Tip & How-To about Computers & Internet

Removing Sysinternals Trojan

Please follow these steps carefully.
There will be two executable files, Sysinternals Antivirus.exe and svchost.exe; svchost.exe is launched by the other one. There may be a third named alggui.exe.
You have to kill these processes.

  1. Start the Task manager by right clicking on the Taskbar.
  2. Go to Processes.
  3. Observe the processes.
  4. Right-click each process and select End Process for Sysinternals Antivirus.exe and alggui.exe. You will not be able to kill svchost.exe this way, however, since there will be more than one instance and each of the others represents a valid system process. To find the exact process started from the copy that resides in "Program Files", I recommend using Security Task Manager for Windows. Here is the link
  5. Use the tool and kill the exact process.
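As an added example (not part of this tip), here is a small Python triage script that applies the rule above to a process listing: the named rogue executables are flagged outright, and a svchost.exe is flagged when it runs from anywhere but System32 or was not started by services.exe (on XP the genuine instances are always children of services.exe). The process list is constructed inline; on a real machine you would feed it the name, image path and parent PID columns from a process tool.

```python
# Added example (not the tip's own code): flag the rogue processes the tip names
# and any svchost.exe that does not look like a genuine Windows service host.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ntpath

ROGUE_NAMES = {"sysinternals antivirus.exe", "alggui.exe"}   # named in the tip
SYSTEM32 = r"c:\windows\system32"                             # where the real svchost.exe lives


@dataclass
class Proc:
    pid: int
    ppid: int      # parent process id
    name: str
    path: str      # full image path, empty if unknown


def suspect_reason(p: Proc, by_pid: Dict[int, Proc]) -> Optional[str]:
    """Return why a process is suspect, or None if it passes the checks."""
    name = p.name.lower()
    if name in ROGUE_NAMES:
        return "rogue executable named in the tip"
    if name == "svchost.exe":
        if ntpath.dirname(p.path).lower() != SYSTEM32:
            return "svchost.exe running from outside System32"
        parent = by_pid.get(p.ppid)
        if parent is None or parent.name.lower() != "services.exe":
            return "svchost.exe not started by services.exe"
    return None


def triage(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, reason) for every suspect process, in listing order."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        reason = suspect_reason(p, by_pid)
        if reason:
            findings.append((p.pid, p.name, reason))
    return findings


# Constructed sample listing: two genuine service hosts, the rogue, and the two
# helpers it launched from Program Files (paths as given in the tip).
SAMPLE = [
    Proc(600, 500, "services.exe", r"C:\WINDOWS\system32\services.exe"),
    Proc(800, 600, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    Proc(900, 600, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    Proc(1500, 1200, "Sysinternals Antivirus.exe",
         r"C:\Program Files\Sysinternals Antivirus\Sysinternals Antivirus.exe"),
    Proc(1600, 1500, "svchost.exe", r"C:\Program Files\svchost.exe"),
    Proc(1700, 1500, "alggui.exe", r"C:\Program Files\alggui.exe"),
]

if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE):
        print(f"PID {pid:5d}  {name}: {reason}")
```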
Locating malicious files. The files I have already mentioned are in the list below, but there are more.
  • C:\Program Files\skynet.dat
  • C:\Program Files\svchost.exe
  • C:\Program Files\alggui.exe
  • %UserProfile%\Desktop\Sysinternals Antivirus.lnk
  • %UserProfile%\Start Menu\Programs\Sysinternals Antivirus\Sysinternals Antivirus.lnk
  • C:\Program Files\adc_w32.dll. You must unregister this one first; otherwise it will run again.
  • C:\Program Files\Sysinternals Antivirus\Sysinternals Antivirus.exe
  • %UserProfile%\Start Menu\Programs\Sysinternals Antivirus
  • C:\Program Files\Sysinternals Antivirus
  • Variants carry additional files: Sysinternals Antivirus.exe, adc_w32.dll, alggui.exe, extra1.dat, extra2.dat, nuar.old, skynet.dat, svchost.exe, wp3.dat, wp4.dat, dbsinit.exe, wispex.html, ccsmn.exe, ccsmn151.acf, csmn151.ltd, ccsmn151.lti, ccsmn151_0.acb, ccsmn151_0.aci, ccsmn151_0.mt, ccsrr.exe, wmharun.log, wmrun.log, Sysinternals Antivirus.lnk
You have to search for and delete each and every file.
Some additional settings are needed in order to see hidden and protected system files.
  1. Open My Computer.
  2. Go to Tools and then Folder Options.
  3. Click on View tab.
  4. Under the Option "Hidden Files and Folders", set it to "Show ..."
  5. Untick the "Hide Protected Operating System Files (Recommended)" as well.
  6. Now go to the C: partition and check whether you can see .sys files and other hidden files, including the System Volume Information folder. If so, the procedure was successful. Otherwise you have to edit the registry or use the DOS command window to locate and delete these files.
  7. Use the Windows search tool to search for the files. Before searching, set the More Advanced Options: check "All files and folders", drop down "More advanced options" and tick "Search system folders", "Search hidden files and folders" and "Search subfolders". Then run the search. If you find any of the files or folders, you have to delete them, but before deleting there is one more thing to do.
  • You have to stop the startup entries.
  • Click on the Start menu and choose Run (on Vista, type Run into the Start menu search box).
  • Type msconfig in the Run box and hit Enter.
  • Go to the "Startup" tab. Examine the entries and remove the unwanted ones; you can browse to the file to check the valid ones. Especially note Autorun.inf files: you must remove them if they exist. Note down the path to each malicious file, then uncheck the boxes, hit Apply, then OK.
  • Do not restart the system when you are asked to.
Stopping the System Restore service
  1. Go to Properties of My Computer.
  2. Go to the System Restore tab.
  3. Turn it off.
Now you are ready to delete the files. Click on each file and press SHIFT+DEL, which bypasses the Recycle Bin. Do not right-click and choose Delete.
Alternative way if hidden files and folders are not shown
  • Get the Run box again, type in cmd and press Enter.
  • Type cd\ and hit Enter.
  • Now you will be at the root of the system drive (C: most probably).
  • Use cd foldername to move between folders (CD stands for Change Directory).
  • Example: type cd program files and hit Enter to go into Program Files.
  • To change the partition, type its drive letter followed by a colon and hit Enter.
  • Example: D:
  • Locate and delete each file except adc_w32.dll, because we have to unregister it first.
  • Go to each location I have listed here as well as those shown in the msconfig tool.
  • Then type DIR /a /q and hit Enter to get the list of files, including hidden ones (note the spaces).
  • Now, if you see the files, type this and hit Enter (with no file name it applies to every file in the current folder):
  • attrib -s -h -a -r
  • Then type Del followed by the file name.
  • Example: Del alggui.exe
  • What the attrib command does is reset the file attributes to normal (- removes an attribute; S is System, H is Hidden, A is Archive, R is Read-only).
  • Make sure you go to the root of each partition and check for Autorun.inf files (there may be batch files as well: .bat files, .exe files etc. Check whether they are valid executables using the browser).
  • Now that part is done!
  • Contd...
Unregistering the DLL file before deleting:
  • Get the command window again using cmd.
  • Type in Regsvr32 /? and hit Enter. If you get a dialog box, that means it's functioning.
  • If you do not have it, obtain it from here. Place the file in Windows\System32.
  • Type in Regsvr32 /u C:\Path\adc_w32.dll and hit Enter.
  • Path is the path to the file. It may be in Program Files, Windows or Windows\System32. Use Search or the command window to find it (it might be listed in the Startup tab of msconfig as well).
  • You can run this command without the command window as well: just enter it in the Run box and hit Enter. If you do it properly it will show you a dialog box containing the success message.
  • Removing registry values: you have to delete these keys and values:
  • HKEY_CURRENT_USER\Software\Sysinternals Antivirus
  • HKEY_CLASSES_ROOT\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{149256D5-E103-4523-BB43-2CFB066839D6}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "novavapp"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "novavappr"
  • There is a good tutorial on how to do that: browse here. I hope you will be able to navigate to this site.
  • Back up the registry first: Tutorial. Then remove each value and key (Delete).
  • Now you can delete the .dll file safely.
  • I recommend performing this operation in Safe Mode, because then you do not have to kill processes: Safe Mode does not start every service and program, only a specific, limited set of services.
  • If your hidden files and folders are still not shown after following the tip above, you have to modify some registry entries.
  • Click on Start -> Run -> type in regedit and hit Enter.
  • For Vista or Windows 7 users, please type Run in the search bar at the bottom of the Start menu.
  • Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden
  • Click on NOHIDDEN.
  • Set CheckedValue and DefaultValue to 2 (double-click and type 2).
  • Click on SHOWALL.
  • Set CheckedValue to 1.
  • Set DefaultValue to 2.
  • Then click on SuperHidden under "Folder" (one level up).
  • Set CheckedValue and DefaultValue to 0.
  • Set UncheckedValue to 1.

  • Check your hosts file to make sure no entries have been written to it to redirect your browser.
  • It's located in C:\WINDOWS\system32\drivers\etc on XP (C: or whichever drive is the root).
  • Open the hosts file using WordPad.
  • Examine it and remove any such entries if they exist.
  • Browse for help if you do not know how. Google it...
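As an added example (not from the tip), a Python check for the hosts file: a clean Windows hosts file maps only localhost, so any line that maps other hostnames is worth reviewing. Loopback targets block the named site (update servers are a typical victim) and non-loopback targets redirect it; the sample file content below is constructed, using TEST-NET addresses and .test names.

```python
# Added example (not the tip's own code): find hosts-file lines that could
# block or redirect the browser. The sample file content is constructed.
import ipaddress
from typing import List, Tuple

Entry = Tuple[int, str, List[str]]            # (line number, address, hostnames)
Finding = Tuple[int, str, str, List[str]]     # (line number, kind, address, hostnames)


def parse_hosts(text: str) -> List[Entry]:
    """Return every effective mapping; '#' starts a comment, blank lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((n, parts[0], parts[1:]))
    return entries


def hijack_candidates(text: str) -> List[Finding]:
    """A clean Windows hosts file maps only 'localhost'. Anything else is reported:
    loopback targets block the named site, other targets redirect it."""
    findings = []
    for n, ip, names in parse_hosts(text):
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            findings.append((n, "malformed", ip, names))   # not an address at all
            continue
        extra = [h for h in names if h.lower() != "localhost"]
        if extra:
            findings.append((n, "blocked" if loopback else "redirected", ip, extra))
    return findings


SAMPLE_HOSTS = """\
# constructed sample; comment lines are ignored
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.av-vendor.test        # update server pinned to loopback
203.0.113.7     www.search.test search.test   # TEST-NET address, not a real server
"""

if __name__ == "__main__":
    for n, kind, ip, names in hijack_candidates(SAMPLE_HOSTS):
        print(f"line {n}: {kind:10s} {ip:15s} {' '.join(names)}")
```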

  • Next: enabling Registry Editor, Task Manager and CMD again, if they have been disabled by the virus...

Related Questions:

Svchost.exe: 50 - 70% CPU load The SVCHOST.exe is started from C:\windows\system32


Unless you have a program to identify it, you won't be able to tell just what program this is associated with. You can actually have 2-3 instances of this running.
Here's what you do: Go to this link: http://technet.microsoft.com/en-us/sysinternals
Download the process monitor. It will show you what files are associated with which process and allow you to see if you can safely kill the process.

Jun 13, 2011 | Microsoft Windows XP Professional w/SP1...

When I start my computer, after displaying the Welcome screen the message appears: "The Application failed to Initialise properly (0xc0000017). Click OK to terminate the Application". So please send me a solution.


Option 1.

Restart the computer in safe mode, and then remove Aventail Connect. To start Windows in safe mode, press F8 during startup, and then select the safe mode option from the extended boot menu.

Option 2.

Add the Svchost.exe executable file to the Aventail Connect exclusion list. The Svchost.exe file is stored in the %Systemroot%\System32 folder. For example, this file may be in the following location:
C:\Windows\System32

Sep 01, 2010 | Computers & Internet

Redirct and error at 0x00000 when closeing IE or FireFox


Well, it is quite obvious, however. I'll include manual removal instructions. Please follow the steps carefully.

Jul 09, 2010 | Microsoft Windows XP Professional

I have deleted svchost.exe accidently from windows xp and cannot now log onto windows. I have tried expanding the file from dos however still cannot log on


This is going to be a tough one to fix, since I don't know which svchost you have deleted from the system.
Usually when that happens the only solution is to reinstall the OS. Even if you try to fix it from the registry key, the key and the pointer will be there but not the execution file, and there is no way to tell which svchost controls what services.

The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services allows for better control and easier debugging.

Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the registry key.

Dec 02, 2008 | Microsoft Windows XP Home Edition

svchost


"Svchost.exe" (Generic Host Process for Win32 Services) is an integral part of the Windows OS. It cannot be stopped or restarted manually. It manages 32-bit DLLs and other services. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. In normal conditions multiple instances of Svchost.exe run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging. The svchost.exe file is located in the folder C:\Windows\System32. In other cases, svchost.exe is a virus, spyware, trojan or worm! To detect if it's a virus: sometimes it will add letters to the Svchost so it reads SSVCHOST or SVCCHOST or something like that, thus making multiple services run and slow down the computer. If that is the case, the current antivirus you are using is not removing the virus; this can be done in the registry, but it's a complicated process if you do not know how to do it, so I would suggest you purchase a registry cleaner. NOTE: remember to back up the registry before you clean it.

Aug 15, 2008 | Microsoft Windows XP Professional
