Jump to content

Unexpected directories appearing - is this malware?

Recommended Posts

I run a simple system - a Win7 PC and a Synology NAS protected by Malwarebyes (3.06), and MS security essentials.

Over the last few days I've noticed directories and files appearing on one of the the NAS partitions which is dedicated to mirroring the content of my main data drive.

The directories have irregular names like X30n, Xdates236, xdocuments167, xhelper197 etc. Within each of  these directories are 10 files with names like conferences.bridget.bought.rude.pem, educational.involved.indigenous.jpg, hughes.machine.rtf, liberty.emancipate.dish.txt, regularly_coefficient_ramey.sql. These file names bear no relation to any content on my system and the files themselves and when I try to open them in a sandboxed environment the formats are reported as invalid.

I'm an experienced user but haven't seen this behaviour before. I've run various security scans but none of them picks anything up. Suggestions welcome!

Link to post
Share on other sites

  • Root Admin

Hello @cpearmain and :welcome:


I'm not familiar with those names either but we can check your computer to see what's loading or running and try to get to the bottom of it.


Please read the following and post back the 3 requested logs as an attachment.
Diagnostic Logs

Link to post
Share on other sites

Thanks for your swift response Ron.

I have uploaded the logs as requested. I've also sent a couple of screen shots illustrating the structure of the directories being created and the files contained within them. Since I posted here I've noticed that similar directories are appearing on the main PC drive.

I'd be grateful for any assistance you can offer.

Charles Pearmain





Screen Capture of shared drive on NAS - 1.JPG

Screen Capture of shared drive on NAS - 2.JPG

Link to post
Share on other sites

  • Root Admin

Though you're using Firefox as your default browser I would highly recommend that you update Internet Explorer to version 11

Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)

Have you setup the Apache web server on your system at some point?

S2 Apache2.4; "Q:\xampp\apache\bin\httpd.exe" -k runservice [X]

Please uninstall the following Java unless it's required for a specific program written in that old version of Java. If poossible run your computer without Java. If you have to have it make sure it's up to date at all times.

Java 7 Update 21 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217021FF}) (Version: 7.0.210 - Oracle)
Java 7 Update 25 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417025FF}) (Version: 7.0.250 - Oracle)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)

Please read the following article concerning the use of MSCONFIG
Msconfig Is Not A Startup Manager

You're running a very old unsupported version of Malwarebytes. Please uninstall the program and download the latest 3.0.6 version of Malwarebytes and then after the update run a Threat Scan from your system and post back that new log. Follow the removal instructions below

Please uninstall your current version of MBAM and reinstall the latest version using the following guide. MBAM Clean Removal Process 2x



Link to post
Share on other sites

  • Root Admin

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.



Link to post
Share on other sites


Thank you for your helpful suggestions.

  • I have removed Java as recommended.
  • I do run Apache as part of the AMPPS portable development environment. It is installed on an External drive (Q)
  • I use (and have done so for many years!) Winpatrol to manage my startup programs
  • I'm running the latest version of MBAM - v 3.0.6 (as reported by the application). I don't know whether there are remnants of earlier installations still present that are being reported by your analysis tool? Should I still follow your instructions to do a clean removal and restore? How do I preserve my Premium (never expire) licence if I do this - the 'Deactivate Licence' option in MBAM/My Account/Subscription Details?

I attach the 'Fixlog.txt' file as requested.


Link to post
Share on other sites

  • Root Admin

If you have the latest version and it's working well then no need to remove and reinstall it.

How is the computer running now? Are those file, folders still showing up? Meaning, new ones, not the ones that are already there.



Edited by AdvancedSetup
Link to post
Share on other sites

I'm still seeing these directories being created at set times, however when they are deleted, a different pair of directories are created almost immediately. By trial and error I think I've tracked down the culprit to Cybereason's RansomFree application that I installed a couple of weeks ago. Ironically this was to plug a perceived gap in Malwarebytes V2.x.x - the lack of ransomware protection.

With the arrival of MBAM V3, I guess the Cybereason product is redundant and may be removed?

I'm sorry to waste your time on what turns out to have been a wild goose chase but am impressed with your support - thank you!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.