Life of a Blogger

Bleuken.i.ph is my first ever blog and gives me the opportunity to post on different topics that can help other people make money online and find their way through cyberspace. It started in Roxas City, Capiz, Philippines. This blog is intended to post advice on programming, web design, search engine optimization (SEO challenges, SEO contests), information about viruses and how to remove them, making money online, and some of my experiences online.

If you wish to make suggestions or send feedback, you can contact me at fbaguyo[at]hotmail[dot]com

Removing SCVHOST.exe or W32/YahLover.Worm.gen

November 5, 2007

There’s a strain of computer virus/worm that hides itself under the name SCVHOST.EXE or SCVHOSTS.EXE (don’t mistake it for SVCHOST.EXE, which is one of the vital programs of Windows; note the difference in spelling). It is detected as W32/YahLover.Worm.gen by McAfee Antivirus and as Win32/Autorun.R.worm by NOD32. This virus infects your computer by different means.

  • One is that it installs itself through an autorun.inf file, using the Open option of the AUTORUN section. Once you double-click the drive it runs and starts spreading itself to your system.
  • The other event that I observed is that it copies itself through all the shared files of the computers on your network and installs itself in the registry entries remotely using a GUEST account (through System:Remote).

Characteristics of the Virus

  • This virus/worm blocks Task Manager when you press Ctrl+Alt+Del to invoke it.
  • It blocks the registry (the worm changes the registry to prevent running Task Manager and the Registry Editor, which makes detection harder).
  • It also restarts the computer when you try to go to the command prompt. (This is based on my experience with this worm/virus when I tried to disinfect it manually.)
  • It copies itself to different folders on your drives and uses the name of the folder it is placed in. The copied virus/worm uses a FOLDER icon.
  • According to McAfee it changes the configuration of your Yahoo! Messenger (see the McAfee description).
  • It autostarts via the registry key Windows->Run and appends itself to the Explorer.exe value under WinNT->WinLogon.

To remove the virus manually (try this, it worked on my computer; if you can’t, try using an ANTI-VIRUS like McAfee or NOD32):

  1. Boot your system into Safe Mode with Command Prompt (press F8 while your computer restarts; a menu will be shown, select that option).
  2. After you log in, the command prompt will open (LOG IN AS ADMINISTRATOR).
  3. Type CD C:\WINDOWS\SYSTEM32 (assuming your Windows system files are on drive C).
  4. Type DIR /AH; this displays all hidden files in this folder. You will see the following files, which the virus uses to spread itself: AUTORUN.INI, BLASTCLNNN.EXE and SCVHOST.EXE.
  5. Type ATTRIB -H -R -S SCVHOST.EXE
  6. Type ATTRIB -H -R -S BLASTCLNNN.EXE
  7. Type ATTRIB -H -R -S AUTORUN.INI
  8. Type DEL SCVHOST.EXE
  9. Type DEL BLASTCLNNN.EXE
  10. Type DEL AUTORUN.INI
  11. Type CD\ (this takes you to the root of drive C)
  12. Type ATTRIB -H -R -S AUTORUN.INF
  13. Type DEL AUTORUN.INF

After removing the virus/worm files, the worm still has to be removed from the registry of your system.

  1. From the command prompt type REGEDIT.EXE; this runs the Registry Editor.
  2. In the registry, look for the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. You will see an entry named Yahoo! Messengger (it’s spelled like this, with a double g) with the value c:\windows\system32\scvhost.exe. Delete this entry.
  3. Then look for the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. There is an entry named SHELL whose value is Explorer.exe SCVHOST.EXE. Don’t delete this entry!!! Just edit it and REMOVE the SCVHOST.EXE part so that Explorer.exe is the only value that remains in this registry entry.
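The steps above are done by hand, and the comments below report the worm showing up under variant names (SCVHOSTS.EXE, SSCVHOSTII.EXE) and in extra locations. As an added example, not the blog author’s code, the following Python script applies the same checks to text collected during those steps: the file names from a DIR /AH listing, the entries under HKCU\...\CurrentVersion\Run, and the Winlogon Shell value. It only reads text, never the registry or disk, so it runs on any OS; the sample listing, Run entries and Shell value below are constructed, and the assumption that other worm variants follow the same misspelling pattern of svchost.exe is mine.

```python
"""Indicator triage for the SCVHOST.EXE / W32/YahLover.Worm.gen removal steps.

Added example, not the blog author's code.  It checks text gathered while
following the post (a DIR /AH listing, the Run entries, the Winlogon Shell
value) and reports what the manual clean-up would remove.  Sample inputs
are constructed.
"""
import re

# The legitimate Windows host process; the worm's file names are near-misspellings of it.
LEGIT_HOST = "svchost.exe"

# Worm name variants seen in the post and its comments: scvhost.exe, scvhosts.exe,
# sscvhostii.exe.  Assumption: other variants follow the same misspelling pattern.
WORM_NAME = re.compile(r"^s{1,2}cvhosts?(?:ii)?\.exe$", re.IGNORECASE)

# Companion files the post says the worm drops in SYSTEM32 and the drive root.
COMPANION_FILES = {"blastclnnn.exe", "autorun.ini", "autorun.inf"}

# One line of DIR output: date, time, size (or <DIR>), then the file name.
DIR_LINE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(?:<DIR>|[\d,]+)\s+(.+?)\s*$")


def base_name(path):
    """Return the file-name part of a Windows path, lower-cased."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_lookalike(filename):
    """True for worm-style names (scvhost.exe, SCVHOSTS.EXE, ...), False for the real svchost.exe."""
    name = base_name(filename)
    if name == LEGIT_HOST:
        return False
    return WORM_NAME.match(name) is not None


def suspicious_files(dir_listing):
    """Parse 'DIR /AH' output and return, in listing order, the hidden files the post names as worm files."""
    found = []
    for line in dir_listing.splitlines():
        m = DIR_LINE.match(line)
        if not m:
            continue
        name = m.group(1)
        if is_lookalike(name) or name.lower() in COMPANION_FILES:
            found.append(name)
    return found


def suspicious_run_entries(run_entries):
    """run_entries maps value name -> command, as under HKCU\\...\\CurrentVersion\\Run.
    Returns the entries whose program is a worm look-alike (the post's 'Yahoo! Messengger' entry)."""
    flagged = {}
    for name, command in run_entries.items():
        program = command.strip().strip('"').split()[0] if command.strip() else ""
        if is_lookalike(program):
            flagged[name] = command
    return flagged


def clean_shell_value(shell_value):
    """Winlogon 'Shell' should be just Explorer.exe.  Return (cleaned value, removed entries)
    so the worm's appended program is dropped without deleting the value itself."""
    entries = [e for e in re.split(r"[,\s]+", shell_value.strip()) if e]
    keep = [e for e in entries if e.lower() == "explorer.exe"]
    removed = [e for e in entries if e.lower() != "explorer.exe"]
    return (keep[0] if keep else "Explorer.exe"), removed


# Constructed sample of what step 4 (DIR /AH in SYSTEM32) might show on an infected XP box.
# The real svchost.exe is not hidden; it is included only to show it is not flagged.
SAMPLE_DIR_AH = """\
 Volume in drive C has no label.
 Directory of C:\\WINDOWS\\SYSTEM32

11/05/2007  08:28 PM            38,912 SCVHOST.EXE
11/05/2007  08:28 PM            38,912 BLASTCLNNN.EXE
11/05/2007  08:28 PM               142 AUTORUN.INI
08/04/2004  12:00 PM            14,336 svchost.exe
               4 File(s)         91,302 bytes
"""

# Constructed Run entries and Shell value matching the registry steps in the post.
SAMPLE_RUN = {
    "Yahoo! Messengger": r"c:\windows\system32\scvhost.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_SHELL = "Explorer.exe SCVHOST.EXE"


def triage(dir_listing, run_entries, shell_value):
    """Combine the three checks into one report dict."""
    cleaned, removed = clean_shell_value(shell_value)
    return {
        "files_to_delete": suspicious_files(dir_listing),
        "run_entries_to_delete": suspicious_run_entries(run_entries),
        "shell_value": cleaned,
        "shell_entries_removed": removed,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DIR_AH, SAMPLE_RUN, SAMPLE_SHELL).items():
        print(f"{key}: {value}")
```

The report lists exactly what steps 5 to 13 and the two registry edits would delete or rewrite, while leaving the real svchost.exe and unrelated Run entries alone; the Shell value is rebuilt rather than deleted, matching the warning in step 3.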

I’ve tried these steps and they work. You should try this only if you know how to edit registry entries (try it at your own risk). Hope this helps you.


Posted by bleuken at 8:28 pm

Previous Comments

Hi! Thanks for this. I’ve tried it several times; unfortunately I can’t seem to get rid of the virus. First, the virus on my computer is called SSCVHOSTII.EXE. It behaves exactly as you describe, but as you can see the name is different. Second, I can’t seem to do the REGEDIT part of the procedure. The files you mention there don’t exist on my comp. Finally, after I’ve followed the steps, I don’t know how to get out! Do I just do a hard reboot? I get this safe mode blank desktop, with nothing to click or type. Hope you can give me extra instructions. Thanks! BTW, my dad was born in Capiz.

Posted by Immanuel Magalit at February 14, 2008, 9:16 am

Hi,
thanks for your solution… but I’m also a Filipino whose USB (with my PhD thesis work) has been affected by this WORM. I’m not sure if my laptop got infected too, though our anti-virus here said the laptop files are not infected.

Can you help me please.

VA

Posted by VA at February 15, 2008, 3:09 pm

immanuel,

REGEDIT is usually located in c:\windows, so when you have started in Safe Mode Command Prompt (the “black desktop”), type C:\WINDOWS\REGEDIT.EXE at the prompt and press the ENTER key. This will invoke the REGISTRY EDITOR.

To restart your computer, type SHUTDOWN -R

Posted by bleuken at February 15, 2008, 6:24 pm

VA, is your laptop connected to the internet? If not, your anti-virus is not updated. What’s your antivirus?

You’ll know if you’re infected if some of your programs start and then terminate/end immediately. Another symptom is that when you press the CTRL+ALT+DEL combination, Task Manager closes or an error message is displayed.

Posted by bleuken at February 15, 2008, 6:28 pm

Thanks, Bleuken. Will try it again.

Posted by Immanuel Magalit at February 19, 2008, 9:01 am

Thanks a million for these instructions. I had a hard time getting rid of this virus on my wife’s laptop until I found these instructions.

I had to modify your approach somewhat - including following the steps you outline above when logged in as my wife as well as when logged in as Administrator, but your instructions gave me enough to go on.

In my case the file scvhost.exe had also copied itself to the C:\windows directory (as well as \System32). It was a hidden file there too.

If you have this virus you need to complete the unhide and file deletion steps before it’ll let you near the registry. It looks like the files may have variant names - you need to substitute the particular file name that’s appearing on your system into the instructions.

Thanks again for this - it was a big help to me.

Posted by Strombone at February 20, 2008, 9:02 am

Thanks much! I was able to remove the Virus using the steps you provided. Although I had to use a program called RRT because the virus prevented me from performing a registry edit. Thanks again!

Posted by kenny_cebu at March 12, 2008, 6:10 pm

I will try this. Happy to see this. On my laptop this virus does not allow me to install any antivirus either, so I cannot clean it using an antivirus. Let me try your way.

Posted by SP at March 13, 2008, 5:25 pm

Thanks Bleuken, but even after trying all the steps, I still find the scvhosts.exe running in the taskmgr.

Please help.

Posted by Mona at March 14, 2008, 7:16 pm

Maybe you see svchost.exe instead; make sure of the spelling. svchost.exe is a Windows system file and not a virus.

Posted by bleuken at March 14, 2008, 8:51 pm

Bro!
What is the meaning of these letters?

-H -R -S?

I’m pretty sure there is a meaning for each letter. :D

Just wondering, ’cause maybe one day someone will ask me about this H R & S thingy, especially if it’s a girl, and I might not be able to answer… hehehe..
Rubbish talk I have. :twisted:

Anyway, thanks in advance :)

Posted by clarence at March 19, 2008, 4:53 am

H, R and S stand for Hidden, Read-Only and System; they are attributes of a file. The -H -R -S parameters of ATTRIB clear these attributes on a file. Type ATTRIB /? for details of the ATTRIB command and the -H -R -S options.

Posted by bleuken at March 19, 2008, 7:39 am

how to use registry entries?

Posted by mjwafu at March 27, 2008, 3:58 pm

I am using XP SP2. I have a problem showing hidden files and folders; I have tried NOD32 and Antivir antivirus but none of them are working. Whenever I go to Folder Options and check the “Show hidden files” button, the check mark rolls back to the “Do not show hidden files” option, due to which I am unable to see the hidden files and remove the virus by knowing its name. Can you help me out with this?
Thanks

Posted by akash at March 28, 2008, 5:08 am

Try reading my post about the autorun.inf virus; there are instructions there on how to remove this kind of virus. To enable Folder Options, try this:

1. Save the text below as a .reg file (e.g. folder.reg) on your desktop
2. Double-click it to execute it…

—–COPY BELOW———————————
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000
———COPY ABOVE——————————
Note:

You can’t enable Folder Options if your registry is disabled! Try to enable the registry by using REGISTRY TOOLS; read my post on it. Good luck.

Posted by bleuken at March 28, 2008, 8:28 am

Hi.. I wanted to know some steps on how I can get rid of the virus on my computer.. It says that my running module contains the Trojan program ‘SpamTool.Win32.Agent.ib’ and cannot be disinfected… I wanted to reformat my computer but I can’t, because every time I boot my computer from CD it won’t boot from CD.. What should I do!!…

Posted by gary at April 19, 2008, 8:35 pm

Hi, thanks bleuken, you are the life saver, as all other options failed. I had this virus both on my PC and laptop, as I was using a memory card to transfer data from one to the other. Following your virus removal procedure I was able to remove this virus from my PC. In my case only the SCVHOST.EXE file was there, and no BLASTCNN.EXE or AUTORUN.INI file, and there was no registry entry in the H Key Current user——–/yahoo messenger as you mentioned, but in the H Key Local machine——-/ Shell, explorer.exe Scvhost.exe was there, which I edited as per your instructions. On my PC I am able to open REGEDIT & Task Manager in SAFE mode, but in normal mode it still gives a dialog box saying that registry editing has been disabled by the administrator. In the case of the laptop there is no SCVHOST.EXE, Blastclnnn.exe or Autorun.ini file in system32. In SAFE MODE I am not able to open regedit & Task Manager, but in normal mode I can open Regedit and Task Manager. Any advice? Thanks again

Posted by i.s.gambhir at April 22, 2008, 12:21 pm

i.s.gambhir, try this post http://bleuken.i.ph/blogs/bleuken/2007/12/18/enabling-or-disabling-the-registry-regeditexe/

Posted by bleuken at April 22, 2008, 12:53 pm

Thanks bleuken

I updated my McAfee AV, which helped in removing SSCVHOST.EXE,
but now I’m not able to access Task Manager or regedit, and ‘Folder Options’ is missing too.

Posted by mahen at May 19, 2008, 5:33 pm

I am really surprised to have such detailed information about the stated virus, and thank you very much for helping me.

Regards
Atta Jilani

Posted by Atta Jilani at June 6, 2008, 3:45 pm

I will surely try this.
Thanks anyway.

Posted by rohan at June 28, 2008, 3:50 pm
