How to Remove the SVCHOST.exe Virus
Svchost.exe is the name of a generic host process for services that run from dynamic link libraries (DLLs). The legitimate file--located in the C:\Windows\System folder--checks the services portion of the Windows registry to verify and list the services that must load upon system start up. Multiple sessions of the file typically run while a system is operational, each session containing a separate group of services. A variety of worm malware programs spread a similarly named file--Scvhost.exe--via Yahoo! Messenger that blocks the Task Manager and Registry Editor, as well as use of the command prompt.
Other People Are Reading
Instructions
-
Instructions
-
1
If the operating system of the infected computer is either Windows Me or Windows XP, turn off System Restore while this fix is being implemented. To turn off System Restore within Windows Me, click Start > Settings > Control Panel. Double-click "System." Select "File System" from the Performance tab. Left click the "Troubleshooting" tab and check the "Disable System Restore" box. Click "OK."
To turn off System Restore within Windows XP, log in as Administrator and click "Start." Right click "My Computer" and select "Properties" from the shortcut menu. Check the "Turn off System Restore" option for each drive on the System Restore tab. Left click "Apply" and "Yes" to confirm when prompted. Click "OK."
-
2
Restart your computer in Safe Mode and log in as Administrator. Press "F8" after the first beep occurs during start up, before the display of the Microsoft Windows logo. Select the first option, to run Windows in Safe Mode from the selection menu.
-
-
3
Access the command prompt. Click Start > Run. Type "cmd." Click OK > CD (change directory) from the command prompt, press the space bar.
Type the name of the full directory path of the folder containing your Windows system files. It will be either "C:\Windows\System" or "C:\Windows\System 32."
-
4
From the command prompt, type the following to unprotect the files for removal:
"attrib -h -r -s scvhost.exe" and press "Enter;"
"attrib -h -r -s blastclnnn.exe" and press "Enter;"
"attrib -h -r -s autorun.inf" and press "Enter."
-
5
Delete the files by typing the following from the command prompt:
"del scvhost.exe" and press "Enter;"
"del blastclnnn.exe" and press "Enter;"
"del autorun.ini" and press "Enter."
-
6
Type "cd\" to return to the main Windows directory.
Unprotect and delete the Autorun.inf file by typing the following from the Windows directory command prompt:
"attrib -h -r -s autorun.inf" and press "Enter;"
"del "autorun.inf" and press "Enter;"
Type "regedit" and press "Enter" to open the Registry Editor.
-
7
Locate the following entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the incorrectly spelled Yahoo! Messenger entry with the value
"c:\windows\system32\scvhost.exe."
-
8
Locate the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
Within the key, there is a "shell" entry with the value of "explorer.exe, scvhost.exe". Edit the entry to remove the reference to Scvhost.exe, leaving Explorer.exe as the remaining value in the registry entry.
-
9
Locate the following key:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>
Delete the following subkeys from the left panel:
RpcPatch
RpcTftpd
Exit the command prompt and return to the operating system. Type "Exit," and press "Enter."
-
10
Reboot the PC.
If Scvhost.exe still resides on the computer, repeat these steps or try using an automatic removal program from McAfee or Symantec (see links in References).
-
1
Tips & Warnings
Manual removal of Scvhost.exe may be difficult as the removal process requires knowledge of the Operating System's command prompt and Registry Editor. In addition, different versions of this malware rename and relocate various file components. If not performed properly, your computer system might experience permanent damage. Consequently, manual removal might be best for experienced users. Less experienced users might want to consider using an automatic spyware removal application, such as that offered by Trend Micro.
This worm duplicates itself to different locations of shared folders. The duplicated program uses a folder icon that has an .exe file extension. DO NOT double click on any of these folders.
References
Resources
- Photo Credit Ryan McVay/Photodisc/Getty Images
More Like This
Comments
View all 11 Comments-
the same on widows 7?
-
Peace) I`ve got a problem. this "thing" deleted my Norton Internet Security & simulated it like "Enhanced Protection Mode" of the same NIS. Tried to remove it, don`t really know what`s happened, but now I got only "safe-mode". & it`s loading as normal-mode, but it`s not. Any ideas?
-
I'm getting "file Not Found".
-
Follow the below to get the fully access control. Click Start >. Run > Type "regedit" (with out " "). > go to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services and look for BITS and Wuauserv. When you find BITS and Wuauserv click on it and check the key ImagePath to make sure it says "%SystemRoot%\System32\svchost.exe -k netsvcs" (with out " "). If it's something different right click the key and click "Modify" copy and paste. %SystemRoot%\system32\svchost.exe -k netsvcs. If you get an Error saying "Cannot edit ImagePath: Error writing value's new contents." Right click the folder BITS or Wuaserv (You will most likely have to do both) and select "Permissions..." Select full control. Go back to the ImagePath key and click Modify again and paste in. "%SystemRoot%\System32\svchost.exe -k netsvcs" (without the " "). Check these as well. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services (BITS and Wuauserv). HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services (BITS and Wuauserv). HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services (BITS and Wuauserv). Dimuthu Dharshana, Sri Lanka.
-
Hi! First I doing: attrib -h -r -s svchost.exe, but when I doing the "del svchost.exe" it said:" Access is denied." How to allow access?
