new folder.exe

Hi,

I have a virus in my system… It's creating .EXE (Application) files in all the folders.

For example, if the folder name is One, inside the folder One it's creating One.exe

If the folder name is First, inside the folder First it's creating First.exe

Then I used avast Home Edition 4.7. It removed all the infection from my system; it even cleaned it from the RAM.
Now I have a problem like that, but now its name is folder.exe (application).
Avast 4.7 Home Edition is not detecting it.
Now my system is getting slow.
What can I do?
I'm using Win XP Professional.

If you wish, post a HiJackThis log and I will have a look.

Brother, I have a serious problem.
I tried a boot-time scan but it also failed to detect anything.
My computer is linked with a small group of line network;
all the systems have this problem. Our network speed with each other has become very slow now. We have big trouble transferring data with each other.
Please give some advice.

A hackthis log would be really helpful. :wink:

Al968

“hackthis log”: I can't understand what you mean.

Check this Polonus’ guide: http://forum.avast.com/index.php?topic=22069.msg183507#msg183507
or http://www.pchell.com/support/hijackthistutorial.shtml

A lot of double posting, qamar! Please pick one post so we can help you! You also have posted the exact problem here at this post http://forum.avast.com/index.php?topic=25004.msg204849#msg204849

It might be better to just post under your new folder.exe post

yeah :stuck_out_tongue:
Try to avoid doing that
Thanks

Al968

Since Trend Micro is apparently able to clean this, use the on-line virus scanner here: http://www.trendmicro.com/hc_intro/default.asp
and post back. The on-line scanner is able to clean viruses and worms!

Sorry for the late reply.
I tried to use Trend Micro online House Call but my internet connection is too slow. Trend Micro online House Call gives me a response time of about 4 or 5 hours to scan.
So I downloaded HijackThis and it gives me this log of my computer:

Logfile of HijackThis v1.99.1
Scan saved at 8:07:29 PM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Windows Explorer.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.intervideo.com/jsp/Product_Signin.jsp?customer=3031&appid=20&regid=2fce8R&product=2H6PBLOIEGLA9M8FHP9B422VQH7LBO6TKQD4&lang=&locale=0x0409
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [Explorer] C:\WINDOWS\Windows Explorer.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\ypager.exe” -quiet
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

Please rename HiJackThis.exe to Gotcha.exe (or anything else you like) and re-run and re-post. Ta
This looks like part of your problem C:\WINDOWS\Windows Explorer.exe

Yes, it looks similar to WUKILL.E worm/Wukill.E!Trojan

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WUKILL.E&VSect=P

Since it is slowing his internet connection and has difficult downloads, might be best to disable
HKLM..\Run: [Explorer] C:\WINDOWS\Windows Explorer.exe using MSCONFIG
Then restart Windows to allow him to download any suggested programs.

;D Good thought Ta

I was hoping you would agree! :wink:

qamar, try Start>Run, type in MSCONFIG then OK, click on the “Startup” tab, untick [Explorer] C:\WINDOWS\Windows Explorer.exe and restart Windows, then follow essexboy’s advice

Brothers,
Trend Micro online House Call performed a full system scan on my computer.
It found
troj_vb.bla 52 infections
ddos_generic 02 infections
On automatic clean it failed to clean the infected exe C:\WINDOWS\Windows Explorer.exe
On manual clean it gives only two options: 1st, delete the infection, and 2nd, leave it (no action).
When I chose the 1st, it failed.
The folder.exe remains in my system.
The 2nd thing to tell is that my avast is now crypt; it is neither uninstalling nor installing.
When I open my Task Manager it closes immediately.

Hi qamar,
Did you use MSCONFIG to disable Windows Explorer.exe before using “house call”?
It is very important to disable Windows Explorer.exe using MSCONFIG then RESTART Windows.

I know about the problem of Explorer.exe from Trend Micro; then I came back to the forum.
There are two Explorer.exe’s working. Which one do I disable?

You have to disable the one called “windows explorer.exe”.

Do not disable the one called “explorer.exe”.

The “windows explorer.exe” is actually a trojan!

Please note the “windows” part in “windows explorer.exe”.

Look for: C:\WINDOWS\Windows Explorer.exe and disable on “Startup” tab in MSCONFIG then restart Windows.

If that fails it can be temporarily disabled (if there is not a hidden infector) by checking the item in HJT and fixing

It will be good if you download, install, update and run other trojan remover tools:
a-squared
Free AVG Antispyware
SUPERantispyware
Spyware Terminator
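
The check the helpers made by eye on the posted log (a Run entry named like Explorer but pointing at C:\WINDOWS\Windows Explorer.exe instead of the genuine explorer.exe) can be automated. This is an added example, not part of the original thread; the baseline table of genuine paths is an assumption for a default Windows XP install, and the function names are illustrative.

```python
import ntpath
import re

# Assumed default locations of genuine Windows XP binaries (C:\WINDOWS install).
GENUINE = {
    "explorer": r"c:\windows\explorer.exe",
    "svchost": r"c:\windows\system32\svchost.exe",
    "lsass": r"c:\windows\system32\lsass.exe",
    "winlogon": r"c:\windows\system32\winlogon.exe",
}

# O4 registry autorun line; accepts "HKLM..\Run" (as printed in this thread)
# and "HKLM\..\Run".
O4_RUN = re.compile(r"^O4 - (HK\w+)\S*Run: \[(.+?)\] (.+)$")
EXE_PATH = re.compile(r"[A-Za-z]:\\.*?\.exe", re.IGNORECASE)

# Sample: four O4 lines copied from the log posted above (quotes normalised).
SAMPLE = r"""
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Explorer] C:\WINDOWS\Windows Explorer.exe
O4 - HKCU..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
"""

def parse_o4(log_text):
    """Yield (hive, value_name, exe_path) for each O4 Run entry."""
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        exe = EXE_PATH.search(m.group(3)) if m else None
        if exe:
            yield m.group(1), m.group(2), exe.group(0)

def lookalikes(log_text):
    """Return autoruns whose file name imitates a genuine binary elsewhere."""
    hits = []
    for hive, name, path in parse_o4(log_text):
        # "Windows Explorer.exe" -> "windowsexplorer"
        stem = re.sub(r"[^a-z0-9]", "", ntpath.basename(path).lower()[:-4])
        if any(real in stem and path.lower() != good
               for real, good in GENUINE.items()):
            hits.append((hive, name, path))
    return hits

if __name__ == "__main__":
    for hive, name, path in lookalikes(SAMPLE):
        print(f"review: {hive} Run [{name}] -> {path}")
```

A hit is a prompt for manual review, not proof of infection: a genuine binary referenced by its 8.3 short path would also be listed.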