of Win32/IObit.AU potentially unwanted application,a variant of Win32/IObit.AQ potentially unwanted application,a variant of Win32/IObit.AS potentially unwanted application cleaned by deleting

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\__Downloads\driver_booster_setup (2019_03_05 15_52_01 UTC).exe a variant of Win32/IObit.AJ potentially unwanted application,a variant of Win32/IObit.AE potentially unwanted application,a variant of Win32/IObit.AH potentially unwanted application,a variant of Win32/IObit.AU potentially unwanted application,a variant of Win32/IObit.AG potentially unwanted application,a variant of Win32/IObit.Z potentially unwanted application cleaned by deleting

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\__Downloads\driver_booster_setup_c (2019_01_02 14_30_39 UTC).exe a variant of Win32/IObit.AJ potentially unwanted application,a variant of Win32/IObit.AE potentially unwanted application,a variant of Win32/IObit.AH potentially unwanted application,a variant of Win32/IObit.AU potentially unwanted application,a variant of Win32/IObit.AG potentially unwanted application,a variant of Win32/IObit.Z potentially unwanted application cleaned by deleting

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\__Downloads\driver_booster_setup_free (2019_04_29 23_01_00 UTC).exe a variant of Win32/IObit.AJ potentially unwanted application,a variant of Win32/IObit.AE potentially unwanted application,a variant of Win32/IObit.AH potentially unwanted application,a variant of Win32/IObit.AU potentially unwanted application,a variant of Win32/IObit.AG potentially unwanted application,a variant of Win32/IObit.Z potentially unwanted application cleaned by deleting

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\__Downloads\PhotoScapeSetup_V3.7 (2017_03_21 11_20_09 UTC).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\__Downloads\PhotoScapeSetup_V3.7 (2017_05_15 11_46_18 UTC).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\__Downloads\rcsetup153 (2017_03_21 11_20_09 UTC).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\__Downloads\rcsetup153 (2017_05_15 11_46_18 UTC).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\__Downloads\spsetup130 (2017_03_21 11_20_09 UTC).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\__Downloads\spsetup130 (2017_05_15 11_46_18 UTC).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\__Downloads\zafwSetupWeb_150_653_17211 (2017_03_21 11_20_09 UTC).exe a variant of Win32/FusionCore.L potentially unwanted application deleted

J:\FileHistory\sbren\BRENER-HOME-PC\Data\D\__Downloads\zafwSetupWeb_150_653_17211 (2017_05_15 11_46_18 UTC).exe a variant of Win32/FusionCore.L potentially unwanted application deleted
 
Malware can end up on any drive. Mostly a matter of how much effort the bad guys wish to make towards infecting other files or drives. And not draw attention to such efforts.

J: drive? Is that drive known to you?

Is that drive via the same computer hosting the original D: and E: drives? If not, where is that drive?

In the "Type here to search" box, type "Create and format hard drive partitions".

You will not be doing that.

What you will be doing is capturing and posting the resulting Disk Management window.
 
Hi - The J drive is a portable HDD. It houses my File History for Windows 10.
 
Do the unexplained folders and files start appearing after the portable HDD (J: drive) has been connected?

Did you install any software relating to:

advanced-systemcare-setup

driver_booster_setup

rcsetup153

spsetup

zafwSetupWeb

Noted a reference to a Bundled Toolbar....

Are any related utilities being launched at startup via Task Manager?
 
I've installed all those at some point. Here's an image of a Cybereason warning that popped up just now when I moved one of the new folders into a folder I created called Potential Malware: https://photos.app.goo.gl/APcxqW6GmqvW7HB7A
Do not move such folder or files any more. Just delete them outright if at all possible.

Uninstall every one of those software apps.

Use the corresponding uninstaller if there is one.

Otherwise just use Windows.

Look for any download folders that contain the application's zip files. Delete those files as well.

Ensure that "Show hidden files" is checked.

Check Task Manager and Task Scheduler for references to any of the applications.

Look in Process Explorer for any references to any of them. (You may need to download Process Explorer via Microsoft's website.)

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

Stop any related running processes that you cannot identify. Do go online first and search to learn what any given process actually is and what it may be doing.

Run your AV apps on the J: drive - full scan.

There may be other ideas and suggestions posted. I have no problem with that.

Just "look before you leap"...
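The checks this reply asks for (Task Scheduler, startup entries, running processes) can be run in one pass. This is an added example, not code from the thread or from any of the tools named in it: it is read-only, stops nothing, and searches for the installer and vendor names that appear in the ESET output above. It assumes PowerShell 5.1 on Windows 10 from an elevated prompt.

```powershell
# Added example (not from the thread). Read-only search of Task Scheduler, the Run/RunOnce
# registry keys and running processes for the applications flagged in the ESET scan.
# Keyword stems are taken from the scan log in the thread; nothing is deleted or stopped.
$keywords = @('iobit', 'systemcare', 'driver_booster', 'photoscape',
              'rcsetup', 'spsetup', 'zafw')

function Test-Match([string]$Text) {
    if (-not $Text) { return $false }
    foreach ($k in $keywords) { if ($Text -match [regex]::Escape($k)) { return $true } }
    return $false
}
function New-Hit($Source, $Name, $Command, $State) {
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; State = $State }
}

$hits = New-Object System.Collections.Generic.List[object]

# 1. Scheduled tasks: task path/name plus every action's executable and arguments.
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        if ((Test-Match "$($t.TaskPath)$($t.TaskName)") -or (Test-Match $cmd)) {
            $hits.Add((New-Hit 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" $cmd $t.State))
        }
    }
}

# 2. Run / RunOnce keys for the machine (incl. 32-bit view) and the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }         # skip PSPath, PSParentPath, ...
        if ((Test-Match $p.Name) -or (Test-Match "$($p.Value)")) {
            $hits.Add((New-Hit 'RunKey' "$key\$($p.Name)" "$($p.Value)" ''))
        }
    }
}

# 3. Running processes, matched on process name and image path.
foreach ($proc in Get-Process) {
    if ((Test-Match $proc.ProcessName) -or (Test-Match $proc.Path)) {
        $hits.Add((New-Hit 'Process' "$($proc.ProcessName) (PID $($proc.Id))" $proc.Path 'running'))
    }
}

if ($hits.Count -eq 0) { 'No references to the flagged applications found.' }
else { $hits | Format-Table -AutoSize -Wrap }
```

Anything it lists is a lead to research before acting on, exactly as the reply advises; add further stems to `$keywords` if other installer names turn up in later scans.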