Desktop.

ini Suddenly Appears to Be Flagged, Is

Desktop.ini Virus and How to Fix it?
About Desktop.ini
Desktop.ini is a text file hidden by default in Windows Operating System in an attempt to avert mistaken
removal. It is developed early when DOS was created to store initialization information. Every new information
will be written into .ini file including desktop.ini. The major feature of Desktop.ini is to help programmers or
skillful PC users customize the properties, attributes and appearance of a folder. All Desktop.ini file contain
[.ShellClassInfo] section, which is utilized to assign values and thus helps with the folder specification.

In most cases, the below listed are the most commonly seen custom attributes:
ConfirmFileOp: when it is set to 0, error message warning You Are Deleting a System Folder will be
triggered when a folder is removed.
IconFile: it shows the path of icon files and helps to specify a custom icon file such as .ico, .exe or .dll.
IconIndex: when it is set to 0, only one icon will be displayed.
InfoTip: a string of informational text will appear when mouse is hovered over a folder.

Lets learn the magic by Desktop.ini with two examples offered by VilmaTech Online Support:
Example NO.1:

[ExtShellFolderViews]
{BE098140-A513-11D0-A3A4-00C04FD706EC}={BE098140-A513-11D0-A3A4-00C04FD706EC}
[{BE098140-A513-11D0-A3A4-00C04FD706EC}]
Attributes=1
IconArea_Image=11.jpg(tip: 11.jpg indicates the image you saved on your computer)
[.ShellClassInfo]
ConfirmFileOp=50

By writing the above content in a notepad under a folder and saving it with the name Desktop.ini, the
background of the folder will be changed to 11.jpg image.

Example NO.2:

[ExtShellFolderViews]
IconArea_Text=0x000000FF(tip: 0x000000FF is the code name for red )
Attributes=1
IconArea_Image=bg04.jpg (tip: bg04.jpg indicates the image you saved on your computer)
[.ShellClassInfo]
ConfirmFileOp=0

By writing the above content in a notepad under a folder and saving it with the name Desktop.ini, the
background of the folder will be changed to bg04.jpg image and the color of the folder will be changed to red.
Extra tip: 000008000 is for green, 0x00FF0000 is for blue, 0x00FFFFFF is for white.
After this section, it is made clear that Desktop.ini is everywhere in Microsoft Windows system, which is the
reason why anti-virus programs will not be able to help fix Desktop.ini file when something wrong happens.
Keep reading to seek answers to frequently asked questions about Desktop.ini file. In the event where your
Desktop.ini problems are not mentioned in the following article, you are welcome to consult specialized
technicians (https://plus.google.com/u/0/112671360248060681646/about?rel=author)and get your problems
solved.

Can Desktop.ini Be Removed?

As we have learned from the preceding paragraphs that Desktop.ini contains custom information of folders. If
Desktop.ini file is removed randomly, customizations made to folders will be lost. However, it is no big deal to
mistakenly remove a desktop.ini file in a Windows system folder since it will be recreated at the next system
restart. Therefore the answer is YES.

Why Desktop.ini File Automatically Open?

The following two desktop.ini files have been reported to open automatically whenever system starts:

1. [.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
(mailto:LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787)
2. [.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787.
(mailto:LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787.)

It should come to your knowledge that LocalizedResourceName refers to Limited resource name,
@%SystemRoot%\system32 is the address that the name refers; shell32.dll refers to Dynamic Link Library
where contains information like ICO address; -21787 is equivalent to ID/index.
Most PC users mistakenly think that the two desktop.ini files are vicious due to the weird activity. They can be
stopped if their startup components are removed from system configuration. Though the two desktop.ini files
are not virus, it should arouse your precaution that something has made modifications to the target system
and vulnerability has come into being. Optimizations should be undertaken right away in an attempt to prevent
intrusive infiltrations.

Desktop.ini Can Be Used by Infections

The mostly utilized system files by infections are Svchost.exe and winlogon.exe. The reason that virus like
Win32:Malware-gen (http://blog.vilmatech.com/win32malware-gen-remove-win32malware-gen-virusmanually-successfully/) would affect Desktop.ini file is the same as that would affect autorun.inf. The ability to
recreate removed item attract infections and thus there have been more warning alert about Desktop.ini, its
error messages and related problems:
Installed anti-virus programs give away alert warning about Desktop.ini but not able to fix it.
Computer starts out with firewall on, but it will be turned off several minutes later without the possibility to
get it back on.
Detected virus returns after each removal and reboot.
Error warning is given away telling desktop.ini windows system file found.
The above problems are not directly caused by affected Desktop.ini. Due to the protection by desktop.ini,
other vicious deeds are allowed to be executed smoothly to give rise to the above listed problems without the
fear of being removed permanently.

Tell Difference
According to the experience from Global PC Support Center, the content of Desktop.ini created by infections
is mainly a series of mazy characters coupled with date, which is not making Desktop.ini as hazardous as an
executable file.
PC users can also check for any weird activities in Task Manager, installed security utilities, browsers (Firefox,
Chrome, Opera, IE) on the sudden occurrence of desktop.ini. If everythings shown to be normal, then the
desktop.ini file is genuine.
In most cases, affected desktop.ini file will be shown together with autorun,inf under the root directory. Herein,
VilmaTech Online Support would like to take Worm.Script.VBS.Agent.bz as example to give concrete
knowledge for your reference:
The content of affected desktop.ini:

The content of affected autorun.inf:

There was once a case where _desktop.ini confuses wide range of PC users. Always bear in mind that the
genuine name for desktop.ini file is desktop.ini now and forever rather than others like _desktop.ini.
It is a knot when virus affect desktop.ini file to help with infiltration. Below is the manual instruction offered by
VilmaTech Online Support given the fact that anti-virus programs are not able to deal with system items. Be
noted that the below instruction pertains to fixing desktop.ini problems. If you want to remove the virus
detected by installed security utilities that has affected desktop.ini file, more steps are required. On the
occurrence of confusion in the middle of the fix, it is advisable to get professional assistance from
recommended online PC security service (http://blog.vilmatech.com/).

