sta5y
Level 7
Message 1 of 21

Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Can somebody please help me clean my computer of this virus?

Two desktop.ini files have appeared by themselves on my desktop as well as in other folders e.g.

C:\Program Files

Libraries\Documents

I am highly suspicious of these files as my computer seems to be running slower than it normally does, and is very slow to start up. When I log in to Windows 7 before loading the start-up screen it goes black for about 2 minutes before it appears. My issue seems to be very similar to this discussion (https://community.mcafee.com/thread/66993?tstart=0), however I am convinced I have a virus on my computer.

This issue follows from my McAfee virus scan finding two Artemis! issues which I posted about two days ago (https://community.mcafee.com/thread/75058). After being told that artemis!C649BD38C313 was a legitimate file and I could restore it, I am again highly suspicious of it because it has shown up again in my virus scan. This is very similar to the circumstances affecting michaelm2 in the discussion noted in the previous paragraph. He also ran a scan showing an artemis a couple of days before two desktop.ini files appeared on his desktop.


What I have done to try and remove the virus

I have also read this discussion () and have done the following to try and remove the virus:

  • Ran a full scan of McAfee with the latest updates - this returned artemis!C649BD38C313, which again could not be quarantined
  • Ran Stinger - no viruses were found
  • Ran Malwarebytes Anti-Malware - which found a bunch of suspicious programs which I quarantined.
  • Malwarebytes Scan.PNG

These actions don't seem to have fixed the issue, as my desktop is still showing the desktop.ini files. Any help on this issue would be greatly appreciated.

Kind regards

Sta5y

20 Replies
Reliable Contributor catdaddy
Message 2 of 21

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Please try the following Removal Guide: Remove "Search Protect by Conduit" virus (Removal Guide)

Regards,

Catdaddy

McAfee Volunteer Moderator

Consumer Products

Cliff
McAfee Volunteer
Reliable Contributor catdaddy
Message 3 of 21

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

The first Removal Guide should also remove the (Pup.Optional.Default Tab.A) as well. For it basically utilizes the same Tools. However, should it be the case it does not, the following Removal Guide additionally uses the "Junkware" Removal Tool: Remove PUP.Optional.DefaultTab (Removal Guide)

I noticed you said you had "Quarantined" the Detections? I recommend Selecting them all to be removed/Restart.

You may find these two articles most informative on how they may have arrived on your system:

Regards,

Catdaddy

McAfee Volunteer Moderator

Consumer Products

Cliff
McAfee Volunteer
sta5y
Level 7
Message 4 of 21

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Thanks Catdaddy, I'll go through that guide.

Do you have advice about what is creating the desktop.ini files?

Reliable Contributor catdaddy
Message 5 of 21

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

You are quite Welcome

Did you ever submit the Artemis! files to McAfee Labs? If so, you should have received Analysis ID #'s.

Try those Removal Guides, and please kindly post back your results.

Regards,

Catdaddy

Cliff
McAfee Volunteer
sta5y
Level 7
Message 6 of 21

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

I tried to submit the Artemis, but it failed to submit. Can you please confirm I did it correctly? I went to "Quarantined and Potentially Unwanted Programs", selected the Artemis, then clicked "Send to McAfee".

Here are the results of the AdwCleaner:


Reliable Contributor catdaddy
Message 7 of 21

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Your screenshot shows that it detected both "Search Protect/Default Tab" as well. Please Delete/Remove/Restart to remove all remnants. As for submitting the Artemis! detections, please refer to this thread on how to submit.

Cliff
McAfee Volunteer
Reliable Contributor exbrit
Message 8 of 21

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

You know that desktop.ini files will also appear when you have system files checked in folder options > view in Windows Explorer?

Reliable Contributor catdaddy
Message 9 of 21

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

Yes, that is why I asked if they showed up in Task Manager...

Cliff
McAfee Volunteer
sta5y
Level 7
Message 10 of 21

Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

I did read that in some other discussions. What I don't understand is why that setting would check itself? My understanding is before they appeared it wouldn't have been checked in folder options, then somehow it becomes checked. Is it then a virus that has checked this in folder options?
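
As an added example, not part of any post in this thread: a read-only PowerShell check for the folder-options point raised above. It reads the two Explorer values that control whether desktop.ini is displayed and lists the desktop.ini files in the per-user and Public desktop folders, which Explorer merges into one visible desktop. The registry value names and the choice of folders are this example's assumptions about a default Windows 7 profile.

```powershell
# Added example: read-only triage, nothing on the system is changed.

# Explorer folder options for the current user.
#   Hidden          : 1 = show hidden files, 2 = do not show them
#   ShowSuperHidden : 1 = show protected operating system files, 0 = hide them
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Get-ItemProperty -Path $key |
    Select-Object Hidden, ShowSuperHidden |
    Format-List

# The visible desktop is the per-user folder merged with the Public one,
# so a desktop.ini in each shows up as two icons once protected files are shown.
$desktops = @(
    [Environment]::GetFolderPath('DesktopDirectory'),
    [Environment]::GetFolderPath('CommonDesktopDirectory')
)

foreach ($dir in $desktops) {
    $ini = Join-Path $dir 'desktop.ini'
    if (-not (Test-Path -LiteralPath $ini)) { continue }

    # -Force is needed because the file normally carries Hidden and System attributes.
    Get-Item -LiteralPath $ini -Force |
        Select-Object FullName, Attributes, Length, CreationTime, LastWriteTime |
        Format-List

    # desktop.ini is plain text; print it so its sections can be read directly.
    Get-Content -LiteralPath $ini -Force
    ''
}
```

A file that shows the Hidden and System attributes and a creation time matching the profile's age was already there before it became visible; what changed is the folder-options setting, and that is the value to compare before and after a cleanup run.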
