#1
C:\WINDOWS background image
Hello,
After removing the worms Win32:VB-FHP and Win32:Sohara-T on my PC and then looking around at some folders, a repeated image is pasted as the background of the C:\WINDOWS folder. Because I did not check the content of the C:\WINDOWS folder before the infection, is the worm persisting, or does this image have nothing to do with the worm?
Although the HiJack, Keylogger, and anti-virus scan results are back to normal after the infection, I still have second thoughts. Do I need to format?
cheers,
asptips
#2
The ability to add wallpapers to folders in Windows XP was removed, but not entirely.
You can still do this via the desktop.ini file located in any system folder. Just as you can add them, they may also be removed.
Open the following file in any text editor. It is set to both hidden and system.
C:\Windows\desktop.ini
Now remove the lines similar to the following:
Code:
[ExtShellFolderViews]
{BE098140-A513-11D0-A3A4-00C04FD706EC}={BE098140-A513-11D0-A3A4-00C04FD706EC}
[{BE098140-A513-11D0-A3A4-00C04FD706EC}]
IconArea_Image=C:\My Folder Background.jpg
Since JPG files can be used to transfer viruses, the possibility exists, however unlikely. Still, be sure to run a full AV scan after removing the image, just in case.
#3
|
|||
|
|||
|
Hi Nilpo,
This is the content of desktop.ini:
Quote:
Because the WinXP.ini is not an image file, I replaced the extension with .JPG and indeed, it was the background image. I know nothing about these INI files, so I will do a full system scan. Thanks!
Furthermore, the image was an anime character, Kenshin (Samurai X).
cheers,
asptips
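Added example, not part of the original thread: a Python check that parses desktop.ini text, reports every IconArea_Image folder-background entry like the one shown in post #2, and flags a target whose extension is not an image type, as with the file described in post #3. The function names, the extension list, and the second sample (including its C:\Example\NotAnImage.ini path) are constructed for illustration.

```python
import ntpath

# Extensions a folder background would normally carry (assumed list, adjust as needed).
IMAGE_EXTS = {".jpg", ".jpeg", ".bmp", ".gif", ".png"}

# The entries quoted in the thread.
PAGE_SAMPLE = r"""[ExtShellFolderViews]
{BE098140-A513-11D0-A3A4-00C04FD706EC}={BE098140-A513-11D0-A3A4-00C04FD706EC}
[{BE098140-A513-11D0-A3A4-00C04FD706EC}]
IconArea_Image=C:\My Folder Background.jpg
"""

# Constructed sample: same view, but the "image" carries a non-image extension.
CONSTRUCTED_SAMPLE = r"""[extshellfolderviews]
{be098140-a513-11d0-a3a4-00c04fd706ec}={be098140-a513-11d0-a3a4-00c04fd706ec}
[{be098140-a513-11d0-a3a4-00c04fd706ec}]
iconarea_image=C:\Example\NotAnImage.ini
"""

def parse_ini(text):
    """Minimal INI parser; section and key names are upper-cased (INI is case-insensitive)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().upper(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().upper()] = value.strip()
    return sections

def audit_folder_background(text):
    """Report every IconArea_Image entry and whether its target looks like an image."""
    ini = parse_ini(text)
    views = ini.get("EXTSHELLFOLDERVIEWS", {})
    findings = []
    for section, keys in ini.items():
        image = keys.get("ICONAREA_IMAGE")
        if image is not None:
            ext = ntpath.splitext(image)[1].lower()
            findings.append({"section": section, "image": image,
                             "registered_view": section in views,
                             "image_extension": ext in IMAGE_EXTS})
    return findings

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        for finding in audit_folder_background(sample):
            print(finding)
```

To check a real folder, pass in the decoded contents of its desktop.ini; an entry with `image_extension` set to False is worth inspecting before the referenced file is deleted.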
#4
|
||||
|
|
||||
|
Please post the contents of c:\windows\system32\WindXP.ini
#5
|
||||
|
|
||||
|
|
|
#6
|
||||
|
|
||||
|
Deleting the file alone will not remove this infection. It also creates a series of registry entries and edits other system files.
I will create a WSH script for you that will remove it. Will post back.
#7
|
|||
|
|||
|
Quote:
Hi Nilpo,
The moment you made the first reply, I deleted the WinXP.INI afterwards. Am I at a loss now? However, I did check the content and, if I can remember, it had special characters and numbers in it, and the first word in the line was either GIF or GIF32, sort of.
I appreciate your help and cannot wait until Kenshin gets sliced by your sword, Nilpo!
cheers,
asptips
#8
|
||||
|
|
||||
|
Quote:
#9
|
||||
|
|
||||
|
Just an update. This requires a lot of registry editing. This is quickly becoming a massive script.
In any case, I'm working on it and will post as soon as it's ready.