Removing Desktop_.ini Virus (W32.Fujacks.E)
A reader recently submitted a question about removing a strange virus. Although the question is a bit vague, I believe the Windows Guru has the solution for removing the Desktop_.ini virus.
Please let me know how to get rid of Desktop_.ini virus.
Hello, Rakesh. Without properly identifying your virus, I’m left to do a bit of guessing. However, in your case, I believe I can make a fairly accurate guess. The only virus that I’m aware of that creates a file named Desktop_.ini is the W32.Fujacks.E worm.
Discovered in early 2007, W32.Fujacks.E is a worm that copies itself to the root of every partition and infects files of certain executable types found on the local computer. It also ends some security-related processes and services, leaving your machine vulnerable to a more malicious attack.
While we can end the worm process and remove it, you will need a proper AV solution to clean the infected files on your computer.
Since this virus targets many popular AV solutions, the first step in removal should be to reinstall your anti-virus program to ensure that it is working properly. Avoid rebooting during this process.
Next, you should disable system restore if it is enabled. Right-click My Computer and choose Properties… to open the System Properties dialog box. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives and click Apply. Then, click Yes to the confirmation message. You must be logged on as an administrator.
At this point, you should update your virus definitions and run a full system scan with your anti-virus program. Most AV programs should detect and clean this virus from infected files. If you are unable to do this for any reason, reboot your computer in Safe Mode and attempt it from there.
Finally, with the computer running in Normal mode, you can remove the registry entries created by the virus. Click Start and choose Run… to open the Run dialog box. Enter regedit and click OK. Navigate to the following sub-key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and delete the following value from the right pane:
“svcshare”=“%System%\Drivers\spoclsv.exe”
The Desktop_.ini (W32.Fujacks.E) virus should be successfully removed from your computer.
January 22nd, 2008 at 5:48 am
Well, i am not sure how many variants are there for this one. But this one is spreading through Bluetooth phones a lot these days. Bluetooth enabled phones are jacked n pushed with this one. When the phone is attached to machine, the Autorun feature asks for the default thing to run “Setup.exe” and most of the users hit OK.. there u go!!
Now, this one also disables Bluetooth on your machine, yeap u cant add or see devices. second, all your hidden files cant be seen now, even if you check “show hidden files” in folder options (it disables it again). Spoclsv is the culprit.. so find n delete it from registry (everywhere) and then restart machine.. do an attrib -s -h -r (that order) for all the files with desktop_* and spoclsv.* and note down paths.. shift+delete them.
(i did all this) but have not been able to turn on my bluetooth or see my hidden files.. it still is there somewhere..
u guys may be thinkin .. why the hell i dont get an AV.. well I dont have n dont want to buy.. n damn i have Vista!
Now the question, If I have Task Manager on and then do a “Show hidden/system files” and hit apply/ok, I see some task coming in, run for a while and disappear again (rightfully so) and task is shell32 ( if i rem it correctly).. but the task does a Show n then a DONT SHOW on hidden/system files.. any takes on that ( dont suggest me AV).. i wanna do what AVs would do (try to do).
January 28th, 2008 at 1:39 am
Hi,
This virus had been troubling me for a while. I used Kaspersky AV which could detect this virus, and it says that it did disinfect the system. But I am not sure if that really happened, because I still see the Desktop_.ini files in every folder on the system. Whenever I delete a folder, I see a message which says that the folder contains this Desktop_.ini file. Over the LAN in my college, my friends who are running a different AV can still detect a virus. Please help me.
I did go to the registry to delete the above suggested file. But I didn’t find that file there.
Suggested file was “svcshare”=“%System%\Drivers\spoclsv.exe”
September 5th, 2008 at 1:29 am
Hi,
After trying to remove Desktop_.ini as per the instructions given by you, the virus could not be removed permanently.
“svcshare”=“%System%\Drivers\spoclsv.exe”
This value could not be found in the registry. What is the next solution for removing the Desktop_.ini virus?
Prakash
September 5th, 2008 at 3:09 am
There are several other variants of this virus. Their startup entries may be found under either or both of the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
The entry may look like any of the following:
“svohost” = “FuckJacks.exe”
“Fuckjacks” = “FuckJacks.exe”
“svcshare” = “spoclsv.exe”
“logo1_.exe”=”C:\WINDOWS\logo_1.exe”
“ati3evx.exe” = “C:\WINDOWS\ati3evx.exe”
“svohost” = “C:\WINDOWS\system32\FuckJacks.exe”
“System Boot Check” = “%System%\sysload3.exe”
“svchost” = “%Windir%\svchost.exe”
“EXPLORER” = “C:\Program Files\Common Files\System\wab32res.exe…”
In addition to the information found in this article, you should also look for and delete the following registry key, if it exists:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasautol
You should also look for and delete the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{21LYYSYS-9421-2126-L2Y1-L2Y1Y1S3Y1S4}\”StubPath” = “%System%\[RANDOM].exe”
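The registry checks from the article and from the variant list above can be run in one pass instead of by hand in regedit. The following PowerShell script is an added example, not part of the original post or its comments; the function name Get-FujacksRunEntry is hypothetical, and the value names, file names and keys are the ones quoted on this page. It only reports matches and previews the deletion.

```powershell
# Added example: read-only audit of the Run keys for the entries quoted on this page.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Value names and file names copied from the entries listed on this page.
$badNames = 'svcshare', 'svohost', 'Fuckjacks', 'System Boot Check'
$badFiles = 'spoclsv.exe', 'FuckJacks.exe', 'logo_1.exe', 'ati3evx.exe',
            'sysload3.exe', 'wab32res.exe'
# Other keys the page says to look for.
$extraKeys = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasautol',
             'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{21LYYSYS-9421-2126-L2Y1-L2Y1Y1S3Y1S4}'

function Get-FujacksRunEntry {   # hypothetical helper name
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # Keep only the executable path: strip quotes and trailing arguments.
            $exe  = $data.Trim() -replace '^"?([^"]+?\.exe).*$', '$1'
            $leaf = ($exe -split '[\\/]')[-1]
            $reason = @()
            if ($badNames -contains $name) { $reason += 'value name' }
            if ($badFiles -contains $leaf) { $reason += 'file name' }
            # svchost.exe belongs in System32; a copy directly in %Windir% is the listed variant.
            if ($exe -eq (Join-Path $env:windir 'svchost.exe')) {
                $reason += 'svchost.exe outside System32'
            }
            if ($reason) {
                [pscustomobject]@{ Key = $keyPath; Name = $name; Data = $data
                                   Reason = $reason -join ', ' }
            }
        }
    }
}

$hits = @(Get-FujacksRunEntry)
$hits | Format-List
$extraKeys | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { "Present: $_" }

# Preview only: -WhatIf prints what would be deleted without changing the registry.
foreach ($h in $hits) {
    Remove-ItemProperty -LiteralPath $h.Key -Name $h.Name -WhatIf
}
```

An empty result means none of the listed startup entries are present; it does not show that the infected executables have been cleaned, which still needs the full AV scan described in the article.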
November 10th, 2008 at 9:42 am
Hi i am getting this type virus can u help me out pls