Virus and Virus Removal
- 9/03/2007 06:17:00 AM - 3 comments
Remove SCVHOST.EXE from PC
At last, I have something new to share. This is after being infected by some sort of malware (probably a Trojan or a worm; I don't know how to classify it because I'm not an expert). Here is the scenario: a friend of mine had a problem opening/accessing her USB drive. I tried to help her by plugging the USB drive into my PC and, voilà, I was infected. The first thing I noticed was that the malware had somehow sent a message to my friend, who was online in Y! Messenger. Checking the system, I found that my registry had been edited, because I was unable to access Task Manager, Registry Editor, Folder Options, and the command prompt (DOS). After 5 hours of non-stop PC tinkering, I think I might have the solution. So here it goes:
NOTE: Do not confuse SCVHOST.EXE with SVCHOST.EXE. SVCHOST.EXE is used by Windows itself; it should be running whenever you boot up your system.
Needed software and codes:
- autoruns - a tiny program, very useful for stopping other software from starting up with Windows
- registrar lite - a registry editing tool, good for searching registry entries
and my personal registry codes (technically not personal; I took them from somebody's work and added my touch):
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 0 /f
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
- first code - enables Task Manager
- second code - enables CMD from Run
- third code - enables REGEDIT from Run
- fourth code - enables Folder Options in Control Panel
Steps on how to remove SCVHOST.EXE
1. Download and install Registrar Lite. Autoruns comes as a zip file and does not need to be installed: just extract the files and run Autoruns by double-clicking the application autoruns.exe.
2. You need to regain access to Task Manager so that you can stop/end the scvhost.exe process. Copy the first code and paste it into the Run dialog. To open Run, press the Windows key + R on your keyboard. Right-click on your system tray and select Task Manager. Once Task Manager is open, look for SCVHOST.EXE and end that task. You can also copy and paste the other codes to enable registry editing, Folder Options, and the command prompt.
3. Run Autoruns and look for the following registry entries that call scvhost.exe in the Image Path column.
Try here:
- 1st: You'll find one just below Explorer.exe; uncheck the folder icon and delete it.
- 2nd: Another folder-icon entry says Yahoo Messenger but calls scvhost.exe; delete that one too.
- 3rd: In the Scheduled Tasks tab, double-click on AiT.* and delete that task.
4. Run Registrar Lite and search for SCVHOST.EXE. Delete all registry entries that point to SCVHOST.EXE.
5. Search your whole PC for SCVHOST.EXE. Delete all files shown in the results and you are done.
HOPE THIS HELPS.
Note: SCVHOST.EXE may take another name, such as SSCVIIHOST.EXE. If this is the case, modify your searches to match the malware's new name. Do not open USB drives by double-clicking their icons in My Computer; I'd suggest disabling AutoPlay on all drives and using ExplorerXP rather than the built-in Windows Explorer. As I was editing this blog, I changed my antivirus from Avira to NOD32, and surprisingly NOD32 recognized scvhost.exe as a worm (Win32/Hakaglan.D, to be exact), while Avira could not. Heads up to you guys using Avira as antivirus: even with the latest virus definition files (as of September 1, 2007), you can still be infected by this worm.
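The two checks the post does by eye, telling SCVHOST.EXE (and renamed variants such as SSCVIIHOST.EXE) apart from the genuine SVCHOST.EXE, and scanning the Image Path column of the autostart entries in step 3, can be scripted. The block below is an added example, not code from the post or from Autoruns/Registrar Lite. It assumes an export with Location, Entry and ImagePath columns (the column names and the sample rows are constructed for this example); the allowlist of Windows host processes and the System32/SysWOW64 locations are assumptions as well.

```python
# Added example (not from the original post): triage autostart entries for
# executables that imitate Windows' svchost.exe. Input is a constructed CSV
# export; a real run would feed it a dump of Run keys / scheduled tasks.
import csv
import io
import ntpath
from typing import List, Optional, Tuple

# Assumed allowlist of genuine Windows "host" binaries and where they live.
KNOWN_HOST_BINARIES = {"svchost.exe", "taskhost.exe", "dllhost.exe", "conhost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute) to spot near-miss names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_image(image_path: str) -> Optional[str]:
    """Return a reason string if the image path looks like an svchost imposter, else None."""
    path = image_path.strip().strip('"').lower()
    # Drop command-line arguments such as "-k DcomLaunch" after the executable.
    idx = path.find(".exe")
    if idx != -1:
        path = path[: idx + 4]
    name = ntpath.basename(path)
    directory = ntpath.dirname(path)
    if name in KNOWN_HOST_BINARIES:
        # Genuine name: only suspicious when it does not live in a system directory.
        if directory not in SYSTEM_DIRS:
            return f"system binary name outside System32: {directory}\\{name}"
        return None
    for good in sorted(KNOWN_HOST_BINARIES):
        if levenshtein(name, good) <= 2:  # e.g. scvhost.exe vs svchost.exe
            return f"lookalike of {good}: {name}"
    if "host" in name and name.endswith(".exe"):
        # Catches heavier mutations such as sscviihost.exe that edit distance misses.
        return f"unrecognised host-style executable: {name}"
    return None


def triage(csv_text: str) -> List[Tuple[str, str, str]]:
    """Parse 'Location,Entry,ImagePath' rows and return (location, entry, reason) for hits."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = classify_image(row["ImagePath"])
        if reason:
            hits.append((row["Location"], row["Entry"], reason))
    return hits


# Constructed sample modelled on the entries the post describes (not real data).
SAMPLE_EXPORT = r"""Location,Entry,ImagePath
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell,Explorer.exe,C:\Windows\explorer.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Yahoo Messenger,C:\Windows\scvhost.exe
Task Scheduler,AiT.job,C:\Windows\system32\SSCVIIHOST.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,svchost,C:\Documents and Settings\user\svchost.exe
HKLM\System\CurrentControlSet\Services,DcomLaunch,C:\Windows\system32\svchost.exe -k DcomLaunch
"""

if __name__ == "__main__":
    for location, entry, reason in triage(SAMPLE_EXPORT):
        print(f"{location} :: {entry} :: {reason}")
```

The three rules mirror the post's reasoning: an exact system name in the wrong folder, a near-miss spelling of a system name, and an unknown binary that borrows the "host" suffix. The last rule is deliberately loose, so treat its output as a list to inspect rather than to delete blindly.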
thanks man
thanks... the enabling part was particularly helpful... I logged in using Linux, deleted scvhost.exe and blastcln.exe, and then rebooted. Using XP, I enabled the services, and finally I am free of all trouble :)
Ah, yes, the registry tweaks are very useful. Good thing you have Linux running (dual OS, I presume). You could have used BartPE to remove the virus. I've been doing that ever since I successfully made a BartPE CD. I also made a little tweak to BartPE to automatically update virus definitions for me. I'm planning to make a tutorial for it as soon as I have the time. For now, it is nice to know that I have helped. Cheers!