Plug-ins do not move by themselves (except for the FXPansion's limited edition polterGEIST
)
I have never heard of any malware moving them either.
----------------------------------------
Anyway, organising your plug-ins, removing duplicates etc would be a good idea. But it may take some time.
Are you using Reaper 64-bit or Reaper 32-bit? Are you using any other hosts?
Many people set up 2specific folders for their 64-bit and 32-bit VST2 plug-ins; e.g. C:/VST_plugins/64 and C:/VST_plugins/32, with sub-folders for different developers or categories (reverbs, EQ, synths, etc). VST3 plug-ins have to go (I think[*]) in specific folders ( C:\Program Files\Common Files\VST3 and C:\Program Files\Common Files (x86)\VST3 ) or sub-folders therein.
Once you have decided on the folder organisation you would need to uninstall each plug-in, using the developer's recommended method, tidy up any debris then reinstall the plug-in into the desired location.
As for VST2 vs VST3, I cannot comment as I have never used the latter.