
SVCHOST.EXE and EXPLORER.EXE Virus


2 replies to this topic

#1 jamesharden


Posted 29 November 2013 - 03:24 AM

Hi,

I'm New Here.

Can Anyone Help Me To REMOVE PERMANENTLY the two viruses?

SVCHOST.EXE AND EXPLORER.EXE

And When I Use an Antivirus program to remove it, it is successfully removed, but then it still occurs in another scan


Edited by hamluis, 30 November 2013 - 12:11 PM.
Moved from Win 7 to Am I Infected - Hamluis.



 


#2 Ben151


Posted 29 November 2013 - 03:44 AM

These are the following tips on how to remove the SCVHOST.EXE virus/worm. First we must know what SCVHOST.EXE is.

What is SCVHOST.EXE?

In some antivirus programs it is detected as W32/YahLover.Worm.gen from McAfee Antivirus and Win32/Autorun.R.worm from NOD32.

This virus installs itself onto your PC by using its INF file, autorun.inf. The autorun.inf file has a script that triggers execution of SCVHOST.EXE. This mostly occurs on a removable disk, where you will notice that there is an Autoplay option instead of Open. Once you double-click the drive or removable disk, autorun.inf runs its script, which triggers execution of SCVHOST.EXE and spreads it onto your system. It also copies itself to all your shared folders and to computers throughout the network, and runs itself from the registry entries remotely using a GUEST account (through System:Remote).

Symptoms:

  • When you press Ctrl+Alt+Del, it blocks the Task Manager from launching.
  • It blocks the Registry Editor.
  • When you try to go to the command prompt (CMD), it restarts the computer.
  • The shared folders will duplicate themselves to different locations of. The duplicated virus uses a FOLDER icon with an .exe file extension.
  • The configuration of your Yahoo Messenger has been changed.

How to Remove It

OK here we go, you must follow these steps to remove this virus manually:

  • Restart your PC, press F8 and select the option Safe Mode Command Prompt Only
  • After you get to the command prompt, you must log in as Administrator.
  • Type cd C:\windows\system32
  • Type dir /ah to display all hidden files in this directory. You will see the following files, which are used by the virus to spread itself: AUTORUN.INI, BLASTCLNNN.EXE, and SCVHOST.EXE
  • Type ATTRIB -H -R -S SCVHOST.EXE
  • Type ATTRIB -H -R -S BLASTCLNNN.EXE
  • Type ATTRIB -H -R -S AUTORUN.INI
  • Type DEL SCVHOST.EXE
  • Type DEL BLASTCLNNN.EXE
  • Type DEL AUTORUN.INI
  • Type CD\
  • Type ATTRIB -H -R -S AUTORUN.INF
  • Type DEL AUTORUN.INF

You are almost done, reboot your PC, you may sit back and relax.. :) while loading...

Go to the Start Menu, click Run and type the REGEDIT command. Take note guys, before making any changes in your Registry Editor you must make a full back-up of your registry to avoid system errors. :)

Look at the location entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, if you see an entry Yahoo! Messengger (it’s spelled like this) with a value c:\windows\system32\scvhost.exe, delete this entry.

Look at the location entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, in the entry named SHELL, with a value = Explorer.exe,SCVHOST.EXE. Edit this value, delete the SCVHOST.EXE only, and the value must be Explorer.exe. Once you delete all of this value, your computer will not log in anymore.

OK we are now done.. Please Restart your PC now and Enjoy!!! 
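
A read-only way to check the two registry locations named in the post above before editing anything, as an added example that is not part of the original post or written by its author: it parses text saved from `reg query` and reports a Run entry whose target file is scvhost.exe and any program listed after Explorer.exe in the Winlogon Shell value. The SAMPLE text is constructed for illustration, and the function names are hypothetical.

```python
import re

# Registry locations named in the post above (compared case-insensitively).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower()
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".lower()

# Constructed sample of `reg query` output, not captured from a real machine.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Yahoo! Messengger    REG_SZ    c:\windows\system32\scvhost.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe,SCVHOST.EXE
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
"""

# Value lines are "    <name>    <type>    <data>"; names may contain spaces.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")

def parse_reg_query(text):
    """Return {key_path_lowercased: {value_name: data}} from `reg query` text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group(1)] = m.group(3).strip()
    return keys

def audit(keys):
    """Report the two conditions described in the post; nothing is modified."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Compare only the file name, so the legitimate svchost.exe never matches.
        if data.lower().replace('"', "").split("\\")[-1].startswith("scvhost.exe"):
            findings.append(("run", name, data))
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None:
        extra = [p.strip() for p in shell.split(",")
                 if p.strip() and p.strip().lower() != "explorer.exe"]
        if extra:  # anything besides Explorer.exe also starts at logon
            findings.append(("shell", "Shell", ",".join(extra)))
    return findings

if __name__ == "__main__":
    for kind, name, data in audit(parse_reg_query(SAMPLE)):
        print(f"[{kind}] {name} -> {data}")
```
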



#3 noknojon


Posted 29 November 2013 - 03:44 AM

Hello -

I would not start to remove any of these programs without further investigation -

 

Can I ask you what makes you think that either of these are infections on your system ?

Do you have any specific problems related to either program ??

 

Thank You -


Edited by noknojon, 29 November 2013 - 03:48 AM.




