Tuesday, May 3, 2011

Removing SCVHOST.exe or W32/YahLover.Worm.gen

There is a strain of worm that hides itself under the name SCVHOST.EXE or SCVHOSTS.EXE (don't mistake it for SVCHOST.EXE, which is one of the vital programs of Windows; note the difference in spelling). McAfee detects it as W32/YahLover.Worm.gen and NOD32 as Win32/Autorun.R.worm. The worm gets onto a computer in more than one way.

* One is through autorun.inf: the worm writes an autorun.inf whose Open entry points at its own copy, so as soon as you double-click the drive in Explorer it runs and starts spreading itself to your system.

* The other event that I observed is that it copies itself through all the shared files of the computers on your network and installs itself in the registry entries remotely using a GUEST account (through System:Remote).

Characteristics of the Worm

* It blocks Task Manager when you press Ctrl+Alt+Del to invoke it.
* It blocks the Registry Editor (the worm changes the registry so that neither Task Manager nor the Registry Editor will run, which makes it harder to find and remove).
* It also restarts the computer when you try to go to the command prompt. (This is based on my experience with this worm when I tried to disinfect it manually.)
* It copies itself into different folders on each drive, taking the name of the folder it lands in. The copy uses a FOLDER icon, so it looks like just another folder.
* According to McAfee it changes the configuration of your Yahoo Messenger (see the McAfee write-up).
* It autostarts via the registry: it adds a value under Windows\CurrentVersion\Run and appends itself to the Shell value under Windows NT\CurrentVersion\Winlogon, next to Explorer.exe.

To remove the worm manually (this worked on my computer; if it doesn't work for you, use an anti-virus such as McAfee or NOD32):

1. Boot your system in Safe Mode with Command Prompt (press F8 while the computer is starting up, and pick that option from the menu). This matters because the worm is launched from the Winlogon Shell value and the Run key, and neither is used when Windows starts with the command prompt as its shell.
2. After you log in (LOG IN AS ADMINISTRATOR) a command prompt will open.
3. Type CD C:\WINDOWS\SYSTEM32 (assuming that your Windows system files are on drive C).
4. Type DIR /AH to list the hidden files in this folder. You should see the following files, which the worm uses to spread itself: AUTORUN.INI, BLASTCLNNN.EXE and SCVHOST.EXE. The ATTRIB commands below clear the hidden, read-only and system attributes so that DEL is allowed to remove them.
5. Type ATTRIB -H -R -S SCVHOST.EXE
6. Type ATTRIB -H -R -S BLASTCLNNN.EXE
7. Type ATTRIB -H -R -S AUTORUN.INI
8. Type DEL SCVHOST.EXE
9. Type DEL BLASTCLNNN.EXE
10. Type DEL AUTORUN.INI
11. Type CD\ to go to the root of the drive
12. Type ATTRIB -H -R -S AUTORUN.INF
13. Type DEL AUTORUN.INF. Repeat steps 11 to 13 on every other drive (D:, E:, USB sticks), because the autorun.inf at a drive's root is what launches the worm when that drive is opened.

After deleting the worm's files, remove its entries from the registry.

1. From the command prompt type REGEDIT.EXE to start the Registry Editor.
2. Go to the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. You will see a value named Yahoo! Messengger (misspelled exactly like that) whose data is c:\windows\system32\scvhost.exe. Delete this value.
3. Then go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. There is a value named Shell with the data Explorer.exe SCVHOST.EXE. Do not delete this value! Edit it and remove SCVHOST.EXE so that Explorer.exe is the only thing left in it; Windows needs this value to start the desktop.
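As an added example (not part of the original post), the PowerShell script below checks for the indicators listed under "Characteristics of the Worm" and, when run with -Remove, performs the same cleanup as the manual file and registry steps above: it clears the attributes and deletes the dropped files and any autorun.inf at a drive root that points at scvhost, removes the Yahoo! Messengger Run value, and strips SCVHOST.EXE from the Winlogon Shell value without deleting it. It assumes Windows is installed at %SystemRoot% and that the file and value names are exactly as the post gives them. The check of the DisableTaskMgr and DisableRegistryTools policy values is my assumption about how the Task Manager and regedit blocking is done; the post does not name the key. Run it from an elevated PowerShell prompt after booting into Safe Mode with Command Prompt, so the worm is not running while its files are removed.

```powershell
# Added example, not from the original post. Audits the SCVHOST.EXE indicators
# described above and, with -Remove, cleans them the same way the manual steps do.
# Assumptions: Windows lives at $env:SystemRoot; file/value names are as given in
# the post; the Policies\System values below are an assumption about how Task
# Manager and regedit are blocked (the post does not name the key).
param([switch]$Remove)

$sys32    = Join-Path $env:SystemRoot 'System32'
$dropped  = 'SCVHOST.EXE', 'SCVHOSTS.EXE', 'BLASTCLNNN.EXE', 'AUTORUN.INI' |
            ForEach-Object { Join-Path $sys32 $_ }
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'Yahoo! Messengger'          # misspelled exactly as the worm writes it
$logonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$polKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Every drive root can carry an autorun.inf whose open= line points at the worm.
function Get-AutorunHits {
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $d.Root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        # Hidden/system attributes do not stop Get-Content; -match is case-insensitive.
        $body = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue
        if ($body -match '^\s*(open|shellexecute)\s*=.*scvhost') { $inf }
    }
}

function Test-Indicators {
    $hits = @()
    foreach ($f in $dropped) {
        if (Test-Path -LiteralPath $f) { $hits += "file: $f" }
    }
    foreach ($inf in Get-AutorunHits) { $hits += "autorun: $inf" }

    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$runValue]) {
        $hits += "run: $runValue = $($run.$runValue)"
    }
    $shell = (Get-ItemProperty -Path $logonKey -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'Explorer.exe') { $hits += "winlogon shell: $shell" }

    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    foreach ($v in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($pol -and $pol.$v -eq 1) { $hits += "policy: $v = 1" }
    }
    $hits
}

function Remove-Indicators {
    foreach ($f in @($dropped) + @(Get-AutorunHits)) {
        if (Test-Path -LiteralPath $f) {
            # Same effect as ATTRIB -H -R -S followed by DEL.
            (Get-Item -LiteralPath $f -Force).Attributes = 'Normal'
            Remove-Item -LiteralPath $f -Force
            Write-Host "deleted $f"
        }
    }
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$runValue]) {
        Remove-ItemProperty -Path $runKey -Name $runValue
        Write-Host "removed Run value '$runValue'"
    }
    # Never delete Shell: drop the worm's token and keep Explorer.exe.
    $shell = (Get-ItemProperty -Path $logonKey -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell) {
        $clean = ($shell -split '\s+' | Where-Object { $_ -and $_ -notmatch '^scvhosts?\.exe$' }) -join ' '
        if (-not $clean) { $clean = 'Explorer.exe' }
        if ($clean -ne $shell) {
            Set-ItemProperty -Path $logonKey -Name Shell -Value $clean
            Write-Host "Winlogon Shell: '$shell' -> '$clean'"
        }
    }
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    foreach ($v in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($pol -and $pol.$v -eq 1) {
            Remove-ItemProperty -Path $polKey -Name $v
            Write-Host "cleared policy $v"
        }
    }
}

$found = @(Test-Indicators)
if ($found.Count -eq 0) { Write-Host 'No SCVHOST indicators found.' }
else {
    $found | ForEach-Object { Write-Host "FOUND $_" }
    if ($Remove) { Remove-Indicators } else { Write-Host 'Re-run with -Remove to clean.' }
}
```

Without -Remove the script only reports, so you can see exactly what it would touch before it changes anything; the Shell value is rewritten rather than deleted for the same reason the manual step warns against deleting it.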

I've tried these steps and they work. You should only try this if you know how to edit registry entries (try it at your own risk). Hope this helps you.
