This morning while reinstalling Windows 10, I was looking for some files in my [AppData]/Local folder and found a bunch of folders that appear to be associated with something called "Aliyun". When I searched for it, it appears to be something inserted from China. There are eight (8) folders that have been created, all with the following format:
[AppData]/Local/unali-######### (Where '#########' is a number between '792531' and '217336302' on my machine)
I searched for "remove Aliyun" and got this page: https://leijingwei.com/posts/remove-and-block-aliyun/ . It looks pretty complicated to get rid of this thing. Is this something I should worry about? Is there a way to have Norton360 antivirus remove it?
I did some more digging and figured out that all of these components of Aliyun are a support system for the backup software I use (which is a Chinese-based software system). I wrote to the Support group of the company to verify it, and received the following reply:
----------------------------
Firstly, we confirm these files are part of our products.
Secondly, why do our products contain some files related to Aliyun?
Aliyun is a business cloud storage provider in China, which is the counterpart of OneDrive or AWS. It provides cloud storage service for numerous individuals and enterprises, and our Todo Backup also uses its service as EaseUS cloud. That is why you find relevant files in our products.
Finally, we deeply understand your concern about data security and privacy issues, and we can promise that these files are totally harmless, and they will not steal your personal information. You are not recommended to delete these files from your computer, as it will lead to the corruption of our software.
If you have any problems with our products, please contact us without hesitation.
FWIW!! The 8 folders shown are not present on any of my machines. Please review the screenshot provided. This IS a viral package that remains resident on the drive, as that is what it is designed to do. Though you didn't install it, it's there. There are websites that push malware unknowingly. A simple visit will start the process of intrusion. Downloading FREEWARE SOFTWARE is another favorite avenue for delivering a malicious package. Alibaba Cloud services are the most likely source of your files and were most likely resident before the Windows reinstall. Did you reinstall due to a prior infection or suspected infection?
There is a forum post over on Bleeping Computer which identifies Aliyun as an embedded trojan which they successfully remediated. You can also go there for assistance if you wish.
Have you tried reformatting your drive before installing the OS?
If you have reformatted before laying down the new image, then the files would have come from your Windows 10 image. If you did not reformat, then it is possible those files were there all along. If it were me, I would try to remove those files in any way possible, either by following the instructions in the link you provided or doing a clean install.
It is a great deal of work to restore all personal data, files and 3rd party software. I have done this several times over the last 10 years and found it to be 2-3 days' worth of work to get back to normal. But in the end I had a clean system.
I didn't SAY it "was a virus". I gave as much information as I had and ASKED if it COULD BE a virus.
"Aliyun has been continuously flagged as a malicious domain that delivers malware" - I did not install it or request it, I simply discovered it after my Windows 10 upgrade and asked about it. When I Googled the filenames, THAT'S WHERE 'Aliyun' "came into the picture."
The image I downloaded and used to upgrade the machine was from a supposed Microsoft site:
I scanned my machine both with Norton360 and with Malwarebytes. Norton reported nothing; and Malwarebytes found about 20 "PUPs" and quarantined them all, but none of them indicate that they have anything to do with "Aliyun", and the files I reported as being found in my [AppData]/Local folder are still there and were not removed.
All: THE issue I read into this is WHERE did the image come from that is being used to reinstall Windows 10? If replacing the hard drive was the issue and if the OP had the OS registered under his MS credentials, they only needed the ISO to make a bootable USB drive.
Aliyun has been continuously flagged as a malicious domain that delivers malware; therefore, where does Aliyun come into the picture?
Have you scanned with Norton or Malwarebytes to determine that it is a virus? The info I found says it is a cloud computing company from China associated with Alibaba. There is much to be said about spyware if you have read the latest news about TikTok, also another Chinese venture.
If you scan and you find a virus you will be able to remove it. Otherwise you will have to remove it yourself as long as you are not using any of the software for other reasons of course.