Comments on: Removing Desktop_.ini Virus (W32.Fujacks.E)

By: w32/fujack.ini

w32/fujack.ini — Mon, 10 Nov 2008 14:42:13 +0000

Hi i am getting this type virus can u help me out pls

By: Nilpo

Nilpo — Fri, 05 Sep 2008 08:09:00 +0000

There are several other variants of this virus. Their startup entries may be found under either or both of the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The entry may look like any of the following:

“svohost” = “FuckJacks.exe”
“Fuckjacks” = “FuckJacks.exe”
“svcshare”=”spoclsv.exe”
“logo1_.exe”=”C:\WINDOWS\logo_1.exe”
“ati3evx.exe” = “C:\WINDOWS\ati3evx.exe”
“svohost” = “C:\WINDOWS\system32\FuckJacks.exe”
“System Boot Check” = “%System%\sysload3.exe”
“svchost” = “%Windir%\svchost.exe”
“EXPLORER” = “C:\Program Files\Common Files\System\wab32res.exe…”

In addition to the information found in this article, you should also look for and delete the following registry key, if it exists:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasautol

You should also look for and delete the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{21LYYSYS-9421-2126-L2Y1-L2Y1Y1S3Y1S4}\”StubPath” = “%System%\[RANDOM].exe”

By: Prakash

Prakash — Fri, 05 Sep 2008 06:29:07 +0000

Hi,

After trying to remove Desktop_.ini as per given instruction by you,,, virus could not remove permanantly.

“svcshare”=”%System%\Drivers\spoclsv.exe”

This value could not found in registry. What is next solution for removing Desktop_.ini virus.

Prakash

By: Suresh

Suresh — Mon, 28 Jan 2008 06:39:35 +0000

Hi,
this virus had been troubling me for a while. I used Kaspersky AV which could detect this virus, and it says that it did disinfect the system. But, am not sure if that really happened. Because, i still see the Desktop_.ini’ files in every folder on the system. Whenever i delete a folder, i see a message which says that the folder contains this Desktop_.ini file. Over the LAN in my college, my friends who are running a different AV can still detect a virus. Please help me.

I did go to registry to delete the above suggested file. But, i didn’t find that file there.

Suggested file was “svcshare”=”%System%\Drivers\spoclsv.exe”

By: Seemit

Seemit — Tue, 22 Jan 2008 10:48:34 +0000

Well, i am not sure how many variants are there for this one. But this one is spreading through Bluetooth phones a lot these days. Bluetooth enabled phones are jacked n pushed with this one. When the phone is attached to machine, the Autorun feature asks for the default thing to run “Setup.exe” and most of the users hit OK.. there u go!!
Now, this one also disables Bluetooth on your machine, yeap u cant add or see devices. second, all your hidden files cant be seen now, even if you check “show hidden files” in folder options (it disables it again). Spoclsv is the culprit.. so find n delete it from registry (everywhere) and then restart machine.. do an attrib -s -h -r (that order) for all the files with dektop_* and spoclsv.* and note down paths.. shift+delete them.

(i did all this) but have not been able to turn on my bluetooth or see my hidden files.. it still is there somewhere..
u guys may be thinkin .. why the hell i dont get an AV.. well I dont have n dont want to buy.. n damn i have Vista!

Now the question, If I have Task Manager on and then do a “Show hidden/system files” and hit apply/ok, I see some task coming in, run for a while and disappear again (rightfullly so) and task is shell32 ( if i rem it correctly).. but the task does a Show n then a DONT SHOW on hidden/system files.. any takes on that ( dont suggest me AV).. i wanna do what AVs would do (try to do).