Jump to content

Recommended Posts

Hello, buddies.
That's my very first post on this forum, and I'm here to ask for help after trying a bunch of other stuff. I got caugth by a Ransomware recently, and I decided to use the system recovery (my computer is a Dell so it has a factory reset). But after doing so, my computer is showing a file called "desktop.ini" in a lot of folders. Also, if I delete it, it always comes back. I guess it infected my recovery partition as well. Sometimes, the recovery partition shows up on the explorer when I access the Windows Explorer. What can I do about it?

Link to post
Share on other sites

Hi davidleite94 :)

desktop.ini isn't malicious, it's a file that stores display/view settings for the current folder it is located in. It'll always be recreated by Windows when it gets deleted.

http://www.digitalcitizen.life/why-are-there-two-desktopini-files-my-desktop-what-do-they-do

To hide them, follow the instructions in the link above and make sure that "Hide protected operating system files (Recommended)" is checked. Then they should dissapear.

Link to post
Share on other sites

I didn't said so, but there are some shortcuts being created in some folders, like Users, Program Files, ProgramData and AppData. They are created when I do the system restore and when I click on some folders like System Volume Information and $Recycle.Bin. The Recovery partition also shows up sometimes, when I restart my computer. I think that's some strange behavior.

Link to post
Share on other sites

Quote

but there are some shortcuts being created in some folders

What shortcuts?

Quote

Users, Program Files, ProgramData and AppData

These are all legitimate Windows folders.

Quote

when I click on some folders like System Volume Information and $Recycle.Bin.

These are legitimate Windows folders as well, though they are system folders.

Quote

I think that's some strange behavior.

It isn't strange. It looks like your System Restore disabled the option to hide protected operating system files. If you enable it (by following the instructions I provided above), these will be hidden once more, and your view will turn back to what it was before.

Link to post
Share on other sites

I tried what you said. But it doesn't solve it, what keeps making me think that this is not normal. Also, when I copy files from my computer to clouds or pendrives or other one's computers, desktop.ini also shows up on other computers. I've read about this in a lot of other posts, everybody saying it is normal, but I really don't think so. I'll just let it go since no one knows how to solve this.

Edited by davidleite94
One wrong letter.
Link to post
Share on other sites

Is it normal. The desktop.ini file isn't malicious, nor is it related to an infection. What might be happening however is that your desktop.ini files lost their "System" file attribute, which means that they won't hide even if you check "Hide protected operating system files (recommended)".

Let's see if that's the case. Follow the instructions for FRST in the thread below, and provide me the FRST.txt and Addition.txt logs.

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

 

Link to post
Share on other sites

I don't see any desktop.ini files listed in your logs, though I can see a few browser hijacks which we will remove.

Also, I see that you have two Antivirus installed: AVG and McAfee. You should never have more than one Antivirus installed at the time on a system, since having more than one can create system instability and conflict. So I would uninstall one of them, and keep the other (ideally, keep the on you're presently paying for).

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

fixlist.txt

Link to post
Share on other sites

Quote

but there's another computer that I use at work and it might be infected by hijacks as well.

Is that your computer or your employer's computer? If it belongs to your employer, are you allowed to seek assistance for it online, and not from your IT department? Just making sure.

Link to post
Share on other sites

When it finished, it asked me to restart the computer. I guess that that's the log, I'll paste what's on it:

Resultado da Correção pela Farbar Recovery Scan Tool (x64) Versão: 12-06-2017
Executado por david (13-06-2017 01:14:17) Run:1
Executando a partir de C:\Users\david\Downloads
Perfis Carregados: david (Perfis Disponíveis: david)
Modo da Inicialização: Normal
==============================================

fixlist Conteúdo:
*****************
CloseProcesses:
CreateRestorePoint:

ProxyServer: [S-1-5-21-3541513695-1080155128-3958550182-1001] => proxy.facip.ufu.br:3128
CHR StartupUrls: Default -> "hxxps://www.facebook.com/","hxxp://www.google.com/","hxxp://www.startpageing123.com/?type=hp&ts=1490263764&z=53aecd22f8a673ba1cee4d9g3zet6eaoaq1c6mcq4q&from=che0812&uid=WDCXWD10JPVX-22JC3T0_WD-WX51A169603E9603E"

EmptyTemp:
*****************

Processos fechados com sucesso.
Ponto de Restauração criado com sucesso.
HKU\S-1-5-21-3541513695-1080155128-3958550182-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => valor não encontrado (a).
Chrome StartupUrls => removido (a) com sucesso.

=========== EmptyTemp: ==========

BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 45865945 B
Java, Flash, Steam htmlcache => 933 B
Windows/system/drivers => 5738041 B
Edge => 3592437 B
Chrome => 793621741 B
Firefox => 12037277 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 1102507 B
systemprofile32 => 0 B
LocalService => 12412 B
NetworkService => 1694 B
david => 479640821 B

RecycleBin => 6296226 B
EmptyTemp: => 1.3 GB de dados temporários Removidos.

================================


O sistema precisou ser reiniciado.

==== Fim de Fixlog 01:16:08 ====

Link to post
Share on other sites

And this is a fix for your work computer. Also same advice for it: uninstall one of the two Antivirus installed, and keep the other. You also have two firewall installed: McAfee and ZoneAlarm, so uninstall one as well.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

 

fixlist.txt

Link to post
Share on other sites

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.