
Author Topic: The Stubborn Folder  (Read 3167 times)


wissamyoussif

    Topic Starter


    Beginner

    The Stubborn Folder
    « on: January 20, 2009, 06:06:15 AM »
    Hi all, I have this Image.exe icon that looks like a regular folder -- a little more opened -- that pops back every time I delete it (some kinda virus, right?) in my USB thumb drive. I have Norton Antivirus 2008 installed and regularly updated (just updated it a few minutes earlier), and all other details may be found in the attached Hijack This report (renamed it to That One just in case a malware recognizes it). What should I do to get rid of it?
    Thanks

    [attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: The Stubborn Folder
    « Reply #1 on: January 20, 2009, 02:04:20 PM »
    This is a pretty nasty form of malware that will take special tools to remove.

    Flash Drive Cleanup

    If you use any flash drives please clean them now.

    Download Flash Disinfector by sUBs and save it to your Desktop.
     
    • Double-click Flash_Disinfector.exe to run it.
    • Your desktop and icons may disappear. This is normal.
    • It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
    • Follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • There will be no GUI interface or log file produced.
    • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

    ----------

    Open HijackThis and select Do a system scan only.

    Place a check mark next to the following entries: (if there)

    - O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    - O4 - HKLM\..\Run: [My App] C:\WINDOWS\system32\Image.exe
    - O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    - O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    ----------

    Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

    Go to Start > Run and type notepad.exe then click OK

    Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

    Code:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Alcmtr"=-
    "My App"=-

    Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

    Delete the fixme.reg from the Desktop.

    ----------

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    Note: It is important that it is saved directly to your Desktop.

    Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

    Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
     
    Double click combofix.exe & follow the prompts.
    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
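
How the fixme.reg in the reply above follows from its two O4 lines, shown as an added example that is not part of the original thread or of HijackThis: it expands the `HKLM\..\Run` shorthand to the full Run key, emits one `"name"=-` deletion per value, and lists the O6/O7 policy lines separately. The function names and SAMPLE_LOG (constructed from the entries quoted above) are assumptions of this example.

```python
import re

# Constructed sample: the four HijackThis entries quoted in the reply above.
SAMPLE_LOG = r"""
- O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
- O4 - HKLM\..\Run: [My App] C:\WINDOWS\system32\Image.exe
- O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
- O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
# In O4 lines HijackThis prints "..\" in place of this common key prefix.
PREFIX = r"Software\Microsoft\Windows\CurrentVersion"
O4_RE = re.compile(r"O4 - (HKLM|HKCU)\\\.\.\\([^:]+): \[([^\]]+)\] (.+)$")

def parse_o4(log_text):
    """Return (full_key, value_name, command) for each registry autostart line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.search(line.strip())
        if m:
            hive, subkey, name, command = m.groups()
            key = "\\".join([HIVES[hive], PREFIX, subkey])
            entries.append((key, name, command))
    return entries

def policy_entries(log_text):
    """Return the O6/O7 lines (policy restrictions) so they get reviewed too."""
    return re.findall(r"^[-\s]*(O[67] - .+?)\s*$", log_text, re.MULTILINE)

def build_reg(entries):
    """Build REGEDIT4 text that deletes each value ("name"=-) under its key."""
    by_key = {}
    for key, name, _command in entries:
        by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append("[" + key + "]")
        for name in names:
            # .reg syntax escapes backslashes and quotes inside value names
            escaped = name.replace("\\", "\\\\").replace('"', '\\"')
            out.append('"' + escaped + '"=-')
        out.append("")
    return "\r\n".join(out)

if __name__ == "__main__":
    print(build_reg(parse_o4(SAMPLE_LOG)))
    print("\n".join(policy_entries(SAMPLE_LOG)))
```

Running parse_o4 on a follow-up log and getting an empty list for these names is a quick check that the Run values did not come back.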

    wissamyoussif


      Re: The Stubborn Folder
      « Reply #2 on: January 26, 2009, 06:13:21 AM »
      Hi evilfantasy, you replied to me a few hours later but it took me all those days to have a connection and see your post. Sorry for that, and thanks a lot for your interest.
      I've done all you said except for:
      1- It took forever (well, 30 minutes) for Flash_Disinfector.exe and my desktop didn't reappear so I pressed ctrl+alt+del and ran explorer.exe
      2- Didn't have - O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present in my Hijack This log.
      That's all and the Stubborn Folder seems to be no more -- at least for now, and here's my Hijack This and ComboFix reports along with a picture of what the Stubborn Folder looked like.
      P.S. I think we've met before (of course you've helped me before) thanks again.
      Is it clean now?


      [attachment deleted by admin]

      evilfantasy

      Re: The Stubborn Folder
      « Reply #3 on: January 26, 2009, 10:33:15 AM »
        Time to clean up.

        • Click START then RUN
        • Now type Combofix /u in the runbox
        • Make sure there's a space between Combofix and /u
        • Then hit Enter.
        • The above procedure will:
            • Delete the following: ComboFix and its associated files and folders.
            • Reset the clock settings.
            • Hide file extensions, if required.
            • Hide System/Hidden files, if required.
            • Set a new, clean Restore Point.
        ----------

      Download ATF Cleaner by Atribune to your Desktop.

      Alternate download link

      Note: Vista users must use Run As Administrator
      • Under Main: Select Files to Delete choose: Select All.
      • Click the Empty Selected button.
      • If you use Firefox browser click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
        If you would like to keep your saved passwords click No at the prompt.
      • If you use Opera browser click Opera at the top and choose: Select All
      • Click the Empty Selected button.
        If you would like to keep your saved passwords click No at the prompt.
      • Click Exit on the Main menu to close the program.
      Note that your system will run slower for a reboot or two after having used this tool so don't panic.

      ----------

      Download OTCleanIt.exe and save it to your Desktop.
      • Double-click OTCleanIt.exe.
      • Click the CleanUp! button.
      • Select Yes when the "Begin cleanup Process?" prompt appears.
      • If you are prompted to Reboot during the cleanup, select Yes.
      • The tool will delete itself once it finishes; if not, delete it yourself.
      Important: Restart the computer before continuing.