NewFolder.exe from Ipod

Discussion in 'Malware Help (A Specialist Will Reply)' started by MalawiBrian, Mar 4, 2008.

  1. MalawiBrian

    MalawiBrian Private E-2

    My friend (former?) was missing files from his iPod and I tried to help. I got some bad malware or virus instead. I now have new folders in my start menus (Win XP) that contain "name of application.exe". I've run CCleaner, but it won't stop and finish its job, and everything is slow. I'm using my laptop now, as I can hardly do anything online with the desktop, including downloading the programs recommended here. I'll follow the instructions, but does this sound familiar? Oh, and now my iPod is infected! Any solution to that now?

    I tried to shut down several programs including Firefox and others, using Ctrl/Alt/Delete, and I got a dialogue box that said this function was disabled by the Administrator.

    I'm signing off, as I live in southern Africa and it is past bedtime.
     
    Last edited: Mar 4, 2008
  2. Lev

    Lev MajorGeek

  3. MalawiBrian

    MalawiBrian Private E-2

    I followed all the instructions in the Read Me First. I ran Spybot, SUPERAntiSpyware, ComboFix, CCleaner, and MGtools. The only one that gave me troubles was ComboFix, which pretty much disappeared after activating it from the Start/Run method.

    I caught several Trojans, etc. from SUPERAntiSpyware, Spybot, etc. I am attaching my HijackThis log.

    Thank you - Brian
     

    Attached Files:

  4. Lev

    Lev MajorGeek

    You did not follow all the instructions in the Read & Run Me First. If you had, you would not be attaching a HijackThis log. Please follow the instructions correctly and post up the logs requested. Only then will an Authorized Malware Fighter be able to assist you.
     
  5. MalawiBrian

    MalawiBrian Private E-2

    Here's what I've done:

    Updated Java; disabled System Restore; enabled hidden files; ran SUPERAntiSpyware; ran Spybot; ran combofix.exe; ran MGtools.exe.

    Here's what I've found:

    1 - I've attached the S-AntiSpyware logs for you to read;
    2 - I found I had lots of troubles (trojans and the like) after running and cleaning with Spybot;
    3 - I have run combofix.exe many times exactly as you recommend yet I have been completely unable to find the combofix.txt file that you refer to. When I start it, using the "%userprofile...etc., I get a small window that pops up saying combofix is starting, but that is ALL. No dialogue box, no 24 hr clock, nothin'. No combofix.txt on my c: drive. I ran this program overnight three times, and even unplugged the mouse so I wouldn't accidentally click it;
    4 - I have run MGTools.exe 4 times as well, with the same results. I have nothing to report except a HijackThis log file, not the files that you report that I will have in the folder after running it. I get the MGTools folder, but no log/zip file at all, despite letting it run overnight two times.
    5 - I cannot use the task manager, as I get a message saying it has been disabled by the administrator -which is me;
    6 - I can't check startup using msconfig, because that has been disabled also.

    So, what shall I do? I have loaded three SuperAntiSpyware logs. Let me know if you want the most recent HijackThis log.

    Thank you!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please try to run ComboFix from safe boot mode.

    Where are you looking for the MGlogs.zip file? When you ran MGtools.exe did you notice any of the error messages given on the Using MGtools download page? If you look in the C:\MGtools folder, do you see runkeys.txt and newfiles.txt?


    Please run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis. Click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then clicking Kill process. Then click yes.

    C:\Documents and Settings\Brian\Start Menu\Programs\Startup\Startup.exe

    After killing all the above processes, click Back.

    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.exe
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\system32\SSVICHOSST.exe
    O4 - .DEFAULT User Startup: Startup.exe (User 'Default user')
    O4 - Startup: Startup.exe
    O4 - Global Startup: Startup.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.


    Now run Ccleaner!

    Now see if you can run ComboFix as requested and also MGtools.exe.

    Attach the below logs (assuming all went well):
    • C:\avenger.txt
    • C:\ComboFix.txt
    • C:\MGlogs.zip
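The ten HijackThis lines chaslang lists above can be checked mechanically. The Python below is an added example; it is not part of the thread and not how HijackThis, analyse.exe or MGtools work. Its sample input is those ten lines, copied verbatim, and its rules are this example's own heuristics: on NT-family Windows the system.ini Shell line that HJT reports as F2 is the Winlogon Shell value, and Winlogon launches every program named there, so anything after Explorer.exe is an autostart; a Run entry that points at the same file confirms the hijack; a startup-folder item named after the Startup folder itself is the folder-name cloning this thread is about; a Policies\System value such as DisableRegedit=1 is what produces the "disabled by the Administrator" messages; and "(no file)" entries are orphans that are safe to remove.

```python
"""Triage a HijackThis (HJT) log for the signs seen in this thread.

Added example: not part of the thread, and not how HJT, MGtools or
analyse.exe work internally. The sample log is the ten lines chaslang
lists in post 6; the flagging rules are this example's own heuristics.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity reason line")

# Constructed sample: the HJT lines quoted in post 6, verbatim.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.exe
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\system32\SSVICHOSST.exe
O4 - .DEFAULT User Startup: Startup.exe (User 'Default user')
O4 - Startup: Startup.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (.*Startup): (\S+)")
POLICY_RE = re.compile(r"^O7 - .*\\Policies\\System, (\w+)=(\S+)")


def _exe_name(cmd):
    """Lower-cased basename of the program a Run-key command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, args after it
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:                                        # first whitespace token
        parts = cmd.split()
        path = parts[0] if parts else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shell_extras(log_text):
    """Programs in the Winlogon Shell value other than Explorer.exe.

    Winlogon launches every program named in Shell, so each extra token is
    an autostart that survives removing Run keys and Startup folders.
    """
    extras = set()
    for line in log_text.splitlines():
        m = SHELL_RE.match(line.strip())
        if m:
            for tok in m.group(1).split():
                if tok.lower() != "explorer.exe":
                    extras.add(tok.lower())
    return extras


def triage(log_text):
    """Return Findings for the suspicious lines of an HJT log, in log order."""
    extras = shell_extras(log_text)              # first pass: the shell hijack
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SHELL_RE.match(line) and extras:
            findings.append(Finding("HIGH", "Winlogon shell hijack: %s started with Explorer"
                                    % ", ".join(sorted(extras)), line))
            continue
        m = RUN_RE.match(line)
        if m:                                    # cross-check Run entries against the hijack
            exe = _exe_name(m.group(3))
            if exe in extras:
                findings.append(Finding("HIGH", "Run entry launches the shell-hijack file %s" % exe, line))
            continue
        m = STARTUP_RE.match(line)
        if m:                                    # Startup.exe inside the Startup folder
            stem = m.group(2).lower().rsplit(".", 1)[0]
            if stem == "startup":
                findings.append(Finding("HIGH", "startup item named after its own folder (folder-name cloning)", line))
            continue
        m = POLICY_RE.match(line)
        if m and m.group(2) != "0":              # DisableRegedit / DisableTaskMgr style lockouts
            findings.append(Finding("MEDIUM", "Policies\\System restriction %s=%s (source of 'disabled by the Administrator')"
                                    % (m.group(1), m.group(2)), line))
            continue
        if line.endswith("(no file)"):
            findings.append(Finding("LOW", "orphaned entry pointing at a missing file; safe to remove", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.severity, f.line, "--", f.reason)
```

Run it as a script to print the findings for the sample, or call triage() on the text of a real log. The cross-check between F2 and O4 is the useful part: the misspelled [Yahoo Messengger] entry would be easy to wave through on its own, but it launches the same SSVICHOSST.exe that the shell hijack does, which is why chaslang fixes both lines together.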
     
  7. MalawiBrian

    MalawiBrian Private E-2

    I have done all as asked. Here are the files. As to your question about the MGtools.zip, it wasn't anywhere until I ran the other apps first. Now I have it! I am now getting an error about 16-bit MS-DOS errors, which I'll follow your instructions for.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You needed to get a MGlogs.zip file after correcting this error. The log you just attached is not complete because of this error. However before getting a new log, let's do the below.

    Do you know what the below file is for?
    C:\tsremov.bat



    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. MalawiBrian

    MalawiBrian Private E-2

    The error message I get is

    C:\WINDOWS\SYSTEM32\COMMAND.COM. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Click close to terminate the application.

    Not an AUTOEXEC.NT message

    When I download and double click the Homefix.zip file I get a message saying the files have been extracted successfully...but then what? Should I do something else since I have a different message?

    I do not know what the tsremov.bat file is.

    I will attempt another fix. Thanks.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to make sure that you are extracting the file into the C:\WINNT\system32 folder which should be the default. If you extract them anywhere else, it will not fix your problem.
     
  11. MalawiBrian

    MalawiBrian Private E-2

    I finally did it. I don't think I was properly extracting the files and when I did again they ran well. Now when I reboot I no longer get that MS-DOS message. Instead I get a small dialogue box that says:

    "File Error Cannot Find SHELL.DLL" This box comes up exactly 6 times rapidly ( I keep clicking "close")

    I ran items as you asked. When I ran MGTools I got a dialogue box near the beginning that said:

    Process DLL.EXE - Application Error The application failed to initialize properly (0x0000135) Click on any key to terminate. Of course, I click on OK.

    I'm attaching the logs.
    Thanks - B
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like you lost a necessary system file. Look in the below folder for a copy of shell.dll (note this is not the same as shell32.dll)

    C:\WINNT\ServicePackFiles\i386

    Do you see shell.dll
    If yes then you need to copy shell.dll into the below two folders:
    C:\WINNT\System
    C:\WINNT\System32

    This error message is also explained in the Using MGtools link. See the section titled Error Message Type 4


    Now we need to use ComboFix again to remove some more files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  13. MalawiBrian

    MalawiBrian Private E-2

    1) I found the SHELL.DLL and copied it into the correct folder;

    2) I Microsoft-updated everything and found lots of .NET Framework stuff that I was missing. That's why this reply took so long;

    3) I ran Combofix again and the log is attached;

    4) I ran MGtools and the log is likewise attached.

    FYI, I still have folders everywhere called "*.exe" They seem to have cloned themselves to whatever or wherever they are. The computer seems to have speeded up, and I'm newly impressed with how an ancient Win XP can outperform a Win Vista for starting up even in Malware conditions!
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You named one of them incorrectly:
    You need to change it to just shell.dll

    You will have to find and delete all of these yourself as our scans only look in key folders and will not show all that are created. What this infection does is create a fake exe file name with the same base name as the folder it is in. Like the below that we already deleted:
    I believe they will all have a file size of 240,128 bytes. Below is another that I do see:

    C:\Documents and Settings\LocalService\Application Data\Application Data.exe


    Other than the above, your logs are clean. After you delete all of those bad EXE files, you can move on to the below if not having any other malware problems.


    It is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note the space between the X and the /U; it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
    Last edited: Mar 21, 2008
  15. MalawiBrian

    MalawiBrian Private E-2

    Well, I'm discouraged. A house guest got to the computer before I could finish deleting all those folders, and now we're re-infected! I've started from the beginning, and I'm running SUPERAntiSpyware. As I'm running it, it has found many items, 25 so far. Several malwares, two distinct viruses, etc. It has been running for 12 hours now.

    One result is that it has tripped a warning from McAfee notifying me of a change to the registry. I'm being asked whether I want to allow or deny this change. I sense that this is resulting from SUPERAntiSpyware removing the offending item, but I need guidance before I allow it. It is located in C:\WINNT\System32\SSVICHOSST.exe

    Correct me if I'm wrong, but I think I should block this change for now and let the rest of this process find the offending things and remove them?

    Thanks - I await your reply, and I'll upload logs again when done...

    PS - How to disable McAfee while running these processes?

    Brian
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is why you need to have a restricted user account created on your PC and only allow this account to be used by guests. Also you need to make sure you boot up to the Welcome screen and require a login and password for all user accounts including this restricted account.


    If SUPERAntispyware is trying to remove this then blocking the fix would be the wrong thing to do. Either way, just continue on thru all instructions in the READ ME and attach new logs.

    You could try disabling on access scan or whatever McAfee calls it now but this may not work.
     
    Last edited: Mar 25, 2008
  17. MalawiBrian

    MalawiBrian Private E-2

    I agree with the user account suggestion!

    I've followed all the steps in the Read and Run First, again...

    I've attached the logs as required.

    Thank you! Brian
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This may not be so easily corrected this time. You may have literally hundreds of infected files on your PC. Almost every single folder on your PC that has been getting accessed in some way has an infected file in the folder with the same name as the folder. Here are just a few examples of what I mean:
    Code:
    C:\WINNT\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer.exe
    C:\WINNT\Sun\Java\Deployment\Deployment.exe
    C:\WINNT\Sun\Java\Java.exe
    C:\WINNT\Sun\Sun.exe
    C:\WINNT\system32\1025\1025.exe
    There are many many more. These are exactly like what we previously fixed a bunch of. Along with this problem, you have a bunch of other infections. I will try to work up a fix but this will take a while to do since there is so much work to do in order to create a fix for all of this. However, I do have to warn you that the fix may not work, or it may appear to work for a short time. That is, until you access another folder where the infection has deposited a copy of itself. Then it will start spreading again. Since the logs do not show every single folder on your PC, some of the infection can easily be missed.

    I may have to write a utility that tries to scan your whole hard disk looking for possible infected files. In the meantime, please download the attached FindEXE.zip file and save it into the C:\MGtools folder. Then extract the FindEXE.bat file from this ZIP file also into the C:\MGtools folder. This will attempt to scan your whole hard disk for possible files related to this infection. When it finishes running, a file named EXEDUPE.txt will be in your C:\MGtools folder. Please attach this EXEDUPE.txt file to your next message. After getting this file, I will try to make up a fix for you.
     

    Attached Files:

    Last edited: Mar 26, 2008
  19. MalawiBrian

    MalawiBrian Private E-2

    Stunning! There are thousands of these, which I found out as I was deleting them after we'd finished up last time. I note that they're all exactly the same size. Perhaps you could write a fix that deletes them in that way?

    The file is too big for uploading. I have zipped it for you. Hope it gets thru...

    A couple of questions if you don't mind:


    1) If the fix doesn't work, what is my next step?
    2) Is there a way to save files without saving the infection?
    3) What is this thing and where is it from?

    Thanks!
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, 6775 to be exact (one file matching the size was valid).

    Total clean reinstall.

    You would have to be extremely careful with backups! No executable files should be backed up. However let's see if we can get it fixed first. ;)


    Names do not really mean too much since everyone may give them different names. Also you have more than one problem.

    One is this: http://www.sophos.com/security/analyses/viruses-and-spyware/w32sohanar.html

    The one making all of these files named like the folder name but with an EXE may be related to Trojan.Hiween.
    See http://www.symantec.com/security_response/writeup.jsp?docid=2006-090809-0715-99&tabid=3

    However I don't believe it is an exact match to Hiween.

    The file size and date are what I'm looking at to determine the infection for you. The important thing to note (and this is for other readers' information) is that the file size and date for all cases of this infection will not be the same on all PCs. While the particular infection in this current thread always shows the file size to be 240,128 bytes and has a date/time of 2007-12-20 19:51:52, this will not necessarily be what is seen on another PC.

    I will work on a fix. Possibly a batch file to remove all of the files. I don't want to put it into a script for ComboFix or Avenger since it is way too large, and over 1.6 gigabytes of malware files would wind up being backed up, which may not work properly.
     
  21. MalawiBrian

    MalawiBrian Private E-2

    I'm game. You should know that each time I plug my flash drive in at work our Symantec locates and removes something called W32Imaut or some such. Including from my iPod. I keep picking it up from the desktop. Pretty good work system that finds it and my home setup can't.

    Thanks - B
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to look on your USB drive for copies of this infection. Look in all folders on the drive for files with a size of 240,128 bytes and a date/time of 2007-12-20 19:51:52 and delete them. If you don't get the USB drive cleaned, using it on any PC will cause reinfection.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\system32\SSVICHOSST.exe
    O4 - .DEFAULT User Startup: Startup.exe (User 'Default user')

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now please download the attached delexe.zip file and save it into the C:\MGtools folder. Then extract the delexe.bat file from this ZIP file also into the C:\MGtools folder. Now double click on the delexe.bat file which will try to delete the 6775 infected files which are all just copies of the SSVICHOSST.exe file.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot, run a new scan with SUPERAntispyware and save a new log.

    Now run Ccleaner!

    Now run the C:\MGtools\FindEXE.bat file again so we can check to see if any files were missed. New files could have been created since attaching your previous logs.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • SUPERAntispyware log
    • the new EXEDUPE.txt log file from FindEXE.bat
    • C:\MGlogs.zip
    NOTE: It will require two messages to attach the four logs.

    Make sure you tell me how things are working now!
     

    Attached Files:
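Posts 18, 20 and 22 describe what FindEXE.bat and delexe.bat do: walk the entire disk for a file named <folder>.exe sitting inside folder <folder>, match on the observed size (240,128 bytes on this PC), and delete the matches in bulk rather than through ComboFix or Avenger, which would back up 1.6 GB of copies. Those batch files are attachments not reproduced on the page, so the Python below is an added example, not their code. It implements the same rule with a dry run by default, and builds a constructed sample tree (zero-filled files, no malware) that mirrors the paths quoted in post 18 plus two decoys that must not be reported. The script name findexe.py in the usage comment is hypothetical; the size is the parameter to change, since post 20 warns it differs between infections.

```python
"""Find and optionally delete the folder-named EXE clones from this thread.

Added example: chaslang's FindEXE.bat / delexe.bat are attachments not
reproduced on the page, so this is not their code. It applies the rule they
describe: report every file named "<parent folder>.exe" whose size matches
the one observed (240,128 bytes on this PC; pass the size you actually see).
Deletion is a dry run unless asked otherwise, because one same-size file on
this PC turned out to be legitimate.
"""
import os
import stat
import sys
import tempfile

CLONE_SIZE = 240_128  # size seen in this thread only; other infections differ


def find_folder_named_exes(root, size=CLONE_SIZE):
    """Sorted paths of files named after their parent folder plus '.exe'.

    size=None drops the size filter; the name rule alone also matches
    legitimate installs such as C:\\Program Files\\Foo\\Foo.exe.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = os.path.basename(dirpath)
        if not folder:                       # a drive root has no name to clone
            continue
        want = (folder + ".exe").lower()     # Windows names are case-insensitive
        for name in filenames:
            if name.lower() != want:
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:                  # vanished or unreadable; skip it
                continue
            if size is None or st.st_size == size:
                hits.append(full)
    return sorted(hits)


def delete_files(paths, dry_run=True):
    """Delete the given files and return the paths actually removed.

    With dry_run=True nothing is touched. The clones are often hidden and
    read-only, so the read-only bit is cleared first; a file that still
    cannot be removed is left in place rather than aborting the run.
    """
    removed = []
    if dry_run:
        return removed
    for path in paths:
        try:
            os.chmod(path, stat.S_IWRITE)
            os.remove(path)
            removed.append(path)
        except OSError:
            pass
    return removed


def _write(path, size):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(b"\0" * size)


def make_sample_tree():
    """Constructed sample (harmless zero-filled files) mirroring post 18's paths.

    Returns (root, sorted clone paths). Two decoys are added that must NOT be
    reported: a same-size file with the wrong name, and a right-name file
    with the wrong size.
    """
    root = tempfile.mkdtemp(prefix="exedupe_")
    clones = [
        os.path.join(root, "WINNT", "Sun", "Sun.exe"),
        os.path.join(root, "WINNT", "Sun", "Java", "Java.exe"),
        os.path.join(root, "WINNT", "Sun", "Java", "Deployment", "Deployment.exe"),
        os.path.join(root, "WINNT", "system32", "1025", "1025.exe"),
    ]
    for path in clones:
        _write(path, CLONE_SIZE)
    _write(os.path.join(root, "WINNT", "Sun", "Java", "jusched.exe"), CLONE_SIZE)
    _write(os.path.join(root, "Program Files", "Foo", "Foo.exe"), 1024)
    return root, sorted(clones)


if __name__ == "__main__":
    # Usage (hypothetical file name): python findexe.py <root> [size|none] [--delete]
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()[0]
    size = CLONE_SIZE
    if len(sys.argv) > 2:
        size = None if sys.argv[2].lower() == "none" else int(sys.argv[2])
    found = find_folder_named_exes(target, size)
    print("\n".join(found) or "no matches")
    if "--delete" in sys.argv:
        print("removed", len(delete_files(found, dry_run=False)))
```

Point it at the USB stick and the iPod as well (for example python findexe.py E:\), since post 22 notes that any copy left on removable media reinfects the next PC it is plugged into. Review the printed list before adding --delete: on this PC one same-size file was legitimate, and with the size filter off the name rule alone also matches ordinary installs.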

  23. MalawiBrian

    MalawiBrian Private E-2

    Been out of town and just got back. I think I'm attaching what I should. I can't attach another attachment, and the EXEDUP.txt file shows 0 KB. I'll attach it to another reply...
     

    Attached Files:

  24. MalawiBrian

    MalawiBrian Private E-2

    Each time I upload the EXEDUP.txt file I get an error message saying the upload failed. It is completely empty.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is actually good! It means it did not find anymore of those malware files named like the folders it is in. ;) Are you seeing any yourself?

    How are things running?

    Your logs appear to be clean.
     
  26. MalawiBrian

    MalawiBrian Private E-2

    Things are running very well, and fast once again! I was amazed to read those logs and see what had been deleted. Any idea why my home McAfee wouldn't find any of this and my office Symantec was diligent and found what was on my iPod and flash drives? Is Norton that much better?
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually neither Norton nor McAfee is really that good at finding many forms of malware. McAfee will find and remove things Norton does not find too. Also Norton is well known for not detecting many problems, and often it detects things and does nothing to remove them.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Note the space between the cf" and the /u; it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    2. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    3. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    10. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    11. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    12. After doing the above, you should work thru the below link:
     
