The real name of this virus is Iddono. The threat copies its file(s) to your hard disk, typically under the file name Iddono. It then creates a new startup key named Iddono with the value newfolder.exe. It also shows up in the process list as newfolder.exe or Iddono.


NewFolder.exe File Behaviour

NEW FOLDER.EXE has been seen to perform the following behavior:
  • The Process is packed and/or encrypted using a software packing process
  • Found on infected systems and resists interrogation by security products
  • Executes a Process
  • Registers a Dynamic Link Library File
  • This process creates other processes on disk
  • Changes the Internet Explorer Home Page Settings
  • Looks at the contents of the autoexec.bat file
  • Reads email address and phone book details
  • Adds products to the system registry
  • Modifies Windows Security Policies to restrict/expand User Privileges on the machine
  • Disables the built in Windows File Protection System
  • This Process Deletes Other Processes From Disk
  • Can communicate with other computer systems using HTTP protocols
  • Changes IE options including home page, security tab, colour, font, advanced, menu
  • Disables Access to the Windows Registry Editor
  • Disables Access to the Task Manager built into Windows
  • Adds a Link in the Start Menu
NEW FOLDER.EXE has been the subject of the following behavior:
  • Added as a Registry auto start to load Program on Boot up
  • Deleted as a process from disk
  • Executed as a Process
  • Created as a process on disk
  • Registered as a Dynamic Link Library File
  • Has code inserted into its Virtual Memory space by other programs
  • Added as a Link in the Start Menu

NewFolder.exe Manual Detection

Below are manual removal instructions for newfolder.exe so you can remove the unwanted file from your PC. Always be sure to back up your PC before you modify anything.


Step 1: End Task

Start> run

taskkill /f /t /im "New Folder.exe"

taskkill /f /t /im "SCVVHSOT.exe"

taskkill /f /t /im "SCVHSOT.exe"

taskkill /f /t /im "scvshosts.exe"

taskkill /f /t /im "hinhem.scr"

taskkill /f /t /im "blastclnnn.exe"

Step 2: Enable Task Manager

1. Start> run

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

2. Start> run

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Step 3: Enable Regedit

1. Start> run

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

2. Start> run

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Step 4: Folder Options & Hidden Files

1. Start> run

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f

2. Start> run

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f

3. Start> run

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f

4. Start> run

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 2 /f

Other steps

Delete the files

C:\WINDOWS\SCVVHSOT.exe

C:\WINDOWS\SCVHSOT.exe

C:\WINDOWS\hinhem.scr

C:\WINDOWS\system32\SCVHSOT.exe

C:\WINDOWS\system32\blastclnnn.exe

C:\WINDOWS\system32\autorun.ini

C:\Documents and Settings\All Users\Documents\SCVHSOT.exe

Modify these registry entries

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Shell REG_SZ -> explorer.exe

\Software\Microsoft\Windows\CurrentVersion\Run\ Yahoo Messengger -> delete
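To confirm the steps above took effect, the following read-only PowerShell audit reports the state of the registry values and files named on this page. It is an added example, not part of the original instructions. It assumes the "Yahoo Messengger" and "Iddono" autostart entries live under the Run key of either hive (the page does not name the hive), and it reports a policy value that does not exist as "absent", which is the Windows default.

```powershell
# Added example: read-only audit, changes nothing. Run as the affected user so HKCU is that user's hive.
$pol = 'Software\Microsoft\Windows\CurrentVersion\Policies'
$run = 'Software\Microsoft\Windows\CurrentVersion\Run'
$adv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'

# Values the page's "reg add" and Winlogon steps set, with the data each should hold
$expected = @(
    @{ Path = "HKLM:\$pol\System";   Name = 'DisableTaskMgr';       Want = 0 }
    @{ Path = "HKCU:\$pol\System";   Name = 'DisableTaskMgr';       Want = 0 }
    @{ Path = "HKLM:\$pol\System";   Name = 'DisableRegistryTools'; Want = 0 }
    @{ Path = "HKCU:\$pol\System";   Name = 'DisableRegistryTools'; Want = 0 }
    @{ Path = "HKCU:\$pol\Explorer"; Name = 'NoFolderOptions';      Want = 0 }
    @{ Path = "HKLM:\$pol\Explorer"; Name = 'NoFolderOptions';      Want = 0 }
    @{ Path = "$adv\SHOWALL";        Name = 'CheckedValue';         Want = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Want = 'explorer.exe' }
)
# Autostart value names from the page; checking Run in both hives is an assumption
$autostart = 'Yahoo Messengger', 'Iddono'
# Files the page lists for deletion
$files = 'C:\WINDOWS\SCVVHSOT.exe', 'C:\WINDOWS\SCVHSOT.exe', 'C:\WINDOWS\hinhem.scr',
    'C:\WINDOWS\system32\SCVHSOT.exe', 'C:\WINDOWS\system32\blastclnnn.exe',
    'C:\WINDOWS\system32\autorun.ini',
    'C:\Documents and Settings\All Users\Documents\SCVHSOT.exe'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns nothing ($null) when the key or the value is absent
    $key = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $prop = $key.PSObject.Properties[$Name]; if ($prop) { $prop.Value } }
}

$report = @(
    foreach ($e in $expected) {
        $v = Get-RegValue $e.Path $e.Name
        $state = if ($null -eq $v) { 'absent' } elseif ($v -eq $e.Want) { 'ok' } else { 'CHANGED' }
        [pscustomobject]@{ Item = "$($e.Path)\$($e.Name)"; Found = $v; State = $state }
    }
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($name in $autostart) {
            $v = Get-RegValue "$hive\$run" $name
            if ($null -ne $v) { [pscustomobject]@{ Item = "$hive\$run\$name"; Found = $v; State = 'PRESENT' } }
        }
    }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { [pscustomobject]@{ Item = $f; Found = 'file'; State = 'PRESENT' } }
    }
)
$report | Format-Table -AutoSize -Wrap
```

Any row marked CHANGED or PRESENT means the corresponding step still needs to be applied, or the threat has re-written the value since.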

Precaution

Never double-click files that look like folders; use the folder view for navigation instead. You may also want to disable "Shared Documents".