Desktop.ini hidden file attribute
I was recently faced with this confusing situation after doing some recent spyware & virus cleanup...
- Two notepad windows would open at startup with desktop.ini files
- ALL of the deskop.ini files on the entire computer were NOT hidden
- The Hidden checkbox on the file properties was unavailable (greyed out)
You can fix the notepad startup problem by simply deleting the desktop.ini files that have landed in the startup directories.
http://support.microsoft.com/?id=330132
The hidden attribute in the file properities is greyed out because desktop.ini is a "system" file.
So, you need to remove the system file attribute, then add the hidden file attribute. Here's what to do:
- Open a command prompt (Start -> Run - "cmd")
- Switch to the root of your C drive (cd c:\)
- type "attrib -s -h desktop.ini /s"
this removes the "system" attribute (-s) and the "hidden" attribute (-h) and does that to all desktop.ini files it finds in all subdirectories (/s)
the hidden attribute is removed to avoid any error messages - we're going to add that attribute back to ALL files next. - now to make all those files hidden, type "attrib +s +h desktop.ini /s"
This essentially restores the file attributes for all desktop.ini file to what they should be.
posted by Scott Snowden @ 2:18 PM
2 comments
links to this post
2 Comments:
Be very careful about the desktop.ini files.
If the file is actually named _desktop.ini then this is the result of a virus infection.
W32/HLLP.Philis.ini is the detection for the "_desktop.ini" files created by variants of W32/HLLP.Philis virus. These are created as a hidden system files and contain the date on which virus was executed to visit the folder in which the file resides.
Characteristics
W32/HLLP.Philis.ini is the detection for the "_desktop.ini" files created by variants of W32/HLLP.Philis virus.
W32/HLLP.Philis is a file infecting virus that prepends its code to executable files. More information about one of its variants is availavle at the following link:
http://vil.nai.com/vil/content/v_140647.htm
Variants of The W32/HLLP.Philis virus create this file with the name "_desktop.ini" in every folder that they visit while looking for executable files to infect. This is created as a hidden system file and contains the date on which virus was executed to visit the folder in which the file resides. The date is shown in yyyy/mm/dd format.
Variants of W32/HLLP.Philis virus also spread via network shares. If the virus is able to access a shared resource, it first copies W32/HLLP.Philis.ini to the root of the share to mark the share as visited by the virus and then infects executables present in the share. So, in the case of a shared printer, the viruses' infection routine effectively creates printer job to print the date as contained in W32/HLLP.Philis.ini that the virus tries to copy.
Symptoms
Presence of hidden system files named "_desktop.ini" in many folders.
Method of Infection
This detection is for the "_desktop.ini" files created by variants of W32/HLLP.Philis virus. These files do not infect/replicate on their own.
More information about one of the variants of W32/HLLP.Philis virus is availavle at:
http://vil.nai.com/vil/content/v_140647.htm
Removal
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
Variants
Variants
N/A
All Information
Overview -
W32/HLLP.Philis.ini is the detection for the "_desktop.ini" files created by variants of W32/HLLP.Philis virus. These are created as a hidden system files and contain the date on which virus was executed to visit the folder in which the file resides.
Characteristics
Characteristics -
W32/HLLP.Philis.ini is the detection for the "_desktop.ini" files created by variants of W32/HLLP.Philis virus.
W32/HLLP.Philis is a file infecting virus that prepends its code to executable files. More information about one of its variants is availavle at the following link:
http://vil.nai.com/vil/content/v_140647.htm
Variants of The W32/HLLP.Philis virus create this file with the name "_desktop.ini" in every folder that they visit while looking for executable files to infect. This is created as a hidden system file and contains the date on which virus was executed to visit the folder in which the file resides. The date is shown in yyyy/mm/dd format.
Variants of W32/HLLP.Philis virus also spread via network shares. If the virus is able to access a shared resource, it first copies W32/HLLP.Philis.ini to the root of the share to mark the share as visited by the virus and then infects executables present in the share. So, in the case of a shared printer, the viruses' infection routine effectively creates printer job to print the date as contained in W32/HLLP.Philis.ini that the virus tries to copy.
Symptoms
Symptoms -
Presence of hidden system files named "_desktop.ini" in many folders.
Method of Infection
Method of Infection -
This detection is for the "_desktop.ini" files created by variants of W32/HLLP.Philis virus. These files do not infect/replicate on their own.
More information about one of the variants of W32/HLLP.Philis virus is availavle at:
http://vil.nai.com/vil/content/v_140647.htm
Removal -
Removal -
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
Post a Comment
Links to this post:
Create a Link
<< Home