PC Technician - GAC_32 desktop.ini trojan - removal
GAC_32/Desktop.ini infection - removal
If your virus scanner reports a problem with files located at \windows\assembly\GAC_32\Desktop.ini or \windows\assembly\GAC_64\Desktop.ini, you probably have the "Backdoor.win64.ZAccess.bs" trojan (or some variation on this name). This trojan manifests itself by redirecting web pages to unwanted advertisers.
The first problem with the trojan is its location. If you try to open the directory "\windows\assembly" in Windows Explorer you will see something similar to the screen shot below:
This folder contains the "global assembly cache" or GAC. Look at the entries - where the hell are the folders GAC_32 and GAC_64? What's going on? Now start the command prompt (Start > All Programs > Accessories > Command Prompt), navigate to the directory by typing cd \windows\assembly and then type dir. You should see the screen shot shown below:
Now you can see the two directories GAC_32 and GAC_64 (note: on Windows XP you will only see the one directory, GAC_32). Note: on my computer the Windows directory is called windowxp. Now descend into either GAC directory and type the following command
and you should see the desktop.ini entry. This is a hidden file. It cannot be deleted even if you first clear its attributes with the attrib command:
attrib -h -r -s desktop.ini
and then try to delete it with the command
You will get an "access denied" message. I tried to do this in safe mode and still could not delete the file. I think if you use some backdoor method to access the file - booting from a rescue disk such as the AVG Rescue disk, for example - you may be able to delete it, but when you restart Windows the files will appear again. I would love to see the code that's in the file (it is about 5k bytes long) just to find out what these trojans actually do.
The reason the file(s) reappear is that the system file "windows\system32\services.exe" has been infected. You cannot simply delete this file, as your computer will not boot without it. If you can delete the desktop.ini file(s) via the backdoor entry, then you may want to try replacing the suspect services.exe with a clean copy using the following command (from the command prompt window):
sfc /scanfile=c:\windows\system32\services.exe (this option is not available in Windows XP)
If this is successful, reboot using the backdoor entry and delete the desktop.ini file(s) in the GAC_32 and GAC_64 directories. Remember, Windows XP will only have the GAC_32 directory.
If this manual removal didn't work for you, you can try another method, which I used and which worked for me. Go to the Kaspersky web site and get this download; it's free. Click on the download button that works for you. I selected the English version 11. When I ran this program I missed some messages that flashed by, but be persistent and follow the instructions. I think after it ran the program automatically uninstalled itself, but the trojan was removed. You can tell whether this worked: after you reboot, the desktop.ini file(s) are gone and your browser works without any redirections to unwanted (advertisers') web sites.
Some additional notes:
The "sfc" command described above is the "system file checker", and it appears to be a useful tool (one that I wasn't aware of until now). It checks protected Windows system files against known-good copies and can repair them. It can be used with the following switches:
/scannow - which instructs sfc to scan ALL protected system files and repair if necessary.
/verifyonly - instructs the sfc command to do the same thing as /scannow but without repairing.
/scanfile=file - instructs sfc to scan and repair the specified file.
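The checks described above, gathered into one read-only PowerShell script. This is an added example and not part of the original post: it looks for the hidden desktop.ini in GAC_32 and GAC_64, records the size and attributes the post mentions, and reports the hash and signature status of services.exe so it can be compared with a clean copy of the same Windows build. It assumes the standard %SystemRoot% location; adjust $winDir if your Windows directory has another name (the post's machine used "windowxp").

```powershell
# Added example (not from the original post): read-only check for the indicators described above.
# Assumption: Windows lives in %SystemRoot%; change $winDir if yours is named differently.
$winDir = $env:SystemRoot

function Get-Sha256 {
    param([string]$Path)
    # .NET hashing so this also works on the PowerShell 2.0 shipped with XP/7 (no Get-FileHash there)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

# 1. A hidden+system desktop.ini inside GAC_32 / GAC_64 is the symptom the post describes.
#    -Force makes Get-Item return hidden/system files that Explorer and a plain "dir" omit.
foreach ($sub in 'GAC_32', 'GAC_64') {
    $ini = Join-Path $winDir "assembly\$sub\desktop.ini"
    if (Test-Path -LiteralPath $ini) {
        $item = Get-Item -LiteralPath $ini -Force
        # The post reports the malicious file at roughly 5 KB; a genuine desktop.ini is a few lines of text.
        $flag = if ($item.Length -gt 1KB) { 'SUSPICIOUS' } else { 'small, likely benign' }
        '{0}: {1} bytes, attributes [{2}] -> {3}' -f $ini, $item.Length, $item.Attributes, $flag
    } else {
        "$ini not present"
    }
}

# 2. The post says services.exe is the file that recreates desktop.ini. Record its hash and
#    signature status for comparison with a clean copy of the same Windows build
#    (that comparison against the protected-file store is what "sfc /scanfile" automates).
$svc = Join-Path $winDir 'System32\services.exe'
$sig = Get-AuthenticodeSignature -FilePath $svc
'{0}: SHA-256 {1}' -f $svc, (Get-Sha256 $svc)
'{0}: signature status {1}' -f $svc, $sig.Status
# Caveat: on older PowerShell versions catalog-signed system files report NotSigned even when
# clean, so the hash comparison, not this status alone, is the deciding check.
if ($sig.Status -eq 'HashMismatch') {
    Write-Warning "services.exe has been modified; run sfc /scanfile=$svc (not available on XP)"
}
```

Run it from an elevated PowerShell prompt; nothing is deleted or changed, it only reports what it finds.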