anithanya

asked on

newbie: folder.htt and desktop.ini

I am a newbie; I don't know about this.

I have two files appearing on my computer: desktop.ini and folder.htt. I heard they are a virus. How do I remove them?
Synux

I think what you are seeing are the "hidden" files that Windows usually doesn't display.  The reason you are seeing them now is because you went into the View - Folder Options and unchecked the option to hide hidden and system files from view.  You can turn that back on if you want and it should get rid of the files.  By that I mean they are still there just as they always have been but you will not see them anymore.
ASKER CERTIFIED SOLUTION
BillDL
anithanya (ASKER)

My virus scan has identified it as infected. What should I do?
If they are infected they must be repaired or deleted.  Those are your only choices.  If you delete them you may be able to restore them from another PC (same OS) or backup (unlikely that you would have one of those particular files).  This can be a sticky subject because if they are deleted and the restore process is unsuccessful then you will have to reinstall and all of this puts your data at risk so first of all back up your data then clean the files.  If they aren't cleanable then delete and try to restore as indicated above.  Often too, Windows will recreate necessary files upon restart.  I honestly don't know how it will treat these but a reboot after deleting may be of help.  Best of luck to you.
The trouble with this virus is that if you just delete them manually, it will come back. Hence since it is a virus, use the virus cleaner to remove the virus. Good Luck.
This is all assuming that you HAVE a virus, anithanya.

There are a lot of hoaxes that fly around the Internet and are passed on unwittingly by those with an intermediate knowledge of computing.  One such hoax is to delete the file SULFNBK.EXE in your C:\Windows\Command folder.  If you do a file search for it, you will see that it has a strange icon that would make somebody new to computing suspect that it was a rogue file.  It ISN'T - it's a system file that helps DOS use long filenames.

Another hoax is the suggestion to delete the file C:\Windows\SETDEBUG.EXE.  Again, this file has a weird little Teddy Bear icon that would make an unsuspecting person think that it was out of place.  It is a system file that helps with "Debugging" scripts.  ie. tracing and reporting errors in command lines on your system.

You should have a look at this site first whenever you receive suggestions like this:

http://urbanlegends.about.com/library/blxatoz2.htm?once=true&  Interesting reading, but look specifically in

http://urbanlegends.about.com/cs/virushoaxes1/     and
http://urbanlegends.about.com/cs/webhoaxes/

Assuming that you HAVE a virus, you would normally follow the recommendation of your AntiVirus software and, when it says that something CAN'T be repaired, then their website will give full details of what to do about it.  Sometimes, this may be a bit advanced for your "newbie" skills or knowledge, so it would be advisable to have somebody do it who knows what they are talking about.

If you were to start messing with folder.htt, then my suggestion would be first to boot to a Windows 98 boot floppy, do a "Show folders and files" command with the option that lets you see hidden files, rename folder.htt to something like "folder.old" and then boot normally to see if the file is recreated by Windows.  The DOS Commands would be (depending on which folder.htt you are aiming for; here it is C:\Windows\System\folder.htt):

CD  \
CD  Windows
CD  System
DIR  /ah  /p  /b
REN  folder.htt  folder.old

It is a system file with "hidden" attributes which might have to be removed before you would be allowed to do this:

ATTRIB  -h -s  C:\Windows\System\folder.htt
REN  folder.htt  folder.old

Let us know whether you actually have a virus, or whether this only came about through some general information from a bedroom computer technician interested in your welfare  :-)
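Before renaming anything as BillDL describes, it helps to know which folder.htt and desktop.ini copies exist and which of them actually carry script. The following Python script is an added illustration for this thread, not BillDL's DOS procedure and not anything from the Symantec write-up: it walks a directory tree, records size and SHA-1 of every folder.htt and desktop.ini it finds, and flags folder.htt files that contain VBScript, encoded VBScript or FileSystemObject calls. Those three heuristics are assumptions drawn from the thread's description of the infector (a VBScript that writes copies of itself), not a vendor signature, and the sample tree is constructed inline so the script runs offline.

```python
"""Inventory every folder.htt and desktop.ini under a directory tree and flag
folder.htt copies that carry VBScript.  Added illustration for this thread
(not BillDL's DOS procedure); it reads files and reports, it renames nothing."""
import hashlib
import os
import re
import tempfile

# Constructed heuristics: the thread describes the infector as a VBScript that
# writes copies of itself, so a folder.htt holding VBScript, encoded VBScript,
# or FileSystemObject calls deserves a closer look.  Not a vendor signature;
# a legitimate customised web view can trip it, so treat hits as review items.
SUSPECT_PATTERNS = {
    "vbscript-block": re.compile(r'language\s*=\s*"?VBScript', re.I),
    "encoded-vbscript": re.compile(r"VBScript\.Encode", re.I),
    "filesystemobject": re.compile(r"Scripting\.FileSystemObject", re.I),
}
TARGET_NAMES = {"folder.htt", "desktop.ini"}


def classify_htt(text):
    """Return the names of the heuristics that match a folder.htt body."""
    return [name for name, pat in SUSPECT_PATTERNS.items() if pat.search(text)]


def inventory(root):
    """Walk root; map each folder.htt / desktop.ini (relative path, '/'-joined)
    to its size, SHA-1 and, for folder.htt, the heuristics it matches."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TARGET_NAMES:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            suspect = classify_htt(data.decode("latin-1")) if name.lower() == "folder.htt" else []
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            report[rel] = {"size": len(data), "sha1": hashlib.sha1(data).hexdigest(), "suspect": suspect}
    return report


def suspect_paths(root):
    """Relative paths of folder.htt files that matched at least one heuristic."""
    return sorted(p for p, e in inventory(root).items() if e["suspect"])


# Constructed sample tree (assumption: a benign web-view template uses only
# JScript for its preview pane; the second file carries VBScript that opens
# FileSystemObject, the behaviour the thread attributes to the infector).
BENIGN_HTT = '<html><head><script language="JavaScript">function Init() {}</script></head></html>'
SUSPECT_HTT = ('<html><script language="VBScript">\n'
               'Set fso = CreateObject("Scripting.FileSystemObject")\n'
               "</script></html>")
DESKTOP_INI = "[.ShellClassInfo]\nPersistMoniker=file://folder.htt\n"


def build_sample_tree():
    """Create a temporary tree with one benign and one suspect folder.htt."""
    root = tempfile.mkdtemp(prefix="htt_demo_")
    os.makedirs(os.path.join(root, "Windows", "Web"))
    os.makedirs(os.path.join(root, "Docs"))
    samples = {("Windows", "Web", "folder.htt"): BENIGN_HTT,
               ("Docs", "folder.htt"): SUSPECT_HTT,
               ("Docs", "desktop.ini"): DESKTOP_INI}
    for parts, body in samples.items():
        with open(os.path.join(root, *parts), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, e in sorted(inventory(root).items()):
        flag = ", ".join(e["suspect"]) or "-"
        print(f"{path:25} {e['size']:4d} bytes  sha1={e['sha1'][:12]}  suspect={flag}")
```

Point `inventory()` at a real drive root instead of the sample tree to get the same table for a live machine; the SHA-1 column lets you compare a flagged copy against a known-clean one from another PC with the same Windows version, which is what BillDL's restore step relies on.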
Does your Anti Virus give the option to attempt to repair the infected files?
Those files are not viruses but part of your file system. You need them for your operating system to function correctly.
Simply leave them as they are and don't edit or delete them.
I am sure by now you are getting confused by some of the posts so I ask that you please take a moment to verify for yourself (and us) what I think you already stated before and that is that you have a good antivirus package that has detected that the files in question are infected.  Please note fellow posters that a file can become infected and that does not mean that the file itself is a virus but rather that it is infected with one.  Assuming the files are indeed infected then clean if you can delete if you must.
Synux, you are quite right, it does end up with some apparently conflicting advice here.

Sorry, folks.  It looks like I didn't "reload" the question while waiting for confirmation of whether there WAS a virus detected.
It would also appear that freshair forgot to do so :-)

Anithanya.

What is the name of the Virus that has been detected?

Does it name those 2 files as being infected, or has somebody just suggested that they could be infected when you have a virus?
Thank you for accepting my comment, anithanya, but I am curious to know more about what virus this is so that we may offer additional advice.

Have you resolved the issue?
Kindly note that the above both files are W32. Redolf virus which can be cleaned using symantec or mcafee virus removal tools available for download from the net.

And for your information, it can be deleted, but if your system is on a large network, the chances are they may reappear. So the best option is to clean them using a virus removal tool.

rrkamath.  How are you sure that this refers to the W32.Redolph virus without any feedback to my question asking what virus it was?

As you will no doubt be aware, there are a number of viruses that can affect these 2 files, such as "VBS.Terrosist":

http://securityresponse.symantec.com/avcenter/venc/data/vbs.terrosist.html

This page explains how and why the virus writers do it:

http://www.astalavista.com/library/os/windows/folders.shtml
It is a redlof variant and it must be removed immediately coz it will create havoc by copying desktop.ini and folder.htt into all the folders that exist in the system and makes the system very slow. Remove the virus using virus scanners like NAV or Bitdefender in SAFE MODE. And manually remove the registry entries:
Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified.

Click Start, and click Run. The Run dialog box appears.
Type regedit and then click OK. The Registry Editor opens.
Navigate to the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value

Kernel32

Navigate to the key

HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\[Outlook Version].0\Mail

In the right pane, delete the values

Compose Use Stationery
Stationery Name
Wide Stationery Name

Navigate to the key

HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail

In the right pane, delete the value

EditorPreference

Navigate to and delete these subkeys:

HKEY_CLASSES_ROOT\dllFile\Shell
HKEY_CLASSES_ROOT\dllFile\ShellEx
HKEY_CLASSES_ROOT\dllFile\ScriptEngine
HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode

Exit the Registry Editor.

Then reboot normally.
VBS.Terrosist is a Visual Basic (VB) Script virus that infects HTML files. It targets files that have the extensions .htt, .htm, .html, .asp, .php, or .jspin.

TECHNICAL DETAILS

When VBS.Terrosist is executed, it does the following:


Copies itself as:
%WinDir%\System\Blank.htm
%WinDir%\Web\Folder.htt
%WinDir%\System32\Folder.htt
%WinDir%\Folder.htt

NOTE: If any files with these names already exist, VBS.Terrosist will infect the existing file or files.


Modifies the files:
%WinDir%\Web\Webview.css
%WinDir%\Web\Desktop.ini
%WinDir%\System32\Desktop.ini
%WinDir%\Desktop.ini

so that the file, Folder.htt, which is a copy of the virus, is executed when that particular folder is viewed in Explorer.


Searches for and infects the files that are in the local directory and have the extensions .htt, .htm, .html, .asp, .php, or .jspin.


On the 30th of April, June, August, October, and December of every year, VBS.Terrosist will rename the Win.ini and System.ini files to Won.chk and System.chk, respectively.

RECOMMENDATIONS

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.


The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


Update the virus definitions.
Run a full system scan and delete all the files detected as VBS.Terrosist. Replace the infected files from a clean backup, if required.

The renamed files should have their original filenames restored. If your system's registered owner is "Indonesian Today," then delete the affected registry values.

For specific details on each of these steps, read the following instructions.

1. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

2. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan All Files."
Run a full system scan.
If any files are detected as infected with VBS.Terrosist, click Delete. Replace the infected files from a clean backup, if required.
If the virus renamed Win.ini and System.ini, use Windows Explorer to rename Won.chk to Win.ini and System.chk to System.ini.
If your system's registered owner is "Indonesian Today," then delete the affected registry values.
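The registry steps in the post above tell you what to delete but not how to confirm the entries are there first. The following Python script is an added example, not from this thread and not from Symantec: it parses the text of a Registry export (what `regedit` produces via File, Export) and reports only the values and subkeys the post names, the `Kernel32` value under the `Run` key, the Outlook Express stationery values under any identity, the Office 9.0 `EditorPreference` value and the four `dllFile` subkeys. It changes nothing. The export embedded in it is constructed, with placeholders where the thread gives no value data. One caveat a practitioner should keep in mind: stationery is a legitimate Outlook Express feature, so hits on those values are review items that need the other indicators alongside them, not proof on their own.

```python
"""Triage a Registry export (.reg text) for the values and subkeys named in the
removal steps above.  Added example, not from this thread or from Symantec; it
only reports, so it is a way to confirm a detection before touching regedit."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)\s*=\s*(.*)$')


def parse_reg(text):
    """Parse .reg text into {key path (lower-cased): {value name: raw data}}.
    A key with no values still appears, because subkey existence is an indicator."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1) or "@"] = m.group(2)
    return keys


# Indicators transcribed from the removal steps in the thread.  Each entry is
# (regex over the full key path, value names to look for); an empty list means
# the mere presence of the key is the finding.  [Default User ID] and the
# Outlook Express version are wildcards.
CHECKS = [
    (r"^hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run$",
     ["kernel32"]),
    (r"^hkey_current_user\\identities\\[^\\]+\\software\\microsoft\\outlook express\\\d+\.0\\mail$",
     ["compose use stationery", "stationery name", "wide stationery name"]),
    (r"^hkey_current_user\\software\\microsoft\\office\\9\.0\\outlook\\options\\mail$",
     ["editorpreference"]),
] + [(r"^hkey_classes_root\\dllfile\\" + sub + "$", [])
     for sub in ("shell", "shellex", "scriptengine", "scripthostencode")]


def triage(keys):
    """Return sorted (key, value name or None) findings for the indicators above."""
    findings = []
    for pattern, wanted in CHECKS:
        rx = re.compile(pattern, re.I)
        for key, values in keys.items():
            if not rx.match(key):
                continue
            if not wanted:
                findings.append((key, None))  # subkey present: that alone is the finding
            findings.extend((key, name) for name in values if name.lower() in wanted)
    return sorted(findings, key=lambda f: (f[0], f[1] or ""))


# Constructed export: one Run value named Kernel32 (its data is a placeholder,
# the thread gives none), stationery values under an Outlook Express identity,
# and the dllFile\ScriptEngine subkey.  ScanRegistry is a normal Windows 98 entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Kernel32"="<placeholder: thread gives no value data>"

[HKEY_CURRENT_USER\Identities\{DEMO-IDENTITY}\Software\Microsoft\Outlook Express\5.0\Mail]
"Compose Use Stationery"=dword:00000001
"Stationery Name"="<placeholder: stationery file>"

[HKEY_CLASSES_ROOT\dllFile]
@="Application Extension"

[HKEY_CLASSES_ROOT\dllFile\ScriptEngine]
@="VBScript"
"""


if __name__ == "__main__":
    for key, name in triage(parse_reg(SAMPLE_REG)):
        print(f"{key}  ->  {name if name else '(subkey present)'}")
```

To run it against a real machine, export `HKEY_LOCAL_MACHINE`, `HKEY_CURRENT_USER` and `HKEY_CLASSES_ROOT` from regedit and pass the file contents to `parse_reg()`; an empty result from `triage()` means none of the listed indicators is present, which is the feedback this thread kept asking for before anyone deletes anything.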



kuldeep_bhayana

Your post is very informative, and seems to have been copied and pasted from the link I provided to the Symantec site earlier(http://securityresponse.symantec.com/avcenter/venc/data/vbs.terrosist.html).

The thing that has caused confusion here is that anithanya originally stated :

>>> "i have two files appearing in my computer: desktop.ini and folder.htt.  I HEARD they are virus". <<<

My response immediately after this was that they are normal system files, and that some advice that new users hear can be hoax information.  I did say, however, "DON'T tamper with these files unless a Virus Scan identifies them as being infected".

Unfortunately, freshair and I did not see the follow up comment from anithanya that confirmed from a virus scan the file(s) was/were infected, but didn't give the virus name.

Synux noticed the confusion and asked what virus had been identified, but unfortunately another expert jumped to an early conclusion by assuming that the virus was the W32.Redolph virus, and I followed on by stating that it COULD be any number of other viruses INCLUDING the VBS.Terrorist.

anithanya went ahead and accepted my comment too early, and we still do not know the name of the virus, or whether he/she has fixed the problem using the virus scan "repair" option suggested by Talamasca, or whether he/she booted to DOS and deleted the files after changing the attributes as I detailed earlier.

This is unfortunate, but no sense in posting any more comments in this question, which is now closed.

Bill
Hey, some of you here are confusing the guy!! Look, those files should be system files, BUT they might be infected with vbs.redolf.A or .B.
You can check one of these sites; they tell you what it does, and what you need to do to remove it:
http://softo.ukrainer.ru/article295.html
If you need further help you can post here again, I'll be around!
Enjoy your stay!
Mostafa Berg
Mostafa

This answer is now closed, and has been for quite some time now.  If you look at my last comment right above yours, it explains how the confusion arose.  Did you read it?

The problem with this kind of question is that there are too many people who do an immediate google search for the file name and come straight back with the name of the Virus mentioned in the first hit on google.

That's what aggravated me, i.e. all and sundry jumped to the conclusion that the files were infected by the "W32. Redolf" or "VBS.Terrorist" virus without feedback to confirm this.

With hindsight, Synux kept this question together and deserved the points.