
Thread: newfolder.exe containment procedure

  1. #1
    Join Date
    Jun 2006
    Posts
    47

    newfolder.exe containment procedure

    I had the same virus on my PC and have finally contained it with the CA antivirus that I had installed on my machine. For anyone whose computer is infected with the newfolder.exe virus, follow the steps below:

    Virus info

    How to Identify:
    File size equals 208Kb; it uses a folder icon and the same name as the parent folder, but is an executable.
    NB: Turn on view of system files and hidden files, also show file extension types.
    Removal instructions (Some of the info below was from AGV forum)
    Description of what it does:
    It will enter a directory and create an exe named after that directory, e.g. enter the directory c:\Program Files\ and it will create Program Files.exe

    Properties of Program Files.exe:
    Version:
    Comments - Butterfly.
    File version - 1.00
    Internal name - My Things
    Language - English (United states)
    Legal Trademarks - 2007
    Original file name - My Things.exe
    Product Name - butterfly

    You need to make sure to set the PC to show hidden and system files and file extensions.

    Where it is located:
    Registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    This is the registry key that starts the virus.

    Physical location in windows XP:
    c:\WINDOWS\Help\sched.exe or schedl.exe

    If Windows 2000: C:\WINNT\Help\sched.exe or schedl.exe

    How to stop it:
    1. First of all, turn off System Restore.
    2. After that, open Task Manager, go to Processes and sort by Image Name. Find sched.exe and kill it.
    3. You now have to delete the entry from the registry.
    4. After that you have to delete the sched.exe file.
    5. Now you need to find all the infected *.exe and delete them. If you run them, it will reinstall itself.
    6. After that you have to search for *.exe from 01 May 2007 to present, look for hidden files with a maximum size of 209Kb and make a detailed list of them.
    7. Now you can check the properties. If they match, delete them! Empty the recycle bin.
    8. After that, reboot the machine and again check steps 1 to 3.
    9. Now, if the user is using Offline files and folders and has no reason to be using them, clear the offline folder cache by using Shift + left CTRL + Delete, then disable offline files and folders.
    10. After that, restart and again re-check 1, 2 and 3.
    11. Note: The user may have browsed to network shares and used a memory stick, mp3 player or cellphone to view or store data. Run from step 5 to search and delete the dormant virus files.


    You can also add the basic script shown below to the beginning of a logon batch file to kill the virus on your Windows XP workstation.

    Code:
    rem ****************************************************
    rem Butterfly virus containment 06-06-07 mtd (thanks uct for the basics!)
    rem ****************************************************
    echo This batch will kill the schedl.exe
    echo process and remove it from startup
    echo ---------------------------------------
    rem ---------------------------------------
    rem Kill the running process and any child processes it started
    taskkill /F /IM schedl.exe /T
    rem Remove the autostart value (the command and its arguments must be on one line)
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v schedl /f
    rem Delete the hidden file from the Help folder
    del /ah c:\WINDOWS\Help\schedl.exe
    cls
    echo Completed "schedl.exe" removal
    Hope this helps
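
Steps 6 and 7 of the first post (list recent, small *.exe files, hidden ones included, and compare their properties) can be scripted. The PowerShell below is an added example, not part of the original thread; it only lists candidates for review and deletes nothing. The scan root, the report path, the use of last-modified time for the date filter, and the folder-name comparison are assumptions.

```powershell
# Added example: read-only triage for the indicators listed in post #1.
# It writes a list of candidates for manual review and deletes nothing.
param(
    [string]$Root = 'C:\',                          # assumption: where to start the search
    [datetime]$Since = '2007-05-01',                # "from 01 May 2007 to present" (step 6)
    [long]$MaxBytes = 209KB,                        # "maximum size of 209Kb" (step 6)
    [string]$Report = '.\newfolder-candidates.csv'  # hypothetical output path
)

# Version-resource strings quoted under "Properties of Program Files.exe".
$Indicators = @{
    Comments         = 'Butterfly.'
    InternalName     = 'My Things'
    OriginalFilename = 'My Things.exe'
    ProductName      = 'butterfly'
}

function Get-IndicatorHits {
    param([System.Diagnostics.FileVersionInfo]$Info)
    $hits = foreach ($name in $Indicators.Keys) {
        if (([string]$Info.$name).Trim() -ieq $Indicators[$name]) { $name }
    }
    return ($hits -join ';')   # empty string when nothing matched
}

# -Force includes hidden and system files, which Explorer hides by default.
$found = Get-ChildItem -LiteralPath $Root -Filter *.exe -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -le $MaxBytes -and $_.LastWriteTime -ge $Since } |
    ForEach-Object {
        $hits = Get-IndicatorHits $_.VersionInfo
        # Folder-named copy: same name as the parent folder, or as a folder beside the file.
        $sibling = Join-Path $_.DirectoryName $_.BaseName
        $folderName = ($_.BaseName -ieq $_.Directory.Name) -or
                      (Test-Path -LiteralPath $sibling -PathType Container)
        if ($hits -or $folderName) {
            [pscustomobject]@{
                Path        = $_.FullName
                SizeKB      = [math]::Round($_.Length / 1KB)
                Hidden      = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                FolderName  = $folderName
                VersionHits = $hits
                Modified    = $_.LastWriteTime
            }
        }
    }

if ($found) { $found | Sort-Object Path | Export-Csv -Path $Report -NoTypeInformation }
"{0} candidate file(s) found under {1}" -f @($found).Count, $Root
```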

  2. #2
    Join Date
    Sep 2005
    Posts
    157
    Thanks for the solution that you have given. I have also been getting this newfolder.exe virus for the last couple of days, and I will try to follow the steps that you have given to solve this case and see if it works out or not. In the meantime, if you get any new information or better updates about removing this folder.exe virus automatically with some tools, then let me know about it as well.

  3. #3
    Join Date
    Feb 2006
    Posts
    167

    Re: newfolder.exe containment procedure

    You can download the Malwarebytes' Anti-Malware software, by searching for it on the net, which will allow you to actively eradicate malware infecting your machine. It has a very simple interface which is divided into nine tabs: research, protection, update, quarantine, reports, exclusions, settings, tools. You have two methods of analysis: a quick scan of your system with a reduced detection base, and a comprehensive review to carefully analyze all of your storage devices.
