This one cropped up today on a user's home machine. Windows 7 wasn't patched… at all. Malwarebytes and Avast found a bunch of stuff, but the Trojan horse Patched_c.LYT was a rotten one. Even Kaspersky's TDSSKiller and Combofix could not rid the machine of it.
When we tried all the suggestions on Google we just couldn't get permission to access the GAC directory (BTW: GAC stands for Global Assembly Cache). Older versions of Windows would allow browsing of the GAC from Explorer, but Windows 7 has something called the Assembly Cache Viewer installed into Explorer by default. Nice if you are a programmer, not so nice if you are hunting down desktop.ini.
Enough background… how do I delete desktop.ini already!?!
Ok… ok… don’t get your bind in a panties!
There are three ways of getting to the file, but each will take a bit of work on your part. I’ll start with the solution I used: BartPE.
I had an old copy of BartPE built on a Dell 170 (Windows XP) and I wasn’t sure if a Dell 790 (Windows 7) would boot from that CD. It did! And that is the key, you have to boot from somewhere other than the actual installation of Windows 7 you are using. Once you get access to the directory structure you are home free.
Now simply navigate to c:\windows\assembly\GAC\ and delete desktop.ini. One caveat: I was using a CMD shell, so I had to ERASE /A:HS desktop.ini since it is a hidden system file and a plain ERASE skips those. In the BartPE Explorer window YMMV.
The other two methods of getting to the file:
-Download and burn Hiren's BootCD and boot the problem machine from that. Everything else remains the same.
-Remove the hard drive from the machine and attach it to a second machine and navigate to the GAC.
I prefer BartPE simply because I am used to using it.
If you can, first run all the malware, rootkit, and antivirus programs you have available to clean the system as much as possible. If all goes well, the last thing to take care of is the desktop.ini file.
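Here is the offline cleanup step from above written out as a small CMD batch script. It is an added example, not something from the original post, and it assumes you are running it from the boot CD's command prompt (BartPE or Hiren's) with the offline Windows 7 volume's drive letter passed as the first argument (C: in the post). The script checks it is looking at the right volume, records which hidden/system entries are in the GAC before and after, clears the attributes so the delete cannot be silently skipped, and refuses to report success until the file is actually gone.

```batch
@echo off
REM Added example, not from the original post. Run from the offline boot
REM environment, never from the infected Windows 7 install itself.
REM %1 = drive letter of the offline Windows volume (assumption: e.g. C:)
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<drive^>    e.g.  %~nx0 C:
    exit /b 2
)
set "GACDIR=%~1\Windows\assembly\GAC"
set "TARGET=%GACDIR%\desktop.ini"

REM 1. Sanity check: make sure the path is on the offline volume, not the CD.
if not exist "%GACDIR%\" (
    echo %GACDIR% not found - wrong drive letter?
    exit /b 1
)

REM 2. Record what is there before touching anything. A plain "dir" hides
REM    hidden/system entries, which is exactly what we are looking for.
echo === Hidden+system entries under %GACDIR% (before) ===
dir /a:hs /b "%GACDIR%"
if exist "%TARGET%" attrib "%TARGET%"

REM 3. Remove the file the post identifies. Clearing R/H/S first means DEL
REM    will not skip it; /f forces read-only, /q suppresses the prompt.
if exist "%TARGET%" (
    attrib -r -h -s "%TARGET%"
    del /f /q "%TARGET%"
) else (
    echo No desktop.ini present in %GACDIR%
)

REM 4. Verify the result rather than trusting DEL's silence.
if exist "%TARGET%" (
    echo FAILED: %TARGET% is still present
    exit /b 1
)
echo === Hidden+system entries under %GACDIR% (after) ===
dir /a:hs /b "%GACDIR%"
echo Done.
endlocal
exit /b 0
```

Save it as something like gacclean.cmd on the boot media and run `gacclean.cmd C:` once you have confirmed which letter the offline Windows volume got. Keep the "before" listing; if the file comes back after you reboot into Windows 7, that is your signal the rest of the infection is still live and needs another pass with the scanners first.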