# NewFolder.exe Worm



## main_mast (May 24, 2007)

Hi,

My USB drive has a folder named "NewFolder.exe" and it is now transferred to my PC. My Registry Editor, Task Manager & Folder Options are disabled now.
Please tell me the solution for this worm.
How can I remove it from my PC?

Thanks.


----------



## sjpritch25 (Sep 8, 2005)

Welcome to TSG 

Please download *HJT setup.exe* here
Let it place HijackThis in C:\Program Files\Hijackthis
Open *Hijackthis.exe*
Click on *Do a System Scan and Save log file*
*Don't Fix any Items!!!*
Just copy and paste the contents of the log file to your reply.


----------



## main_mast (May 24, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 2:24:31 PM, on 6/26/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Creative\Shared Files\CAMTRAY.EXE
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
D:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\Program Files\Grisoft\AVG7\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Grisoft\AVG7\avginet.exe
D:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe RVHOST.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Creative WebCam Tray] D:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [TypingSatellite] "D:\Program Files\TypingMaster\KBOOST.EXE"
O4 - HKCU\..\Run: [Yahoo Messengger] D:\WINDOWS\System32\RVHOST.exe
O4 - HKCU\..\Run: [PcSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5989D7-B6F8-48AB-A5FC-079C656C31E2}: NameServer = 203.130.2.3 203.130.2.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe


----------
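Added example, not part of the original thread: a small Python triage pass over HijackThis-format text that flags an extra program in the `Shell=` value (F2), any Run entry (O4) launching that same program, and policy restrictions (O7) such as the one behind the disabled Registry Editor. The sample lines are constructed from the log above; the function names and finding labels are illustrative, not HijackThis features.

```python
import re

# Constructed sample: four entries in HijackThis 1.99.1 format, modelled on the log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe RVHOST.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo Messengger] D:\WINDOWS\System32\RVHOST.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
SHELL = re.compile(r"Shell=(.*)$", re.IGNORECASE)
POLICY = re.compile(r"\\Policies\\.*?,\s*(\w+)=(\d+)", re.IGNORECASE)
RUN_NAME = re.compile(r"\[(.*?)\]")

def parse(log_text):
    """Split a log into (section code, body) pairs, skipping header and process lines."""
    matches = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]

def extra_shell_programs(entries):
    """Programs listed after Explorer.exe in Shell=; they start at every logon.
    Splits on whitespace, so a path containing spaces needs manual review."""
    extras = set()
    for code, body in entries:
        m = SHELL.search(body) if code == "F2" else None
        if m:
            names = (p.lower() for p in m.group(1).split())
            extras.update(p for p in names if p != "explorer.exe")
    return extras

def triage(log_text):
    """Return a list of (finding, detail) tuples in log order."""
    entries = parse(log_text)
    extras = extra_shell_programs(entries)
    findings = [("shell-extra", p) for p in sorted(extras)]
    for code, body in entries:
        if code == "O4" and any("\\" + p in body.lower() for p in extras):
            name = RUN_NAME.search(body)
            findings.append(("run-matches-shell", name.group(1) if name else body))
        elif code == "O7":
            m = POLICY.search(body)
            if m and m.group(2) != "0":  # a non-zero value means the restriction is on
                findings.append(("policy-restriction", m.group(1)))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
```
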



## sjpritch25 (Sep 8, 2005)

Be sure you have your *Flash* drive plugged in.

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a batch file, *get autoruns.bat*, written by Mosaic1. Once extracted, open the folder and double-click on the *get autoruns.bat* to run the fix.


The fix will make a report and if any autoruns are found, move them to a backup folder.

If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the *MountPoints* key are fixed.

A document, *Part 1.txt*, will be created. It will show the pre-cleaning state.

*Run get autoruns.bat again immediately.*

It will produce a file named *Part2.txt* and this one will show the state after the cleaning.

Please post the contents of *Part1.txt* and *Part2.txt* then, along with a fresh *HijackThis* log.


*It is important that you follow these directions exactly. Don't skip the second run or the reporting sequence, as we will become confused.*


----------
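Added example, not part of the original thread and not Mosaic1's batch file (its contents are not shown here): a report-only Python check for the kind of file the post calls "autoruns", assuming that means an `autorun.inf` at the root of a drive. It lists the launch entries found and moves or deletes nothing; the file contents and `sample.exe` are constructed.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return {key: command} for launch entries in the [autorun] section.
    Parsed by hand because such files are often padded with junk lines
    that a strict INI parser would reject."""
    section, launches = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key in LAUNCH_KEYS or is_verb:
                launches[key] = value
    return launches

def scan_roots(roots):
    """Map each root that holds an autorun.inf to its launch entries."""
    report = {}
    for root in roots:
        try:
            names = os.listdir(root)
        except OSError:
            continue  # empty card reader or disconnected drive
        for name in names:
            if name.lower() == "autorun.inf":  # the name is case-insensitive on Windows
                with open(os.path.join(root, name), errors="replace") as fh:
                    report[root] = parse_autorun(fh.read())
    return report

def demo():
    """Scan a temporary directory standing in for a flash drive root (constructed)."""
    sample = ("junk line\n[AutoRun]\nopen=sample.exe\n"
              "shell\\open\\command=sample.exe\nicon=folder.ico\n")
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AutoRun.inf"), "w") as fh:
            fh.write(sample)
        return list(scan_roots([root]).values())

if __name__ == "__main__":
    print(demo())
```

On a real machine, pass the drive roots to `scan_roots`, for example `["D:\\", "E:\\"]`.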

