Sunday, June 14, 2009

Newfolder.exe virus Removal method

First of all, you have to remove its primary weapon. Autorun.inf. To do that, follow the instrustion

  • First, click on start >> run
  • Type “cmd” (without quotes) and press enter
  • Go to root, meannig, type “cd..” (without quotes) till you reach the command prompt “C:\>”
  • There, type “attrib -h -r -s autorun.inf” (without quotes) and press enter
  • Type “del autorun.inf” (without quotes) and press enter
  • Type “md\autorun.inf ” (without quotes) and press enter
  • This must be repeated on all drives. To change the drive just say “d:” (without quotes) or “e:” (without quotes) and so on.

Now lets remove it from the startup

  • Click start->run and type msconfig and click ok
  • Go to startup tab look for regsvr and uncheck the option click OK.
  • Click on Exit without Restart, cause there are still few things we need to do before we can restart the PC.
  • Now go to control panel -> scheduled tasks, and delete the At1 task listed their.

Now the gpedit part. If yours is XP home, then you will have to download and install it. You can do it from here. Once done follow these instructions

  • Click on start -> run and type gpedit.msc and click Ok
  • Go to users configuration->Administrative templates->system
  • Find “prevent access to registry editing tools” and change the option to disable.

Once you do this you have registry access back so that you can change their values. This is done as follows. Please take a backup before editing registry

  1. Click on start->run and type regedit and click ok
  2. Go to edit->find and start the search for regsvr.exe
  3. Delete all the occurrence of regsvr.exe. KEEP IN MIND regsvr32.exe is not to be deleted. Delete regsvr.exe occurrences only.
  4. At one ore two places you will find it after explorer.exe in theses cases only delete the regsvr.exe part and not the whole part. E.g. Shell = “Explorer.exe regsvr.exe” the just delete the regsvr.exe and leave the explorer.exe

Once this is done, close the Regedit window. Now the final step in the removal process

  1. Click on start->search->for files and folders.
  2. There click all files and folders and all your drives
  3. Type “*.exe” (without quotes) as filename to search for
  4. Click on ‘when was it modified ‘ option and select the specify date option. For example type from date as 1/1/2009 and also type To date as 1/2/2009. This depends on when your folders were modified.
  5. Now hit search and wait for all the exe’s to show up.
  6. Once search is over select all the exe files and shift+delete the files, caution must be taken so that you don’t delete the legitimate exe file that you have installed on 1st jan.
  7. Also selecting lot of files together might make your computer unresponsive so delete them in small bunches.
  8. Also find and delete regsvr.exe, svchost .exe( notice an extra space between the svchost and .exe)
  9. Make sure that you delete only the folders first as thats what is attacked in such viruses. The .exe files must be carefully deleted by examining them.