Saturday, April 3, 2010

How to Remove the SVCHOST.exe Virus

By Colette Larson, eHow Contributing Writer

Svchost.exe is the name of a generic host process for services that run from dynamic link libraries (DLLs). The legitimate file, located in the C:\Windows\System folder, checks the services portion of the Windows registry to verify and list the services that must load at system startup. Multiple sessions of the file typically run while a system is operational, each session containing a separate group of services. A variety of worm malware programs spread a similarly named file, Scvhost.exe, via Yahoo! Messenger; it blocks the Task Manager and Registry Editor, as well as use of the command prompt.
Difficulty: Challenging
Instructions

Step 1

If the operating system of the infected computer is either Windows Me or Windows XP, turn off System Restore while this fix is being implemented. To turn off System Restore within Windows Me, click Start > Settings > Control Panel. Double-click "System." Select "File System" from the Performance tab. Left click the "Troubleshooting" tab and check the "Disable System Restore" box. Click "OK."
To turn off System Restore within Windows XP, log in as Administrator and click "Start." Right click "My Computer" and select "Properties" from the shortcut menu. Check the "Turn off System Restore" option for each drive on the System Restore tab. Left click "Apply" and "Yes" to confirm when prompted. Click "OK."

Step 2

Restart your computer in Safe Mode and log in as Administrator. Press "F8" after the first beep occurs during start up, before the display of the Microsoft Windows logo. Select the first option, to run Windows in Safe Mode from the selection menu.

Step 3

Access the command prompt. Click Start > Run. Type "cmd" and click "OK." At the command prompt, type "cd" (change directory) followed by a space.
Type the full directory path of the folder containing your Windows system files. It will be either "C:\Windows\System" or "C:\Windows\System32."

Step 4

From the command prompt, type the following to unprotect the files for removal:
"attrib -h -r -s scvhost.exe" and press "Enter;"
"attrib -h -r -s blastclnnn.exe" and press "Enter;"
"attrib -h -r -s autorun.inf" and press "Enter."

Step 5

Delete the files by typing the following from the command prompt:
"del scvhost.exe" and press "Enter;"
"del blastclnnn.exe" and press "Enter;"
"del autorun.inf" and press "Enter."

Step 6

Type "cd\" to return to the main Windows directory.
Unprotect and delete the Autorun.inf file by typing the following from the Windows directory command prompt:
"attrib -h -r -s autorun.inf" and press "Enter;"
"del autorun.inf" and press "Enter."
Type "regedit" and press "Enter" to open the Registry Editor.

Step 7

Locate the following entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Delete the incorrectly spelled Yahoo! Messenger entry with the value
"c:\windows\system32\scvhost.exe."

Step 8

Locate the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
Within the key, there is a "shell" entry with the value of "explorer.exe, scvhost.exe". Edit the entry to remove the reference to Scvhost.exe, leaving Explorer.exe as the remaining value in the registry entry.

Step 9

Locate the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Delete the following subkeys from the left panel:
RpcPatch
RpcTftpd
Close the Registry Editor, then type "Exit" at the command prompt and press "Enter" to return to the operating system.

Step 10

Reboot the PC.
If Scvhost.exe still resides on the computer, repeat these steps or try using an automatic removal program from McAfee or Symantec.
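As an added, read-only check that is not part of the eHow article: the PowerShell script below looks for the same Scvhost.exe indicators the steps above remove (the Run entry, the Winlogon Shell value, the RpcPatch/RpcTftpd service keys and the dropped files) and reports what it finds without changing anything. It assumes a modern PowerShell and an elevated prompt; the list of folders searched is an assumption drawn from the paths the article names.

```powershell
# Added audit script, not from the eHow article. Reports indicators; deletes nothing.
# Run from an elevated PowerShell prompt so HKLM and hidden files are readable.
$findings = @()

# Step 7: a Run entry whose value points at scvhost.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'scvhost\.exe') {
            $findings += "Run entry '$($p.Name)' -> $($p.Value)"
        }
    }
}

# Step 8: the Winlogon Shell value should be exactly explorer.exe
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe')"
}

# Step 9: service keys the worm leaves behind
foreach ($svc in 'RpcPatch', 'RpcTftpd') {
    if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc") {
        $findings += "Service key present: $svc"
    }
}

# Steps 4-6: dropped files. Test-Path sees hidden/system files, so no attrib step is needed.
# Folder list is an assumption based on the paths named in the article.
$dirs = @($env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemDrive\")
foreach ($d in $dirs) {
    foreach ($f in 'scvhost.exe', 'blastclnnn.exe', 'autorun.inf') {
        $path = Join-Path $d $f
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }
}

if ($findings.Count -eq 0) { 'No Scvhost.exe indicators found.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

Run it before and after the manual steps; an empty result on the second run confirms the registry and file cleanup took effect.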

Source: How to Remove the SVCHOST.exe Virus



What is svchost.exe?

What is svchost.exe And Why Is It Running?

You are no doubt reading this article because you are wondering why on earth there are nearly a dozen processes running with the name svchost.exe. You can’t kill them, and you don’t remember starting them… so what are they?

So What Is It?

According to Microsoft: "svchost.exe is a generic host process name for services that run from dynamic-link libraries". Could we have that in English please?

Some time ago, Microsoft started moving all of the functionality from internal Windows services into .dll files instead of .exe files. From a programming perspective this makes more sense for reusability… but the problem is that you can’t launch a .dll file directly from Windows, it has to be loaded up from a running executable (.exe). Thus the svchost.exe process was born.

Why Are There So Many svchost.exes Running?

If you've ever taken a look at the Services section in Control Panel you might notice that there are a lot of services required by Windows. If every single service ran under a single svchost.exe instance, a failure in one might bring down all of Windows... so they are separated out.

Those services are organized into logical groups, and then a single svchost.exe instance is created for each group. For instance, one svchost.exe instance runs the 3 services related to the firewall. Another svchost.exe instance might run all the services related to the user interface, and so on.
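To see the grouping described above on a live system, here is an added PowerShell example (not from the second article). Each service's Win32_Service.PathName carries the "-k <group>" argument that names its svchost group, so grouping services by ProcessId shows which instance hosts which group. The expected-location list is an assumption: a genuine svchost.exe lives in System32 (or SysWOW64 on 64-bit Windows), so an instance running from anywhere else is worth a closer look.

```powershell
# Added example: map each running svchost.exe instance to its service group.
# Run as Administrator so Get-Process can read every process's path.
$expected = @("$env:SystemRoot\System32\svchost.exe", "$env:SystemRoot\SysWOW64\svchost.exe")

# Only services that are running (ProcessId != 0) inside an svchost.exe host
$hosted = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 -and $_.PathName -match '\\svchost\.exe' } |
    Group-Object ProcessId

foreach ($g in $hosted) {
    $first = $g.Group[0]
    # Pull the group name out of "...\svchost.exe -k netsvcs" style command lines
    $grp = if ($first.PathName -match '-k\s+(\S+)') { $Matches[1] } else { '(none)' }

    $proc = Get-Process -Id $g.Name -ErrorAction SilentlyContinue
    # Flag an svchost.exe that is not running from the expected system folders
    $flag = ''
    if ($proc -and $proc.Path -and ($expected -notcontains $proc.Path)) {
        $flag = " <-- unexpected path: $($proc.Path)"
    }

    "PID {0,-6} group {1,-22} {2} service(s){3}" -f $g.Name, $grp, $g.Count, $flag
    $g.Group | ForEach-Object { "    {0,-30} {1}" -f $_.Name, $_.State }
}
```

The output shows one block per svchost.exe process, which is why Task Manager lists many copies: each block is one logical group of services sharing a host.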

Source: What is svchost.exe And Why Is It Running?
