Solved

Newfolder.exe virus found

Posted on 2007-11-25
10
2,725 Views
Last Modified: 2013-12-04
Hi,

I am seeing my machine gets hanged and i wont be able to do any thing. If i press control alt del---task manager is disabled (regedit also) and i try to scan i wont find any virus or risks.

I am having symantec antivirus version 10.1.5.5000 and also updated.

If i boot in safe i will be able scan and do something, but i dont know how to remove this virus.

If i plugin any usb pen drive it shows some folder like newfolder.exe it wont allow to copy something to pen drive.

Is there any windows patches for this or any symantec patch???????

How to get rid of this.

0
Comment
Question by:expertblr
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 22

Expert Comment

by:orangutang
ID: 20348310
Try scanning with SUPERAntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE). Also, send us your HijackThis (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php) log. Try running "net start msiserver" before trying to install SUPERAntiSpyware
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 250 total points
ID: 20348388
Use this and follow the prompts.
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe


If problem persists after using the tool, download and scan with Combofix.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Upload the log at EE-Stuff.com for us to check please.

Note: Do not mouseclick combofix's window while its running. That may cause it to stall
0
 

Author Comment

by:expertblr
ID: 20348410
Hi,
I was not able install SuperAntispyware which i downloaded thro the link  and i was able to install the trendsecure hijack and i am pasting the log below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:48 AM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\SCVHOST.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\TEMP\Application Data\U3\000015D1A961F17F\LaunchPad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iweb.ey.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iweb.ey.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Ernst & Young
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=internet:80;http=internet:80;https=internet:443
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iweb.ey.com;169.254.*.*;*.eylink.com;*.ey.net;*.quickplace.ey.com;199.49.190.*;198.134.44.*;*.ltdcenter.ey.com;<local>
F2 - REG:system.ini: Shell=Explorer.exe SCVHOST.exe
O1 - Hosts: 199.49.11.9 IN12
O1 - Hosts: 199.49.29.100 IN05
O1 - Hosts: 132.220.38.1 IN09
O1 - Hosts: 132.220.235.194 IN18
O1 - Hosts: 132.220.235.66 IN15
O1 - Hosts: 132.220.38.44 INPUNEMEYAD01.MEA.EY.NET
O1 - Hosts: 199.49.29.105 INCALCMEYAD01.MEA.EY.NET
O1 - Hosts: 132.220.92.11 lkcmbomeyiis01.mea.ey.net
O2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\Tb2Logon.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Single Signon] C:\Program Files\Elitecore\Single Signon\SSCyberoam_7218.exe
O4 - HKLM\..\Run: [Kontiki] "C:\Program Files\Kontiki\khost.exe" -i -p ey-ey
O4 - HKLM\..\Run: [AAPAcqService] C:\Program Files\AAP\ACQ\EY.AAP.Acquisition.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Tally License Server] C:\Tally\tallylic9xserver.exe -s
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SCVHOST.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corporate Client.lnk = C:\Program Files\Elitecore\Cyberoam Client for Corporate\CyberoamClient.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SSCyberoamlogin.lnk = C:\Program Files\Cyberoam\SSCyberoam.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh307282.dll/201
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.iweb.ey.com
O15 - Trusted Zone: http://*.iweb.ey.com
O15 - Trusted Zone: http://*.ey.net
O15 - Trusted Zone: http://*.eylink.com
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O15 - Trusted Zone: http://*.ey.com (HKLM)
O15 - Trusted Zone: http://*.ey.net (HKLM)
O15 - Trusted Zone: http://*.eyleads.com (HKLM)
O15 - Trusted Zone: http://*.eylink.com (HKLM)
O15 - Trusted Zone: http://*.eyqa.net (HKLM)
O15 - Trusted Zone: http://*.eyua.net (HKLM)
O15 - Trusted Zone: http://ey.fincad.com (HKLM)
O15 - Trusted Zone: http://*.intellinex-asp.com (HKLM)
O15 - Trusted Zone: http://*.intellinex.com (HKLM)
O15 - Trusted Zone: http://web.lexis.com (HKLM)
O15 - Trusted Zone: http://intellinex.raindance.com (HKLM)
O15 - Trusted Zone: http://*.smarttrainer4.com (HKLM)
O15 - Trusted Zone: http://*.surveymonkey.com (HKLM)
O15 - Trusted Zone: http://*.thomsonib.com (HKLM)
O15 - Trusted Zone: http://cserver.xtremelearning.com (HKLM)
O15 - Trusted IP range: http://199.51.65.79
O15 - Trusted IP range: http://130.94.72.17 (HKLM)
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://certificates.amadeusvista.com/sgwadmin/common/AutoUpdateATL26P100.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://extraweb-apac.ey.com/home/extraweb/iNotes6.cab
O16 - DPF: {51B217FA-AA53-11D1-8295-006097970389} (NotesUserCtrl Class) - http://home.iweb.ey.com/kweb6/cab/notesuser.cab
O16 - DPF: {8DA26812-F2DD-498F-90EA-F22C22049FFF} (BMCViewer Control) - https://bdr118307.bmcgroup.com/BMCViewer.CAB
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mea.ey.net
O17 - HKLM\Software\..\Telephony: DomainName = mea.ey.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mea.ey.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mea.ey.net
O23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\system32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINDOWS\system32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINDOWS\system32\PSTARTSR.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SuperProServer - Unknown owner - C:\WINDOWS\spnsrvnt.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tally License Server (NT) (Tally License Server) - Unknown owner - C:\Tally\tallylicserver.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe

--
End of file - 9815 bytes


Let me know for further action
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20348484
rpggamergirl's suggestions should work.
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SCVHOST.exe
seems suspicious. Try removing it in safe mode with HijackThis
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20348487
And
F2 - REG:system.ini: Shell=Explorer.exe SCVHOST.exe
but try rpggamergirl's suggestion first.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:expertblr
ID: 20348579
Hi,

How to remove the log file which i have pasted????????/
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20348678
SDBot/IRCBot entries are showing in your logfile.
Please use SDFix tool.

Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer that normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and upload the contents of the results file "Report.txt" at EE-Stuff.com

Also show us/upload a fresh hijackthis log afterwards.



0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20349256
You closed the question? Is the problem solved? We would have like to see more log and new hijackthis log.
0
 

Expert Comment

by:theory1213
ID: 22428849
I attempted the fix that was stated in the question and it did not work for me, I finally had to break down and use CA to wipe the hard drive of this menace and then used rpggamergirl 's  flash disenfector in order to get the run command and task manager working again.

Thanks rpggamergirl !!
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22433168
theory1213,

You're welcome!
Glad to know that Flash_Disinfector has helped with yours.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now