http://www.nhanhlen.com/ -- is it infected by virus.

  • Thread starter Thread starter 2Sweet
  • Start date Start date
2

2Sweet

When double-click 'C' or 'D' drive in "My Computer", it goes to the link
http://www.nhanhlen.com/ intead of showing the content of the drive.
Could it be the workstation infected by virus? Symantec antivirus did not
detect virus after performed a full scan.
 
This can be an adware, which is represented as BHO (Browser Helper Object)
which hooks DocumentComplete & BeforeNavigate events, since when you go to
some folder location, these events are fired, adware takes control,
retrieves the path of a folder, and makes popup.

Try to change the AV, or try to remove the registered BHO extension.

--
Volodymyr

"2Sweet" wrote in message
news:e38NlN1VIHA.1208@TK2MSFTNGP03.phx.gbl...
> When double-click 'C' or 'D' drive in "My Computer", it goes to the link
> http://www.nhanhlen.com/ intead of showing the content of the drive.
> Could it be the workstation infected by virus? Symantec antivirus did not
> detect virus after performed a full scan.
>
 
Thanks for the response!
Can guide me how to remove the registered BHO extension?


"Volodymyr Shcherbyna" wrote in message
news:O$wvQR1VIHA.3400@TK2MSFTNGP03.phx.gbl...
> This can be an adware, which is represented as BHO (Browser Helper Object)
> which hooks DocumentComplete & BeforeNavigate events, since when you go to
> some folder location, these events are fired, adware takes control,
> retrieves the path of a folder, and makes popup.
>
> Try to change the AV, or try to remove the registered BHO extension.
>
> --
> Volodymyr
>
> "2Sweet" wrote in message
> news:e38NlN1VIHA.1208@TK2MSFTNGP03.phx.gbl...
>> When double-click 'C' or 'D' drive in "My Computer", it goes to the link
>> http://www.nhanhlen.com/ intead of showing the content of the drive.
>> Could it be the workstation infected by virus? Symantec antivirus did
>> not detect virus after performed a full scan.
>>
>
>
 
http://www.microsoft.com/windowsxp/using/w...donmanager.mspx

But usually, I open regedit and look at the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects

It contains list of GUIDS - these are class ids of COM extensions (in a
simple words, GUID is some long and strange number). Basically, edit the
GUID, for example, my first GUID is: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

I just edit it by changing the first elements,
{BLA49E9F-C8D7-4D59-B87D-784B7D6BE0B3}and then you can try to check, whether
the bug disappeared or not. If not, restore the original value of GUID and
play with second GUID.

Also, remember, that adwares and other crap tryies to restore it's GUIDs in
BHO registry keys. So, if you delete the entry from registry, it appears
there again within second. This also can be checked.

--
Volodymyr

"2Sweet" wrote in message
news:uXHaxg1VIHA.5596@TK2MSFTNGP05.phx.gbl...
> Thanks for the response!
> Can guide me how to remove the registered BHO extension?
>
>
> "Volodymyr Shcherbyna" wrote in message
> news:O$wvQR1VIHA.3400@TK2MSFTNGP03.phx.gbl...
>> This can be an adware, which is represented as BHO (Browser Helper
>> Object) which hooks DocumentComplete & BeforeNavigate events, since when
>> you go to some folder location, these events are fired, adware takes
>> control, retrieves the path of a folder, and makes popup.
>>
>> Try to change the AV, or try to remove the registered BHO extension.
>>
>> --
>> Volodymyr
>>
>> "2Sweet" wrote in message
>> news:e38NlN1VIHA.1208@TK2MSFTNGP03.phx.gbl...
>>> When double-click 'C' or 'D' drive in "My Computer", it goes to the link
>>> http://www.nhanhlen.com/ intead of showing the content of the drive.
>>> Could it be the workstation infected by virus? Symantec antivirus did
>>> not detect virus after performed a full scan.
>>>
>>
>>
>
>
 
Also, this tool:
http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx will help you
to manage explorer's BHO's.

