Re: [Full-Disclosure] found suspicious desktop.ini in startup folders
From: Micheal Espinola Jr (michealespinola_at_gmail.com)
Date: 08/24/04
- Previous message: Rodrigo Barbosa: "[Full-Disclosure] Re: Hafiye-1.0 Terminal Escape Sequence Injection Vulnerability"
- In reply to: Andrew: "Re: [Full-Disclosure] found suspicious desktop.ini in startup folders"
- Next in thread: Benjamin Piorczig: "Re: [Full-Disclosure] found suspicious desktop.ini in startup folders"
- Reply: Benjamin Piorczig: "Re: [Full-Disclosure] found suspicious desktop.ini in startup folders"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Full Disclosure <full-disclosure@lists.netsys.com>
Date: Tue, 24 Aug 2004 12:47:56 -0400
This typically contains information on directory view customizations,
but can also contain some CLSID trickery for special folders, like
Favorites.
On Tue, 24 Aug 2004 09:55:59 -0500, Andrew <aburns@premtech.com> wrote:
> I actually switched to an OS X PDC and had the same problem when
> establishing a user's initial login with a Windows XP workstation rather
> than a Windows 2k workstation.
> It was just a file XP put into the users' profile, and as the knowledge
> base said, just deleting it from the profile on your server should fix
> the problem. If I recall correctly the reason it shows up is the
> differences in how the desktop is handled in roaming profiles between
> WinXP and Win2k. The company I work for is very small, and so I'm not
> positive on the differences for win2k3
>
> Andrew
>
>
>
> On Aug 24, 2004, at 3:35 AM, Nick FitzGerald wrote:
>
> > BillyBobKnob wrote:
> >
> >> Does anyone know if this file is used in an exploit since it was
> >> found in
> >> startup folders ?
> >
> > Does it "come back" following a restart, or a logout/login cycle, after
> > you delete it??
> >
> >> The contents of the file are:
> >>
> >> [.ShellClassInfo]
> >> LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
> >
> > This KnowledgeBase article mentions precisely these file contents:
> >
> > http://support.microsoft.com/?id=330132
> >
> > but gives no indication of what may cause its appearance on your
> > system. The suggested "fix" is simply deletion...
> >
> >
> > Regards,
> >
> > Nick FitzGerald
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>
--
-Micheal
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
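
A triage check for the file discussed in this thread, as an added example that is not part of any poster's message: it parses a desktop.ini and separates display-only keys, such as the `LocalizedResourceName` line quoted above, from CLSID bindings. The key lists and the rule that a localized name must reference a DLL under `%SystemRoot%` are assumptions of this example.

```python
import re

# Keys in [.ShellClassInfo] that only change how a folder is displayed.
DISPLAY_KEYS = {"localizedresourcename", "iconfile", "iconindex",
                "iconresource", "infotip", "confirmfileop"}
# Keys that bind the folder to a shell COM class (the "CLSID trickery").
CLSID_KEYS = {"clsid", "clsid2", "uiclsid"}
# "@<path>.dll,-<id>": a string resource loaded from a DLL.
RESOURCE_REF = re.compile(r"^@(?P<dll>.+?),-(?P<id>\d+)$")
# File contents exactly as quoted in the thread.
SAMPLE_FROM_THREAD = (b"[.ShellClassInfo]\r\nLocalizedResourceName="
                      b"@%SystemRoot%\\system32\\shell32.dll,-21787\r\n")

def decode_ini(raw: bytes) -> str:
    """desktop.ini is commonly ANSI or UTF-16 with a BOM; handle both."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def triage_desktop_ini(raw: bytes) -> dict:
    """Classify a desktop.ini: 'display-only', 'clsid-binding' or 'review'."""
    section, findings = None, []
    for line in decode_ini(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or section != ".shellclassinfo":
            findings.append(("review", line))         # unexpected content
        elif key in CLSID_KEYS:
            findings.append(("clsid-binding", line))  # folder tied to a COM class
        elif key == "localizedresourcename":
            m = RESOURCE_REF.match(value)
            # Example policy: the name must come from a DLL under %SystemRoot%.
            ok = m and m["dll"].lower().startswith("%systemroot%\\")
            findings.append(("display-only" if ok else "review", line))
        elif key in DISPLAY_KEYS:
            findings.append(("display-only", line))
        else:
            findings.append(("review", line))
    levels = {lvl for lvl, _ in findings}
    verdict = ("review" if "review" in levels or not findings else
               "clsid-binding" if "clsid-binding" in levels else "display-only")
    return {"verdict": verdict, "findings": findings}

if __name__ == "__main__":
    print(triage_desktop_ini(SAMPLE_FROM_THREAD))
```

A `display-only` verdict means the file contains only folder-appearance settings; `clsid-binding` and `review` mark files worth opening by hand.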