How to Remove the SVCHOST.exe Virus

By Colette Larson

Svchost.exe is the name of a generic host process for services that run from dynamic link libraries (DLLs). The legitimate file--located in the C:\Windows\System folder--checks the services portion of the Windows registry to verify and list the services that must load upon system start up. Multiple sessions of the file typically run while a system is operational, each session containing a separate group of services. A variety of worm malware programs spread a similarly named file--Scvhost.exe--via Yahoo! Messenger that blocks the Task Manager and Registry Editor, as well as use of the command prompt.

Instructions

Step 1

If the operating system of the infected computer is either Windows Me or Windows XP, turn off System Restore while this fix is being implemented. To turn off System Restore within Windows Me, click Start > Settings > Control Panel. Double-click "System." Select "File System" from the Performance tab. Left click the "Troubleshooting" tab and check the "Disable System Restore" box. Click "OK." To turn off System Restore within Windows XP, log in as Administrator and click "Start." Right click "My Computer" and select "Properties" from the shortcut menu. Check the "Turn off System Restore" option for each drive on the System Restore tab. Left click "Apply" and "Yes" to confirm when prompted. Click "OK."

Step 2

Restart your computer in Safe Mode and log in as Administrator. Press "F8" after the first beep occurs during start up, before the display of the Microsoft Windows logo. Select the first option, to run Windows in Safe Mode from the selection menu.

Step 3

Access the command prompt. Click Start > Run. Type "cmd." Click OK > CD (change directory) from the command prompt, press the space bar. Type the name of the full directory path of the folder containing your Windows system files. It will be either "C:\Windows\System" or "C:\Windows\System 32."

Step 4

From the command prompt, type the following to unprotect the files for removal:"attrib -h -r -s scvhost.exe" and press "Enter;""attrib -h -r -s blastclnnn.exe" and press "Enter;""attrib -h -r -s autorun.inf" and press "Enter."

Step 5

Delete the files by typing the following from the command prompt:"del scvhost.exe" and press "Enter;""del blastclnnn.exe" and press "Enter;""del autorun.ini" and press "Enter."

Step 6

Type "cd\" to return to the main Windows directory.Unprotect and delete the Autorun.inf file by typing the following from the Windows directory command prompt:"attrib -h -r -s autorun.inf" and press "Enter;""del "autorun.inf" and press "Enter;"Type "regedit" and press "Enter" to open the Registry Editor.

Step 7

Locate the following entry:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.Delete the incorrectly spelled Yahoo! Messenger entry with the value"c:\windows\system32\scvhost.exe."

Step 8

Locate the following key:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.Within the key, there is a "shell" entry with the value of "explorer.exe, scvhost.exe". Edit the entry to remove the reference to Scvhost.exe, leaving Explorer.exe as the remaining value in the registry entry.

Step 9

Locate the following key:HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Delete the following subkeys from the left panel:RpcPatchRpcTftpd Exit the command prompt and return to the operating system. Type "Exit," and press "Enter."

Step 10

Reboot the PC.If Scvhost.exe still resides on the computer, repeat these steps or try using an automatic removal program from McAfee or Symantec (see links in References).

Tips & Warnings

  • Manual removal of Scvhost.exe may be difficult as the removal process requires knowledge of the Operating System's command prompt and Registry Editor. In addition, different versions of this malware rename and relocate various file components. If not performed properly, your computer system might experience permanent damage. Consequently, manual removal might be best for experienced users. Less experienced users might want to consider using an automatic spyware removal application, such as that offered by Trend Micro.
  • This worm duplicates itself to different locations of shared folders. The duplicated program uses a folder icon that has an .exe file extension. DO NOT double click on any of these folders.