straycat19 Posted December 27, 2016

I had a friend bring his computer to me this evening because he thought it was infected with something. So I booted it with my flash drive and ran a couple of scanners on it, and they found absolutely nothing. So I asked him why he thought that it was infected and he showed me some files. Every file on the computer, with the exception of those in C:\Windows, My Documents, My Pictures, My Video, and My Music, had a file created with the same name, size, date, and creation and modified dates but with ~a1b2c3d4 added at the end. For example, program.exe would also have program.exe~a1b2c3d4 and program.dll would also have program.dll~a1b2c3d4. The extensions were exactly that: they were all different and jumbled but exactly 8 places. These files had an access date of 12/15/2016. At this point I made a full forensic image of the drive. I then took a look at the files. They are perfectly normal files; rename an exe to org and then remove the suffix off the identical file and it runs as a normal executable. I have never seen anything like this ever. I tried to do a little research on his system, but his event logs are erased at every startup and his cookies and history are deleted when his browsers are closed. In total there are 98,040 files occupying 26.2 GB. I deleted all except 1635 files which refuse to delete normally, so I will have to take special steps to delete them. (I have looked at every software package he has on his system and there is nothing unusual: Office 2013, Acronis TrueImage, IE, Chrome, Firefox, Photoshop, NitroPDF, a few small games, VueScan, PowerISO, VirtualBox, CorelDraw, MPC-HC, Foobar2000, and a few others. Nothing out of the ordinary, and none of them are pirated programs; they are all retail licensed versions since he doesn't do that dishonest stuff.)

If you have seen this before and know what is causing it I would like to know, because I have seen a lot of weird things in 49 years but nothing like this.
46&2 Posted December 27, 2016

"(I have looked at every software package he has on his system and there is nothing unusual, Office 2013, Acronis TrueImage......."

I am sorry, can't help much as I have never seen anything like what you describe either. Since you can delete the suffix and the files run normally, it surely is NOT a "crypto" type ransomware, unless maybe one that was written poorly and while changing the suffix it neglected to actually encrypt the files. I dunno. I quoted you above; look at the last two words: Acronis TrueImage. He did NOT have a backup?
straycat19 (Author) Posted December 27, 2016

He had a backup at home but I didn't have access to it. (I keep telling him to get a Drobo 5N since it can be accessed from anywhere in the world.) Since the files were easy to identify because they looked like this:

acd.dll
acd.dll~1j4dfqwm
ade.dll
ade.dll~p267era

I just used a copy of UltraFileSearchStd_470, used the wildcard .???~???????? and set the date to 12/15/2016 12:00 a.m. to 12/15/2016 11:59 p.m., and it found all the files and I deleted them. The ones I couldn't delete in Windows I used a boot flash drive and ran the program from it and deleted the remaining files. It was actually faster than going to his house today or having him bring his NAS unit here, since I finished it in less than an hour last night. Wouldn't have been a crypto ransomware because it didn't touch any of his personal files, and those are the target of ransomware. What good would it do to encrypt program files and not his documents or pictures? That is what really makes it so weird, besides the fact he doesn't visit any suspicious sites and knows better than to click a link in an email. He is a Mac guy; this is his first Windows computer that I convinced him to buy when he retired 5 years ago. He still has his first Mac, an Apple II that he proudly shows off. He taught me everything I know about Macs and has been a source of information for many years.
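The triage the thread describes (find every `name~XXXXXXXX` file that sits beside a `name` original, confirm it is a true duplicate, then decide about deletion) can be done over a mounted forensic image with a short script instead of a wildcard search. This is an added example and not code from the thread or from UltraFileSearch; the suffix pattern (`~` plus exactly 8 alphanumerics), the default `Windows` directory exclusion and the sample tree are assumptions constructed from the posts above, and the script only reports, it deletes nothing.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Pattern described in the thread: "<original name>~<8 jumbled characters>" (assumed)
SUFFIX_RE = re.compile(r"^(?P<base>.+)~(?P<tag>[A-Za-z0-9]{8})$")

def sha256_of(path: Path) -> str:
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_shadow_copies(root: Path, exclude_dirs=("Windows",)) -> list[dict]:
    """List every '<name>~XXXXXXXX' file sitting beside a '<name>' original,
    noting whether size and content match, so nothing is deleted blind."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directory names the thread reports as untouched (assumed default).
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]
        present = set(filenames)
        for name in filenames:
            m = SUFFIX_RE.match(name)
            if not m or m.group("base") not in present:
                continue  # suffix without an original beside it: not a shadow copy
            copy, original = Path(dirpath) / name, Path(dirpath) / m.group("base")
            same_size = copy.stat().st_size == original.stat().st_size
            hits.append({
                "copy": str(copy), "original": str(original),
                "same_size": same_size,
                "identical": same_size and sha256_of(copy) == sha256_of(original),
            })
    return sorted(hits, key=lambda h: h["copy"])

def build_sample_tree() -> Path:
    """Constructed sample tree: two shadowed DLLs (one byte-identical, one not)
    and one suffixed file with no original next to it."""
    root = Path(tempfile.mkdtemp(prefix="shadow_demo_"))
    app = root / "Program Files" / "App"
    app.mkdir(parents=True)
    (app / "acd.dll").write_bytes(b"MZ" + b"\x00" * 100)
    (app / "acd.dll~1j4dfqwm").write_bytes(b"MZ" + b"\x00" * 100)
    (app / "ade.dll").write_bytes(b"MZ" + b"\x01" * 50)
    (app / "ade.dll~p267era1").write_bytes(b"MZ" + b"\x02" * 50)  # same size, different bytes
    (app / "orphan.exe~abcd1234").write_bytes(b"x")  # no original: ignored
    return root
```

A copy that is the same size but not byte-identical is exactly the case worth examining before bulk deletion, since it is no longer the harmless duplicate the thread describes.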