I did have this problem (new folder.exe on my thumb drive) and
eventually, after several hours, managed to solve it. I therefore wanted
to share what I had found with others.
Below are the details and the solution I found:
The version of the newfolder.exe worm that I had was not detected by AVG
Antivirus, and only the infected files were detected by AVG Antispyware,
as Worm.VB.cb.
I only found a report of this worm on the Trend Micro website and it seems
that there are several variants.
The new folder.exe or folder.exe that were found on my thumb/flash
drive were all 96 KB.
I also found:
1. in C:\Windows\System32 a file BttnServ.exe,
2. a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run
EASYBTTNSERVE.EXE
3. in C:\Windows a notepad file winst.log
These files were identified by AVG Antispyware as being infected with
Worm.VB.cb.
Every time I deleted the folder.exe on my flash drive, and the registry
key and BttnServ.exe from Windows\System32, they returned.
When I tried to delete winst.log I received the message that it was being
used by a process or application.
A search on the internet mentions a file svchost.exe, but a search for this file
on my computer only returned authentic programs.
I eventually got rid of this worm by doing the following:
1. I deleted the registry key and deleted BttnServ.exe
2. I created a dummy BttnServ.exe using a blank notepad file and
renaming it. I also made this dummy read-only.
3. I rebooted into safe mode, and noted that winst.log was not there. From
this I assumed that the program had not started.
4. I accessed C:\Windows\System32. In the list of programs (not files) I
found a hidden folder (I have set my computer to show hidden files) named
svchost.exe. The icon was a folder icon (not the usual Windows program
icon) and I noticed that it was also 96 KB. I deleted it.
5. I then deleted my dummy BttnServ.exe
6. I ran AVG Antispyware on my flash drive and deleted all infected files.
I rescanned to make sure that the files had not been recreated.
7. I then rebooted and reran AVG Antispyware which reported no problems.
I did not see the hidden file (with folder icon) svchost.exe until I
booted into safe mode. Whether it was booting into safe mode or the dummy
file, I'm not sure. Creating the dummy file may have been unnecessary, but
it has worked for other worms to stop them loading.
Lindsay Dunseith
November 2007
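
A read-only check for the file indicators listed in the post above, added here as an example and not part of the original post. The function names, reason strings and sample tree are constructed for illustration; it assumes the reported "96kb" is a size rounded up to whole kilobytes, and it does not inspect the registry Run entry or the hidden attribute.

```python
import math
import os
import tempfile

# Names taken from the post above, compared case-insensitively.
WORM_EXE_NAMES = {"new folder.exe", "folder.exe", "bttnserv.exe", "svchost.exe"}
WORM_LOG_NAME = "winst.log"
REPORTED_SIZE_KB = 96  # size of every copy found; assumed to be rounded up


def scan(root):
    """Return sorted (relative_path, reason) pairs for files matching the indicators."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                kb = math.ceil(os.stat(path).st_size / 1024)
            except OSError:
                continue  # unreadable or vanished file: skip, keep scanning
            lower = name.lower()
            if lower == WORM_LOG_NAME:
                reason = "log file named in the post"
            elif not lower.endswith(".exe") or kb != REPORTED_SIZE_KB:
                continue  # e.g. a genuine svchost.exe of another size
            elif lower in WORM_EXE_NAMES:
                reason = "reported name and 96 KB size"
            else:
                reason = "96 KB executable under another name"
            findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data standing in for a drive; sizes are in bytes."""
    samples = {"new folder.exe": 96 * 1024, "sys/svchost.exe": 95 * 1024 + 1,
               "sys/real/svchost.exe": 20 * 1024, "tools/other.exe": 96 * 1024,
               "winst.log": 0, "notes.txt": 96 * 1024}
    for rel, size in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:
        build_sample_tree(drive)
        for rel, reason in scan(drive):
            print(f"{rel}: {reason}")
```

Pointing `scan()` at a flash drive or at the Windows directory only lists candidates; the size-only matches in particular need a manual look before anything is deleted.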