VilmaTech.com > VilmaTech Blog > Desktop.ini Suddenly Appears to Be Flagged, Is Desktop.ini Virus and How to Fix it?

Desktop.ini Suddenly Appears to Be Flagged, Is Desktop.ini Virus and How to Fix it?

Published on January 27, 2014

About Desktop.ini

Desktop.ini is a text file hidden by default in Windows Operating System in an attempt to avert mistaken removal. It is developed early when DOS was created to store initialization information. Every new information will be written into .ini file including desktop.ini. The major feature of Desktop.ini is to help programmers or skillful PC users customize the properties, attributes and appearance of a folder. All Desktop.ini file contain [.ShellClassInfo] section, which is utilized to assign values and thus helps with the folder specification.

desktopini

In most cases, the below listed are the most commonly seen custom attributes:

  • ConfirmFileOp: when it is set to 0, error message warning “You Are Deleting a System Folder” will be triggered when a folder is removed.
  • IconFile: it shows the path of icon files and helps to specify a custom icon file such as .ico, .exe or .dll.
  • IconIndex: when it is set to 0, only one icon will be displayed.
  • InfoTip: a string of informational text will appear when mouse is hovered over a folder.

 
Let’s learn the magic by Desktop.ini with two examples offered by VilmaTech Online Support:

Example NO.1:

[ExtShellFolderViews]
{BE098140-A513-11D0-A3A4-00C04FD706EC}={BE098140-A513-11D0-A3A4-00C04FD706EC}
[{BE098140-A513-11D0-A3A4-00C04FD706EC}]
Attributes=1
IconArea_Image=11.jpg(tip: “11.jpg” indicates the image you saved on your computer)
[.ShellClassInfo]
ConfirmFileOp=50

By writing the above content in a notepad under a folder and saving it with the name “Desktop.ini”, the background of the folder will be changed to 11.jpg image.

 
Example NO.2:

[ExtShellFolderViews]
IconArea_Text=0x000000FF(tip: 0x000000FF is the code name for red )
Attributes=1
IconArea_Image=bg04.jpg (tip: “bg04.jpg” indicates the image you saved on your computer)
[.ShellClassInfo]
ConfirmFileOp=0

By writing the above content in a notepad under a folder and saving it with the name “Desktop.ini”, the background of the folder will be changed to bg04.jpg image and the color of the folder will be changed to red. Extra tip: 0x00008000 is for green, 0x00FF0000 is for blue, 0x00FFFFFF is for white.

After this section, it is made clear that Desktop.ini is everywhere in Microsoft Windows system, which is the reason why anti-virus programs will not be able to help fix Desktop.ini file when something wrong happens. Keep reading to seek answers to frequently asked questions about Desktop.ini file. In the event where your Desktop.ini problems are not mentioned in the following article, you are welcome to consult specialized technicians and get your problems solved.
 

Can Desktop.ini Be Removed?

As we have learned from the preceding paragraphs that Desktop.ini contains custom information of folders. If Desktop.ini file is removed randomly, customizations made to folders will be lost. However, it is no big deal to mistakenly remove a desktop.ini file in a Windows system folder since it will be recreated at the next system restart. Therefore the answer is YES.

live chat

 

Why Desktop.ini File Automatically Open?

The following two “desktop.ini” files have been reported to open automatically whenever system starts:

  1. [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
  2. [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787.

It should come to your knowledge that “LocalizedResourceName” refers to Limited resource name, “@%SystemRoot%\system32” is the address that the name refers; “shell32.dll” refers to Dynamic Link Library where contains information like ICO address; “-21787” is equivalent to ID/index.

Most PC users mistakenly think that the two desktop.ini files are vicious due to the weird activity. They can be stopped if their startup components are removed from system configuration. Though the two desktop.ini files are not virus, it should arouse your precaution that something has made modifications to the target system and vulnerability has come into being. Optimizations should be undertaken right away in an attempt to prevent intrusive infiltrations.
 