--
Volodymyr
"Volodymyr Shcherbyna" wrote in message
news:%235cBjp1VIHA.4196@TK2MSFTNGP04.phx.gbl...
> http://www.microsoft.com/windowsxp/using/w...donmanager.mspx
>
> But usually, I open regedit and look at the following key:
> HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser
> Helper Objects
>
> It contains list of GUIDS - these are class ids of COM extensions (in a
> simple words, GUID is some long and strange number). Basically, edit the
> GUID, for example, my first GUID is:
> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
>
> I just edit it by changing the first elements,
> {BLA49E9F-C8D7-4D59-B87D-784B7D6BE0B3}and then you can try to check,
> whether the bug disappeared or not. If not, restore the original value of
> GUID and play with second GUID.
>
> Also, remember, that adwares and other crap tryies to restore it's GUIDs
> in BHO registry keys. So, if you delete the entry from registry, it
> appears there again within second. This also can be checked.
>
> --
> Volodymyr
>
> "2Sweet" wrote in message
> news:uXHaxg1VIHA.5596@TK2MSFTNGP05.phx.gbl...
>> Thanks for the response!
>> Can guide me how to remove the registered BHO extension?
>>
>>
>> "Volodymyr Shcherbyna" wrote in message
>> news:O$wvQR1VIHA.3400@TK2MSFTNGP03.phx.gbl...
>>> This can be an adware, which is represented as BHO (Browser Helper
>>> Object) which hooks DocumentComplete & BeforeNavigate events, since when
>>> you go to some folder location, these events are fired, adware takes
>>> control, retrieves the path of a folder, and makes popup.
>>>
>>> Try to change the AV, or try to remove the registered BHO extension.
>>>
>>> --
>>> Volodymyr
>>>
>>> "2Sweet" wrote in message
>>> news:e38NlN1VIHA.1208@TK2MSFTNGP03.phx.gbl...
>>>> When double-click 'C' or 'D' drive in "My Computer", it goes to the
>>>> link http://www.nhanhlen.com/ intead of showing the content of the
>>>> drive.
>>>> Could it be the workstation infected by virus? Symantec antivirus did
>>>> not detect virus after performed a full scan.
>>>>
>>>
>>>
>>
>>
>
>
 
From: "Volodymyr Shcherbyna"

| This can be an adware, which is represented as BHO (Browser Helper Object)
| which hooks DocumentComplete & BeforeNavigate events, since when you go to
| some folder location, these events are fired, adware takes control,
| retrieves the path of a folder, and makes popup.

| Try to change the AV, or try to remove the registered BHO extension.

| --
| Volodymyr


If it was a BHO was is it affecting Explorer and NOT Internet Explorer ?


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
From: "2Sweet"

| When double-click 'C' or 'D' drive in "My Computer", it goes to the link
| http://www.nhanhlen.com/ intead of showing the content of the drive.
| Could it be the workstation infected by virus? Symantec antivirus did not
| detect virus after performed a full scan.





For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE 2007
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantis...efreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper
Objects
that may be on the PC.

* BHODemon
http://www.majorgeeks.com/downloadget.php?...04332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose Unzip
Choose Close

Execute C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Events from Windows Explorer also fires DocumentComplete and BeforeNavigate,
and the path is the path from address bar of Windows Explorer.

--
Volodymyr

"David H. Lipman" wrote in message
news:%23TtfVw2VIHA.3556@TK2MSFTNGP02.phx.gbl...
> From: "Volodymyr Shcherbyna"
>
> | This can be an adware, which is represented as BHO (Browser Helper
> Object)
> | which hooks DocumentComplete & BeforeNavigate events, since when you go
> to
> | some folder location, these events are fired, adware takes control,
> | retrieves the path of a folder, and makes popup.
>
> | Try to change the AV, or try to remove the registered BHO extension.
>
> | --
> | Volodymyr
>
>
> If it was a BHO was is it affecting Explorer and NOT Internet Explorer ?
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
I just fixed this problem from my computer a few minutes ago and have
restarted my system, so this is a verified solution. The problem began when I
plugged in a USB drive that has been in contact with a public PC.

Treatment:
* Run the file 'autoruns' available from the zip file downloadable from
. Go to the
second tab ('Logon'), untick the entry 'shell.dll.exe' and then right-click
it to select delete. If warned, give your affirmative to delete. (You may
want to try deleting it straightaway instead of unticking first, I am just
retelling how I did it.)

