New folder virus please help

Status
Not open for further replies.
Hi TechSpot members,

I followed your 8-step process and I am attaching my log files to this thread.
The New Folder virus on my PC is creating a lot of havoc. Each folder I click has inside it another folder of the same name. I am not able to access my Task Manager. The folder customisation option, i.e. to hide folders, is also not available.
Thanks in advance.

pampachak
 

Attachments

  • hijackthis.log
    9.3 KB · Views: 5
I. Download the following:

Autorun Protector 1.1 (requires .NET Framework 2.0, so you have to install this first before Autorun Protector).
Click Enable | Clear.
On Drive C: click Remove | Create.
Repeat with D: E: and F:

II. Open Notepad and copy/paste the following:

[Version]
Signature="$Chicago$"
Provider=Symantec

[DefaultInstall]
AddReg=UnhookRegKey

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0


Save as UNHOOKEXEC.INF

Right Click UNHOOKEXEC.INF | Install

III. Launch Explorer and delete all files on F:\WINDOWS\Prefetch

IV. Now you have to delete CHROME.EXE and NEW FOLDER.EXE

Launch Notepad and copy/paste the following:

C:
CD \
ATTRIB -R -H -S *.EXE
DEL CHROME.EXE
DEL "NEW FOLDER.EXE"
ATTRIB -R -H -S autorun.inf
DEL autorun.inf
D:
CD \
ATTRIB -R -H -S *.EXE
DEL CHROME.EXE
DEL "NEW FOLDER.EXE"
CD \SONGS\NEW FOLDER
ATTRIB -R -H -S *.EXE
DEL "NEW FOLDER.EXE"
ATTRIB -R -H -S autorun.inf
DEL autorun.inf
E:
CD \
ATTRIB -R -H -S *.EXE
DEL CHROME.EXE
DEL "NEW FOLDER.EXE"
ATTRIB -R -H -S autorun.inf
DEL autorun.inf
F:
CD \
ATTRIB -R -H -S autorun.inf
DEL autorun.inf


Save as Kill.cmd

Double click Kill.cmd

Reboot
 
I just reviewed your HijackThis log, and I believe Google Chrome is compromised. You have to do the above instructions in Safe Mode and uninstall Chrome first; you can install it later.

Delete the following files:

F:\Documents and Settings\krishna\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

F:\WINDOWS\system32\chrome.exe


Create a backup of system.ini and edit it. Look for chrome.exe. Delete chrome.exe, not the whole line. Save.

Run Hijackthis and delete all entries of "chrome.exe".

Run CCleaner. Scan for Issues.

Launch Explorer and search for chrome.exe and new folder.exe. Just playing it safe should the batch file have missed something. Delete all occurrences using Shift-Del.

Reboot in Safe Mode and do a virus scan.

Re-install a clean copy of Google Chrome.

Hope this works!
 
Food for thought. You have to change how you use Explorer. Enable Folders, and when you navigate, use the folder tree in the left side panel. Never click on a folder icon in the right side panel. Trojans propagate this way: it makes your folder hidden and creates an EXE of the same name. For example, in your case you have a NEW FOLDER directory and a NEW FOLDER.EXE. Switch to details view and you can delete all EXEs disguised with a folder icon.
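Added example, not part of the original thread: a read-only Python scan for the pattern described in the posts above, i.e. an executable named after a sibling folder or after the folder it sits in (as with \SONGS\NEW FOLDER\NEW FOLDER.EXE), plus any autorun.inf. The function names, the extension list and the sample tree are assumptions made for illustration; the scan only reports and deletes nothing.

```python
import os
import stat
import tempfile

# Assumption: executable types worth flagging (the INF above resets these handlers).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}

def is_hidden(path):
    """True if the Windows hidden attribute is set (always False on other systems)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def find_folder_impostors(root):
    """Return sorted (kind, path, sibling_hidden) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower(): d for d in dirnames}
        parent = os.path.basename(os.path.normpath(dirpath)).lower()
        for name in filenames:
            full = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            if name.lower() == "autorun.inf":
                findings.append(("autorun", full, None))
            elif ext.lower() in EXECUTABLE_EXTS:
                if stem.lower() in folders:
                    # EXE posing as the folder next to it; note whether that folder is hidden
                    sibling = os.path.join(dirpath, folders[stem.lower()])
                    findings.append(("twin-of-sibling", full, is_hidden(sibling)))
                elif stem.lower() == parent:
                    # EXE carrying the name of the folder that contains it
                    findings.append(("twin-of-parent", full, None))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample layout mirroring the thread (empty files, no real malware)."""
    os.makedirs(os.path.join(base, "NEW FOLDER"))
    os.makedirs(os.path.join(base, "SONGS", "NEW FOLDER"))
    for rel in ("autorun.inf", "NEW FOLDER.EXE", "setup.exe",
                os.path.join("SONGS", "NEW FOLDER", "NEW FOLDER.EXE")):
        open(os.path.join(base, rel), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, path, hidden in find_folder_impostors(tmp):
            print(kind, path, "" if hidden is None else f"sibling hidden={hidden}")
```

Point `find_folder_impostors` at a drive root and review each hit in details view before deleting anything by hand.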
 