Jason Johanknecht asked:

Windows 10 computer with TOOLS infected folder on desktop that cannot be deleted

Residential client brought a computer the other day that is interesting.  He has a folder on the desktop named "TOOLS".  Inside the folder are random picture files by extension and misc other extensions.  38,000+ files in fact.  I cannot delete the folder under any OS (Linux, Ubuntu, Windows, Windows PE) connecting it to another system.  I have tested the drive with WD Lifeguard diagnostic and found no problem.  No performance issues with the drive (Seagate 500GB).  SMART shows no concerns.  CHKDSK shows MFT is corrupt and repairs.  Norton and many other virus scanners find every file in the folder to be a virus, ADS, or something unwanted beyond PuP.  I have never failed to remove a folder or file under Ubuntu.  Another note is that it generally takes hours to access the profile folder in order to even see the TOOLS folder.  Running scans took days to get partially through the TOOLS folder and cannot remove anything as of yet.  Most of the scans are performed on a bench PC with this drive attached, and still have problems.  I assume it is a combination of HDD problems (which I cannot determine) and virus infection.  The folder appears to have been created in September 2014.  The user has no recollection of how it came to be or when.  He did state that years ago he got a fake tech scam call and let them into his computer.  He only does e-mail and web browsing, so there wasn't anything exciting to steal from him.  He didn't pay them, and that was the end in his mind.  This is the first time I am seeing this computer ever.  Computer is Windows 10.
Did you run a full Scan with Windows Defender?  This is now top rated. Try that.

If Defender cannot clean it up, then I agree with the above. Back up and reinstall Windows fresh.
When you scanned these files in that folder, what infections were they?
Perhaps we can get a better clue if we know what some of the infections were.
Jason Johanknecht (ASKER):

Data is backed up already, and new drive with clean install is already in place.  I would like to dig deeper into this issue however.
Did you try Defender?
Generic detections like trojan horse with no name.  Nothing specific, except one tech scam something which is why I questioned him on how the folder came to be.
Defender was no help
Hard to know exactly what viruses might do. Try scanning and cleaning them up.
Thanks for the later update. So at this point, you do need to reinstall Windows.
Could it be a rootkit of some kind?
Yes, and one could spend all day trying to solve it.
Asker stated "...Data is backed up already, and new drive with clean install is already in place..."

Anyway that being said what program did you scan and that it detected these as Generic?

Try scanning with a different program and see if it comes up with something different?  Can you post a log of what was found from your scans?
Could easily have spread from another machine or the user's USB key.
Computer already has new drive and clean OS install.  Data recovered and returned.  I am only interested in determining what actually happened.  I cannot clean up any viruses in the actual computer, since I no longer have it or one similar to it.  It was an older PC from 2012 I think.  I think it is a rootkit, yes.  TDSSKiller did not find anything before.  I still have the HDD and continue to work on it though.
User has no external USB devices.  Believed to have been from a remote support tech scam in 2014.

Norton and Avast for sure all found thousands of generic.  Most programs found nothing.
Could you locate any specifics on the phone call and any odd programs which may have been associated ... to try and pin it down via Google or did all look "normal" except for TOOLS?
Forgot to mention after all these attempts, when the drive was back in the PC, it booted to an error loading MSASCuiL.exe
Yes, it is under the Windows Defender folder.  I only noticed this now, because of John questioning about Defender and going back in my notes.
I looked throughout my own Defender folders and that folder above is not there.
Hmm...usually Norton and Avast have better logs and have a name for them?
Try Malwarebytes? or Windows Defender?  Any logs from those?

Still would like a log to see what you are seeing.
Our hands are tied because the ONLY things we have to go off of is:
1. that something 'generic' is being detected.
2. the folder and the files?? can't be erased or removed in any platform.  (What error or message do you get when removal is attempted?)
3. the folder name is TOOLS
4. Potentially may be due to the Tech Scam in 2014.  But we don't know what that was exactly about.
Context menu had strange entries:
File Ownership > No file or anything else
Open Powershell window here > powershell.exe -noexit -comman set-Location -LiteralPath '%V'
     this is under key of directory and drive (Identical entry)
Info on MSASCuiL.exe can be found here:
https://www.file.net/process/msascuil.exe.html
Interesting John.  I checked mine and they don't exist either.  But it is listed as a core file for Defender when I look it up.  Looking into further now.
Viruses and trojans write data without leaving tracks, so I am not sure what you might find.
Thanks wakeup.  That is the original location I looked that file up on.  Maybe too quick to discount that.  I have to dig through reports to find which scanner removed that file.  Yes I check for system and hidden files.
Did I mention one scan found these items to be ADS (Alternate Data Streams) infections.  But still generic.  I am combing through reports slowly.  38K files in each.
Inside that folder, Norton determined 2 by name:
  PCTechhotline
  PCFixSpeed

Everything else is heuristic detection.
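An added triage script, not from anyone in this thread: run on the bench PC against the slaved drive, it walks the folder and records the things that commonly explain a folder that scanners flag as ADS and that will not delete (alternate data streams, reparse points, ownership, and names Win32 cannot handle). The drive letter, user path and output file are assumptions.

```powershell
# Added example (not from this thread). Walks a folder on a slaved drive and records
# alternate data streams, reparse points, owners and Windows-unfriendly names.
param(
    # Assumption: the client's drive is mounted as D: and the folder is on the user's desktop.
    [string]$Target = 'D:\Users\username\Desktop\TOOLS',
    [string]$OutCsv = "$env:TEMP\tools-folder-triage.csv"
)

# A trailing dot/space or a reserved device name (CON, NUL, COM1...) cannot be deleted
# through a normal Win32 path; such items need a \\?\-prefixed path instead.
$reservedName = '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$'

$rows = foreach ($item in Get-ChildItem -LiteralPath $Target -Recurse -Force -ErrorAction SilentlyContinue) {
    $streams = @()
    try {
        # Every file carries the unnamed ':$DATA' stream; anything else is an ADS.
        $streams = @(Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction Stop |
                     Where-Object { $_.Stream -ne ':$DATA' })
    } catch { }   # directories on older PowerShell builds and locked files land here

    $owner = '<unreadable>'
    try { $owner = (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop).Owner } catch { }

    [pscustomobject]@{
        Path     = $item.FullName
        Attrib   = $item.Attributes.ToString()
        Reparse  = (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)
        OddName  = (($item.Name -match '[. ]$') -or ($item.Name -match $reservedName))
        Owner    = $owner
        AdsCount = $streams.Count
        Ads      = (($streams | ForEach-Object { "$($_.Stream)=$($_.Length)B" }) -join ';')
    }
}

$rows | Export-Csv -LiteralPath $OutCsv -NoTypeInformation

# Zone.Identifier is the ordinary mark-of-the-web; any other stream is worth reading with
# Get-Content -Stream <name> on the bench machine, never on the original PC.
$flagged = $rows | Where-Object { $_.Reparse -or $_.OddName -or
                                  ($_.AdsCount -gt 0 -and $_.Ads -notmatch '^Zone\.Identifier=') }

"Items scanned : $(@($rows).Count)"
"Reparse points: $(@($rows | Where-Object { $_.Reparse }).Count)"
"With any ADS  : $(@($rows | Where-Object { $_.AdsCount -gt 0 }).Count)"
"Flagged items : $(@($flagged).Count) (full table in $OutCsv)"
$flagged | Select-Object Path, Attrib, Owner, Ads | Format-Table -AutoSize
```

Run it from an elevated prompt so Get-Acl can read ownership on files the scanner could not open; the CSV keeps the full listing for comparison against the scanner reports.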
Be sure you do not spend more money in time (labour) than a proper fix is worth.
This is not being billed to customer.  This is for my knowledge.  I own the company, so it costs me nothing but my time.  Which I am ok with.
I think Jason is on a "personally funded journey" ... there comes a point where it gets personal and I think that is where he is ...
Some info on PCTechhotline:
https://www.bleepingcomputer.com/virus-removal/remove-pctechhotline

Probably won't help at this moment.  But there's at least some background on it.

Info and other people with issues with PCFixSpeed:
https://www.bleepingcomputer.com/forums/t/546669/pc-fix-speed/
https://www.bleepingcomputer.com/forums/t/494732/how-do-you-remove-cprogram-filespcfixspeedpcfixspeedexe/
Unfortunately since you are really only slaving the drive into a different computer and not booting up to the drive, you won't necessarily be able to see what is being done with the OS.  You only have the data/storage.  You won't get registry, hive or startup info when scanning.
I like your comment N8iveIT.  There was no actual Speedfix or Tech hotline installed on the computer.
where is the tools folder located?
C:\users\username\desktop c:\users\public\desktop ?
use the command prompt to find the folder
Interesting thread.

I'd suggest submitting some samples to https://www.virustotal.com/#/home/upload and see if the scanners there can give you a definite name.

Your problem will be with tracking down the original infection. If you can determine what infected the machine in the first place, then it should also give a clue as to what other viruses, trojans or other malware were likely installed afterwards and how the undeletable folder was created.

Will be interested to see how this pans out.
Had same idea with Virustotal, and every sample I submitted came back as clean 100%.
You say this: "There was no actual Speedfix or Tech hotline installed on the computer."
But also said this: "The folder appears to have been created in September 2014.  The user has no recollection of how it came to be or when.  He did state that years ago he got a fake tech scam call and let them into his computer."

So it could be possible these may have been installed at some point in time?  Maybe without the user knowing.  But irrelevant now, as we are trying to figure out what could have possibly locked the folder.  

Are you able to drag something into the folder?  Anything really?  Just curious if the folder has some sort of lock on it, aside from removal.
What about renaming the folder? Again just testing to see what all can be done to the folder.
I just ran Norton full scan against the folder for a second time, it found nothing additional.  But now I can delete the folder TOOLS in Windows environment on my Bench system.  I guess I will never know exactly, but possible the drive is the culprit in addition to the malicious folder contents.  If anyone wants to add thoughts before I close this thread, I can still run tests on the drive outside of the original system.
Well now that the TOOLS folder is gone and no longer stuck, you seem to have backed up the data that was needed and reinstalled the customer's computer and it is working, you can certainly test the drive with destructive tests to see if the drive is in optimal condition.

Otherwise we won't really know anything else.

Only other opinion not put out there was that maybe one of your Antivirus software tools locked the folder due to infection.  But I do not understand why it would not erase in Ubuntu or something like that.
Avast was the first scanner installed locally and attempted to remove the infected folder contents.  Just FYI, in case Avast does lock the folder some how.
Thanks to all that posted.  Eventually after many scans over days on the bench computer, I was finally able to remove the entire TOOLS folder.  I suspect that the drive having some problems I cannot detect with diagnostics is also partly to blame.  No other useful information was found on this subject.
Hey Jason,

Thanks for coming back and giving us an update.  What model/brand is the drive?  And what tools did you use to diagnose it?

If you have a brand, perhaps the manufacturer has diagnostic tools to test?  Usually using their tool could potentially be better at diagnosing the drive.  Try destructive tests with the diagnostic software?  Scans/cleans and moves bad blocks etc....