nhatquanglan Virus
nhatquanglan / SCVHSOT / new folder virus / scvshosts
Virus File Name
~~~~~~~~~~~~
New Folder.exe
Size: 192/196KB
virus file version 1,1,1,1
Icon: Folder
SCVHSOT.exe
Size: 192/196KB
Attributes: Hidden+System
virus file version 1,1,1,1
Icon: Folder
scvshosts.exe
Size: 247/248KB
Attributes: Hidden+System
virus file version 2,2,2,2
Icon: Folder
(added on 5 Dec, 2007)
File Name :SCVVHSOT
Icon :Folder
Type of file :Application
Size :283KB/288KB
Modified :June 10,2007
Attributes :ReadOnly,Hidden,System,Archive
File version :3.2.2.0
CompiledScript :AutoIt v3 Script : 3, 2, 2, 0
File Version :3, 2, 2, 0
etc.
Symptoms
~~~~~~~~
You will find these files in your Windows folder, Shared Documents, etc.
Tools>Folder Option is disabled.
You are unable to see hidden files.
Task Manager is disabled.
Regedit is disabled.
If you are on a LAN connection, you will unknowingly be spamming the chat box.
e.g.:
"http://nhatquanglan.xlphp.net/"
"C:\WINDOWS\hinhem.scr"
Behind the Screen
~~~~~~~~~~~~~~~~~
The following files are created:
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\SCVVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe
The virus is copied to the Shared Docs of other computers on the network.
\\ABC\SharedDocs\New Folder.exe
\\ABC\SharedDocs\scvshosts.exe
\\ABC\SharedDocs\autorun.inf
Modifies some files in the "Documents and Settings" folder:
C:\Documents and Settings\Piyush Chandra\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Piyush Chandra\Cookies\index.dat
C:\Documents and Settings\Piyush Chandra\Local Settings\History\History.IE5\index.dat
Modifies some registries at:
Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4c4da22e-f800-11db-8de6-806d6172696f}\BaseClass, etc.
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths, etc.
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, etc.
Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
Software\Microsoft\Windows\CurrentVersion\Internet Settings, etc.
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
Modifies some system files:
C:\Documents and Settings\Piyush Chandra\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Piyush Chandra\Cookies\index.dat
C:\Documents and Settings\Piyush Chandra\Local Settings\History\History.IE5\index.dat
Runs the following commands under DOS (only by the virus version 1,1,1,1):
C:\WINDOWS\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\cmd.exe /C AT /delete /yes
Solution
~~~~~~
End Task (updated on 27/11/2007)
————————
Start> run
taskkill /f /t /im "New Folder.exe"
taskkill /f /t /im "SCVVHSOT.exe"
taskkill /f /t /im "SCVHSOT.exe"
taskkill /f /t /im "scvshosts.exe"
taskkill /f /t /im "hinhem.scr"
taskkill /f /t /im "blastclnnn.exe"
Enable Task Manager
——————-
1. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
2. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
Enable Regedit
————–
1. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
2. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
Folder Option & Hidden Files
—————————-
1. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
2. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
3. Start> run
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f
4. Start> run
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 2 /f
Other steps
——————
Delete the files
C:\WINDOWS\SCVVHSOT.exe
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe
Modify some registries
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell REG_SZ --> explorer.exe
Software\Microsoft\Windows\CurrentVersion\Run Yahoo Messengger --> delete
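A read-only check for the registry changes listed above, as an added example that is not part of the original post: it scans the text of a .reg export for the three policy locks, the Winlogon Shell value and the "Yahoo Messengger" Run entry. The function names and the sample export (including its Shell and Run data) are constructed for illustration.

```python
import re

# Value names the page lists under ...\Policies\System and ...\Policies\Explorer.
POLICY_VALUES = {"disabletaskmgr", "disableregistrytools", "nofolderoptions"}
POLICY_KEYS = (r"\currentversion\policies\system", r"\currentversion\policies\explorer")
WINLOGON_KEY = r"\microsoft\windows nt\currentversion\winlogon"
RUN_KEY = r"\microsoft\windows\currentversion\run"

# Constructed sample in .reg export syntax; the Shell and Run data are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SCVHSOT.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\SCVHSOT.exe"
'''

def parse_reg_export(text):
    """Yield (key, value_name, raw_data) for each named value in .reg text."""
    key = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            yield key, m.group(1), m.group(2)

def find_indicators(text):
    """Return (key, value_name, reason) for each change the page describes."""
    hits = []
    for key, name, data in parse_reg_export(text):
        low, lname = key.lower(), name.lower()
        if low.endswith(POLICY_KEYS) and lname in POLICY_VALUES:
            if data.startswith("dword:") and int(data[6:], 16) != 0:
                hits.append((key, name, "tool disabled by policy"))
        elif low.endswith(WINLOGON_KEY) and lname == "shell":
            if data.strip('"').lower() != "explorer.exe":
                hits.append((key, name, "Winlogon Shell is not explorer.exe"))
        elif low.endswith(RUN_KEY) and lname == "yahoo messengger":
            hits.append((key, name, "Run entry named on the page"))
    return hits
```

Regedit writes version 5.00 exports as UTF-16, so read a real file with `open(path, encoding="utf-16")` and pass its text to `find_indicators`.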
Precaution
~~~~~~~~~
Never double-click files that look like folders; use the folder view for navigation instead.
You may like to disable “Shared Documents”.

20 May, 2008 at 1:04 pm
My task manager, regedit and msconfig are disappearing within a fraction of a second. What can I do?
20 May, 2008 at 7:49 pm
My task manager, regedit and msconfig are again in a disabled condition after restarting the system. Please help me.
23 May, 2008 at 12:00 pm
Hello Piyush…
Thanks a lot…. and HATS OFF for your work…
28 May, 2008 at 4:14 pm
hello, just w/ a problem after I opened this site there was something that appeared on our screen, it says Registry Editor has been disabled by your administrator. Is it something serious??
and also about the messenger my status message was changing and my messenger is also sending a message in a different language w/ a link is it a virus and is it dangerous to click on the link?? we have installed and uninstalled the yahoo messenger many times now and about the Autoit V3 Svchost is appearing w/ a message that says there is no disk in somewhere in the pc what is it?? how to remove those virus can you please give me a link for those websites. thank you!
28 May, 2008 at 4:46 pm
Thanks for supporting and solution to this virus problem, it worked very well for
Great job
thanks
venky
3 June, 2008 at 11:20 am
it is fine
13 June, 2008 at 2:59 pm
ISHAAN
search for files *.exe and mention the size limits between what n what
DEANN
sad
follow the manual steps or
follow the “Self Troubleshooting”
MANICKAM
follow the “Self Troubleshooting”
RODMHAR
after opening this site !!!
follow the “Self Troubleshooting”
16 June, 2008 at 1:27 pm
Thank you very much
it helps me a lot
23 June, 2008 at 2:53 pm
In my system, folders named cool stuff, secrets, songs etc. are created automatically, can u please tell the remedy for this virus
29 June, 2008 at 5:00 pm
why can't i delete these files….
30 June, 2008 at 8:13 am
Trang Web nay coi cung hay, vao coi thu di http://www.freewebtown.com/gaigoisaigon/
how can i cure this please help thanks a lot
1 July, 2008 at 7:59 am
Dear Piyush,
I don’t have words to thank you. I was dealing with this virus. I used heals as well as the long process (it seems that heals need some more fine tuning). The regedit is working so is folder options, msconfig, yah.oo messenger and task manager. However a peculiar problem that I am facing is that whenever I boot my computer it shows ‘windows/system32.newvirusremoval.vbs’ not found. Could you kindly help me with this. I have only one OS and that is XP.
3 July, 2008 at 10:50 pm
Hey thanks man for your help
MY PC is working just fine..god bless u
9 July, 2008 at 7:51 pm
hi.. pls tell me if i run any antivirus to remove nhatquanglan, will it lead to loss of any data??
pls reply me
10 July, 2008 at 5:05 pm
I have the same Newvirusremoval.vbs problem. I suppose that's in addition to the XPC infosystems error. Prakhar, are you facing the XPC infosystems problem as well?
17 July, 2008 at 8:17 pm
Hi,
I used the “Heal” provided on your website but don’t know whether the virus is gone or not. The folders still have the sub-folders with same names.
Please help.
21 July, 2008 at 10:17 pm
am suffering a problem with the virus named C:\WINDOWS\hinhem.scr.
My yahoo messenger is infected and sent msg automatically to all senders. Please help me.
C:\WINDOWS\hinhem.scr
22 July, 2008 at 4:39 pm
follow manual steps for self troubleshooting at
http://piyushlabs.wordpress.com/self-troubleshooting-manual-steps-to-kick-out-any-virus/
PRABHAKAR
use Autoruns.exe from sysinternals.com
ABDUL
u will lose some virus files
SOM
follow manual steps for self troubleshooting at
http://piyushlabs.wordpress.com/self-troubleshooting-manual-steps-to-kick-out-any-virus/
KALPIT
search for files *.exe with file size accordingly
NIRAJ
please use Heal_nhatquanglan or
follow manual steps for self troubleshooting at
http://piyushlabs.wordpress.com/self-troubleshooting-manual-steps-to-kick-out-any-virus/
5 August, 2008 at 5:22 pm
hey Piyush,
I have a problem with my yahoo messenger….some weird sites get automatically forwarded and hinhem.src also gets automatically forwarded in chat window…………whichever symptoms u have stated…all r there with my P.C…….but I don't know how to tackle it……m not really a computer wizard….have tried the steps above but it doesn't work!!!!!!!!!
20 August, 2008 at 7:21 am
i still can't remove the nhatquanglan virus, i followed the steps though…
i can't find some folders or .exe to delete…
but thanks for the info, i used SpyBot SD to block registry changes and execution of application…
i still need some help, can u email me a very step by step process to remove it?
monciarrosima@yahoo.com