Contact me

Please comment in the comment section on how useful the removal methods were.

This will encourage me to post more removal methods.

Tuesday, July 15, 2008

Remove Nhatquanglan i.e. New Folder.exe Virus

New Folder.exe Virus, also known as Nhatquanglan, is a very common virus with a high replication rate. It disguises itself as scvhsot.exe, whereas the actual Windows process is svchost.exe. The virus drops a copy of itself every time you attach removable media to your computer. Besides this, it disables the registry editor and Task Manager and removes the Task Manager option.

SOFTWARE REQUIRED
As your Task Manager, registry editor and folder options are disabled, we will need a couple of tiny but very helpful tools.
Click on them to download:
Security Task Manager
RRT

ATTACH YOUR INFECTED FLASH DRIVE (if any) TO YOUR COMPUTER AND MAKE A BACKUP OF THE DATA ON IT

REMOVAL STEPS
1. Install Security Task Manager and start it. You will see one, two or more processes named Nhatquanglan. Select all of them while holding the Ctrl key and remove them
(right click->remove ->end process-> yes)

2. Next, run the RRT software and remove all the restrictions. Now you will be able to open Task Manager and the registry editor. It will say you need a system restart, but you don't need it.

3. Go to Control Panel->Scheduled Tasks and delete the At1 task.

4. Next, open the C:\windows\system32 folder and click Tools->Folder Options->View tab.
Find the Hide protected operating system.... option and untick it.
Click YES on the warning-> click Apply and OK.

FORMAT YOUR REMOVABLE DISK WITHOUT OPENING IT, OTHERWISE YOU WILL HAVE TO REPEAT ALL THE STEPS

5. Next we need to delete some files.
Be careful here: if you double-click any of these files, you will have to start all over again from step 1.

In the C:\windows\system32 folder delete the following files.
(The last two files will have the icon of a folder as in the picture)
setting.ini
autorun.ini
SCVHSOT.exe (225792 bytes)
blastclnnn.exe (225792 bytes)

In the C:\windows folder delete the following files.
(The files will have icon of a folder)
SVCHSOT.exe (225792 bytes)
hinhem.scr (225792 bytes)

6. Empty Recycle bin

Now we need to do some registry editing
Please follow these steps very carefully as improper registry editing could lead to system crash.


7. Go to start->run->type regedit and press enter

8. Navigate to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and delete the string Yahoo Messengger with data pointing to SCVHSOT.exe

9. Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Find the string named shell on the right side with data Explorer.exe SCVHSOT.exe
Double-click it and change its value to Explorer.exe
You don't have to delete anything here.


10. Now, if your themes, appearance and settings are missing, you can download a small tool from here

Now your PC is clean of this nasty virus.
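
The checks from steps 3, 5, 8 and 9 as a read-only PowerShell script, added here as an example and not part of the original post. The function name and the Tasks\At1.job location are assumptions; the file names, the size and the registry values are taken from the steps above.

```powershell
# Added example: read-only check; it reports leftovers and deletes nothing.
$ExpectedSize = 225792   # bytes, the size the post lists for the four copies

$DroppedFiles = @(
    "$env:windir\system32\setting.ini",
    "$env:windir\system32\autorun.ini",
    "$env:windir\system32\SCVHSOT.exe",
    "$env:windir\system32\blastclnnn.exe",
    "$env:windir\SVCHSOT.exe",
    "$env:windir\hinhem.scr",
    "$env:windir\Tasks\At1.job"   # assumption: on-disk location of the At1 task
)

function Get-NhatquanglanLeftovers {   # hypothetical function name
    # Steps 3 and 5: files on disk. -Force also returns hidden and system files.
    foreach ($path in $DroppedFiles) {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $note = if ($item.Length -eq $ExpectedSize) { ', size matches post' } else { '' }
            New-Object PSObject -Property @{
                Type = 'file'; Indicator = $path; Detail = "$($item.Length) bytes$note" }
        }
    }

    # Step 8: any Run value whose data points at SCVHSOT.exe
    # (the post names the value "Yahoo Messengger").
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'SCVHSOT\.exe') {
                New-Object PSObject -Property @{
                    Type = 'run value'; Indicator = "$runKey\$($p.Name)"; Detail = $p.Value }
            }
        }
    }

    # Step 9: the Winlogon Shell data should be Explorer.exe and nothing else
    # (-ne compares strings case-insensitively).
    $wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $wlKey -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'Explorer.exe') {
        New-Object PSObject -Property @{
            Type = 'winlogon shell'; Indicator = "$wlKey\Shell"; Detail = $shell }
    }
}

$found = @(Get-NhatquanglanLeftovers)
if ($found.Count -eq 0) { 'No leftovers from the steps above were found.' }
else { $found | Select-Object Type, Indicator, Detail | Format-Table -AutoSize -Wrap }
```

Run it again after a reboot and after attaching the formatted removable disk; any row in the output means the matching step needs to be repeated.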

WORD OF CAUTION
Well as a word of caution, whenever you see a file with an icon of a folder, BE CAREFUL. In 99.99% cases it will be a virus ready to infect as soon as you double click it.

For any comments, suggestions or queries please use the comments section or click the contact me picture above.

1 comment:

Dr.Zero said...

Hey!

Thank You Very Much!

It really works!

hehe THNX