Newfolder.exe virus found

Hi,

I am seeing my machine get hung and I won't be able to do anything. If I press Ctrl+Alt+Del, Task Manager is disabled (regedit also), and when I try to scan I won't find any virus or risks.

I am having Symantec AntiVirus version 10.1.5.5000 and it is also updated.

If I boot in Safe Mode I will be able to scan and do something, but I don't know how to remove this virus.

If I plug in any USB pen drive it shows some folder like newfolder.exe and it won't allow me to copy anything to the pen drive.

Is there any Windows patch for this, or any Symantec patch?

How to get rid of this?

expertblr Asked:

rpggamergirl Commented:
Use this and follow the prompts.
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe


If problem persists after using the tool, download and scan with Combofix.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Upload the log at EE-Stuff.com for us to check please.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
0
 
orangutang Commented:
Try scanning with SUPERAntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE). Also, send us your HijackThis (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php) log. Try running "net start msiserver" before trying to install SUPERAntiSpyware
0
 
expertblr Author Commented:
Hi,
I was not able to install SuperAntiSpyware, which I downloaded through the link, and I was able to install the Trend Micro HijackThis, and I am pasting the log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:48 AM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\SCVHOST.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\TEMP\Application Data\U3\000015D1A961F17F\LaunchPad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iweb.ey.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iweb.ey.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Ernst & Young
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=internet:80;http=internet:80;https=internet:443
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iweb.ey.com;169.254.*.*;*.eylink.com;*.ey.net;*.quickplace.ey.com;199.49.190.*;198.134.44.*;*.ltdcenter.ey.com;<local>
F2 - REG:system.ini: Shell=Explorer.exe SCVHOST.exe
O1 - Hosts: 199.49.11.9 IN12
O1 - Hosts: 199.49.29.100 IN05
O1 - Hosts: 132.220.38.1 IN09
O1 - Hosts: 132.220.235.194 IN18
O1 - Hosts: 132.220.235.66 IN15
O1 - Hosts: 132.220.38.44 INPUNEMEYAD01.MEA.EY.NET
O1 - Hosts: 199.49.29.105 INCALCMEYAD01.MEA.EY.NET
O1 - Hosts: 132.220.92.11 lkcmbomeyiis01.mea.ey.net
O2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\Tb2Logon.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Single Signon] C:\Program Files\Elitecore\Single Signon\SSCyberoam_7218.exe
O4 - HKLM\..\Run: [Kontiki] "C:\Program Files\Kontiki\khost.exe" -i -p ey-ey
O4 - HKLM\..\Run: [AAPAcqService] C:\Program Files\AAP\ACQ\EY.AAP.Acquisition.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Tally License Server] C:\Tally\tallylic9xserver.exe -s
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SCVHOST.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corporate Client.lnk = C:\Program Files\Elitecore\Cyberoam Client for Corporate\CyberoamClient.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SSCyberoamlogin.lnk = C:\Program Files\Cyberoam\SSCyberoam.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh307282.dll/201
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.iweb.ey.com
O15 - Trusted Zone: http://*.iweb.ey.com
O15 - Trusted Zone: http://*.ey.net
O15 - Trusted Zone: http://*.eylink.com
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O15 - Trusted Zone: http://*.ey.com (HKLM)
O15 - Trusted Zone: http://*.ey.net (HKLM)
O15 - Trusted Zone: http://*.eyleads.com (HKLM)
O15 - Trusted Zone: http://*.eylink.com (HKLM)
O15 - Trusted Zone: http://*.eyqa.net (HKLM)
O15 - Trusted Zone: http://*.eyua.net (HKLM)
O15 - Trusted Zone: http://ey.fincad.com (HKLM)
O15 - Trusted Zone: http://*.intellinex-asp.com (HKLM)
O15 - Trusted Zone: http://*.intellinex.com (HKLM)
O15 - Trusted Zone: http://web.lexis.com (HKLM)
O15 - Trusted Zone: http://intellinex.raindance.com (HKLM)
O15 - Trusted Zone: http://*.smarttrainer4.com (HKLM)
O15 - Trusted Zone: http://*.surveymonkey.com (HKLM)
O15 - Trusted Zone: http://*.thomsonib.com (HKLM)
O15 - Trusted Zone: http://cserver.xtremelearning.com (HKLM)
O15 - Trusted IP range: http://199.51.65.79
O15 - Trusted IP range: http://130.94.72.17 (HKLM)
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://certificates.amadeusvista.com/sgwadmin/common/AutoUpdateATL26P100.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://extraweb-apac.ey.com/home/extraweb/iNotes6.cab
O16 - DPF: {51B217FA-AA53-11D1-8295-006097970389} (NotesUserCtrl Class) - http://home.iweb.ey.com/kweb6/cab/notesuser.cab
O16 - DPF: {8DA26812-F2DD-498F-90EA-F22C22049FFF} (BMCViewer Control) - https://bdr118307.bmcgroup.com/BMCViewer.CAB
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mea.ey.net
O17 - HKLM\Software\..\Telephony: DomainName = mea.ey.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mea.ey.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mea.ey.net
O23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\system32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINDOWS\system32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINDOWS\system32\PSTARTSR.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SuperProServer - Unknown owner - C:\WINDOWS\spnsrvnt.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tally License Server (NT) (Tally License Server) - Unknown owner - C:\Tally\tallylicserver.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe

--
End of file - 9815 bytes


Let me know for further action
0

 
orangutang Commented:
rpggamergirl's suggestions should work.
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SCVHOST.exe
seems suspicious. Try removing it in safe mode with HijackThis
0
 
orangutang Commented:
And
F2 - REG:system.ini: Shell=Explorer.exe SCVHOST.exe
but try rpggamergirl's suggestion first.
0
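The two entries orangutang singles out (the F2 Shell= line and the O4 Run entry pointing at SCVHOST.exe), together with the O7 DisableRegedit policy line in the same log, are the kind of indicators that can be flagged mechanically. The following Python checker is an added example, not code from the thread or from any of the tools it mentions; it runs over lines copied from the posted log, and the list of genuine system binary names and the 85% similarity threshold are my assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample in HijackThis format (lines copied from the log posted above).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SCVHOST.exe
F2 - REG:system.ini: Shell=Explorer.exe SCVHOST.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SCVHOST.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Assumed set of genuine Windows binary names; a file spelled almost like one of
# these but not identical to it (SCVHOST vs svchost) is masquerading.
LEGIT = {"svchost.exe", "explorer.exe", "winlogon.exe", "services.exe", "lsass.exe", "smss.exe"}

def is_lookalike(filename):
    """True if filename is not a genuine system name but closely resembles one (assumed 0.85 cutoff)."""
    name = filename.lower()
    if name in LEGIT:
        return False
    return any(SequenceMatcher(None, name, legit).ratio() >= 0.85 for legit in LEGIT)

def basename(value):
    """Extract the executable file name from a Run-key value (quoted or bare, with arguments)."""
    value = value.strip()
    path = value[1:].split('"', 1)[0] if value.startswith('"') else value.split()[0]
    return path.rsplit("\\", 1)[-1]

def triage(log_text):
    """Return (line, reason) pairs for the indicators pointed out in the thread."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("F2 - REG:system.ini: Shell="):
            # The shell value should be Explorer.exe alone; anything else is loaded at logon.
            extra = [t for t in line.split("=", 1)[1].split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append((line, "shell loads extra executable: " + " ".join(extra)))
        elif line.startswith("O4 - "):
            name = basename(line.split("] ", 1)[1]) if "] " in line else ""
            if is_lookalike(name):
                findings.append((line, "autorun entry masquerades as system binary: " + name))
        elif line.startswith("O7 - ") and "DisableRegedit=1" in line:
            findings.append((line, "registry editor disabled by policy"))
        elif re.match(r"[A-Za-z]:\\", line) and is_lookalike(basename(line)):
            findings.append((line, "running process masquerades as system binary: " + basename(line)))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```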
 
expertblr Author Commented:
Hi,

How do I remove the log file which I have pasted?
0
 
rpggamergirl Commented:
SDBot/IRCBot entries are showing in your logfile.
Please use SDFix tool.

Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart as the fix tool will be running and removing files.
* When the desktop loads the fix tool will complete the removal and display "Finished"; then press any key to end the script and load your desktop icons.
* Finally, open the SDFix folder on your desktop and upload the contents of the results file "Report.txt" at EE-Stuff.com.

Also show us/upload a fresh HijackThis log afterwards.

0
 
rpggamergirl Commented:
You closed the question? Is the problem solved? We would have liked to see more logs and a new HijackThis log.
0
 
theory1213 Commented:
I attempted the fix that was stated in the question and it did not work for me. I finally had to break down and use CA to wipe the hard drive of this menace, and then used rpggamergirl's Flash Disinfector in order to get the Run command and Task Manager working again.

Thanks rpggamergirl !!
0
 
rpggamergirl Commented:
theory1213,

You're welcome!
Glad to know that Flash_Disinfector has helped with yours.
0