Saturday, August 16, 2008

A Nhatquanglan Virus?
Sit with me as you discover what this “folder” is and how you can protect yourself from a possible threat to your personal security. The “folder” I am talking about is the Nhatquanglan virus, a really annoying virus that takes away your power over your PC by blocking important programs from running.

It disguises itself as a folder but is actually a program that sends your personal information out over the internet for everyone to see. You may or may not have the Nhatquanglan virus on your PC yet, but to be safe, it would be wise to learn how it can affect you and how to protect yourself.

If you are not careful, here are just some of the ways this virus can affect you.


Nhatquanglan Virus blocks Device Manager
Device Manager is the page where you manage everything that is connected to your PC. This includes hard disk drives, modems, printers, monitors - you name it, it’s there. You use it to replace the old driver software that makes a particular computer part work, to change hardware settings, to add a new piece of hardware, to stop a device from working completely, and more.
Aside from this, Device Manager is usually the place where tech support tells their clients to go when dealing with problems with their PCs. When you are infected by the Nhatquanglan virus, all your power to change the settings of the peripherals on your PC is gone. Now, when a modem does not work, you cannot check what is wrong with it - and you can’t connect to the internet either.


Nhatquanglan Virus and Task Manager

Aside from not letting you use your PC’s Device Manager, there are other ways this virus can give you a hard day. When your PC is infected with the Nhatquanglan virus and a program you are using has crashed or hung, you no longer have the power to “kill” the offending program, because Nhatquanglan will not let you use Task Manager - one of the useful tools included with your Windows installation.
Because you cannot use Windows Task Manager, you cannot lock your PC every time you take a break - making it possible for everyone to look at what you are doing. There are other ways that the Nhatquanglan virus can give you a bad day, and some of them you might not want to know.
Let’s not talk about how annoying the Nhatquanglan virus is anymore - I think you already have an idea. If you want more, here is a list of annoyances it can give you.


* It does not allow you to run Regedit to change Windows XP registry settings.
* It will not allow you to run the Command Prompt, which is the only place some of the more important Windows XP commands can be used.
* It will not allow you to change File Type Extensions. Too bad, because you can use this tweak to make Microsoft Excel 2007 start faster.
* You cannot change whether a folder is hidden or not - you just cannot do that, because it takes away the Folder Options.
* It can infect other PCs as well - annoying if you are on a network. It can also transfer itself to thumb drives (iPods, flash disks, etc.).

Time to protect yourself from a possible headache because of a Nhatquanglan virus infection.

You’ll now discover how this virus works…
The Nhatquanglan disguises itself as a folder inside the folder it has infected. Too confusing? Let me put it this way: suppose you have a folder named CLEAN. The virus will make a copy of itself in the CLEAN folder, using CLEAN as its name. Now you have a program named CLEAN inside the CLEAN folder.


Here’s a tip: to tell whether it’s a program and not a real folder, hover your mouse over it and look at the tool tip that pops up. A real folder will not show the words “File Version:”. If it does, do not open or double-click it! That might be the Nhatquanglan virus!

Behind the Screen

The following files are created:
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\SCVVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe

The virus is copied to other computers on the network in their Shared Documents:
\\ABC\SharedDocs\New Folder.exe
\\ABC\SharedDocs\scvshosts.exe
\\ABC\SharedDocs\autorun.inf

Modifies some files in the “Documents and Settings” folder:
C:\Documents and Settings\Piyush Chandra\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Piyush Chandra\Cookies\index.dat
C:\Documents and Settings\Piyush Chandra\Local Settings\History\History.IE5\index.dat

Modifies some registry keys at:
\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4c4da22e-f800-11db-8de6-806d6172696f}\BaseClass, etc.
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions
\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\, etc.
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\, etc.
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\, etc.
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable

Modifies some system files:
C:\Documents and Settings\Piyush Chandra\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Piyush Chandra\Cookies\index.dat
C:\Documents and Settings\Piyush Chandra\Local Settings\History\History.IE5\index.dat

Runs the following commands under DOS (only virus version 1,1,1,1 does this):
C:\WINDOWS\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\cmd.exe /C AT /delete /yes
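The two tells described above (a program named after the folder it sits in, and the fixed filenames the worm drops) can be checked with a simple directory scan. The script below is an added example written for this post, not the author's or any vendor's tool; the sample tree it scans is constructed in a temporary directory, and the filename list is taken from the write-up above.

```python
import os
import tempfile

# Filenames the write-up above attributes to the worm (compared lower-cased).
KNOWN_WORM_FILES = {
    "scvhsot.exe", "scvvhsot.exe", "scvshosts.exe",
    "hinhem.scr", "blastclnnn.exe", "new folder.exe",
}
# Extensions Explorer will run on double-click even when shown with a folder icon.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def find_suspects(root):
    """Walk `root` and return sorted (relative_path, reason) pairs for files that
    are either named like their own parent folder with an executable extension
    (the CLEAN\\CLEAN.exe disguise) or carry one of the worm's known filenames.
    Relative paths use '/' so results look the same on every platform."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for name in files:
            stem, ext = os.path.splitext(name)
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if ext.lower() in EXEC_EXTS and stem.lower() == parent:
                hits.append((rel, "folder-named executable"))
            elif name.lower() in KNOWN_WORM_FILES:
                hits.append((rel, "known worm filename"))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree: one disguised copy, two dropped files, and the
    legitimate svchost.exe that must NOT be flagged (note the spelling)."""
    root = tempfile.mkdtemp()
    for rel in ("CLEAN/CLEAN.exe", "CLEAN/notes.txt", "Photos/trip.jpg",
                "Photos/New Folder.exe", "WINDOWS/hinhem.scr",
                "WINDOWS/system32/svchost.exe"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder")  # contents do not matter for a name check
    return root


if __name__ == "__main__":
    for rel, reason in find_suspects(build_sample_tree()):
        print(f"{reason:24s} {rel}")
```

Point `find_suspects` at a real drive or share to list candidates; it only reports names, so confirm each hit (the “File Version:” tool tip is one quick check) before deleting anything.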

Nhatquanglan Virus Removal Instructions
What I am about to reveal to you is how I got rid of a Nhatquanglan infection using only one free tool that you can download over the Internet. This fix worked for me, but your results may vary - use the guide I am about to give at your own risk. Or use antivirus software that scans your PC for viruses and let it do the work for you.
To start, you need to have a copy of ComboFix saved on your PC. ComboFix scans your drive for possible infections and tries to delete the three hidden files that Nhatquanglan uses to make copies of itself. ComboFix is a free tool.

CLICK TO DOWNLOAD COMBOFIX

I am assuming that you have saved it on the C:\ drive.

Restart your PC in Safe Mode, then install and run ComboFix.

ComboFix will now do its job - scanning your PC for Nhatquanglan infections. Just follow what ComboFix says. After it finishes, a log file showing what ComboFix has done will open. Hopefully, ComboFix has cleaned your PC of the Nhatquanglan virus infection.

But to be sure, you need to do some last-minute cleaning.

Go to the Command Prompt and do the following (without the quotes), hitting the Enter key after each command:
“cd \”
“del c:\windows\system32\scvshosts.exe”
“del c:\windows\system32\blastclnnn.exe”
“del c:\windows\hinhem.scr”


What you just did is delete the three Nhatquanglan files. Take note of the spelling, especially scvshosts.exe. This is different from svchost.exe, which is an important Windows XP file!
You also need to remove a task that the Nhatquanglan virus schedules. This virus adds one task to the Task Scheduler, so every time you start your PC it executes this task, which makes copies of the virus. This is how it manages to appear again and again even if you have deleted the three Nhatquanglan files: scvshosts.exe, blastclnnn.exe and hinhem.scr. To remove the scheduled task, you need to look at the list of tasks. You do this by going to the Command Prompt and typing the following commands (without the quotes):
“cd \”
“cd windows\tasks”
“del *.job”

The last command above deletes everything in the Windows\Tasks folder. If you have tasks scheduled that you do not want deleted, you need to check each one manually. A scheduled task that has scvshosts.exe as the program to run needs to be deleted.

FOR COMPLETE REMOVAL, ALSO RUN THESE COMMANDS:

End Task (updated on 27/11/2007)
Start > Run
taskkill /f /t /im "New Folder.exe"
taskkill /f /t /im "SCVVHSOT.exe"
taskkill /f /t /im "SCVHSOT.exe"
taskkill /f /t /im "scvshosts.exe"
taskkill /f /t /im "hinhem.scr"
taskkill /f /t /im "blastclnnn.exe"


Enable Task Manager
1. Start > Run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
2. Start > Run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f


Enable Regedit
1. Start > Run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
2. Start > Run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f


Folder Options & Hidden Files
1. Start > Run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
2. Start > Run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
3. Start > Run
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f
4. Start > Run
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 2 /f


Other steps

Delete the files:
C:\WINDOWS\SCVVHSOT.exe
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe

Modify some registry values:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Shell REG_SZ –> explorer.exe
\Software\Microsoft\Windows\CurrentVersion\Run\ Yahoo Messengger –> delete