Community Help Hub

Former Member · ‎11-12-2014

Can somebody please help me clean my computer of this virus?

Two desktop.ini files have appeared by themselves on my desktop as well as in other folders e.g.

C:\Program Files

Libraries\Documents

I am highly suspicious of these files as my computer seems to be running slower than it normally does, and is very slow to start up. When I log in to Windows 7 before loading the start-up screen it goes black for about 2 minutes before it appears. My issue seems to be very similar to this discussion(https://community.mcafee.com/thread/66993?tstart=0), however I am convinced I have a virus on my computer.

This issue follows from my McAfee virus scan finding two Artemis! issues which I posted about two days ago (https://community.mcafee.com/thread/75058). After being told that artemis!C649BD38C313 was a legitimate file and I could restore it, I am again highly suspicious of it because it has shown up again in my virus scan. This is very similar to the circumstances affecting michaelm2 in the discussion noted in the previous paragraph. He also ran a scan showing an artemis a couple of days before two desktop.in files appeared on his desktop.

What I have done to try and remove the virus

I have also read this discussion () and have done the following to try and remove the virus:

Ran a full scan of McAfee with the latest updates -this returned artemis!C649BD38C313, which again could not be quarantined
Ran Stinger -no virus's were found
Ran Malwarebytes Anti-Malware -which found a bunch of suspicious programs which I quarantined.

These actions don't seem to have fixed the issue has my desktop is still showing the desktop.ini files. Any help on this issue would be greatly appreciated.

Kind regards

Sta5y

catdaddy · ‎11-12-2014

Please try the following Removal Guide:Remove "Search Protect by Conduit" virus (Removal Guide)

Regards,

Catdaddy

McAfee Volunteer Moderator

Consumer Products

Cliff
McAfee Volunteer

catdaddy · ‎11-12-2014

The first Removal Guide should also remove the (Pup.Optional.Default Tab.A) as well. For it basically utilizes the same Tools. However should it be the case it does not, The following Removal Guide additionally uses the "Junkware" Removal Tool :Remove PUP.Optional.DefaultTab (Removal Guide)

I noticed you said you had "Quarantined" the Detections? I recommend Selecting them all to be removed/Restart.

You may find these two articles most informative on how they may have arrived on your system:

Regards,

Catdaddy

McAfee Volunteer Moderator

Consumer Products

Cliff
McAfee Volunteer

Former Member · ‎11-12-2014

Thanks Catdaddy, I'll go through that guide.

Do you have advice about what is creating the desktop.ini files?

catdaddy · ‎11-12-2014

You are quite Welcome

Did you ever submit the Artemis! Files to McAfee Labs. If so you should have received Analysis ID #,S.

Try those Removal Guides, and please kindly post back your results.

Regards,

Catdaddy

Cliff
McAfee Volunteer

Former Member · ‎11-12-2014

I tried to submit the Artemis, but it failed to submit. Can you please confirm I did it correctly? I went to "Quarantined and Potentially Unwanted Programs", selected the Artemis, then clicked "Send to McAfee".

Here are the results of the AdwCleaner:

# AdwCleaner v4.101 - Report created 13/11/2014 at 00:59:52

# Updated 09/11/2014 by Xplode

# Database : 2014-11-11.2 [Live]

# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

# Username : stat5y - STAT5Y-PC

# Running from : C:\Users\stat5y\Downloads\adwcleaner_4.101.exe

# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Public\Util

Folder Deleted : C:\Users\stat5y\AppData\Local\Temp\mt_ffx

Folder Deleted : C:\Users\stat5y\AppData\Local\Google\Chrome\User Data\Default\Extensions\bopakagnckmlgajfccecajhnimjiiedh

Folder Deleted : C:\Users\stat5y\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl

File Deleted : C:\END

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL

Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE

Key Deleted : HKLM\SOFTWARE\Classes\FVDToolbar.CTBShow

Key Deleted : HKLM\SOFTWARE\Classes\FVDToolbar.CTBShow.1

Key Deleted : HKLM\SOFTWARE\Classes\FVDToolbar.CToolbarShower

Key Deleted : HKLM\SOFTWARE\Classes\FVDToolbar.CToolbarShower.1

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{065C1A21-97F8-45FB-A9F0-861B60FACEC8}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3204358F-5904-46A6-841F-D6B5BE3EF4E3}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3AE67737-0E3E-44AA-AA5E-46A68BF017FF}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3EE5B726-044A-48D2-AA7B-049BD9A0F62A}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{60FBBE03-57FF-49D8-B38E-053D3F489825}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6A5182F1-C0B8-42B8-96CC-7F329CD46913}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C153418-8E4D-4FAF-AF27-5201E38463A7}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A26A2F05-AC4D-4A1E-9531-9125F7309B78}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5D6240-7DF0-435D-9B9B-F8586A99DE86}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F343045E-E20A-46E1-82D8-9962C43EFC9E}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FBB360DC-CB6C-4D6A-808A-2C773151BFFF}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFD7DDAC-EC28-42A5-8D39-917B9078604B}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{964E5B18-8C68-42A2-91F7-99605C8777D9}

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\DefaultTab

Key Deleted : HKCU\Software\Softonic

Key Deleted : HKLM\SOFTWARE\Conduit

Key Deleted : HKLM\SOFTWARE\DefaultTab

Key Deleted : HKLM\SOFTWARE\Funmoods

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17344

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]

-\\ Mozilla Firefox v16.0.2 (en-US)

-\\ Google Chrome v38.0.2125.111

*************************

AdwCleaner[R0].txt - [4252 octets] - [13/11/2014 00:56:06]

AdwCleaner[S0].txt - [3981 octets] - [13/11/2014 00:59:52]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4041 octets] ##########

catdaddy · ‎11-12-2014

Your screenshot shows that it detected both "Search Protect/Default Tab as well. Please Delete/Remove/Restart to remove all remnants. As for submitting the Artemis! detections, please refer to this thread on how to submit.

Cliff
McAfee Volunteer

exbrit · ‎11-12-2014

You know that desktop.ini files will also appear when you have system files checked in folder options > view in Windows Explorer?

catdaddy · ‎11-12-2014

Yes, That is why I asked if they showed up in Task Manager...

Cliff
McAfee Volunteer

Former Member · ‎11-12-2014

I did read that is some other discussions. What I don't understand is why that setting would check itself? My understanding is before they appeared it wouldn't have been checked in folder options, then somehow it becomes checked. Is it then a virus that has checked this in folder options?

Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Community Help Hub

Join the Community