I had the same virus on my PC and have finally contained it with the CA antivirus that I had installed on my machine. For anyone whose computer is infected with the newfolder.exe virus, follow the steps below:
Virus info
How to Identify:
File size equals 208 KB, uses a folder icon and the same name as the parent folder, but is an executable:
NB: Turn on viewing of system files and hidden files, and also show file extensions.
Removal instructions (Some of the info below was from AGV forum)
Description of what it does:
It will enter a directory and create an exe of that directory, e.g. enter the directory c:\Program Files\ and it will create Program Files.exe
Properties of Program Files.exe:
Version:
Comments - Butterfly.
File version - 1.00
Internal name - My Things
Language - English (United states)
Legal Trademarks - 2007
Original file name - My Things.exe
Product Name - butterfly
You need to make sure to set the PC to show hidden and system files and file extensions. Where it is located:
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This is the registry key that starts the virus.
Physical location in Windows XP:
c:\WINDOWS\Help\sched.exe or schedl.exe
If Windows 2000: C:\WINNT\Help\sched.exe or schedl.exe
How to stop it:
- First of all turn off system restore
- After that, open Task Manager, go to Processes and sort by Image Name. Find sched.exe and kill it.
- You now have to delete the entry from the registry
- After that you have to delete the sched.exe file
- Now you need to find all the infected *.exe and delete them. If you run them, it will reinstall itself.
- After that you have to search for *.exe from 01 May 2007 to present, look for hidden files with a maximum size of 209 KB and make a detailed list of them.
- Now you can check the properties. If they match, delete them! Empty the recycle bin.
- After that reboot the machine and again check steps 1 to 3.
- Now, if the user is using Offline Files and Folders and has no reason to be using them, clear the offline folder cache by using Shift + left CTRL + Delete, then disable Offline Files and Folders.
- After that restart and again re-check steps 1, 2 and 3
- Note: The user may have browsed to network shares and used a memory stick, mp3 player or cellphone to view or store data. Run from step 5 to search for and delete the dormant virus files.
You can also add the basic script shown below to the beginning of a logon batch file to kill the virus on your Windows XP workstation.
Code:
rem ****************************************************
rem Butterfly virus containment 06-06-07 mtd (thanks uct for the basics!)
rem ****************************************************
echo This batch will kill the schedl.exe
echo process and remove it from startup
echo ---------------------------------------
rem ---------------------------------------
rem Kill the running process (and any children) by image name
taskkill /F /IM schedl.exe /T
rem Remove the Run key value that restarts it at logon (single line)
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v schedl /f
rem Delete the hidden executable itself
del /ah c:\WINDOWS\Help\schedl.exe
cls
echo Completed "schedl.exe" removal
Hope this helps
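The search in steps 5 to 7 (hidden .exe files no larger than about 209 KB that carry the same name as the folder they sit in) can be scripted. The following is an added example and not the poster's script or the CA/AVG tooling; it assumes the folder-name and size traits described above and builds its own harmless, zero-filled sample tree to scan, so it runs offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added example, not the poster's batch file: list .exe files whose name equals
# their parent folder and that are no larger than MAX_SIZE, the traits the post
# describes. The hidden attribute is only checked on Windows.
MAX_SIZE = 209 * 1024  # post says 208 KB; search up to 209 KB as in step 7

def is_hidden(path: Path) -> bool:
    """True when the file carries the Windows hidden attribute (else False)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)  # Windows only
    hidden_flag = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
    return attrs is not None and bool(attrs & hidden_flag)

def find_folder_named_exes(root, max_size=MAX_SIZE):
    """Return sorted (path, size, hidden) tuples for suspect files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe" or stem.lower() != folder:
                continue  # not a folder-named executable
            full = Path(dirpath, name)
            size = full.stat().st_size
            if size <= max_size:  # the post's sample was 208 KB
                hits.append((str(full), size, is_hidden(full)))
    return sorted(hits)

def build_sample_tree(base: Path) -> None:
    """Constructed layout of harmless zero-filled files, mimicking the post."""
    pf = base / "Program Files"
    pf.mkdir(parents=True)
    (pf / "Program Files.exe").write_bytes(b"\0" * (208 * 1024))  # suspect
    tools = base / "tools"
    tools.mkdir()
    (tools / "tools.exe").write_bytes(b"\0" * (600 * 1024))  # folder-named, too big
    (tools / "setup.exe").write_bytes(b"\0" * 1024)  # small, but name differs

def demo() -> list:
    """Scan a throwaway sample tree; return suspect paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return [Path(p).relative_to(base).as_posix()
                for p, _size, _hidden in find_folder_named_exes(base)]

if __name__ == "__main__":
    for rel in demo():
        print("suspect:", rel)
```

Point `find_folder_named_exes` at a drive root or a network share to list candidates; the list is for review against the version properties above, not for automatic deletion.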