[SOLVED] Suspicious files with invalid extentions reappear after deletion

Container for RESOLVED incidents, queries SOLVED by the experts, EXPIRED topics or those that have been CLOSED by the users.
Locked
avogadroschosen
Registered user
Registered user
Posts: 1
Joined: Thu, 09 Feb 2017, 11:47

[SOLVED] Suspicious files with invalid extentions reappear after deletion

Post by avogadroschosen » Thu, 09 Feb 2017, 15:02

I am dealing with a problem with suspicious files appearing at peculiar locations on a Windows 7 PC. The folders appear in directories like C:\, the Windows "temp" folder, the library folder, and the documents folder for each individual user. Inside each folder is a series of MS Office files, a JPEG, and a .txt document, though none of them can be opened by their respective programs. Each file and folder also has a suspicious name, as if random words were chosen from a dictionary and combined with numbers. For example a folder named "Abmirror89" or an Access file titled "fabrics.efforts.objection". Some of the folders are also hidden. If any of the folders are deleted, they all reappear within a few minutes with new names and filled with new files following a similar pattern, even after deleting with "Unlocker." The folders also seem to reinitialize after a reboot. A screenshot of one of the folders has been included.

I have scanned the entire PC offline with Panda Free Antivirus, Malwarebytes Free, Rogue Killer, TrendMicro CWS, BitDefender Rootkit Removal, TrendMicro RootKitBuster, and Spybot. None revealed any serious infections; only PUPs and the remains of a toolbar. Neither ADW Cleaner nor HijackThis shows any suspicious processes or services. I installed Cybereason Ransom Free and Malwarebytes AntiExploit and neither has yet to detect any malicious processes. I booted the PC using MS DaRT and removed each of the files through the Explorer feature, then checked for invalid OS files in case of a root kit. Upon rebooting the PC, the folders and files were recreated. There are no other symptoms than these suspicious files and folders.

UPDATE: I booted Windows in safe mode and deleted all of the files I could identify following similar random pattern. The files did not return while in safe mode, even if rebooted back into safe mode. However, they reappeared after a normal startup. I also discovered a new instance of these random files on the Windows system reserve space (D:\.) I have scanned the PC with rescue discs from Panda, AVG, and Bitdefender. None found any more signs of infection.

I have encountered similar problems before, but none which the previous measures did not neutralize the issue. Does this description match any particular malware variants? Could this be an undiscovered threat? Is there a simpler explanation as to why malware hasn't been detected?
2017-02-09 03_30_08-Greenshot.jpg
Example of random files
2017-02-09 03_30_08-Greenshot.jpg (330.52 KiB) Viewed 5922 times

mp3duk
Registered user
Registered user
Posts: 2
Joined: Tue, 14 Feb 2017, 21:30

Re: Suspicious files with invalid extentions reappear after deletion

Post by mp3duk » Tue, 14 Feb 2017, 22:25

I have a very similar problem on my PC. Folders with seemingly random names with a series of documents appear and keep re-appearing after being deleted. Scans from a big diversity of anti-malware solutions show no indication of compromise.

Today I ran ProcMon (from sysinternals). This leaded to a very disturbing insight. The process that keeps re-creating the random folders with documents is "system"...

Unless anybody else has any bright ideas or solutions for this problem, I think I will need to completely format and reinstall the system...

Anybody????

User avatar
VirusBuster
Official moderator
Official moderator
Posts: 7596
Joined: Mon, 02 Apr 2012, 18:53
Location: Panda HQ - Bilbao

Re: Suspicious files with invalid extentions reappear after deletion

Post by VirusBuster » Tue, 21 Feb 2017, 16:15

Sorry for the delay
avogadroschosen wrote:I have scanned the entire PC offline with Panda Free Antivirus
Bear in mind that it is a cloud based product and by scanning offline you will lose detection capacity
Try running a scan with Panda Cloud Cleaner in Trusted Boot Scan mode
The web help is related to Trj/Necurs but the steps to activate the Trusted Boot Scan mode are the same

Does it detect anything?

In case the problem persists, we will need a Panda Support Information log
Regards,

Image
Jorge Torre
TechSupport Department - Panda Security

I don't reply to private messages unless I have previously requested them

mp3duk
Registered user
Registered user
Posts: 2
Joined: Tue, 14 Feb 2017, 21:30

Re: Suspicious files with invalid extentions reappear after deletion

Post by mp3duk » Sat, 04 Mar 2017, 13:21

I finally figured out what is causing these files and folders to constantly re-appear: I'ts the cryptolocker-prevention-tool: Cyberreason RansomFree.

When I de-activate Cyberreason RansomFree the created files and folders disappear. When I re-activate RansomFree the files and folders re-appear.

Problem solved...

User avatar
VirusBuster
Official moderator
Official moderator
Posts: 7596
Joined: Mon, 02 Apr 2012, 18:53
Location: Panda HQ - Bilbao

Re: Suspicious files with invalid extentions reappear after deletion

Post by VirusBuster » Mon, 06 Mar 2017, 10:05

ISSUE SOLVED
Regards,

Image
Jorge Torre
TechSupport Department - Panda Security

I don't reply to private messages unless I have previously requested them

Locked

Return to “Virus - Archive Issues”