Manual Instruction to Fix Desktop.ini Problems

Situation One Desktop.ini file opens automatically at Windows start.
Tip: such situation can be seldom seen; one should pay attention to any vulnerability, especially web
vulnerability afterwards.
Windows 7/XP/Vista
Use Win key and R key combination to activate Run box.

Type MSCONFIG and hit Enter key to access startup window.

Find anything related to desktop.ini and press Disable all to stop it from opening up automatically.

Windows 8
Enable Charms bar by hovering mouse to borders to any direction.
Type Task and hit Enter key to select Task Manager in the popup screen with arrow keys.

Hit Enter key to navigate to Startup tab and find anything related to desktop.ini.

Press Disable to stop it from opening up automatically.

Attention: to exterminate web vulnerability, it is wise to reset browser settings and apply some steps to tighten
up web security.
Step one: reset browser settings.
Internet Explorer
Click on the Tools menu to select Internet Options; then tap Advanced tab to press Restore Defaults button
and then press OK for confirmation.

Mozilla Firefox
Click on the Firefox menu to select Help; then choose Troubleshooting information in its drop-down list to
press Reset Firefox button.

Google Chrome
Click on Customize and Control Google Chrome menu to select Options; tap Under the Hood tab to press
Reset to Defaults button.

Opera
Show hidden files and folders to remove Operapref.ini file under C:\Users\user_name\AppData\Roaming
\Opera\Opera\.

Step two: tighten up browser security.

Disable banner, ServerSignature and ServerTokens from being tracked down to the extent that what is
actually running on a target computer and where is the PC user going.
Disable Directory index by opening up terminal before executing the following commands:
rm -f /etc/apache2/mods-enabled/autoindex.load
rm -f /etc/apache2/mods-enabled/autoindex.conf

Check permissions assigned to shared network drives to limit the number of people who can make
modifications

Set each PCs software management tools to prevent vicious items from accessing certain critical
directories.
Restrict vulnerability in IIS (Internet Information Services).
Impose restrictions on Apache HTTP Server to prevent virus from reading all information of the machine.
Disable WebDAV to assure that virus cannot modify files to upload vicious codes by deleting dav, dav_fs
and dav_lock files on terminal through commands:
rm -f /etc/apache2/mods-enabled/dav.load
rm -f /etc/apache2/mods-enabled/dav_fs.conf
rm -f /etc/apache2/mods-enabled/dav_fs.load
rm -f /etc/apache2/mods-enabled/dav_lock.load

Install website monitor, Firewall to help filter junk sites and sites with sensitive content so as to decrease
the possibility to be affected by virus.
Adopt IDS (Intrusion Detect System) to analyze collected information from computer networks or
computing system in an attempt to help detect any action violating security policy and sign of under attack.
Turn off request from TRACE HTTP to prevent online conversation from being hijacked by navigating the
terminal to /etc/apache2/apache2.conf.

Situation Two Desktop.ini file is affected by virus to cause error message.

1.

run reputable anti-virus program to remove detected vicious items as possible and remember the

directory of flagged desktop.ini file.

2.

end running processes like rundl132.exe, rundll32.exe, logo_1.exe and other strange ones such as

WINLOGON.EXE to help fix desktop.ini problem.

3.

if you dont have special preference of folder characteristic, if it recommended to remove all desktop.ini in

dustbin and under C:\Windows; or you can navigate to the directory of the flagged desktop.ini file and carry
out the following steps:
Hold Win key and R key at once to bring up Run box again.
Type CMD.exe and hit Enter key to bring up a black box with flashing slash/line.

Type /s and hit Enter key, which will help you remove all desktop.ini file under that directory.

4.

Hit Start Menu to access notepad under Accessory to write it with the following text:

del a:\_desktop.ini /f/s/q/a

del b:\_desktop.ini /f/s/q/a

i:\_desktop.ini /f/s/q/a

del d:\_desktop.ini /f/s/q/a

del g:\_desktop.ini /f/s/q/a

del h:\_desktop.ini /f/s/q/a

del e:\_desktop.ini /f/s/q/a

del

del c:\_desktop.ini /f/s/q/a

del j:\_desktop.ini /f/s/q/a

del k:\_desktop.ini /f/s/q/a

when done, save as the file with suffix .bat and double click to execute the file.

To sum up:
Desktop.ini file belongs to Windows system file that contains customization information of folders. The file
features a typical ability that is to re-produce removed files at each Windows starts. Because of the capability,
desktop.ini is targeted by infections, Trojan horse particularly, to help with re-image after being removed by
reputable anti-virus programs. Technically speaking, affected desktop.ini file is not hazardous at all. However,
it hinders from successful removal to help make further harms in another way. Therefore no hesitation should
be taken in fixing desktop.ini problem. Due to the fact that desktop.ini belongs to system file, it is advisable to
fix it with manual way. Should there be any obstacle because of deficient computer knowledge, you are
welcome to seek professional help from VilmaTech Online Support (http://www.vilmatech.com
/services.html)that is always within your reach.