TechSpot

New folder virus please help

By pampachak
Oct 14, 2009
  1. Hi TechSpot members,

    I followed your 8-step process and I am attaching my log files to this thread.
    The New Folder virus on my PC is creating a lot of havoc. Each folder which I click has inside it another folder of the same name. I am not able to access my Task Manager. The folder customisation option, i.e. to hide folders, is also not available.
    Thanks in advance.

    pampachak
     


  2. WinXPert

    WinXPert TS Guru Posts: 445

    I. Download the following:

    Autorun Protector 1.1 (requires .NET Framework 2.0, so you have to install this first before Autorun Protector).
    Click Enable | Clear.
    On Drive C: click Remove | Create.
    Repeat with D: E: and F:

    II. Open Notepad and copy/paste the following:

    [Version]
    Signature="$Chicago$"
    Provider=Symantec

    [DefaultInstall]
    AddReg=UnhookRegKey

    [UnhookRegKey]
    HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
    HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0


    Save as UNHOOKEXEC.INF

    Right Click UNHOOKEXEC.INF | Install

    III. Launch Explorer and delete all files in F:\WINDOWS\Prefetch

    IV. Now you have to delete CHROME.EXE and NEW FOLDER.EXE

    Launch Notepad and copy/paste the following:

    C:
    CD \
    ATTRIB -R -H -S *.EXE
    DEL CHROME.EXE
    DEL "NEW FOLDER.EXE"
    ATTRIB -R -H -S autorun.inf
    DEL autorun.inf
    D:
    CD \
    ATTRIB -R -H -S *.EXE
    DEL CHROME.EXE
    DEL "NEW FOLDER.EXE"
    CD \SONGS\NEW FOLDER
    ATTRIB -R -H -S *.EXE
    DEL "NEW FOLDER.EXE"
    ATTRIB -R -H -S autorun.inf
    DEL autorun.inf
    E:
    CD \
    ATTRIB -R -H -S *.EXE
    DEL CHROME.EXE
    DEL "NEW FOLDER.EXE"
    ATTRIB -R -H -S autorun.inf
    DEL autorun.inf
    F:
    CD \
    ATTRIB -R -H -S autorun.inf
    DEL autorun.inf


    Save as Kill.cmd

    Double click Kill.cmd

    Reboot
     
  3. WinXPert

    WinXPert TS Guru Posts: 445

    I just reviewed your HijackThis log. I believe Google Chrome is compromised. You have to do the above instructions in Safe Mode and uninstall Chrome first; you can install it later.

    Delete the following files:

    F:\Documents and Settings\krishna\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

    F:\WINDOWS\system32\chrome.exe


    Create a backup of system.ini and edit it. Look for chrome.exe. Delete chrome.exe, not the whole line. Save.

    Run HijackThis and delete all entries of "chrome.exe".

    Run CCleaner. Scan for Issues.

    Launch Explorer and search for chrome.exe and new folder.exe. Just playing it safe should the batch file have missed something. Delete all occurrences using Shift-Del.

    Reboot in Safe Mode and do a virus scan.

    Re-install a clean copy of Google Chrome.

    Hope this works!
     
  4. WinXPert

    WinXPert TS Guru Posts: 445

    Food for thought. You have to change how you use Explorer. Enable Folders and when you navigate use the folder tree, the left side panel. Never click on a folder icon on the right side panel. Trojans propagate this way: the trojan makes your folder hidden and creates an EXE of the same name. For example, in your case you have a NEW FOLDER directory and a NEW FOLDER.EXE. Switch to details view and you can delete all EXEs disguised with a folder icon.
     
Topic Status:
Not open for further replies.
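
The folder-impersonation pattern described in the last reply (a NEW FOLDER directory beside a NEW FOLDER.EXE, plus the copy inside the folder that Kill.cmd deletes) can be checked for with a short scan. This is an added example, not part of the original thread; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def is_hidden(path):
    """True if the Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))

def find_folder_impostors(root):
    """Report every <name>.exe that shares its name with a sibling folder
    or with the folder it lives in (e.g. NEW FOLDER\\NEW FOLDER.EXE).

    Returns a sorted list of (exe_path, folder_path, folder_is_hidden).
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower(): d for d in dirnames}
        parent = os.path.basename(os.path.normpath(dirpath)).lower()
        for fname in filenames:
            stem, ext = os.path.splitext(fname)
            if ext.lower() != ".exe":
                continue
            exe = os.path.join(dirpath, fname)
            if stem.lower() in folders:        # EXE next to a same-named folder
                folder = os.path.join(dirpath, folders[stem.lower()])
                hits.append((exe, folder, is_hidden(folder)))
            elif stem.lower() == parent:       # EXE named after its own folder
                hits.append((exe, dirpath, is_hidden(dirpath)))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: one impostor pair, one nested copy, one benign EXE."""
    os.makedirs(os.path.join(root, "SONGS", "NEW FOLDER"))
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("SONGS/NEW FOLDER.EXE", "SONGS/NEW FOLDER/new folder.exe",
                "docs/setup.exe"):
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real executable

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for exe, folder, hidden in find_folder_impostors(tmp):
            print(f"{exe}  impersonates  {folder}  (hidden={hidden})")
```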