Desktop.ini Can Be Used by Infections

The mostly utilized system files by infections are Svchost.exe and winlogon.exe. The reason that virus like Win32:Malware-gen would affect Desktop.ini file is the same as that would affect autorun.inf. The ability to recreate removed item attract infections and thus there have been more warning alert about Desktop.ini, its error messages and related problems:

  • Installed anti-virus programs give away alert warning about Desktop.ini but not able to fix it.
  • Computer starts out with firewall on, but it will be turned off several minutes later without the possibility to get it back on.
  • Detected virus returns after each removal and reboot.
  • Error warning is given away telling “desktop.ini windows system file found”.

The above problems are not directly caused by affected Desktop.ini. Due to the protection by desktop.ini, other vicious deeds are allowed to be executed smoothly to give rise to the above listed problems without the fear of being removed permanently.
 

Tell Difference

According to the experience from Global PC Support Center, the content of Desktop.ini created by infections is mainly a series of mazy characters coupled with date, which is not making Desktop.ini as hazardous as an executable file.

PC users can also check for any weird activities in Task Manager, installed security utilities, browsers (Firefox, Chrome, Opera, IE) on the sudden occurrence of desktop.ini. If everything’s shown to be normal, then the desktop.ini file is genuine.

In most cases, affected desktop.ini file will be shown together with autorun,inf under the root directory. Herein, VilmaTech Online Support would like to take Worm.Script.VBS.Agent.bz as example to give concrete knowledge for your reference:

The content of affected desktop.ini:

content of desktopini

The content of affected autorun.inf:

content of autoruninf

There was once a case where _desktop.ini confuses wide range of PC users. Always bear in mind that the genuine name for desktop.ini file is “desktop.ini” now and forever rather than others like _desktop.ini.

It is a knot when virus affect desktop.ini file to help with infiltration. Below is the manual instruction offered by VilmaTech Online Support given the fact that anti-virus programs are not able to deal with system items. Be noted that the below instruction pertains to fixing desktop.ini problems. If you want to remove the virus detected by installed security utilities that has affected desktop.ini file, more steps are required. On the occurrence of confusion in the middle of the fix, it is advisable to get professional assistance from recommended online PC security service.

live chat

 

Manual Instruction to Fix Desktop.ini Problems

Situation One – Desktop.ini file opens automatically at Windows start.

Tip: such situation can be seldom seen; one should pay attention to any vulnerability, especially web vulnerability afterwards.

Windows 7/XP/Vista

  • Use Win key and R key combination to activate Run box.

win+r

  • Type ‘MSCONFIG’ and hit Enter key to access startup window.

MSCONFIGintheRunBox

  • Find anything related to desktop.ini and press ‘Disable all’ to stop it from opening up automatically.

 
Windows 8

  • Enable Charms bar by hovering mouse to borders to any direction.
  • Type ‘Task’ and hit Enter key to select “Task Manager” in the popup screen with arrow keys.

win8 task manager

  • Hit Enter key to navigate to Startup tab and find anything related to desktop.ini.

win8 startup

  • Press ‘Disable’ to stop it from opening up automatically.

 
Attention: to exterminate web vulnerability, it is wise to reset browser settings and apply some steps to tighten up web security.

Step one: reset browser settings.

Internet Explorer
Click on the Tools menu to select Internet Options; then tap Advanced tab to press Restore Defaults button and then press OK for confirmation.
reset IE
 
Mozilla Firefox
Click on the Firefox menu to select Help; then choose Troubleshooting information in its drop-down list to press ‘Reset Firefox’ button.
reset_firefox_1
 
Google Chrome
Click on ‘Customize and Control Google Chrome’ menu to select ‘Options’; tap ‘Under the Hood’ tab to press ‘Reset to Defaults’ button.
reset gg4
 
Opera
Show hidden files and folders to remove Operapref.ini file under “C:\Users\user_name\AppData\Roaming\Opera\Opera\”.
reset opera

 
Step two: tighten up browser security.

