Friday, June 24, 2011

How to remove Virus ?

How to remove the scvhost.exe Virus

Svchost.exe is the name of a generic host process for services that run from dynamic link libraries (DLLs). A variety of worm malware programs spread a similarly named file Scvhost.exe via Yahoo! Messenger that blocks the Task Manager and Registry Editor, as well as use of the command prompt.

Warning
Manual removal of Scvhost.exe may be very difficult as the removal process requires knowledge of the Operating System's command prompt and Registry Editor. If not performed properly, your computer system might experience permanent damage. Consequently, manual removal might be best for experienced users. Less experienced users might want to consider using an automatic spyware removal application, such as that offered by Trend Micro. This worm duplicates itself to different locations of shared folders. The duplicated program uses a folder icon that has an .exe file extension. DO NOT double click on any of these folders.

Follow these step by step instructions to remove the scvhost.exe virus.

Step 1 (Turning off System Restore)
This is so that if you ever need to use System Restore after you have removed the virus, it doesn't restore the virus aswell.

If the operating system of the infected computer is either Windows Me or Windows XP, turn off System Restore while this fix is being implemented. To turn off System Restore within Windows Me, click Start > Settings > Control Panel. Double-click System. Select File System from the Performance tab. Left click the Troubleshooting tab and check the Disable System Restore box. Click OK.
To turn off System Restore within Windows XP, log in as Administrator and click Start. Right click My Computer" and select Properties from the shortcut menu. Check the Turn off System Restore option for each drive on the System Restore tab. Left click Apply and Yes to confirm when prompted. Click OK.

Step 2 (Run in safe mode)
Restart your computer in Safe Mode and log in as Administrator. Press F8 after the first beep occurs during start up, before the display of the Microsoft Windows logo. Select the first option, to run Windows in Safe Mode from the selection menu.

Step 3 (Accessing Command prompt)
Access the command prompt. Click Start > Run. Type cmd. Click OK. Then in the command prompt type cd to change directory then press the space bar.
Type the name of the full directory path of the folder containing your Windows system files. It will be eitherC:\Windows\System or C:\Windows\System 32

Step 4
From the command prompt, type the following to unprotect the files for removal:
attrib -h -r -s scvhost.exe and press Enter;
attrib -h -r -s blastclnnn.exe and press "Enter;
attrib -h -r -s autorun.inf and press Enter.

Step 5
Delete the files by typing the following from the command prompt:
del scvhost.exe and press Enter;
del blastclnnn.exe and press Enter;
del autorun.ini and press Enter.

Step 6
Type "cd\" to return to the main Windows directory.
Unprotect and delete the Autorun.inf file by typing the following from the Windows directory command prompt:
attrib -h -r -s autorun.inf and press Enter;
del autorun.inf and press Enter;
Type regedit and press Enter to open the Registry Editor.

Step 7
Locate the following entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the incorrectly spelled Yahoo! Messenger entry with the value
c:\windows\system32\scvhost.exe.

Step 8
Locate the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
Within the key, there is a shell entry with the value of explorer.exe, scvhost.exe. Edit the entry to remove the reference to Scvhost.exe, leaving Explorer.exe as the remaining value in the registry entry.

Step 9
Locate the following key:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>
Delete the following subkeys from the left panel:
RpcPatch
RpcTftpd
Exit the command prompt and return to the operating system. Type Exit, and press Enter.

Step 10
Reboot the PC.
If Scvhost.exe still resides on the computer, repeat these steps or try using an automatic removal program from McAfee or Symantec.

No comments:

Post a Comment