Removing Desktop_.ini Virus (W32.Fujacks.E)

A reader recently submitted a question about removing a strange virus. Although the question is a bit vague, I believe the Windows Guru has the solution for removing the Desktop_.ini virus.

Please let me know how to get rid of Desktop_.ini virus.
– Rakesh A.

Hello, Rakesh. Without properly identifying your virus, I’m left to do a bit of guessing. However, in your case, I believe I can make a fairly accurate guess. The only virus that I’m aware of that creates a file named Desktop_.ini is the W32.Fujacks.E worm.

Discovered in early 2007, the W32.Fujacks.E worm copies itself to the root of every partition and infects all files of certain executable types found on the local computer. The worm also ends some security-related processes and services, leaving your machine vulnerable to a more malicious attack.

While we can end the worm process and remove it, you will need a proper AV solution to clean the infected files on your computer.

Since this virus targets many popular AV solutions, the first step in removal should be to reinstall your anti-virus program to ensure that it is working properly. Avoid rebooting during this process.

Next, you should disable system restore if it is enabled. Right-click My Computer and choose Properties… to open the System Properties dialog box. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives and click Apply. Then, click Yes to the confirmation message. You must be logged on as an administrator.

At this point, you should update your virus definitions and run a full system scan with your anti-virus program. Most AV programs should detect and clean this virus from infected files. If you are unable to do this for any reason, reboot your computer in Safe Mode and attempt it from there.

Finally, with the computer running in Normal mode, you can remove the registry entries created by the virus. Click Start and choose Run… to open the Run dialog box. Enter regedit and click OK. Navigate to the following sub-key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

and delete the following value from the right pane:

"svcshare" = "%System%\Drivers\spoclsv.exe"

The Desktop_.ini (W32.Fujacks.E) virus should now be removed from your computer.


10 Comments

  • Well, I am not sure how many variants there are for this one. But this one is spreading through Bluetooth phones a lot these days. Bluetooth enabled phones are jacked n pushed with this one. When the phone is attached to machine, the Autorun feature asks for the default thing to run “Setup.exe” and most of the users hit OK.. there u go!!
    Now, this one also disables Bluetooth on your machine, yeap u can’t add or see devices. Second, all your hidden files can’t be seen now, even if you check “show hidden files” in folder options (it disables it again). Spoclsv is the culprit.. so find n delete it from registry (everywhere) and then restart machine.. do an attrib -s -h -r (that order) for all the files with desktop_* and spoclsv.* and note down paths.. shift+delete them.

    (I did all this) but have not been able to turn on my Bluetooth or see my hidden files.. it still is there somewhere..
    u guys may be thinkin .. why the hell I don’t get an AV.. well I don’t have n don’t want to buy.. n damn I have Vista!

    Now the question, if I have Task Manager on and then do a “Show hidden/system files” and hit apply/ok, I see some task coming in, run for a while and disappear again (rightfully so) and task is shell32 (if I rem it correctly).. but the task does a Show n then a DON’T SHOW on hidden/system files.. any takes on that (don’t suggest me AV).. I wanna do what AVs would do (try to do).

  • Hi,
    this virus had been troubling me for a while. I used Kaspersky AV which could detect this virus, and it says that it did disinfect the system. But, I am not sure if that really happened. Because, I still see the Desktop_.ini files in every folder on the system. Whenever I delete a folder, I see a message which says that the folder contains this Desktop_.ini file. Over the LAN in my college, my friends who are running a different AV can still detect a virus. Please help me.

    I did go to registry to delete the above suggested file. But, I didn’t find that file there.

    Suggested file was "svcshare" = "%System%\Drivers\spoclsv.exe"

  • Hi,

    After trying to remove Desktop_.ini as per the instructions given by you, the virus could not be removed permanently.

    "svcshare" = "%System%\Drivers\spoclsv.exe"

    This value could not be found in the registry. What is the next solution for removing the Desktop_.ini virus?

    Prakash

  • There are several other variants of this virus. Their startup entries may be found under either or both of the following keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    The entry may look like any of the following:

    "svohost" = "FuckJacks.exe"
    "Fuckjacks" = "FuckJacks.exe"
    "svcshare" = "spoclsv.exe"
    "logo1_.exe" = "C:\WINDOWS\logo_1.exe"
    "ati3evx.exe" = "C:\WINDOWS\ati3evx.exe"
    "svohost" = "C:\WINDOWS\system32\FuckJacks.exe"
    "System Boot Check" = "%System%\sysload3.exe"
    "svchost" = "%Windir%\svchost.exe"
    "EXPLORER" = "C:\Program Files\Common Files\System\wab32res.exe…"

    In addition to the information found in this article, you should also look for and delete the following registry key, if it exists:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasautol

    You should also look for and delete the following registry value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{21LYYSYS-9421-2126-L2Y1-L2Y1Y1S3Y1S4}\"StubPath" = "%System%\[RANDOM].exe"
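
A read-only check for the startup entries named in the article and in the comment above, written as an added PowerShell example that is not part of the original post or its comments. It matches on the executable names quoted on this page rather than on value names (names such as "svchost" or "EXPLORER" are too generic to match on); the variable names are illustrative.

```powershell
# Added example (not from the original post): read-only audit, deletes nothing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Executable names quoted in the article and in the comment above.
$suspectFiles = @('spoclsv.exe', 'FuckJacks.exe', 'logo_1.exe',
                  'ati3evx.exe', 'sysload3.exe', 'wab32res.exe')
# svchost.exe normally lives under System32; the comment lists a copy
# placed directly under %Windir% as a variant entry.
$fakeSvchost = Join-Path $env:windir 'svchost.exe'

$findings = @(
    foreach ($key in ($runKeys | Where-Object { Test-Path -LiteralPath $_ })) {
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Expand variables such as %Windir% so the paths compare correctly.
            $data = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
            $hits = @($suspectFiles | Where-Object { $data -like "*$($_)*" })
            if ($data -like "*$fakeSvchost*") { $hits += 'svchost.exe outside System32' }
            if ($hits.Count -gt 0) {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data; Match = $hits -join ', ' }
            }
        }
    }
)

# Service key and Active Setup component named in the comment above.
$extraKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Rasautol',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{21LYYSYS-9421-2126-L2Y1-L2Y1Y1S3Y1S4}'
)
$findings += @(
    foreach ($key in $extraKeys) {
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Key = $key; Name = '(key)'; Data = ''; Match = 'key exists' }
        }
    }
)

if ($findings.Count -eq 0) {
    'No startup entries from the list on this page were found.'
} else {
    $findings | Format-List
}
```

The script only reports what it finds; removal still follows the regedit steps in the article after the anti-virus scan.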

  • Hi, I am getting this type of virus. Can u help me out pls?

  • hi I am not downloaded for this link plz help

  • The virus disables regedit and any AV I install. I can’t do more. Is there any other solution?

  • Hi

    I have the Desktop_.ini Virus (W32.Fujacks.E) on my PC. It’s not doing anything to corrupt any of my files, however it is still a problem. The advice about removing the registry entry is not working because I do not have those entries.
    I’ve searched for “spoclsv” or any of the suggestions above, but still cannot find any in my registry. Is there an AV that can remove this??

  • Hi

    One of my CDs is affected by this virus… Please help me to remove it as the CD contains very useful software backups…

  • Thank you for the above information. I will try it.

    In the meantime I would like to share a similar problem, in case anyone has a solution to share:

    Recently I have been facing a problem which I believe is being caused by ‘desktop.ini’: it has created shortcuts of many folders; when I open any folder, I find ‘desktop.ini’, and it will come back when deleted manually; whenever I tried to burn any file or folder, the ‘desktop.ini’ file also appears to be burnt.

    So could you advise how to get rid of this problem?

    Looking forward to hearing from you all.

    Sincerely
