Tuesday, August 12, 2008

VIRUS SOLUTION: Nhatquanglan.exe, New Folder.exe

Virus Details

Names:

Nhatquanglan.exe
New Folder.exe
SCVHSOT.exe
SVCHSOT.exe
SCVSHOSTS.exe
SVCCHSOT.exe
SVCCHOST.exe

Size: around 194 KB - 196 KB, depending on the variant

Processes commonly running:

Nhatquanglan.exe
SVCHSOT.exe
SCVHSOT.exe
New Folder.exe

Icon: a standard folder icon (the file is actually an .exe)

You have the virus if you see any one of the symptoms below:

  • Inside every folder X there is a second "folder" named X (actually X.exe with a folder icon).
  • There is a "folder" called New Folder.exe.
  • Nhatquanglan.exe shows up in Task Manager (before Task Manager gets blocked).
  • Task Manager is blocked.
  • Regedit is blocked.
  • Folder Options is blocked.
  • msconfig is blocked.
  • A startup item called "Yahoo Messengger" is present (note the two g's).
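As an added example (not part of the original post), the scan below checks a directory tree for the first two symptoms and for the file names listed above, applies the 194-196 KB size band as a supporting indicator, and reads what an autorun.inf on a drive root would launch (the `open=` / `shellexecute=` keys are the standard autorun.inf keys, not something the post states). The sample tree it builds is constructed here for illustration; the benign Tools\Tools.exe is included to show that an .exe named after its parent folder is not proof on its own.

```python
# Added example, not code from the original post: an IOC scan for the
# "folder X inside folder X" symptom, the dropped file names and autorun.inf.
import os
import tempfile
from pathlib import Path

# File names the post lists (matched case-insensitively).
KNOWN_NAMES = {
    "nhatquanglan.exe", "new folder.exe", "scvhsot.exe", "scvshosts.exe",
    "svcchsot.exe", "svcchost.exe", "svchsot.exe",
}
# Size band from the post ("around 194 KB - 196 KB"), in bytes.
SIZE_MIN, SIZE_MAX = 194 * 1024, 196 * 1024


def is_folder_mimic(path: Path) -> bool:
    """An .exe carrying the same name as the folder that contains it."""
    return path.suffix.lower() == ".exe" and path.stem.lower() == path.parent.name.lower()


def scan_tree(root) -> dict:
    """Return {relative_path: [reasons]} for every file that trips an indicator.

    The size band is only added as a reason when another indicator already
    matched, because many legitimate executables are 194-196 KB.
    """
    root = Path(root)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reasons = []
            if name.lower() in KNOWN_NAMES:
                reasons.append("name listed in the post")
            if is_folder_mimic(p):
                reasons.append("exe named after its parent folder")
            if reasons and SIZE_MIN <= p.stat().st_size <= SIZE_MAX:
                reasons.append("size in 194-196 KB band")
            if reasons:
                hits[p.relative_to(root).as_posix()] = reasons
    return hits


def autorun_target(drive_root):
    """What an autorun.inf at drive_root would run (open= or shellexecute=), else None."""
    inf = Path(drive_root) / "autorun.inf"
    if not inf.is_file():
        return None
    section, found = None, {}
    for raw in inf.read_text(encoding="utf-8", errors="ignore").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()   # section names are case-insensitive
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            found.setdefault(key.strip().lower(), value.strip())  # first key wins
    return found.get("open") or found.get("shellexecute")


def build_sample_tree(base) -> None:
    """Constructed sample data: two infected-looking folders and one benign look-alike."""
    base = Path(base)
    filler = b"\x00" * (195 * 1024)                                # inside the size band
    (base / "Photos").mkdir()
    (base / "Photos" / "Photos.exe").write_bytes(filler)           # folder X inside folder X
    (base / "Docs").mkdir()
    (base / "Docs" / "New Folder.exe").write_bytes(filler)         # name from the post
    (base / "Docs" / "notes.txt").write_text("harmless")
    (base / "Tools").mkdir()
    (base / "Tools" / "Tools.exe").write_bytes(b"MZ" * 512)        # 1 KB: mimic by name only
    (base / "autorun.inf").write_text(
        "[AutoRun]\n;constructed drive-root autorun.inf\n"
        "open=Docs\\New Folder.exe\nicon=Docs\\New Folder.exe\n"
    )


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {"hits": scan_tree(tmp), "autorun": autorun_target(tmp)}


if __name__ == "__main__":
    result = demo()
    for path, reasons in sorted(result["hits"].items()):
        print(f"{path}: {', '.join(reasons)}")
    print("autorun.inf would launch:", result["autorun"])
```

On a real machine you would call `scan_tree` on each drive root instead of the temp directory and `autorun_target` on `C:\`, `D:\` and so on; a hit that carries both a name/mimic reason and the size reason is the one to treat as the dropper.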

Virus Removal Steps:

First re-enable Task Manager and Regedit using the method from the first post; otherwise run the registry entries in the .BAT below to get them back temporarily.
Download TuneUp Utilities and follow the standard three steps:

1. Kill the process (use the TuneUp task manager if Task Manager is disabled).
2. Remove the files from the file system (use Unlocker if a file is locked).
3. Remove the registry entries (use the TuneUp registry editor if regedit is disabled).


Technicalities:

The following .BAT code automates the same three steps described above.

You can either copy this code and save it as virusRemover.BAT, or download it from here.
Run it (double-click) in Safe Mode. The steps are:
  1. Restart computer
  2. Keep pressing F8
  3. Choose one of the three Safe Mode options
  4. Login to your Account
  5. Double-Click on this file
  6. Once it is done, restart back normally
______________________________________________________

@echo off
title Nhatquanglan.exe Removal
cls
echo Nhatquanglan.exe / New Folder.exe Removal
echo Killing Virus Processes...
pause
REM In Safe Mode these are normally not running, so "not found" from taskkill is expected.
taskkill /IM "New Folder.exe" /t /f
taskkill /IM "nhatquanglan.exe" /t /f
taskkill /IM "SVCHSOT.exe" /t /f
taskkill /IM "SCVHSOT.exe" /t /f
taskkill /IM "SCVSHOSTS.exe" /t /f
taskkill /IM "SVCCHSOT.exe" /t /f
taskkill /IM "SVCCHOST.exe" /t /f
pause
echo Deleting Virus files from file-System...
pause
del "%windir%\SVCHSOT.exe" /f /a
del "%windir%\SCVHSOT.exe" /f /a
del "%windir%\system32\SVCHSOT.exe" /f /a
del "%windir%\system32\SCVHSOT.exe" /f /a
del "%windir%\system32\blastclnnn.exe" /f /a
REM The heap41a folders, MicrosoftPowerPoint.exe and the drive-root autorun.inf are also
REM removed; each del is harmless if the file is absent. /q stops the "Are you sure" prompt
REM that del otherwise raises for a *.* wildcard and would block an unattended run.
del "C:\heap41a\*.*" /f /q /a
del "D:\heap41a\*.*" /f /q /a
del "E:\heap41a\*.*" /f /q /a
del "F:\heap41a\*.*" /f /q /a
del "C:\autorun.inf" /f /a
del "C:\MicrosoftPowerPoint.exe" /f /a
del "D:\autorun.inf" /f /a
del "D:\MicrosoftPowerPoint.exe" /f /a
del "E:\autorun.inf" /f /a
del "E:\MicrosoftPowerPoint.exe" /f /a
del "F:\autorun.inf" /f /a
del "F:\MicrosoftPowerPoint.exe" /f /a
echo Reverting Registry Entries...
echo Enabling Registry...
pause
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
echo Enabling TaskManager...
pause
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
echo Enabling Run...
pause
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRun /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 0 /f
echo Enabling Control Panel...
pause
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 0 /f
echo Enabling Folder Options...
pause
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
echo Enabling Hidden Files...
pause
REM These are the Windows defaults for the "Show hidden files" radio buttons in Folder Options.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f
echo Removing Autoruns...
pause
REM "Yahoo Messengger" (two g's) is the startup item listed under the symptoms. The post does
REM not say which hive it lives in, so both the per-user and the machine Run keys are tried.
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f
REM Clear the policy Run key and the per-user RunOnce key (each is created first so that the
REM delete cannot fail with "key not found").
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /f
echo Fixing Explorer Handles...
pause
REM Reset the Winlogon shell to plain Explorer.exe in case it was altered.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe /f
echo Finishing...
echo Nhatquanglan.exe Remover terminated successfully
pause
exit

______________________________________________________
