
How to remove the scvhost.exe Virus.

Svchost.exe is the name of a generic host process for services that run from dynamic link libraries (DLLs). A variety of worms spread a similarly named file, Scvhost.exe, via Yahoo! Messenger. Once running, it blocks the Task Manager and Registry Editor, as well as use of the command prompt.

Warning
Manual removal of Scvhost.exe may be very difficult, as the removal process requires knowledge of the operating system's command prompt and Registry Editor. If not performed properly, your computer system might experience permanent damage. Consequently, manual removal might be best for experienced users. Less experienced users might want to consider using an automatic spyware removal application, such as that offered by Trend Micro. This worm copies itself to different locations in shared folders. Each copy shows a folder icon but has an .exe file extension. DO NOT double-click on any of these folders.

Follow these step by step instructions to remove the scvhost.exe virus.

Step 1 (Turning off System Restore)
This is so that if you ever need to use System Restore after you have removed the virus, it doesn't restore the virus as well.

If the operating system of the infected computer is either Windows Me or Windows XP, turn off System Restore while this fix is being implemented. To turn off System Restore within Windows Me, click Start > Settings > Control Panel. Double-click System. Select File System from the Performance tab. Left click the Troubleshooting tab and check the Disable System Restore box. Click OK.
To turn off System Restore within Windows XP, log in as Administrator and click Start. Right click My Computer and select Properties from the shortcut menu. Check the Turn off System Restore option for each drive on the System Restore tab. Left click Apply and Yes to confirm when prompted. Click OK.

Step 2 (Run in safe mode)
Restart your computer in Safe Mode and log in as Administrator. Press F8 after the first beep occurs during start up, before the display of the Microsoft Windows logo. Select the first option, to run Windows in Safe Mode from the selection menu.

Step 3 (Accessing Command prompt)
Access the command prompt. Click Start > Run. Type cmd. Click OK. Then in the command prompt type cd to change directory, then press the space bar.
Type the full directory path of the folder containing your Windows system files. It will be either C:\Windows\System or C:\Windows\System32

Step 4
From the command prompt, type the following to unprotect the files for removal:
attrib -h -r -s scvhost.exe and press Enter;
attrib -h -r -s blastclnnn.exe and press Enter;
attrib -h -r -s autorun.inf and press Enter.

Step 5
Delete the files by typing the following from the command prompt:
del scvhost.exe and press Enter;
del blastclnnn.exe and press Enter;
del autorun.inf and press Enter.

Step 6
Type "cd\" to return to the main Windows directory.
Unprotect and delete the Autorun.inf file by typing the following from the Windows directory command prompt:
attrib -h -r -s autorun.inf and press Enter;
del autorun.inf and press Enter;
Type regedit and press Enter to open the Registry Editor.

Step 7
Locate the following entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the incorrectly spelled Yahoo! Messenger entry with the value
c:\windows\system32\scvhost.exe.

Step 8
Locate the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
Within the key, there is a shell entry with the value of explorer.exe, scvhost.exe. Edit the entry to remove the reference to Scvhost.exe, leaving Explorer.exe as the remaining value in the registry entry.

Step 9
Locate the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Delete the following subkeys from the left panel:
RpcPatch
RpcTftpd
Exit the command prompt and return to the operating system. Type Exit, and press Enter.

Step 10
Reboot the PC.
If Scvhost.exe still resides on the computer, repeat these steps or try using an automatic removal program from McAfee or Symantec.
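
A post-removal check for Steps 7 to 9, added here as an example and not part of the original tip: it scans the text of a registry export (.reg format) for the entries this page says to delete or edit. The sample export and the value name ConstructedName are constructed for illustration.

```python
import re

# Indicators taken from Steps 7-9 of this page (lower-cased for comparison).
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"
WORM_SERVICES = {"rpcpatch", "rpctftpd"}
WORM_IMAGE = "scvhost.exe"

def parse_reg(text):
    """Yield (key, value_name, data); value_name is None for the key line itself."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # string values only; dword/hex values are skipped
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def find_leftovers(text):
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None:
            parent, _, leaf = k.rpartition("\\")
            if parent == SERVICES_KEY and leaf in WORM_SERVICES:
                findings.append(("service", key))       # Step 9
        elif k == RUN_KEY and data.lower().endswith(WORM_IMAGE):
            findings.append(("run", name))              # Step 7
        elif k == WINLOGON_KEY and name.lower() == "shell":
            parts = [p.strip().lower() for p in data.split(",")]
            if parts != ["explorer.exe"]:               # Step 8
                findings.append(("shell", data))
    return findings

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ConstructedName"="c:\\windows\\system32\\scvhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, scvhost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcPatch]
"Start"=dword:00000002
'''
```

An empty list from find_leftovers means none of the three registry indicators from this page remain in the exported text.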



Related Questions:

1 Answer

Generic host process for win32 services has encountered problem and need to close we are sorry for the inconvenience -- can u plz gimme a solution for this. This pop is very disturbing. Plz help


Read the Thread here.

Note:-
Generic Host Process for Win32 Services or svchost.exe is a legal and essential component of Windows which is used to host services which run from dynamic-link libraries (DLLs).

Please note that legal svchost.exe should reside in Windows\System32 folder and should not appear in startup list.

If it does appear, do a Malware/spyware/virus scan on your PC.

May 19, 2010 | Microsoft Windows XP Media Center Edition...

2 Answers

svchost.exe problem


Hi,
I think it's a virus or a worm problem. To get rid of this, go to my blog and download the QuickHeal two months full version scan; it will clear your problem.
Don't forget to turn off System Restore before installing and up to completing the complete scan of your PC.

bye bye
http://xviruslab.blogspot.com

Feb 28, 2009 | Microsoft Windows XP Professional

2 Answers

I have compaq cq60 104u. I have windows xp pro with sp2 installed on it. However the inbuilt mic is not working and I keep getting svchost.exe application error when I connect to internet. Does this system support windows xp?


svchost.exe is a generic host process name for services that run from dynamic-link libraries.

Sounds like a driver or application problem you have. As you get this when you connect to the internet, sounds like your web browser. Try reinstalling it

Nov 29, 2008 | Computers & Internet

1 Answer

Unknown file


In software Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs) within the Microsoft Windows operating system.
At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging, but it also causes some difficulty for end users wishing to see the memory usage or vendor legitimacy of individual services and processes. End users in Windows XP Professional (and derivatives, such as Windows Server 2003 and Windows XP Media Center Edition) can run the following command at the system prompt to get a breakdown:
tasklist /svc /fi "imagename eq svchost.exe" (NB: This command does not work in Windows XP Home.)
Due to being widespread among running processes, svchost.exe has long been a common disguise used by malware to hide its presence from the user. (One of the common trojan horses deceptively uses scvhost.exe). Users may then run tasklist with no arguments and match the reported PIDs with the previously shown Svchost instances. If memory usage appears abnormal, the user can look up the service names shown by their command on the internet to see if it is a known service or malware.
The Svchost.exe file is located in the %SystemRoot%\System32 folder. The main registry key involved at bootup is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost (values in this key will show the user at least a partial list of the actual processes behind instances of svchost).
The 30 April, 2007 release of WSUS 3.0 led to reports of svchost.exe issues, including 100% CPU usage, memory hogging, and excessive laptop fan/power usage.[1]

Oct 29, 2008 | Microsoft Windows Server Standard 2003 for...

1 Answer

svchost


"Svchost.exe" (Generic Host Process for Win32 Services) is an integral part of Windows OS. It cannot be stopped or restarted manually. It manages 32-bit DLLs and other services. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. In normal conditions multiple instances of Svchost.exe run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging. The svchost.exe file is located in the folder C:\Windows\System32. In other cases, svchost.exe is a virus, spyware, trojan or worm! To detect if it's a virus: sometimes it will add letters to the Svchost to read thus SSVCHOST or SVCCHOST or something like that, thus making multiple services run and slowing down the computer. If that is the case, the current antivirus you are using is not removing the virus. This can be done in the registry. It's a complicated process if you do not know how to do it, so I would suggest you purchase a registry cleaner. NOTE: remember to back up the registry before you clean it.

Aug 15, 2008 | Microsoft Windows XP Professional
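
The two checks the answers above describe (look-alike names such as scvhost, SSVCHOST or SVCCHOST, and the expected System32 location), written out as an added example that is not from any of the posters. The process paths are constructed, and the threshold of two edits is an assumption chosen for illustration.

```python
import ntpath

LEGIT = "svchost.exe"

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[-1][-1]

def classify(image_path, system_root=r"C:\Windows"):
    """Label one process image path; Windows path rules apply on any host OS."""
    folder, name = ntpath.split(image_path)
    name, folder = name.lower(), ntpath.normcase(folder)
    # Only System32 is treated as legitimate, as the page states; the
    # SysWOW64 copy on 64-bit Windows is not handled here.
    expected = ntpath.normcase(ntpath.join(system_root, "System32"))
    if name == LEGIT:
        return "ok" if folder == expected else "svchost.exe outside System32"
    if osa_distance(name, LEGIT) <= 2:  # assumption: up to two edits is suspicious
        return "look-alike name"
    return "unrelated"

def scan(paths):
    """Return only the entries that need a closer look."""
    labelled = ((p, classify(p)) for p in paths)
    return [(p, label) for p, label in labelled if label not in ("ok", "unrelated")]

# Constructed process list, not captured from a real machine.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\scvhost.exe",
    r"C:\WINDOWS\SSVCHOST.EXE",
    r"C:\Documents and Settings\user\svchost.exe",
    r"C:\WINDOWS\explorer.exe",
]

if __name__ == "__main__":
    for path, label in scan(SAMPLE_PATHS):
        print(f"{label:30} {path}")
```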