  • Disable banner, ServerSignature and ServerTokens from being tracked down to the extent that what is actually running on a target computer and where is the PC user going.
  • Disable Directory index by opening up terminal before executing the following commands:

rm -f /etc/apache2/mods-enabled/autoindex.load
rm -f /etc/apache2/mods-enabled/autoindex.conf

  • Check permissions assigned to shared network drives to limit the number of people who can make modifications
  • Set each PC’s software management tools to prevent vicious items from accessing certain critical directories.
  • Restrict vulnerability in IIS (Internet Information Services).
  • Impose restrictions on Apache HTTP Server to prevent virus from reading all information of the machine.
  • Disable WebDAV to assure that virus cannot modify files to upload vicious codes by deleting dav, dav_fs and dav_lock files on terminal through commands:

rm -f /etc/apache2/mods-enabled/dav.load
rm -f /etc/apache2/mods-enabled/dav_fs.conf
rm -f /etc/apache2/mods-enabled/dav_fs.load
rm -f /etc/apache2/mods-enabled/dav_lock.load

  • Install website monitor, Firewall to help filter junk sites and sites with sensitive content so as to decrease the possibility to be affected by virus.
  • Adopt IDS (Intrusion Detect System) to analyze collected information from computer networks or computing system in an attempt to help detect any action violating security policy and sign of under attack.
  • Turn off request from TRACE HTTP to prevent online conversation from being hijacked by navigating the terminal to /etc/apache2/apache2.conf.

 
 

Situation Two – Desktop.ini file is affected by virus to cause error message.

 
1.    run reputable anti-virus program to remove detected vicious items as possible and remember the directory of flagged desktop.ini file.

2.    end running processes like rundl132.exe, rundll32.exe, logo_1.exe and other strange ones such as WINLOGON.EXE to help fix desktop.ini problem.

rundll32 process

3.    if you don’t have special preference of folder characteristic, if it recommended to remove all desktop.ini in dustbin and under C:\Windows; or you can navigate to the directory of the flagged desktop.ini file and carry out the following steps:

  • Hold Win key and R key at once to bring up Run box again.
  • Type “CMD.exe” and hit Enter key to bring up a black box with flashing slash/line.

run cmd

  • Type “/s” and hit Enter key, which will help you remove all desktop.ini file under that directory.

 
4.    Hit Start Menu to access notepad under “Accessory” to write it with the following text:

notepad

del a:\_desktop.ini /f/s/q/a
del b:\_desktop.ini /f/s/q/a
del c:\_desktop.ini /f/s/q/a   del d:\_desktop.ini /f/s/q/a
del e:\_desktop.ini /f/s/q/a   del g:\_desktop.ini /f/s/q/a   del h:\_desktop.ini /f/s/q/a   del i:\_desktop.ini /f/s/q/a
del j:\_desktop.ini /f/s/q/a
del k:\_desktop.ini /f/s/q/a

when done, save as the file with suffix “.bat” and double click to execute the file.

save as bat file

 

To sum up:

Desktop.ini file belongs to Windows system file that contains customization information of folders. The file features a typical ability that is to re-produce removed files at each Windows starts. Because of the capability, desktop.ini is targeted by infections, Trojan horse particularly, to help with re-image after being removed by reputable anti-virus programs. Technically speaking, affected desktop.ini file is not hazardous at all. However, it hinders from successful removal to help make further harms in another way. Therefore no hesitation should be taken in fixing desktop.ini problem. Due to the fact that desktop.ini belongs to system file, it is advisable to fix it with manual way. Should there be any obstacle because of deficient computer knowledge, you are welcome to seek professional help from VilmaTech Online Support that is always within your reach.

live chat

 
Other Articles You Might Be Interested In

Svchost.exe – How to Fix Svchost.exe Problem

Winlogon.exe, Remove Winlogon Process Error Message and Winlogon.exe Virus

Remove Autorun.inf Virus – What Is Autorun.inf and How to Remove Autorun.inf Virus

Subscribe to our RSS feed

Latest Posts

Categories

Archives