Rootkit/desktop.ini Problem

I'm running Windows 8 on my PC laptop (currently posting on a Mac).

This morning when I booted up, there were two instances of "desktop.ini" on my desktop, which I had never seen before, so I Googled it. I found many forums telling me it was harmless, but also others telling me that this was caused by a rootkit virus. Indeed, I found many more instances of desktop.ini in other folders on my computer, such as Music and Videos. I decided to run a full scan of my computer using McAfee AntiVirus Plus (fully up-to-date). No issues were detected; however, I did notice that, whilst monitoring the scan, the item listed as "Scanning" (for example, "C:\Users\Michael\etc. etc. etc.") occasionally came up as just "Rootkit". Even still, no issues were detected.

I followed instructions listed in forums such as this one, using programs like Stinger, Rkill, and Kaspersky TDSSKiller, but again, no results were obtained. All of this was performed outwith safe mode; however, I have just finished a full scan of my hard drive in safe mode without any results being obtained. Additionally, in safe mode, Real-Time Scanning turned itself off automatically, no matter how many times I turned it back on. I performed a system restore earlier, and whilst this did get rid of the instances of "desktop.ini", I ran an additional full scan, and the "Rootkit" item came up again (although not being picked up as an issue by McAfee). I'm thinking that a full system reset is in order, unless anyone has any suggestions? Also, I don't have the OS disc with me currently, so I'd have to wait a few weeks until I get home to perform a reset. Would it be sufficiently safe to simply refrain from using the laptop until then, changing the passwords of my internet accounts on my Mac?

Accepted Solutions
catdaddy (Reliable Contributor)
Message 2 of 13

Re: Rootkit/desktop.ini Problem

Hi michaelm2,

Welcome to the McAfee Communities. Please do not be alarmed when seeing "Rootkit" while performing a scan. This simply means that McAfee is "Scanning for Rootkits", not that you actually have one. This has been mentioned by all Moderators, and the wording, if I am not terribly mistaken, will be addressed in the future.

After all of your scans have been run and no detections found, I would not be concerned, especially if your Security Center displays "You are Secure". To ease your mind even further, you can find a list of Superb Tools (Free) under my Signature, in the second link.

Especially "Malwarebytes" (Free) version only. Run this program in Normal Mode.

Edited for Typos....

All the very Best,

Message was edited by: catdaddy on 5/16/14 11:36:48 AM CDT
Cliff
McAfee Volunteer

12 Replies
Re: Rootkit/desktop.ini Problem
Thanks for the help (and Ex_Brit)! Is the disabling of Real-Time Scanning a Safe Mode thing? I've just rebooted normally and it all seems to be fine.

exbrit (Reliable Contributor)
Message 4 of 13

Re: Rootkit/desktop.ini Problem
By the way, under Folder Options > View you probably need to turn off viewing hidden system files; then such files would not be visible anyway.

http://www.eightforums.com/tutorials/4067-folder-options-open-windows-8-a.html

Plus, yes, McAfee says "Scanning: Rootkit"... what it means is scanning FOR rootkits.
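The advice above hinges on desktop.ini being a normal Explorer artefact that only becomes visible when "hide protected operating system files" is turned off. A practitioner would still want a quick plausibility check before dismissing the files. The script below is an added example, not code from the thread or from McAfee: it walks a folder tree, and for every desktop.ini reports whether it carries the Hidden and System attributes Explorer sets, how large it is, and which INI sections it contains. The list of "known" section names and the 4 KB size threshold are assumptions chosen for illustration, not documented limits, so treat a flag as "worth opening in Notepad", not as a detection.

```powershell
# Added example (not from the thread): triage desktop.ini files under a folder tree.
# Explorer writes desktop.ini as a small Hidden+System file whose content is INI
# sections such as [.ShellClassInfo]; it is shown on the Desktop only when "Hide
# protected operating system files" is unticked. Assumptions: the known-section
# list and the 4 KB size threshold are illustrative, not documented limits.

function Test-DesktopIni {
    param([string]$Root = $env:USERPROFILE)

    # Section headers the shell itself writes (assumed list for this example).
    $knownSections = @('.ShellClassInfo', 'ViewState', 'LocalizedFileNames',
                       'DeleteOnCopy', 'ExtShellFolderViews')

    Get-ChildItem -Path $Root -Filter 'desktop.ini' -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file     = $_
        $isHidden = ($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $isSystem = ($file.Attributes -band [IO.FileAttributes]::System) -ne 0
        $reasons  = @()

        if (-not $isHidden) { $reasons += 'not Hidden' }
        if (-not $isSystem) { $reasons += 'not System' }
        if ($file.Length -gt 4KB) { $reasons += "unusually large ($($file.Length) bytes)" }

        # Collect the INI section headers; anything outside the shell's own set
        # means something other than Explorer wrote (or rewrote) the file.
        $sections = @()
        try {
            foreach ($line in Get-Content -LiteralPath $file.FullName -ErrorAction Stop) {
                if ($line -match '^\s*\[(.+?)\]\s*$') { $sections += $Matches[1] }
            }
        } catch {
            $reasons += "unreadable: $($_.Exception.Message)"
        }
        $unknown = @($sections | Where-Object { $knownSections -notcontains $_ })
        if ($unknown.Count -gt 0) { $reasons += "unexpected section(s): $($unknown -join ', ')" }

        [pscustomobject]@{
            Path       = $file.FullName
            Hidden     = $isHidden
            System     = $isSystem
            Bytes      = $file.Length
            Sections   = ($sections -join ', ')
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Usage: list the flagged files first, then everything else.
Test-DesktopIni -Root "$env:USERPROFILE\Desktop" |
    Sort-Object -Property Suspicious -Descending |
    Format-Table Path, Hidden, System, Bytes, Sections, Reasons -AutoSize
```

A desktop.ini that is Hidden+System, a few hundred bytes, and contains only a [.ShellClassInfo] section is what Explorer produces. Note the limit of this check: it answers "is this file what it claims to be", which is the question raised in the thread; it says nothing about whether a rootkit is present, because a kernel-level rootkit could hide files from this very enumeration. That is why the thread's advice to confirm with offline or rootkit-specific scanners still stands.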

catdaddy (Reliable Contributor)
Message 5 of 13

Re: Rootkit/desktop.ini Problem
Without stepping in over anyone... to answer your question: the McAfee UI will not display or open in Safe Mode, but one can right-click on a file, folder, or drive and still run a scan. You can hover over the icon to view the progress.

Actually Ex_Brit answers this same concern HERE

Glad Everything is okay,

Message was edited by: catdaddy on 5/16/14 2:31:06 PM CDT
Cliff
McAfee Volunteer

Re: Rootkit/desktop.ini Problem
Strangely enough, I did manage to open the McAfee UI by right-clicking on the icon and clicking open. Out of safe mode real-time scanning still works.

I can't believe I forgot to mention this in the original post, but the instances of "desktop.ini" became visible upon booting in the morning, after an alert the previous night of "Artemis!9212348B9F87 (Potentially Unwanted Program)". I hit remove threat immediately, and seeing something suspicious ("desktop.ini") on my desktop the next morning had me in a bit of a panic. Additionally, a Windows update was run between the times of shutting down and rebooting, so that could have been a factor as well. I checked the Artemis discussion section of the forums, and no-one else had gotten this code. I figure since all scans from all antivirus/anti-malware showed no threats, my computer should be in the clear? AntiVirus Plus says my computer is still secure, to clarify.

exbrit (Reliable Contributor)
Message 7 of 13

Re: Rootkit/desktop.ini Problem
Artemis detections are unique, so nobody else would have that code. It is what the software gives to unknown yet suspicious entities. It also automatically submits them to McAfee for analysis.

The labs in turn either add it to the malware database or clear it as non-harmful, a process that usually takes a few days.

Now it could have been almost anything, and it also equally could be innocent.  But if I were you I would scan using some of the extra tools listed in the last link in my signature below.

RootkitRemover, Adwcleaner, and Malwarebytes Free would be good for starters. But as you suddenly saw these odd occurrences, I would most definitely delve deeper to make sure you are OK.

Re: Rootkit/desktop.ini Problem
OK, thanks, I've already scanned with Malwarebytes Free and McAfee RootkitRemover, with no trojans or threats detected. There were some files quarantined with the Malwarebytes Free scan - almost all of it was from AppData\Roaming\Mozilla\Firefox, with one Registry Key and one Registry value also quarantined. I've just tried Adwcleaner with similar results to Malwarebytes Free - one file from Firefox AppData, a few Registry Keys, and a bunch of lines from a Firefox AppData file beginning with "user_pref("extensions...". Would you recommend sticking to using my Mac (never had any virus troubles with it) until the labs determine what it was?

catdaddy (Reliable Contributor)
Message 9 of 13

Re: Rootkit/desktop.ini Problem
Without seeing the files detected by the Malwarebytes/Adwcleaner scans, it is difficult to say whether to delete/remove and restart to (complete) the process. I can only assume that the files mentioned are related to certain preferences set in Firefox... proxy settings, by chance?

Ex_Brit, PeaceKeeper, and Hayton would be more knowledgeable in this aspect, as they utilize either Firefox or Chrome.

Again, in order to complete the detection/removal of items, you need to (restart/reboot) your machine to complete the process. That is generally the case with all of the scans, in order to fully remove all remnants.

Regards,

Cliff
McAfee Volunteer
exbrit (Reliable Contributor)
Message 10 of 13

Re: Rootkit/desktop.ini Problem
Not sure what to advise at this point other than look for unknowns in your browser add-ons and get rid of unwanted ones.

You could try posting a Hijackthis log on a specialist forum as I suggest further down that last link in my signature.
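The last two replies converge on the same manual step: look at what Firefox's profile actually contains, since the items Malwarebytes and Adwcleaner pulled out were user_pref("extensions...") lines in a profile file, and catdaddy's first thought was proxy settings. The script below is an added example, not code from the thread, from McAfee or from Mozilla. It finds each Firefox profile under the default %APPDATA% location, parses the user_pref("name", value); lines from prefs.js and user.js, and reports the network.proxy.* and extensions.* entries next to the add-on ids present in the profile's extensions folder, so an extension pref that has no matching installed add-on (or a proxy host you never configured) stands out. The profile path and the two file names are assumptions based on the standard Firefox layout.

```powershell
# Added example (not from the thread, McAfee or Mozilla): surface proxy and
# extension settings from Firefox profiles so unknown add-ons can be spotted.
# Assumptions: profiles live under %APPDATA%\Mozilla\Firefox\Profiles, and
# prefs.js / user.js use the standard  user_pref("name", value);  line format.

function Get-FirefoxProfilePath {
    $base = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path -LiteralPath $base) {
        Get-ChildItem -LiteralPath $base -Directory | Select-Object -ExpandProperty FullName
    }
}

function Get-UserPref {
    param([string]$File)
    if (-not (Test-Path -LiteralPath $File)) { return }
    foreach ($line in Get-Content -LiteralPath $File) {
        # Capture the pref name and the raw value literal (string, number or bool).
        if ($line -match '^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$') {
            [pscustomobject]@{ Name = $Matches[1]; Value = $Matches[2]; File = $File }
        }
    }
}

function Get-FirefoxTriage {
    foreach ($profileDir in Get-FirefoxProfilePath) {
        $prefs = @(foreach ($name in 'prefs.js', 'user.js') {
            Get-UserPref -File (Join-Path $profileDir $name)
        })

        # network.proxy.type other than 0 (direct) or 5 (system) with a host you
        # did not set means browsing is being routed somewhere you did not choose.
        $proxyPrefs = @($prefs | Where-Object { $_.Name -like 'network.proxy.*' })

        # extensions.* prefs are what AdwCleaner stripped in the thread. Much of it is
        # benign bookkeeping, so compare any ids in them with the folder listing below.
        $extPrefs = @($prefs | Where-Object { $_.Name -like 'extensions.*' })

        # Add-ons installed in the profile are stored under <profile>\extensions,
        # one file or folder per add-on, named by the add-on id.
        $extDir    = Join-Path $profileDir 'extensions'
        $installed = @()
        if (Test-Path -LiteralPath $extDir) {
            $installed = @(Get-ChildItem -LiteralPath $extDir -Force | Select-Object -ExpandProperty Name)
        }

        # Extension prefs whose name embeds an id that is not installed any more.
        $orphaned = @($extPrefs | Where-Object {
            $n = $_.Name
            ($installed.Count -eq 0) -or -not ($installed | Where-Object { $n -like "*$_*" })
        })

        [pscustomobject]@{
            Profile        = $profileDir
            ProxyPrefs     = $proxyPrefs
            InstalledIds   = $installed
            ExtensionPrefs = $extPrefs
            OrphanedPrefs  = $orphaned
        }
    }
}

# Usage: print one report per profile.
Get-FirefoxTriage | ForEach-Object {
    "== $($_.Profile)"
    "-- proxy prefs:"
    $_.ProxyPrefs | Format-Table Name, Value -AutoSize | Out-String
    "-- installed add-on ids:"
    $_.InstalledIds
    "-- extension prefs with no matching installed add-on:"
    $_.OrphanedPrefs | Format-Table Name, Value -AutoSize | Out-String
}
```

Read the proxy section first: a non-default network.proxy.type together with network.proxy.http or network.proxy.autoconfig_url you do not recognise is the concrete form of the "proxy settings" catdaddy asked about. Then compare the orphaned extension prefs with Firefox's own Add-ons Manager; a pref block for an id that is installed nowhere is usually the leftover of something already removed, which is consistent with the cleaners having quarantined it and the subsequent scans coming back clean. The "orphaned" matching is a heuristic substring comparison and will miss prefs that do not embed the add-on id.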
