Desktop.ini and mysterious files


5 replies to this topic

#1 cmtc

Posted 11 May 2017 - 05:47 PM

Hello,  

I've noticed odd/overactive svchost.exe (I think) and strange ports and TCP connections, as well as a loud whir from my computer during times it shouldn't.  I ignored it because a month ago I was helped on the malware forum.

 

I've noticed odd files all surrounded 2/8/2017 pointing to what I think may have been a bad Windows update? I had been forwarding my downloads to my desktop recently to make my graphic design work easier so my downloads folder should be free however, I found a desktop.ini file there (I have cleared out my downloads multiple times) with the following content:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21798
IconResource=%SystemRoot%\system32\imageres.dll,-184

Also a $RECYCLE.BIN (hidden) folder on my external hard drive that is password protected with protected inaccessible folders "S-1-5-21-1347167728-416190106-1569455515-1001" among other numerical variations all starting with S-1-5-21.  There's also one on the Windows (C:) drive, as well as $GetCurrent and 60211AB1F80D File.

 

And a System Volume Information with the following contents on the external hard drive.  Also one on Windows C: but I can't access it:

     _restore{10BF4F30-BD90-46CF-AFA6-76DD512DBC6C} (Folder)

     EfaSIDat (Folder)

     IndexerVolumeGrid (File)

     MountPointManagerRemoteDatabase (System File)

     Tracking.log

     WPSettings.dat

 

Am I infected?  Not sure since I don't understand all these files.  I've scanned the computer using everything but it comes up clean.  I still don't feel right about it.  I have all of my work programs and art files so I want to do everything that is possible to not wipe it clean.
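As an added example (not part of the post or of any reply), here is a small Python script that parses the two things the post asks about: a desktop.ini of the kind quoted, and the SID-named folders under $RECYCLE.BIN. A desktop.ini that contains only a LocalizedResourceName and an IconResource is the marker Explorer writes into known folders such as Downloads so that it can display a localized name and a custom icon; Explorer recreates it after the folder is emptied, which is why it keeps reappearing. Each account that deletes a file on a volume gets its own subfolder under that volume's $RECYCLE.BIN, named after the account's SID, which is why the names share the machine prefix S-1-5-21-... and differ only in the last number (the relative identifier; 1001 is the first user-created account, 500 the built-in Administrator). The well-known SID and RID tables are standard Windows values; every folder name in the sample beyond the one quoted in the post is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# desktop.ini content quoted in the post above.
DESKTOP_INI = """[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21798
IconResource=%SystemRoot%\\system32\\imageres.dll,-184
"""

# Folder names as they appear under a volume's $RECYCLE.BIN: the first is
# the one from the post, the others are constructed to show the other cases.
SAMPLE_FOLDER_NAMES = [
    "S-1-5-21-1347167728-416190106-1569455515-1001",
    "S-1-5-21-1347167728-416190106-1569455515-500",
    "S-1-5-18",
    "not-a-sid",
]

# "@%SystemRoot%\system32\shell32.dll,-21798": a DLL and a resource id.
RESOURCE_RE = re.compile(r"^@?(?P<dll>[^,]+),(?P<id>-?\d+)$")


def parse_desktop_ini(text: str) -> Dict[str, Tuple[str, int]]:
    """Return {key: (dll path, resource id)} for the [.ShellClassInfo] entries.
    Explorer resolves these string/icon resources to show a localized folder
    name and icon instead of the on-disk name."""
    refs: Dict[str, Tuple[str, int]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != ".ShellClassInfo" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = RESOURCE_RE.match(value.strip())
        if m:
            refs[key.strip()] = (m.group("dll"), int(m.group("id")))
    return refs


# Well-known SIDs and relative identifiers (standard Windows values).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 503: "DefaultAccount"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass
class Sid:
    revision: int
    authority: int
    subauthorities: List[int]

    @property
    def rid(self) -> int:
        return self.subauthorities[-1]

    @property
    def is_account_sid(self) -> bool:
        # S-1-5-21-<a>-<b>-<c>-<RID>: an account on one specific machine or domain.
        return self.authority == 5 and len(self.subauthorities) == 5 and self.subauthorities[0] == 21

    def __str__(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.authority, "-".join(map(str, self.subauthorities)))


def parse_sid(text: str) -> Optional[Sid]:
    m = SID_RE.match(text)
    if not m:
        return None
    return Sid(int(m.group(1)), int(m.group(2)), [int(x) for x in m.group(3).split("-") if x])


def describe_sid(text: str) -> str:
    sid = parse_sid(text)
    if sid is None:
        return "not a SID"
    if str(sid) in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[str(sid)]
    if sid.is_account_sid:
        if sid.rid in WELL_KNOWN_RIDS:
            return "account: " + WELL_KNOWN_RIDS[sid.rid]
        if sid.rid >= 1000:
            return "account: user-created account (RID %d)" % sid.rid
        return "account: reserved RID %d" % sid.rid
    return "unrecognised SID"


def triage_recycle_bin(folder_names: List[str]) -> Dict[str, str]:
    """Map each $RECYCLE.BIN subfolder name to what it represents."""
    return {name: describe_sid(name) for name in folder_names}


if __name__ == "__main__":
    for key, (dll, res_id) in parse_desktop_ini(DESKTOP_INI).items():
        print("%s -> %s, resource %d" % (key, dll, res_id))
    for name, meaning in triage_recycle_bin(SAMPLE_FOLDER_NAMES).items():
        print("%s: %s" % (name, meaning))
```

Per-SID folders that do not match any current account on the machine (for example on a drive that was used with another computer) are the normal leftovers of that other machine's recycle bin, and emptying the Recycle Bin from the desktop clears them for every attached volume.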

 




#2 buddy215

Posted 11 May 2017 - 07:10 PM

I did searches for files and folders you had questions about. Nothing unusual and all seem to be okay. For instance, you can empty the Recycle.Bin from your desktop for all drives and partitions connected to your computer.

 

The System Volume files being on the external drive could be explained by a backup for the internal hdd being stored on it which included restore points.

 

If you aren't experiencing any typical symptoms of malware and adware such as slooooow computer or excessive ads....then I think you can relax.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 cmtc


Posted 12 May 2017 - 12:10 AM

Well, I do experience periods of slowness where my programs freeze up and crash, and I have RAM/Scratch Disk problems with some of my Adobe programs even though I have 716 GB free on my external drive, where it's set to, and 66 GB on my Surface Pro 3.  It also has periods where it gets very warm and makes a loud whir noise even if it's just left open with minimal programs running (like Google Chrome and a Windows folder).  I also notice that my Bluetooth with my mouse will randomly drop, so I keep moving it around sometimes for up to 30 seconds and it connects back again randomly.  (New-ish mouse, didn't have problems before.)

Weird connection/listening to "65.55.44.109", which has been reported as malicious: https://www.threatcrowd.org/ip.php?ip=65.55.44.109 among others.  Also the capital letters happened when I was typing and it wouldn't type lower case even with caps lock on or off or the shift key.  Had to minimize the window.



#4 buddy215


Posted 12 May 2017 - 05:42 AM

What programs have you used in the past week to remove malware and adware?

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Post the three lists mentioned below using CCleaner.

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and, at the top, tabs for each browser and Scheduled Tasks. At the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer, and at the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste that list into your next post. Please do that.



#5 cmtc


Posted 12 May 2017 - 08:46 AM

I've used:

   Rkill

   JRT

   TDSSKiller

   Windows Defender Offline

   Malwarebytes

   AdwCleaner

I have also used CCleaner multiple times to clean the Temp files and the Registry (I made backups) before, including last night.  

Scheduled Tasks

Yes	Task	Adobe Uninstaller	Adobe Systems Incorporated	C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe --sapCode=KBRG --productVersion=7.0 --productPlatform=win64 --appletID=AppsPanel_BL --appletVersion=1.0 --appMode=Uninstall
No	Task	AdobeAAMUpdater-1.0-MicrosoftAccount-[--EDITED--PRIVATE E-MAIL]	Adobe Systems Incorporated	C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe -mode=scheduled
Yes	Task	CCleanerSkipUAC	Piriform Ltd	"C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes	Task	CreateExplorerShellUnelevatedTask	Microsoft Corporation	C:\WINDOWS\explorer.exe /NOUACCHECK
Yes	Task	GoogleUpdateTaskMachineCore	Google Inc.	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes	Task	GoogleUpdateTaskMachineUA	Google Inc.	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes	Task	NordVPN	NordVPN	C:\Program Files (x86)\NordVPN\NordVPN.exe /startup
No	Task	OneDrive Standalone Update Task v2		%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

Windows

No	HKCU:Run	CCleaner Monitoring	Piriform Ltd	"C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
No	HKLM:Run	Adobe Creative Cloud	Adobe Systems Incorporated	"C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" --showwindow=false --onOSstartup=true
Yes	HKLM:Run	emsisoft anti-malware	Emsisoft Ltd	"c:\program files\emsisoft anti-malware\a2guard.exe" /d=60
No	HKLM:Run	iTunesHelper	Apple Inc.	"C:\Program Files\iTunes\iTunesHelper.exe"
Yes	HKLM:Run	Malwarebytes TrayApp	Malwarebytes	C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe
No	HKLM:Run	WindowsDefender		"%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Yes	HKLM:Run	ZAM	Copyright 2017.	"C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /minimized
Yes	Startup Common	Secunia PSI Tray.lnk	Secunia	C:\Program Files (x86)\Secunia\PSI\psi_tray.exe

Uninstall
Adobe Creative Cloud Adobe Systems Incorporated 5/9/2017 253 MB 4.0.1.188

Adobe Extension Manager CC Adobe Systems Incorporated 3/5/2017 132 MB 7.3.2
Adobe Illustrator CC 2017 Adobe Systems Incorporated 5/9/2017 0.95 GB 21.1.0
Adobe Photoshop CC 2017 Adobe Systems Incorporated 5/9/2017 0.95 GB 18.1.1
Alarms & Clock Microsoft Corporation 4/27/2017 10.1704.1013.0
App Installer Microsoft Corporation 2/17/2017 1.0.10332.0
Apple Application Support (64-bit) Apple Inc. 4/12/2017 184 MB 5.4.1
Apple Mobile Device Support Apple Inc. 4/12/2017 41.8 MB 10.3.1.2
Apple Software Update Apple Inc. 4/12/2017 4.94 MB 2.3.0.177
Blender Blender Foundation 5/9/2017 640 MB 2.78.3
Bonjour Apple Inc. 4/12/2017 3.28 MB 3.1.0.1
Calculator Microsoft Corporation 3/14/2017 10.1703.601.0
Camera Microsoft Corporation 5/10/2017 2017.308.50.0
CCleaner Piriform 5/9/2017 19.8 MB 5.29
Debug Diagnostics 2 Update 2 Microsoft Corporation 4/20/2017 56.8 MB 2.2.0.13
Emsisoft Anti-Malware Emsisoft Ltd. 4/20/2017 550 MB 12.0
Foxit PhantomPDF Foxit Software Inc. 5/11/2017 915 MB 8.3.0.14878
Foxit Reader Foxit Software Inc. 5/11/2017 165 MB 8.3.0.14878
Google Chrome Google Inc. 3/14/2017 350 MB 58.0.3029.96
HP AiO Printer Remote HP Inc. 4/21/2017 70.1.235.0
Intel® Processor Graphics Intel Corporation 4/24/2017 20.19.15.4568
iTunes Apple Inc. 4/12/2017 565 MB 12.6.0.95
Mail and Calendar Microsoft Corporation 5/3/2017 17.8126.42377.0
Malwarebytes version 3.0.6.1469 Malwarebytes 4/20/2017 194 MB 3.0.6.1469
Maps Microsoft Corporation 3/29/2017 5.1703.762.0
Microsoft Sticky Notes Microsoft Corporation 4/10/2017 1.8.0.0
Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 2/17/2017 3.04 MB 8.0.56336
Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Corporation 5/8/2017 3.83 MB 8.0.56336
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 Microsoft Corporation 5/8/2017 1.63 MB 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 Microsoft Corporation 2/17/2017 830 KB 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Corporation 5/8/2017 1.26 MB 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Corporation 2/17/2017 634 KB 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 Microsoft Corporation 2/17/2017 18.0 MB 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 Microsoft Corporation 3/10/2017 10.9 MB 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 Microsoft Corporation 5/9/2017 20.5 MB 11.0.61030.0
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 Microsoft Corporation 5/8/2017 17.3 MB 11.0.61030.0
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 Microsoft Corporation 5/9/2017 12.0.30501.0
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40649 Microsoft Corporation 4/12/2017 20.5 MB 12.0.40649.5
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 Microsoft Corporation 5/9/2017 17.1 MB 12.0.30501.0
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 Microsoft Corporation 5/8/2017 23.5 MB 14.0.24215.1
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23918 Microsoft Corporation 5/9/2017 18.7 MB 14.0.23918.0
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Microsoft Corporation 3/13/2017 2.42 MB 10.0.50903
Movies & TV Microsoft Corporation 5/5/2017 10.17032.10341.0
Node.js Node.js Foundation 5/9/2017 65.1 MB 4.7.3
NordVPN NordVPN 3/21/2017 19.1 MB 6.0.1
OneNote Microsoft Corporation 5/5/2017 17.8067.57781.0
Phone Companion Microsoft Corporation 2/9/2017 10.1609.2561.0
Photos Microsoft Corporation 5/5/2017 17.425.10010.0
Revo Uninstaller 2.0.3 VS Revo Group, Ltd. 4/12/2017 21.2 MB 2.0.3
Secunia PSI (3.0.0.11005) Secunia 4/12/2017 7.93 MB 3.0.0.11005
Store Microsoft Corporation 5/8/2017 11703.1001.45.0
Store Purchase App Microsoft Corporation 2/9/2017 11608.1000.2431.0
Surface Microsoft Corporation 5/4/2017 19.0.604.0
Toggl Desktop Toggl 2/17/2017
TreeSize Free V3.4.5 JAM Software 3/8/2017 5.63 MB 3.4.5
Voice Recorder Microsoft Corporation 4/24/2017 10.1704.952.0
WD Backup Western Digital Technologies, Inc. 2/22/2017 23.5 MB 1.0.5556.3650
WD Drive Utilities Western Digital Technologies, Inc. 2/22/2017 34.2 MB 1.3.2.2
WD Quick View Western Digital Technologies, Inc. 2/22/2017 20.5 MB 2.4.10.17
Weather Microsoft Corporation 4/21/2017 4.20.1102.0
WhoCrashed 5.53 Resplendence Software Projects Sp. 4/18/2017 12.8 MB
Windows Software Development Kit - Windows 10.0.14393.33 Microsoft Corporation 4/25/2017 226 MB 10.1.14393.33
WinPcap 4.1.3 CACE Technologies 3/5/2017 4.1.0.2980
WinRAR 5.40 (64-bit) win.rar GmbH 2/24/2017 5.73 MB 5.40.0
Wireshark 2.2.6 (64-bit) The Wireshark developer community, https://www.wireshark.org 4/13/2017 169 MB 2.2.6
 
 
I recently uninstalled odd/old version-numbered Microsoft Visual C++ Redistributables (all with an install date of 2/8/17) that would not prompt automatic update notifications (not even on Secunia) and reinstalled them from the official Windows website.  The ones with the date 5/8/2017 are all of those files.  After those files were updated, Secunia then recognized that the Node.js file had been out of date for a while as well, so I fixed that too. Not sure if that's important.

Thanks for your help :)

Edited by cmtc, 12 May 2017 - 08:47 AM.
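The CCleaner export in the post above is tab-separated (Enabled, Key, Program, Publisher, Command line). As an added example, not from the post and not CCleaner's own code, here is a Python script that parses such an export, pulls the executable out of each command line (handling both quoted paths and unquoted paths that contain spaces), expands the environment variables in it, and flags entries that run from a location a standard user can write to or that carry no publisher. The five sample rows are copied from the export in the post; the environment-variable table assumes a default Windows layout with a placeholder user name. A flag is a prompt to look closer rather than a verdict: the OneDrive updater legitimately runs from %localappdata%, and the Windows Defender entry simply has no publisher recorded.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Rows copied from the CCleaner Startup export posted above (tab-separated
# columns: Enabled, Key, Program, Publisher, Command line).
SAMPLE_ROWS = [
    ("Yes", "Task", "CCleanerSkipUAC", "Piriform Ltd",
     r'"C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)'),
    ("Yes", "Task", "GoogleUpdateTaskMachineUA", "Google Inc.",
     r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler"),
    ("No", "Task", "OneDrive Standalone Update Task v2", "",
     r"%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
    ("No", "HKLM:Run", "WindowsDefender", "",
     r'"%ProgramFiles%\Windows Defender\MSASCuiL.exe"'),
    ("Yes", "HKLM:Run", "ZAM", "Copyright 2017.",
     r'"C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /minimized'),
]
SAMPLE_EXPORT = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

# Assumed expansions for a default Windows layout; "user" is a placeholder.
ENV = {
    "programfiles": r"C:\Program Files",
    "programfiles(x86)": r"C:\Program Files (x86)",
    "systemroot": r"C:\Windows",
    "windir": r"C:\Windows",
    "localappdata": r"C:\Users\user\AppData\Local",
    "appdata": r"C:\Users\user\AppData\Roaming",
    "temp": r"C:\Users\user\AppData\Local\Temp",
}

# Locations a standard user cannot write to without elevation. An autostart
# outside these is worth a second look (some legitimate updaters live there too).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Finding:
    program: str
    key: str
    enabled: bool
    exe_path: str
    flags: List[str] = field(default_factory=list)


def expand_env(path: str) -> str:
    """Replace %NAME% tokens using the ENV table; unknown names are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)


def executable_path(command: str) -> str:
    """Pull the executable out of a command line: a quoted path is taken
    verbatim, an unquoted one is matched up to the first '.exe'."""
    command = command.strip()
    m = re.match(r'^"([^"]+)"', command) or re.match(r"^(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return expand_env(m.group(1)) if m else command


def parse_export(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 5:
            continue  # tolerate blank or stray lines in a pasted export
        enabled, key, program, publisher, command = cols
        f = Finding(program, key, enabled == "Yes", executable_path(command))
        if not f.exe_path.lower().startswith(TRUSTED_ROOTS):
            f.flags.append("runs from a user-writable location")
        if not publisher.strip():
            f.flags.append("no publisher recorded")
        findings.append(f)
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Entries with at least one flag, in export order."""
    return [f for f in findings if f.flags]


if __name__ == "__main__":
    for f in suspicious(parse_export(SAMPLE_EXPORT)):
        state = "enabled" if f.enabled else "disabled"
        print("%s [%s, %s] %s: %s" % (f.program, f.key, state, f.exe_path, "; ".join(f.flags)))
```

To run it over a real export, paste the copied text into a file and feed its contents to parse_export; the Uninstall list uses a different layout and is not covered here.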


#6 buddy215


Posted 12 May 2017 - 01:22 PM

Suggest Disabling these Tasks: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes    Task    Adobe Uninstaller    Adobe Systems Incorporated    C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe --sapCode=KBRG --productVersion=7.0 --productPlatform=win64 --appletID=AppsPanel_BL --appletVersion=1.0 --appMode=Uninstall

Yes    Task    GoogleUpdateTaskMachineUA    Google Inc.    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes    Task    NordVPN    NordVPN    C:\Program Files (x86)\NordVPN\NordVPN.exe /startup

 

Suggest Disabling these Startups:

Yes    HKLM:Run    ZAM    Copyright 2017.    "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /minimized
Yes    Startup Common    Secunia PSI Tray.lnk    Secunia    C:\Program Files (x86)\Secunia\PSI\psi_tray.exe

 

If MBAM and Emsisoft are free versions....suggest Disabling them, too.

 

Keep in mind that Disabling those items can be easily reversed if one or more being Disabled creates too much of a hassle.

 

The programs you used to check for malware and adware would be what I suggest to use in this forum. If you still think there is malware causing a problem you can start a new topic in the malware removal forum following the directions below.

 

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.





