Anyone ever seen this particular malicious beast before?

britechguy (Well-Known Member, Staunton, VA)
This is one of the strangest situations I've ever encountered with regard to any sort of infection. This is occurring on the Dell Inspiron where I just did a clean reinstall of Windows (though not completely, as in I did not hop out and do a diskpart clean, since I'm keeping the machine) last night. After that, I've let Windows "restore" the Dell based on what is backed up on my LG Gram, and I also reinstalled M365, AMD Adrenaline (for keeping the drivers up to date), Intel Support Assistant, and Dell Support Assistant, but that's all.

I have had a string of screaming warnings from Windows Defender this morning all of the general nature shown below, and all the threats are in that bizarre folder.

[Attachment: threat.jpg]

[Attachment: threat2.jpg]

This keeps happening, over and over and over again on this machine, so I intend to do a complete nuke and pave in a few minutes. Even after doing a Windows Defender Offline Scan, after the machine has "come back to life" for a few moments, I start getting this stream again.
 
Looks like you've got an infected file in OneDrive. I doubt a nuke n' pave will fix it. Download all your OneDrive files offline to the computer and run another scan. Hopefully it will identify which file is infected and you can log into your OneDrive account at onedrive.com and delete it from there.

EDIT: To clarify, Defender won't allow you to download an infected file to your computer. Defender scans all files downloaded from OneDrive. It looks like an infected file is being downloaded, removed by Defender, then downloaded again. You need to either completely disable Defender before trying to take your files offline, or better yet, download your files manually from onedrive.com. Then when you go to extract the zip file, Defender will tell you which file is infected or removed and you can then manually remove it from OneDrive.

If you do choose to just take all files offline instead of manually downloading them from OneDrive, enable and connect to the guest network on your router and make sure it's completely isolated from the rest of the network. That way if you end up downloading some ransomware it hopefully won't be able to infect any network shares you may have on your network. You should also run the net use */delete command to delete any saved network credentials and unmap any network drives you might have. That way if you do get infected by ransomware and aren't aware of it until you reconnect to your real network, it won't have your credentials. You shouldn't allow Windows to save any credentials for network shares in the first place, but people are lazy and I wouldn't blame you for keeping this "feature" enabled.

Another alternative: if this is a recent issue, the file might have been uploaded to OneDrive fairly recently. You can manually back up any recent files and revert your entire OneDrive to a few days ago. Though it's possible this file was uploaded to OneDrive a long time ago and you're only experiencing this now because this is the first time you've tried to download it.

Infected files in OneDrive really suck.
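As an added example (not code from anyone in this thread), here is a PowerShell script that does the two things the reply above describes: it reads Defender's own detection history to find which OneDrive path keeps getting flagged (and how many times), and it unmaps network drives and deletes saved network credentials before the OneDrive content is taken offline on an isolated network. It assumes an elevated PowerShell on Windows 10/11 with the Defender module present; the OneDrive root path is a placeholder you adjust to the account's actual folder.

```powershell
# Added example, not from the thread. Run elevated on Windows 10/11.
# Assumed/hypothetical: the OneDrive root folder location below.
$OneDriveRoot = Join-Path $env:USERPROFILE 'OneDrive'

function Get-RepeatedDefenderHits {
    param([string]$PathPrefix = $OneDriveRoot)
    # Each detection lists its affected objects in .Resources as strings such as
    # "file:_C:\Users\me\OneDrive\x.exe"; keep only file resources under the prefix.
    Get-MpThreatDetection |
        ForEach-Object {
            $det = $_
            foreach ($r in $det.Resources) {
                if ($r -match '^file:_(.+)$' -and $Matches[1] -like "$PathPrefix*") {
                    [pscustomobject]@{
                        Path     = $Matches[1]
                        ThreatID = $det.ThreatID
                        Time     = $det.InitialDetectionTime
                    }
                }
            }
        } |
        Group-Object Path |
        Sort-Object Count -Descending |
        ForEach-Object {
            # Resolve the numeric ThreatID to Defender's threat name for the report.
            $threat = Get-MpThreat | Where-Object ThreatID -eq $_.Group[0].ThreatID
            [pscustomobject]@{
                Path       = $_.Name
                Hits       = $_.Count
                ThreatName = $threat.ThreatName
                FirstSeen  = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
                LastSeen   = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            }
        }
}

function Remove-NetworkFootprint {
    # Drop every mapped drive and remembered connection (what "net use * /delete" does),
    # then delete saved Windows credentials for SMB/domain targets so anything picked up
    # while offline cannot reuse them when the machine is moved back onto the real LAN.
    net use * /delete /y | Out-Null
    $targets = cmdkey /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
    }
    foreach ($t in $targets) {
        # Only remove network-share style entries; leave Git, VPN and other generic ones alone.
        if ($t -like 'Domain:target=*') {
            cmdkey /delete:$t | Out-Null
            Write-Host "Removed saved credential: $t"
        }
    }
}

# A path that appears with a high Hits count and a recent LastSeen is the item being
# re-downloaded and re-quarantined in a loop; delete it from onedrive.com, not locally.
Get-RepeatedDefenderHits | Format-Table -AutoSize
# Remove-NetworkFootprint   # uncomment before taking OneDrive content offline
```

The detection report is read-only and safe to run first; the credential cleanup is left commented out because it is disruptive (every mapped drive goes away) and should only be run once the machine is already on the isolated guest network.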
 
The thing is that this is not occurring on any of the other machines where OneDrive is in use for the same account, not even once, and I have restarted, done scans, done anything I thought might trigger it on my other machines. Nada.

I am going to try a nuke and pave first. But now there's another wrinkle: when I try to do "the usual completely clean reinstall" I am not permitted to do my usual escape out to diskpart at the language selection screen, and when I get to the "where do you want to install" choices it's being cranky because, you guessed it, the drive was BitLockered. I did not bother to turn this off immediately last night.

Microsoft has been making it consistently easier to do nuke and paves until BitLocker entered the picture as the default state, and all that ease seems to have been rolled back (effectively, anyway).
 
P.S.: I'll be using Rufus to create my bootable Windows Media at least until the option for removing automatic BitLocker Device Encryption goes away.

Burning a new bootable thumb drive with that pernicious feature disabled at this moment.
 
The thing is that this is not occurring on any of the other machines where OneDrive is in use for the same account, not even once, and I have restarted, done scans, done anything I thought might trigger it on my other machines. Nada.
It's likely that on those other machines OneDrive is not trying to download the file to be stored locally. The infected file may only be available in the cloud on those other machines. The only reason OneDrive is trying to download the file on the new machine is because it has a fresh install of Windows.

P.S.: I'll be using Rufus to create my bootable Windows Media at least until the option for removing automatic BitLocker Device Encryption goes away.

Burning a new bootable thumb drive with that pernicious feature disabled at this moment.
Yeah, I was just about to suggest that. BitLocker is great, but it shouldn't be forced on users. People should have the choice whether to enable it or not. Only a teeny tiny percentage of the population actually needs BitLocker enabled. Businesses need it of course, with the exception of some very small businesses, and regular people who travel a lot, but that's about it. I enable BitLocker on the drives that I use to back up my computer every six months and then store in a safe deposit box in my bank. I have a (somewhat justified) fear of my billing not going through on my safe deposit box and the bank throwing my drives away. I don't care about the drives themselves so much, but I don't want all my data falling into someone else's hands.
 
I'd log into the web portal for OneDrive and start looking. The file nested inside, beginning with S-1-5-21, is interesting. Files with those names are typically registry-type files, like SIDs etc.
 
Well, so far a nuke and pave after having decrypted the system drive and done a format on the OS partition is showing no sign of the same issue as things are progressing. It took a while to show up, but I'm not sure how long before.

I still have no issues on any other machines using OneDrive and one of those was set up within the past several weeks when I got an SSD and decided to nuke and pave that machine setting it up as a new machine, too.

The difference here being that I did decide to use the Win11 backup of my LG Gram's apps, settings, etc., as recovery for the Dell, but this is not a full system image in any way, shape or form. It's interesting to see how everything slowly makes its way on to the machine being set up over a very long time since the restore is being done over WiFi.
 