20 Replies Latest reply on Nov 13, 2014 6:21 AM by catdaddy

    Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop

    sta5y

      Can somebody please help me clean my computer of this virus?

       

      Two desktop.ini files have appeared by themselves on my desktop as well as in other folders e.g.

       

      C:\Program Files

      Libraries\Documents

       

      I am highly suspicious of these files as my computer seems to be running slower than it normally does, and is very slow to start up. When I log in to Windows 7, before loading the start-up screen it goes black for about 2 minutes before it appears. My issue seems to be very similar to this discussion (https://community.mcafee.com/thread/66993?tstart=0), however I am convinced I have a virus on my computer.

       

      This issue follows from my McAfee virus scan finding two Artemis! issues which I posted about two days ago (https://community.mcafee.com/thread/75058). After being told that artemis!C649BD38C313 was a legitimate file and I could restore it, I am again highly suspicious of it because it has shown up again in my virus scan. This is very similar to the circumstances affecting michaelm2 in the discussion noted in the previous paragraph. He also ran a scan showing an artemis a couple of days before two desktop.ini files appeared on his desktop.


      What I have done to try and remove the virus

      I have also read this discussion (Re: Desktop.ini) and have done the following to try and remove the virus:

      • Ran a full scan of McAfee with the latest updates - this returned artemis!C649BD38C313, which again could not be quarantined
      • Ran Stinger - no viruses were found
      • Ran Malwarebytes Anti-Malware - which found a bunch of suspicious programs which I quarantined.
      • (Attached screenshot: Malwarebytes Scan.PNG)

       

      These actions don't seem to have fixed the issue as my desktop is still showing the desktop.ini files. Any help on this issue would be greatly appreciated.

       

      Kind regards

       

      Sta5y

        • 1. Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop
          catdaddy

          Please try the following Removal Guide: Remove "Search Protect by Conduit" virus (Removal Guide)

           

           

          Regards,

          Catdaddy

          McAfee Volunteer Moderator

          Consumer Products

          • 2. Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop
            catdaddy

            The first Removal Guide should also remove the (Pup.Optional.Default Tab.A) as well, for it basically utilizes the same tools. However, should it be the case it does not, the following Removal Guide additionally uses the "Junkware" Removal Tool: Remove PUP.Optional.DefaultTab (Removal Guide)

             

            I noticed you said you had "Quarantined" the Detections? I recommend Selecting them all to be removed/Restart.

             

            You may find these two articles most informative on how they may have arrived on your system: PUPs - Potentially Unwanted Programs - Basics

             

             

            Regards,

            Catdaddy

            McAfee Volunteer Moderator

            Consumer Products

            • 3. Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop
              sta5y

              Thanks Catdaddy, I'll go through that guide.

               

              Do you have advice about what is creating the desktop.ini files?

              • 4. Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop
                catdaddy

                You are quite Welcome

                Did you ever submit the Artemis! files to McAfee Labs? If so you should have received Analysis ID #'s.

                 

                Try those Removal Guides, and please kindly post back your results.

                 

                Regards,

                Catdaddy

                • 5. Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop
                  sta5y

                  I tried to submit the Artemis, but it failed to submit. Can you please confirm I did it correctly? I went to "Quarantined and Potentially Unwanted Programs", selected the Artemis, then clicked "Send to McAfee".

                   

                  Here are the results of the AdwCleaner:

                   

                  # AdwCleaner v4.101 - Report created 13/11/2014 at 00:59:52

                  # Updated 09/11/2014 by Xplode

                  # Database : 2014-11-11.2 [Live]

                  # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

                  # Username : stat5y - STAT5Y-PC

                  # Running from : C:\Users\stat5y\Downloads\adwcleaner_4.101.exe

                  # Option : Clean

                   

                   

                  ***** [ Services ] *****

                   

                   

                   

                   

                  ***** [ Files / Folders ] *****

                   

                   

                  Folder Deleted : C:\Users\Public\Util

                  Folder Deleted : C:\Users\stat5y\AppData\Local\Temp\mt_ffx

                  Folder Deleted : C:\Users\stat5y\AppData\Local\Google\Chrome\User Data\Default\Extensions\bopakagnckmlgajfccecajhnimjiiedh

                  Folder Deleted : C:\Users\stat5y\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl

                  File Deleted : C:\END

                   

                   

                  ***** [ Scheduled Tasks ] *****

                   

                   

                   

                   

                  ***** [ Shortcuts ] *****

                   

                   

                   

                   

                  ***** [ Registry ] *****

                   

                   

                  Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh

                  Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl

                  Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL

                  Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL

                  Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL

                  Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL

                  Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE

                  Key Deleted : HKLM\SOFTWARE\Classes\FVDToolbar.CTBShow

                  Key Deleted : HKLM\SOFTWARE\Classes\FVDToolbar.CTBShow.1

                  Key Deleted : HKLM\SOFTWARE\Classes\FVDToolbar.CToolbarShower

                  Key Deleted : HKLM\SOFTWARE\Classes\FVDToolbar.CToolbarShower.1

                  Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}

                  Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}

                  Key Deleted : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}

                  Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}

                  Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}

                  Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}

                  Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{065C1A21-97F8-45FB-A9F0-861B60FACEC8}

                  Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3204358F-5904-46A6-841F-D6B5BE3EF4E3}

                  Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3AE67737-0E3E-44AA-AA5E-46A68BF017FF}

                  Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3EE5B726-044A-48D2-AA7B-049BD9A0F62A}

                  Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{60FBBE03-57FF-49D8-B38E-053D3F489825}

                  Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6A5182F1-C0B8-42B8-96CC-7F329CD46913}

                  Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C153418-8E4D-4FAF-AF27-5201E38463A7}

                  Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A26A2F05-AC4D-4A1E-9531-9125F7309B78}

                  Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5D6240-7DF0-435D-9B9B-F8586A99DE86}

                  Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F343045E-E20A-46E1-82D8-9962C43EFC9E}

                  Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FBB360DC-CB6C-4D6A-808A-2C773151BFFF}

                  Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFD7DDAC-EC28-42A5-8D39-917B9078604B}

                  Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}

                  Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}

                  Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{964E5B18-8C68-42A2-91F7-99605C8777D9}

                  Key Deleted : HKCU\Software\Conduit

                  Key Deleted : HKCU\Software\DefaultTab

                  Key Deleted : HKCU\Software\Softonic

                  Key Deleted : HKLM\SOFTWARE\Conduit

                  Key Deleted : HKLM\SOFTWARE\DefaultTab

                  Key Deleted : HKLM\SOFTWARE\Funmoods

                  Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

                   

                   

                  ***** [ Browsers ] *****

                   

                   

                  -\\ Internet Explorer v11.0.9600.17344

                   

                   

                  Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]

                   

                   

                  -\\ Mozilla Firefox v16.0.2 (en-US)

                   

                   

                   

                   

                  -\\ Google Chrome v38.0.2125.111

                   

                   

                   

                   

                  *************************

                   

                   

                  AdwCleaner[R0].txt - [4252 octets] - [13/11/2014 00:56:06]

                  AdwCleaner[S0].txt - [3981 octets] - [13/11/2014 00:59:52]

                   

                   

                  ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4041 octets] ##########
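An added example, not part of the original post and not AdwCleaner's own code: a small parser for a cleanup report laid out like the one above, which lists the sections that came back empty and cross-references Chrome extension IDs between the file and registry sections. The function names are assumptions, and the sample is constructed from a few lines of the report, with one folder line left out on purpose so the mismatch check has something to find.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the report above (shortened; the folder
# line for the second extension is deliberately omitted).
SAMPLE_REPORT = r"""
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Deleted : C:\Users\stat5y\AppData\Local\Google\Chrome\User Data\Default\Extensions\bopakagnckmlgajfccecajhnimjiiedh
File Deleted : C:\END
***** [ Scheduled Tasks ] *****
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
Key Deleted : HKCU\Software\Conduit
"""

SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")    # ***** [ Registry ] *****
ACTION = re.compile(r"^(\w+) (\w+) : (.+)$")          # Key Deleted : HKLM\...
EXT_ID = re.compile(r"\\Extensions\\([a-p]{32})$")    # Chrome IDs: 32 chars, a-p

def parse_report(text):
    """Return {section: [(object_kind, action, target), ...]}, keeping empty sections."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if (m := SECTION.match(line)):
            current = m.group(1)
            sections[current] = []
        elif current is not None and (m := ACTION.match(line)):
            sections[current].append(m.groups())
    return sections

def empty_sections(sections):
    """Sections where the tool took no action (e.g. no services or tasks removed)."""
    return [name for name, entries in sections.items() if not entries]

def chrome_extension_ids(sections):
    """Map each Chrome extension ID to the set of sections it was cleaned from."""
    seen = defaultdict(set)
    for name, entries in sections.items():
        for _kind, _action, target in entries:
            if (m := EXT_ID.search(target)):
                seen[m.group(1)].add(name)
    return dict(seen)

def registry_only_extensions(sections):
    """IDs whose registry key was removed but no profile folder was."""
    ids = chrome_extension_ids(sections)
    return sorted(i for i, where in ids.items() if where == {"Registry"})
```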

                  • 6. Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop
                    sta5y

                    This is what happens when I try to send the issue to McAfee (attached screenshot: Submit to McAfee error.PNG)

                    • 7. Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop
                      catdaddy

                      As for the (Desktop.ini) files, are they showing up in your "Task Manager" as a (Running) process also?

                      Please inform us if "Hitman Pro" detects them during the Removal Guide.

                      • 8. Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop
                        catdaddy

                        Your screenshot shows that it detected both "Search Protect/Default Tab" as well. Please Delete/Remove/Restart to remove all remnants. As for submitting the Artemis! detections, please refer to this thread on how to submit.

                        Can't remove artemis!C649BD38C313

                        • 9. Re: Please help -Suspected virus I can't remove-Two desktop.ini files appeared on desktop
                          Peter M

                          You know that desktop.ini files will also appear when you have system files checked in folder options > view in Windows Explorer?