* in WINDOWS directory (e.g. C:\WINDOWS), remove the file 'shell.dll.exe'
Note that the file 'shell.dll' - without the .exe extension - should be in
\WINDOWS\SYSTEM32, \WINDOWS\SYSTEM and \WINDOWS\SYSTEM32\dllcache folders
[http://icrontic.com/forum/showpost.php?p=167042&postcount=4].

* go to Task Manager (i.e. press CTRL-ALT-DEL), go to the Process tab, click
on 'web.exe' and then click the button End Process. Do the same to
'shell.dll.exe' i.e. End Process the 'shell.dll.exe'.

* then go to My Computer, RIGHT-CLICK (do not double-click!!) on your fixed
drives (e.g. C and D), click EXPLORE. Delete the files 'autorun.inf' and
'web.exe' in each drive. Then delete these files from the Recycle Bin too. At
this stage, left-clicking your fixed drives will still go to the autoplay. It
will prompt that 'web.exe' cannot be found. Right-clicking the drives will,
on the other hand, show a bolded autoplay i.e. the default action for
double-clicking the drive.

* Restart the system and the above-mentioned autoplay on the fixed drives
won't be there anymore.


"2Sweet" wrote:

> When double-click 'C' or 'D' drive in "My Computer", it goes to the link
> http://www.nhanhlen.com/ intead of showing the content of the drive.
> Could it be the workstation infected by virus? Symantec antivirus did not
> detect virus after performed a full scan.
>
>
>
 
I forgot to add that you will need to change the files-view settings in the
windows explorer to see the relevant files.

Go to windows explorer (e.g. by going to My Computer), go the menu Tools
(ALT-T), click Folder Options..., choose the tab View, activate Show Hidden
Files And Folders and UNtick the Hide Protected Operating System Files
(Recommended) and, for the latter, click Yes when they ask whether you are
sure. Click OK at the Folder Options dialog box.

Do the opposite after you restart your computer doing the steps in the
previous post. I.e. DEactivae Show Hidden Files And Folders and retick the
Hide Protected Operating System Files (Recommended). Click OK at the Folder
Options dialog box.

"fjsalim" wrote:

> I just fixed this problem from my computer a few minutes ago and have
> restarted my system, so this is a verified solution. The problem began when I
> plugged in a USB drive that has been in contact with a public PC.
>
> Treatment:
> * Run the file 'autoruns' available from the zip file downloadable from
> . Go to the
> second tab ('Logon'), untick the entry 'shell.dll.exe' and then right-click
> it to select delete. If warned, give your affirmative to delete. (You may
> want to try deleting it straightaway instead of unticking first, I am just
> retelling how I did it.)
>
> * in WINDOWS directory (e.g. C:WINDOWS), remove the file 'shell.dll.exe'
> Note that the file 'shell.dll' - without the .exe extension - should be in
> WINDOWSSYSTEM32, WINDOWSSYSTEM and WINDOWSSYSTEM32dllcache folders
> [http://icrontic.com/forum/showpost.php?p=167042&postcount=4].
>
> * go to Task Manager (i.e. press CTRL-ALT-DEL), go to the Process tab, click
> on 'web.exe' and then click the button End Process. Do the same to
> 'shell.dll.exe' i.e. End Process the 'shell.dll.exe'.
>
> * then go to My Computer, RIGHT-CLICK (do not double-click!!) on your fixed
> drives (e.g. C and D), click EXPLORE. Delete the files 'autorun.inf' and
> 'web.exe' in each drive. Then delete these files from the Recycle Bin too. At
> this stage, left-clicking your fixed drives will still go to the autoplay. It
> will prompt that 'web.exe' cannot be found. Right-clicking the drives will,
> on the other hand, show a bolded autoplay i.e. the default action for
> double-clicking the drive.
>
> * Restart the system and the above-mentioned autoplay on the fixed drives
> won't be there anymore.
>
>
> "2Sweet" wrote:
>
> > When double-click 'C' or 'D' drive in "My Computer", it goes to the link
> > http://www.nhanhlen.com/ intead of showing the content of the drive.
> > Could it be the workstation infected by virus? Symantec antivirus did not
> > detect virus after performed a full scan.
> >
> >
> >
 
Back
Top