12 Replies. Latest reply on May 17, 2014 3:41 AM by Peter M

    Rootkit/desktop.ini Problem

    michaelm2

      I'm running Windows 8 on my PC laptop (currently posting on a Mac).

      This morning when I booted up, there were two instances of "desktop.ini" on my desktop, which I had never seen before, so I Googled it. I found many forums telling me it was harmless, but also others telling me that this was caused by a rootkit virus. Indeed, I found many more instances of desktop.ini in other folders on my computer, such as Music and Videos. I decided to run a full scan of my computer using McAfee AntiVirus Plus (fully up-to-date). No issues were detected; however, I did notice that, whilst monitoring the scan, the item listed as "Scanning" (for example, "C:\Users\Michael\etc. etc. etc.") occasionally came up as just "Rootkit". Even still, no issues were detected.

      I followed instructions listed in forums such as this one, using programs like Stinger, Rkill, and Kaspersky TDSSKiller, but again, no results were obtained. All of this was performed outwith safe mode; however, I have just finished a full scan of my hard drive in safe mode without any results being obtained. Additionally, in safe mode, Real-Time Scanning turned itself off automatically, no matter how many times I turned it back on. I performed a system restore earlier, and whilst this did get rid of the instances of "desktop.ini", I ran an additional full scan, and the "Rootkit" item came up again (although not being picked up as an issue by McAfee). I'm thinking that a full system reset is in order, unless anyone has any suggestions? Also, I don't have the OS disc with me currently, so I'd have to wait a few weeks until I get home to perform a reset. Would it be sufficiently safe to simply refrain from using the laptop until then, changing the passwords of my internet accounts on my Mac?

        • 1. Re: Rootkit/desktop.ini Problem
          catdaddy

          Hi michaelm2,

          Welcome to the McAfee Communities. Please do not be alarmed when seeing "Rootkit" while performing a scan. This simply means that McAfee is "Scanning for Rootkits", not that you actually have one. This has been mentioned by all Moderators, and the wording, if I am not terribly mistaken, will be addressed in the future.

          After all of your scans have been run with no detections found, I would not be concerned, especially if your Security Center displays "You are Secure". To ease your mind even further, you can find a list of Superb Tools (Free) under my Signature, in the second link.

          Especially "Malwarebytes" (Free Version only). Run this program in Normal Mode.

          Edited for Typos....

          All the very Best,

          Message was edited by: catdaddy on 5/16/14 11:36:48 AM CDT
          • 2. Re: Rootkit/desktop.ini Problem
            Peter M

            You might want to ask the desktop.ini question in this forum: http://www.eightforums.com/

            I suspect that it's normal behaviour, as I have some 50+ or so of those dotted around my various OS's and I certainly have nothing wrong here.

            They are normally hidden files containing configuration settings.

            There are several tools listed in the last link in my signature below should you wish to use them.

            In particular the rootkit remover ones and Hijackthis, which could be used to post a log on one of the forums recommended there for analysis.

            • 3. Re: Rootkit/desktop.ini Problem
              michaelm2

              Sorry, just an added point, the Stinger log (which I read I'm meant to post):

              McAfee® Labs Stinger™ Version 12.1.0.907 built on May 16 2014 at 13:49:52

              Copyright© McAfee, Inc. All Rights Reserved.

              AV Engine version v5610.1040 for Windows.

              Virus data file v1000.0 created on May 16, 2014

              Ready to scan for 6348 viruses, trojans and variants.

              Scan initiated on Friday, May 16, 2014 17:21:58

              Rootkit scan result : Not Scanned.

              Summary Report on Smart Scan

              File(s)

                        TotalFiles:............ 7993

                        Clean:................. 7993

                        Not Scanned:........... 0

                        Possibly Infected:..... 0

              Time: 00:01:05

              Scan completed on Friday, May 16, 2014 17:23:03

              • 4. Re: Rootkit/desktop.ini Problem
                Peter M

                As previously stated I don't think you need worry.

                • 5. Re: Rootkit/desktop.ini Problem
                  michaelm2

                  Thanks for the help (and Ex_Brit)! Is the disabling of Real-Time Scanning a Safe Mode thing? I've just rebooted normally and it all seems to be fine.

                  • 6. Re: Rootkit/desktop.ini Problem
                    Peter M

                    By the way, under Folder Options > View you probably need to turn off "view hidden System files"; then such files would not be visible anyway.

                    http://www.eightforums.com/tutorials/4067-folder-options-open-windows-8-a.html

                    Plus, yes, McAfee says "Scanning: Rootkit"....what it means is scanning FOR rootkits.

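The hidden-system-file point Peter M makes above, as an added example that is not part of the original thread and not McAfee's code: a small Python triage script that checks whether a desktop.ini carries the Hidden and System attributes Explorer normally gives it, and whether its contents stay within the sections Explorer itself writes. The attribute constants are documented Win32 values; the list of expected sections and keys, the constructed sample files, and the function names (`triage_desktop_ini`, `attributes_look_normal`, `scan_tree`) are my assumptions, not anything from the thread.

```python
"""Triage helper for stray desktop.ini files.

Added example for this thread; it is not McAfee's or the forum's code. Explorer
writes desktop.ini as a hidden system file holding folder view settings, so a
desktop.ini that suddenly shows up on the Desktop is usually one whose Hidden
and System attributes are missing (or hidden-file viewing is switched on), not
an infection. The two checks below put that into code: are the attributes the
expected ones, and does the file contain only the sections and keys Explorer
itself writes? KNOWN_SECTIONS is my own assumption about Explorer's output.
"""
import configparser
import os

# Win32 file attribute bits (documented Windows constants).
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
EXPECTED_ATTRS = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# Sections and keys Explorer normally writes (assumption from experience, not
# from the thread). None means the section holds arbitrary name=value pairs.
KNOWN_SECTIONS = {
    ".ShellClassInfo": {"LocalizedResourceName", "IconResource", "IconFile",
                        "IconIndex", "InfoTip", "CLSID", "ConfirmFileOp",
                        "NoSharing", "Owner"},
    "ViewState": {"Mode", "Vid", "FolderType", "Logo"},
    "LocalizedFileNames": None,
    "DeleteOnCopy": {"Owner", "Personalized", "PersonalizedName"},
}


def attributes_look_normal(attrs):
    """True when both the Hidden and System bits are set, as Explorer sets them."""
    return attrs & EXPECTED_ATTRS == EXPECTED_ATTRS


def triage_desktop_ini(text):
    """Parse desktop.ini text and report anything outside Explorer's usual shape."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str                 # keep key case; Explorer writes CamelCase
    parser.read_string(text.lstrip("\ufeff"))  # tolerate a leftover BOM
    findings = []
    for section in parser.sections():
        if section not in KNOWN_SECTIONS:
            findings.append(f"unexpected section [{section}]")
            continue
        allowed = KNOWN_SECTIONS[section]
        if allowed is None:
            continue
        for key in parser.options(section):
            if key not in allowed:
                findings.append(f"unexpected key {key} in [{section}]")
    return {"sections": parser.sections(), "findings": findings}


def _decode(raw):
    """Explorer writes desktop.ini as UTF-16 LE with a BOM; older files are ANSI/UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def scan_tree(root):
    """Walk a directory (e.g. a user profile) and triage every desktop.ini found.

    File attributes are only exposed by os.stat on Windows; elsewhere the
    attribute check is reported as None rather than guessed.
    """
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, name)
            attrs = getattr(os.stat(path), "st_file_attributes", None)
            with open(path, "rb") as fh:
                report = triage_desktop_ini(_decode(fh.read()))
            report["path"] = path
            report["attributes_ok"] = None if attrs is None else attributes_look_normal(attrs)
            results.append(report)
    return results


# Constructed sample resembling what Explorer writes for a library folder.
SAMPLE_NORMAL = r"""[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21790
IconResource=%SystemRoot%\system32\imageres.dll,-108
InfoTip=@%SystemRoot%\system32\shell32.dll,-12689
"""

# Constructed sample containing a section Explorer does not write.
SAMPLE_ODD = r"""[.ShellClassInfo]
IconResource=%SystemRoot%\system32\imageres.dll,-108
[Notes]
Author=constructed example
"""

if __name__ == "__main__":
    for label, sample in (("normal", SAMPLE_NORMAL), ("odd", SAMPLE_ODD)):
        print(label, triage_desktop_ini(sample))
    # A desktop.ini visible on the Desktop typically carries only ARCHIVE (0x20).
    print("attributes ok:", attributes_look_normal(0x26), attributes_look_normal(0x20))
```

On a Windows machine, `scan_tree(os.path.expanduser("~"))` lists every desktop.ini under the profile; an entry with `attributes_ok` False and an empty `findings` list is exactly the case described in this thread, a normal Explorer file that has lost its Hidden/System bits and therefore shows up on the Desktop, which is why turning off the display of hidden system files in Folder Options makes the rest of them disappear.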
                    • 7. Re: Rootkit/desktop.ini Problem
                      catdaddy

                      Without stepping in over anyone...to answer your question: the McAfee UI will not display or open in Safe Mode. But one can right-click on a file, folder, or drive and still run a scan. You can hover over the icon to view the progress.

                      Actually Ex_Brit answers this same concern HERE

                      Glad Everything is okay,

                      Message was edited by: catdaddy on 5/16/14 2:31:06 PM CDT
                      • 8. Re: Rootkit/desktop.ini Problem
                        michaelm2

                        Strangely enough, I did manage to open the McAfee UI by right-clicking on the icon and clicking open. Out of safe mode real-time scanning still works.

                        I can't believe I forgot to mention this in the original post, but the instances of "desktop.ini" became visible upon booting in the morning, after an alert the previous night of "Artemis!9212348B9F87 (Potentially Unwanted Program)". I hit remove threat immediately, and seeing something suspicious ("desktop.ini") on my desktop the next morning had me in a bit of a panic. Additionally, a Windows update was run between the times of shutting down and rebooting, so that could have been a factor as well. I checked the Artemis discussion section of the forums, and no-one else had gotten this code. I figure since all scans from all antivirus/anti-malware showed no threats, my computer should be in the clear? AntiVirus Plus says my computer is still secure, to clarify.

                        • 9. Re: Rootkit/desktop.ini Problem
                          Peter M

                          Artemis detections are unique, so nobody else would have that code. It is what the software gives to unknown yet suspicious entities. It also automatically submits them to McAfee for analysis.

                          The labs in turn either add it to the malware database or clear it as non-harmful, a process that usually takes a few days.

                          Now it could have been almost anything, and it also equally could be innocent. But if I were you I would scan using some of the extra tools listed in the last link in my signature below.

                          RootkitRemover, Adwcleaner, Malwarebytes Free would be good for starters. But as you suddenly saw these odd occurrences I would most definitely delve deeper to make sure you are OK.