How To: Remove SCVHOST.exe (W32/YahLover.Worm.gen or Win32/Autorun.R.worm) Safely From Windows Vista/XP
This type of worm hides itself as SCVHOST.EXE or SCVHOSTS.EXE so it will look like the legitimate Windows program SVCHOST.EXE. This type of virus usually spread through Yahoo Messenger. This virus is also known as W32/YahLover.Worm.gen and Win32/Autorun.R.worm. One way to avoid infection from this virus is to ignore any invites from unknown friends.
This virus/worm installs to Windows Vista/XP itself in autorun.inf and once double click it will spread itself unto your system. Furthermore, it copies itself through all the shared folders on your computers throughout the network and installs itself in the Windows Vista/XP registry entries remotely.
Here are indication that your computer is infected with this virus.
- This virus/worm blocks the Windows Vista/XP task manager.(way to fix your task manager)
- The worm changes the Windows registry to prevent running task manager and editing registry for harder detection. (way to enable registry editor)
- It automatically restarts the computer when you try to go to the command prompt.
- It duplicates itself to different locations of the shared folders. The duplicated virus/worm uses a FOLDER icon with an .exe file extension. WARNING! DO NOT double click these folders.
- It autostart via registry keys Windows->Run and add itself to WinNT->WinLogon->Explorer.exe
How to remove the virus from Windows Vista/XP
You can use NOD32 or any strong antovirus programs to remove this virus but if you don’t have a anti-virus or your antivirus can’t remove this virus try following the steps below to remove it manually.
- Boot your system in Safe Mode Command Prompt Only
- After you log-in the command prompt will be opened (LOG-IN AS ADMINISTRATOR).
- Type CD C:\WINDOWS\SYSTEM32 (I assume that your Windows System files are located at Drive C)
- Type DIR /ah, this will display all hidden files on this directory folder. You will see the following files which is used by the virus to spread itself: AUTORUN.INI, BLASTCLNNN.EXE, and SCVHOST.EXE
Type ATTRIB -H -R -S SCVHOST.EXE
Type ATTRIB -H -R -S BLASTCLNNN.EXE
Type ATTRIB -H -R -S AUTORUN.INI
Type DEL SCVHOST.EXE
Type DEL BLASTCLNNNN.EXE
Type DEL AUTORUN.INI
Type ATTRIB -H -R -S AUTORUN.INF
Type DEL AUTORUN.INF
- After following the steps on removing the virus/worm files, the virus should now be removed from the registry of your system.
- At the Windows Vista/XP command prompt type REGEDIT and press ENTER key. This will run the Windows Registry Editor
- From the registry, look for the keys: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, you will see an entry Yahoo! Messengger (it’s spelled like this) with a value c:\windows\system32\scvhost.exe, Delete this entry.
- Look again for the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, there’s an entry named: SHELL, it has a value = Explorer.exe SCVHOST.EXE , DON’T delete this entry!!! Just edit this entry and REMOVE the SCVHOST.EXE so that Explorer.exe will be the only value that remains from this registry entry.
After carefully following all the steps restart your Windows Vista/XP computer on normal mode and the virus should now be gone.