How to remove new folder exe or regsvr exe or autorun inf virus

March 29th, 2008 | Save to del.icio.us now(32)

I want to tell you a story, two days back i got affected by this virus very badly as it eat up all my empty hard disk space of around 700 MB .
I was surprised that my most reliable friend Avast, for the first time failed me in this war against viruses but then again avg and bitdiffender also failed against it. This virus is know popularly as regsvr.exe virus, or as new folder.exe virus and most people identify this one by seeing autorun.inf file on their pen drives, But trend micro identified it as WORM_DELF.FKZ. It is spreading mostly using pen drives as the medium.

Well, so here is the story of how i was able to kill the monster and reclaim my hard disk space.
Manual Process of removal

I prefer manual process simply because it gives me option to learn new things in the process.

So let’s start the process off reclaiming the turf that virus took over from us.

1. Cut The Supply Line
1. Search for autorun.inf file. It is a read only file so you will have to change it to normal by right clicking the file , selecting the properties and un-check the read only option
2. Open the file in notepad and delete everything and save the file.
3. Now change the file status back to read only mode so that the virus could not get access again.
4. 
5. Click start->run and type msconfig and click ok
6. Go to startup tab look for regsvr and uncheck the option click OK.
7. Click on Exit without Restart, cause there are still few things we need to do before we can restart the PC.
8. Now go to control panel -> scheduled tasks, and delete the At1 task listed their.
2. Open The Gates Of Castle
1. Click on start -> run and type gpedit.msc and click Ok.
2. 
3. If you are Windows XP Home Edition user you might not have gpedit.msc in that case download and install it from Windows XP Home Edition: gpedit.msc and then follow these steps.
   
4. Go to users configuration->Administrative templates->system
5. Find “prevent access to registry editing tools” and change the option to disable.
6. 
7. Once you do this you have registry access back.
3. Launch The Attack At Heart Of Castle
1. Click on start->run and type regedit and click ok
2. Go to edit->find and start the search for regsvr.exe,
3. 
4. Delete all the occurrence of regsvr.exe; remember to take a backup before deleting. KEEP IN MIND regsvr32.exe is not to be deleted. Delete regsvr.exe occurrences only.
5. At one ore two places you will find it after explorer.exe in theses cases only delete the regsvr.exe part and not the whole part. E.g. Shell = “Explorer.exe regsvr.exe” the just delete the regsvr.exe and leave the explorer.exe
4. Seek And Destroy the enemy soldiers, no one should be left behind
1. Click on start->search->for files and folders.
2. Their click all files and folders
3. Type “*.exe” as filename to search for
4. Click on ‘when was it modified ‘ option and select the specify date option
5. Type from date as 1/31/2008 and also type To date as 1/31/2008
6. 
7. Now hit search and wait for all the exe’s to show up.
8. Once search is over select all the exe files and shift+delete the files, caution must be taken so that you don’t delete the legitimate exe file that you have installed on 31^st January.
9. Also selecting lot of files together might make your computer unresponsive so delete them in small bunches.
10. Also find and delete regsvr.exe, svchost .exe( notice an extra space between the svchost and .exe)
5. Time For Celebrations

1. Now do a cold reboot (ie press the reboot button instead) and you are done.

I hope this information helps you win your own battle against this virus. Soon all antivirus programs will be able to automatically detect and clean this virus. Also i hope Avast finds a way to solve this issues.
As a side note i have found a little back dog( winpatrol ) that used to work perfectly on my old system. It was not their in my new PC, I have installed it again , as I want to stay ahead by forever closing the supply line of these virus. You can download it form Winpatrol website.
UPDATE : Avast Boot Time Scheduling

Check out How to stop regedit, task manager and msconfig  from closing automatically if your regedit or msconfig closes automatically.

Manually remove it (new folder.exe Fix)

Delete File named svichossst.exe

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
“@”=[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Yahoo Messengger”=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“Shell”=”Explorer.exe “

Intro

The type of RAM doesn't matter nearly as much as how much of it you've got, but using plain old SDRAM memory today will slow you down. There are three main types of RAM: SDRAM, DDR and Rambus DRAM.

SDRAM (Synchronous DRAM)
Almost all systems used to ship with 3.3 volt, 168-pin SDRAM DIMMs. SDRAM is not an extension of older EDO DRAM but a new type of DRAM altogether. SDRAM started out running at 66 MHz, while older fast page mode DRAM and EDO max out at 50 MHz. SDRAM is able to scale to 133 MHz (PC133) officially, and unofficially up to 180MHz or higher. As processors get faster, new generations of memory such as DDR and RDRAM are required to get proper performance.

DDR (Double Data Rate SDRAM)
DDR basically doubles the rate of data transfer of standard SDRAM by transferring data on the up and down tick of a clock cycle. DDR memory operating at 333MHz actually operates at 166MHz * 2 (aka PC333 / PC2700) or 133MHz*2 (PC266 / PC2100). DDR is a 2.5 volt technology that uses 184 pins in its DIMMs. It is incompatible with SDRAM physically, but uses a similar parallel bus, making it easier to implement than RDRAM, which is a different technology.

Check this site for  information about DDR SDRAM memory and DDR Memory recommendations.

Rambus DRAM (RDRAM)
Despite it's higher price, Intel has given RDRAM it's blessing for the consumer market, and it will be the sole choice of memory for Intel's Pentium 4. RDRAM is a serial memory technology that arrived in three flavors, PC600, PC700, and PC800. PC800 RDRAM has double the maximum throughput of old PC100 SDRAM, but a higher latency. RDRAM designs with multiple channels, such as those in Pentium 4 motherboards, are currently at the top of the heap in memory throughput, especially when paired with PC1066 RDRAM memory.

DIMMs vs. RIMMs
DRAM comes in two major form factors: DIMMs and RIMMS.

DIMMs are 64-bit components, but if used in a motherboard with a dual-channel configuration (like with an Nvidia nForce chipset) you must pair them to get maximum performance. So far there aren't many DDR chipset that use dual-channels. Typically, if you want to add 512 MB of DIMM memory to your machine, you just pop in a 512 MB DIMM if you've got an available slot. DIMMs for SDRAM and DDR are different, and not physically compatible. SDRAM DIMMs have 168-pins and run at 3.3 volts, while DDR DIMMs have 184-pins and run at 2.5 volts.

RIMMs use only a 16-bit interface but run at higher speeds than DDR. To get maximum performance, Intel RDRAM chipsets require the use of RIMMs in pairs over a dual-channel 32-bit interface. You have to plan more when upgrading and purchasing RDRAM.