
Do Linux-related websites drop random files on visitors' HDDs while browsing?


8 replies to this topic

#1 midimusicman79

  • Members
  • 476 posts
  • Gender:Male
  • Location:Norway

Posted 20 June 2015 - 09:07 AM

Hi all!

 

I have some strange files located in the ROOT folder & USERPROFILE folder & PROGRAMDATA folder.

  1. One file is called All and lacks any extension.
  2. The second file is called .recently-used.xbel.
  3. A subfolder named gtk-2.0 which also contains a file named gtkfilechooser.ini.

I have uploaded all these to VirusTotal, and several of them seem quite unique, links are below:

 

https://www.virustotal.com/en/file/b61a1aa57b0ae641788731ad5b42bbbc2af6eaa61a4aaaaa6e88f22e5e1dd57e/analysis/1433598812/

 

https://www.virustotal.com/en/file/28d0401d1b8b5b1b2dd6987025196c8ebcd287a31f6759bd26cb8eb1ca27fc99/analysis/1433832316/

 

https://www.virustotal.com/en/file/165f015ab138ce1989f6be80d4c62b3ac4ddf15aec89485189c95c1c966b7b39/analysis/1434806094/

 

A while back I performed some research in order to possibly create a bootable Linux-CD (for general Windows troubleshooting purposes), so my theory is that these files could be affiliated with Linux.

 

So, my question is: Do Linux-related websites drop random files on visitors' HDDs while browsing?

 

And if so, could I possibly safely delete these files?

 

A scan with several AM-tools like EAM and MBAM does not detect anything, and neither does VirusTotal, so the files seem legitimate.

 

Thank you very much in advance!

 

Regards,

midimusicman79


Edited by midimusicman79, 21 June 2015 - 06:11 AM.

MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free and Unchecky, WFW, FFQ with uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.



#2 Aura

    Bleepin' Special Ops
  • Malware Response Team
  • 19,198 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 20 June 2015 - 09:27 AM

Hi midimusicman79 :)

Allow me to say that you might be very confused here, since every website will "drop" files on a user's computer, it's called the cache. Usually, these files aren't dropped in the location you mentioned, and I really doubt that they came from "Linux-related" websites. This is a generalization that doesn't exist. It's not because these files appear to be related to Linux that they are indeed "related" to it. Is it possible to know the last modification date of these files? Also, can you give me the exact location of each file?

Edit: Concerning your .recently-used.xbel file.

http://www.howtogeek.com/howto/16230/what-is-.recently-used.xbel-and-how-do-i-delete-it-for-good/

Edited by Aura., 20 June 2015 - 09:29 AM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 midimusicman79


Posted 21 June 2015 - 08:51 AM

Hi Aura.!

 

Thank you for the prompt and interesting reply! :)

 

The file All is actually a text file output from me running several Internet reset commands in conjunction with my topic here:

 

http://www.bleepingcomputer.com/forums/t/576670/how-to-dictionarily-reset-internet-from-cmd-by-using-a-script-in-windows-xp/

 

...you might be very confused here, since every website will "drop" files on a user's computer, it's called the cache. Usually, these files aren't dropped in the location you mentioned, and I really doubt that they came from "Linux-related" websites. This is a generalization that doesn't exist. It's not because these files appear to be related to Linux that they are indeed "related" to it.

 

A quick Google-search clearly indicates that gtk-2.0 and gtkfilechooser.ini both belong to Linux. :thumbup2:

 

And another Google-search clearly indicates that .recently-used.xbel belongs to Linux as well. :thumbup2:

 

And the fact that the last modification dates of both files / folders correspond with each other, indicates that they come from a Linux-webserver, which I possibly have visited. :thumbup2:

 

The exact locations of the files are as follows:

  1. C:\All
  2. C:\Documents and Settings\Torbjoern Martin\.recently-used.xbel
  3. C:\Documents and Settings\Torbjoern Martin\Program Data\gtk-2.0\gtkfilechooser.ini

The last modification dates of the files are as follows:

  1. All: 21 May 2015, 00:48:32 PM
  2. .recently-used.xbel: 24 Mar 2015, 05:05:32 PM
  3. gtkfilechooser.ini: 24 Mar 2015, 04:52:54 PM

So, with that said, do you agree that all the files are safe to delete?

 

Regards,

midimusicman79




#4 Aura


Posted 21 June 2015 - 09:08 AM

They are completely safe to delete, yes. Also, .recently-used.xbel doesn't "belong" to Linux. Did you read the HowToGeek article I posted?

So What Is It?

The quick answer is that it’s part of the GTK+ library used by a number of cross-platform applications, perhaps the most well-known of which is the Pidgin instant messenger client.

As the name implies, the file is used to store a list of the most recently used files. In the case of Pidgin, this comes into play when you are transferring files over IM, and that’s when the file will appear again.




#5 midimusicman79


Posted 21 June 2015 - 09:25 AM

Hi again, Aura.!

 

Thank you for replying!

 

Yup, of course I read the link you posted, however I have never, ever used an IM-program, so IMO that does not really apply to me. And I cannot think of any so-called 'cross-platform' application either.

 

I have now just deleted all the files / folders. :thumbup2:

 

Thank you very much for the help! :) The issue has been successfully resolved! :)

 

Regards,

midimusicman79




#6 Aura


Posted 21 June 2015 - 09:27 AM

More programs are cross-platform than you think, so they come from one of them (that you used in the past) and not a website.

And no problem, you're welcome :)

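As an added example (not part of the original thread, and not GTK+'s own code): each entry in a .recently-used.xbel file records which application registered it, so reading the file before deleting it shows which program created it. The sample file and both application names are constructed; the element layout follows the freedesktop.org desktop-bookmarks format that GTK+ writes.

```python
import sys
import xml.etree.ElementTree as ET

# Namespace GTK+ uses for per-application records inside the XBEL file.
NS = {"bookmark": "http://www.freedesktop.org/standards/desktop-bookmarks"}

# Constructed sample, not the file from the thread; both application names are made up.
SAMPLE_XBEL = """<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0"
      xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks">
  <bookmark href="file:///C:/example/picture.png" added="2015-01-01T10:00:00Z"
            modified="2015-01-01T10:00:00Z" visited="2015-01-01T10:00:00Z">
    <info><metadata owner="http://freedesktop.org">
      <bookmark:applications>
        <bookmark:application name="example-editor" exec="&apos;example-editor %u&apos;"
                              modified="2015-01-01T10:00:00Z" count="2"/>
      </bookmark:applications>
    </metadata></info>
  </bookmark>
  <bookmark href="file:///C:/example/notes.txt" added="2015-01-01T11:00:00Z"
            modified="2015-01-01T11:00:00Z" visited="2015-01-01T11:00:00Z">
    <info><metadata owner="http://freedesktop.org">
      <bookmark:applications>
        <bookmark:application name="example-editor" exec="&apos;example-editor %u&apos;"
                              modified="2015-01-01T11:00:00Z" count="1"/>
        <bookmark:application name="example-viewer" exec="&apos;example-viewer %f&apos;"
                              modified="2015-01-01T11:00:00Z" count="1"/>
      </bookmark:applications>
    </metadata></info>
  </bookmark>
</xbel>
"""

def registering_apps(xbel_text):
    """Return {application name: {"exec": command, "files": [href, ...]}}."""
    root = ET.fromstring(xbel_text.encode("utf-8"))
    apps = {}
    for bm in root.iter("bookmark"):  # XBEL's own elements carry no namespace
        for app in bm.iterfind(".//bookmark:application", NS):
            entry = apps.setdefault(app.get("name", "<unnamed>"),
                                    {"exec": app.get("exec", ""), "files": []})
            entry["files"].append(bm.get("href"))
    return apps

if __name__ == "__main__":
    # Pass the path to a .recently-used.xbel file, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XBEL
    for name, info in registering_apps(text).items():
        print(name, info["exec"], *info["files"], sep="\n    ")
```

The application names and launch commands in the output identify the installed program that wrote the file, which is the evidence that separates a local GTK+ application from a browser download.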


#7 quietman7

    Bleepin' Janitor
  • Global Moderator
  • 50,593 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 June 2015 - 05:14 PM

Now midimusicman79, don't forget to delete all those cookies left by the websites you listed. If you don't, the nefarious Cookie Monster will visit your machine in the middle of the night...especially if you leave a glass of milk. :whistle:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 midimusicman79


Posted 25 June 2015 - 06:27 AM

Haha...a Cookie Monster joke...that was a good one! :lol:

 

Thank you!




#9 quietman7


Posted 25 June 2015 - 07:13 AM

You're welcome.