How to remove “scvhost.exe - New Folder.exe - AutoRun.inf” virus? (Broken link fixed)
Just tonight I got into a good mood after I fixed the "scvhost.exe - New Folder.exe - AutoRun.inf" virus in Windows XP. But of course, before I was able to fix it, I had a damn whole bad day. What is this virus (or Worm, Trojan, Spyware?) anyway, and how did it piss me off really bad? Well, though I can give you the details of my experience while this was running on my PC, I’m not really an expert when it comes to virus thingies. Anyway, here are the details:
The first thing you will experience is that your Task Manager is disabled. It will prompt, "Task Manager has been disabled by your Administrator." Obviously, this gives you a clue that the virus prevents the user from ending its process. But not just that: when you try to open your Registry through "Regedit", it will also prompt that your Registry has been disabled. Later, as it progresses, you will find out that it automatically closes some open Windows applications. Worse, even the "Command Prompt" and "Folder Options" can’t be accessed anymore. You may even find that "Accessories" is gone from your Start Menu, so you cannot access your Command Prompt unless you run it directly from your system32 folder. Just to stress this: if you’re thinking that you can still access "Command Prompt" using your "Run" command, nope… The same parasite will disable some of your keystrokes, meaning you won’t be able to type anything. Simply put, almost all the possible means of knowing the tasks running (you can also view a list of tasks from the Command Prompt with tasklist.exe) have been blocked.
Funny to say, but I had a rather logical means of trying to solve this. Since I could not open "cmd" or "Command Prompt", I thought of "gpedit.msc" to somehow re-enable my "Task Manager". Well, what I did was to open my "Run" command. I didn’t type anything since I knew I couldn’t type anything at all. So, I began searching for characters which I could copy to my clipboard and paste into my "Run". Got the view? Literally, I was copy-pasting characters until I spelled out the word "gpedit.msc". Hehehehe… I did open my gpedit, but unluckily, this still wasn’t able to solve the problem. The "gpedit.msc" window appeared only for a second, and it closed immediately.
I couldn’t find any more ways, but finally, I thought of a program created in VB which I used before to stop a Spyware from running. Thanks to "Visual Basic Beginner" from PSCode.com. He created a program which he called "The Terminator", designed specifically to stop running applications, even several at the same time. Plus, it displays the exact location where the running program is located. Also, I used a tool which can unlock restrictions, the "Remove Restrictions Tool (RRT)" from www.Sergiwa.com. I have compiled these two applications into one compressed folder which you can download here. And please don’t forget that the credits should be given to them. How were these applications able to help me?
Hmmm… Luckily, though the virus has the ability to close some open windows, these applications weren’t among those restricted by this virus. Strictly, guys, you should do these once you already have those applications on your PC:
1. Run RRT and then press "Check All" then "Remove". By doing this, all the restrictions made by the virus should now be unlocked.
2. Access your Folder Options, either in the Control Panel or simply from the "Tools" menu in any open folder. Select the "View" tab and then "Show hidden files and folders".
3. You may not be able to fully access your Task Manager, so use "The Terminator" instead. Run "The Terminator" and check all the processes matching the following descriptions:
- Any running process having "scvhost" in it. Look carefully that it is "scvhost" and not "svchost", since you might crash the PC if you accidentally end the "svchost" task.
- If there is a task running with the file extension ".pif", include it in the checklist to terminate.
- There are certain processes in the list where, as you will notice from the location they are running from, the file is named the same as the folder where it is located. For example, "C:\Program Files\Games\Games.exe". As you can see, the "Games.exe" that is running is located in a folder named "Games", since the virus also creates replications named after their location. Include these processes in the list.
4. After checking all the necessary processes, press "Terminate all checked processes".
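The three checks from step 3, written out as an added Python example (not part of the original post or of The Terminator). It goes one step beyond the post by flagging any near-miss spelling of svchost, such as the SSVICHOSST.exe a reader reports in the comments; the 0.75 similarity threshold, the function names and the sample process list are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

PROTECTED = "svchost"  # genuine Windows service host; ending it can crash the PC


def imitates_svchost(stem, threshold=0.75):
    """True for near-miss spellings such as 'scvhost', never for 'svchost' itself."""
    stem = stem.lower()
    if stem == PROTECTED:
        return False
    # threshold is an assumed cut-off, not a value from the post
    return SequenceMatcher(None, stem, PROTECTED).ratio() >= threshold


def triage(image_path):
    """Return the reasons, if any, for putting one process on the terminate list."""
    path = PureWindowsPath(image_path)
    stem, ext = path.stem.lower(), path.suffix.lower()
    reasons = []
    if imitates_svchost(stem):
        reasons.append("name imitates svchost")
    if ext == ".pif":
        reasons.append(".pif image")
    if ext == ".exe" and stem == path.parent.name.lower():
        reasons.append("named after its own folder")
    return reasons


def terminate_list(image_paths):
    """Map each suspicious image path to its reasons; clean paths are left out."""
    flagged = {}
    for image_path in image_paths:
        reasons = triage(image_path)
        if reasons:
            flagged[image_path] = reasons
    return flagged


# Constructed sample: image paths as a process viewer would list them.
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\scvhost.exe",
    r"C:\WINDOWS\SSVICHOSST.exe",
    r"C:\Program Files\Games\Games.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AdobeGamma.pif",
]

if __name__ == "__main__":
    for image_path, reasons in terminate_list(SAMPLE).items():
        print(f"{image_path}: {', '.join(reasons)}")
```

The folder-name rule also matches plenty of legitimate software installed as Name\Name.exe, so treat a hit as a reason to inspect the file, not as proof.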
After doing this, you may already notice that you can once again use your keyboard normally and access your Task Manager, Command Prompt and regedit like you could before. But it doesn’t end here. You are still only halfway through. The next things you must do are the following:
1. Go to your My Computer. Right-click on it and choose "Search". This time, we’ll search for those replications manually. Basically, we have to remove ALL of them. As I noticed, all replications have common characteristics. First, they are all executable files but are categorized as an "Icon" file. Each has an icon that looks the same as a "Folder" icon; you can easily spot it since it is a low-resolution icon image. All of these replications have a common size of 221 kb.
2. Specify your searching options. Search for "All files and folders". Just leave "All or part of the file name" and "A word or phrase in the file" blank. Select "More advanced options". Check all options except for "Case sensitive" and "Search tape backup". Select the "What size is it?" option, and choose "specify size (in kb)", "at least 220 kb". Then begin searching by pressing the "Search" button.
3. As soon as the search is done, sort all the found items by size. Then highlight all items which are 221 kb in size and whose file type is "ICON". They are actually executable files which, IF you accidentally open one, will make you start again from the very beginning. So be careful not to double-click them. Delete all these files using "Shift+Delete" to permanently remove them.
4. If you are able to successfully remove all these files, then celebrate, since you are almost done! The next one will be a bit more complicated. Go to your hard drives (if there are several partitions, check all of them). You may notice a file called "Autorun.inf". This is basically the reason why the heck, when you open your hard drive, it asks you how to open it as if it were a file. So remove these files as well. Also, go to your startup directories such as "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" and the other users’ startup directories. Delete the file AdobeGamma.pif (if there is any) and the "Desktop.ini" file. I’m not totally sure but I think these files are unnecessary.
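An added example (not from the original post) that turns the manual search in steps 1 to 4 into a read-only sweep: it reports 221 KB executables, an autorun.inf sitting in the root of the scanned drive, and .pif files in a Startup folder. It assumes the size column rounds up to the next whole KB; the function names and the sample layout are constructed.

```python
import math
import os
import tempfile

REPLICA_KB = 221  # size the post reports for every replica


def shown_kb(size_bytes):
    """File size in KB as a file listing shows it (assumed to round up)."""
    return math.ceil(size_bytes / 1024)


def sweep(root):
    """Return sorted (reason, path relative to root); nothing is deleted."""
    findings = []
    for folder, _dirs, files in os.walk(root):  # os.walk also sees hidden files
        for name in files:
            path = os.path.join(folder, name)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == "autorun.inf" and folder == root:
                reason = "autorun.inf in drive root"
            elif ext == ".pif" and os.path.basename(folder).lower() == "startup":
                reason = ".pif in Startup folder"
            elif ext == ".exe" and shown_kb(os.path.getsize(path)) == REPLICA_KB:
                reason = "221 KB executable"
            else:
                continue
            findings.append((reason, os.path.relpath(path, root)))
    return sorted(findings)


def demo():
    """Build a constructed drive layout in a temp folder and sweep it."""
    layout = {  # relative path -> size in bytes (all constructed)
        "autorun.inf": 64,
        "Games/Games.exe": 221 * 1024 - 300,  # shows as 221 KB
        "Games/setup.exe": 512 * 1024,        # ordinary program, not flagged
        "Music/New Folder.exe": 221 * 1024,   # shows as 221 KB
        "Music/autorun.inf": 64,              # not in the root, not flagged
        "Startup/AdobeGamma.pif": 2048,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, size in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(b"\0" * size)
        return sweep(root)


if __name__ == "__main__":
    for reason, rel in demo():
        print(f"{reason}: {rel}")
```

Calling sweep() on a drive root such as D:\ scans a real volume; it only reports, so deleting stays a manual decision.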
File removal: Done! Final step: Editing the Registry.
The easiest way to change back the Registry to normal is:
1. Open "regedit" by typing "regedit" in your "Run" command, then press OK.
2. In your Registry Editor, go to "Edit | Find" or simply press "Ctrl+F". Type "scvhost" there. Make sure all check boxes are checked.
3. Everything found by this search must either be deleted OR left blank. I assume you are already knowledgeable enough to know which keys to delete and which not to. But if you do not know what you are trying to edit, then it’s better to change all strings containing "scvhost" to blank. Be careful when the search reaches an entry with "C:\WINDOWS\explorer.exe scvhost.exe" or something like that. Just remove the "scvhost.exe". Don’t remove "C:\WINDOWS\explorer.exe".
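The rule in step 3 as an added Python example (not from the original post): it works on exported (key, value name, data) strings and only plans the edits, leaving the genuine svchost untouched. The key names in the sample are constructed, since the post does not say which keys the worm writes to, and the function names are assumptions.

```python
from pathlib import PureWindowsPath

NEEDLE = "scvhost"     # the Find string from step 2
KEEP = "explorer.exe"  # the one program step 3 says to leave in place


def clean(data):
    """Return a registry string with the scvhost reference removed.

    Strings without NEEDLE come back unchanged, so the genuine svchost is
    never touched. If explorer.exe is also named, only the scvhost token is
    dropped; any other string is blanked.
    """
    if NEEDLE not in data.lower():
        return data
    kept = [tok for tok in data.split() if NEEDLE not in tok.lower()]
    names = [PureWindowsPath(tok.strip('"')).name.lower() for tok in kept]
    return " ".join(kept) if KEEP in names else ""


def plan(values):
    """List (key, value name, old data, new data) for every string to edit."""
    changes = []
    for key, name, data in values:
        new = clean(data)
        if new != data:
            changes.append((key, name, data, new))
    return changes


# Constructed sample export: (key, value name, string data).
# The keys are ordinary autostart/service locations chosen for illustration.
SAMPLE = [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", r"C:\WINDOWS\explorer.exe scvhost.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ExampleEntry", r"C:\WINDOWS\scvhost.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleService",
     "ImagePath", r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for key, name, old, new in plan(SAMPLE):
        print(f"{key}\\{name}: {old!r} -> {new!r}")
```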
So, once you can finally find no more entries in the Registry about "scvhost", then Congratulations! Though I’m not really that sure if the virus has been completely removed, as I noticed, even after I restarted the PC, I can already feel my PC running smoothly again.
If you have some comments or clarifications or perhaps additional information about this virus (?) please leave it here. I would be grateful to hear it out from you. Thanks! 







i am not able to find The Terminator application please help me
Comment by Srinivas — March 5, 2008 @ 7:34 pm
@Srinivas sorry i didn’t notice, the file on the link is corrupted.. I’ve already fixed it.. you may be able to download it already… (^^,) it’s a great tool..
Comment by Ronald Borla — March 5, 2008 @ 10:37 pm
Your article is great, it helped save me. In this case the file name is SSVICHOSST.exe of 600KB with modified date 7 Jun 2007. Thanks
Comment by Koushik — March 11, 2008 @ 2:06 am
@Koushik thanks.. i had a hard time fixing my PC because of this virus.. now that i fixed it, it would be best to share to others how i did it.. (^^,)
Comment by Ronald Borla — March 11, 2008 @ 6:53 am
Hi,
Thanks a million for this fix! None others worked, and finally this one did! Kudos!
Comment by Vijaynarain — March 22, 2008 @ 1:45 pm
no problem.. thanks for letting me know it did work
(^^,) im glad i helped…
Comment by Ronald Borla — March 23, 2008 @ 6:49 am
Thanks so so much, was just about to format my hard disk when i found your advice. It worked wonders. Thanks again man. AM so excited can’t write anything meaningful
Comment by Sikuku — April 6, 2008 @ 12:36 am
man i got this site when i already had formatted my comp np next time it happens i ill follow ur advice thanx any way 4 that i hope it will work wen i ill need it.
well last time i formatted my comp was coz of this virus but at that time i was able to open my hidden files by using my antivirus but i didnt know wat to do after that. i think u have written above there wat 2 do after having ur hidden files.
many many thanx.
Comment by seth — April 24, 2008 @ 2:08 pm
hiii
i wanted to ask if we can remove any other virus such as trojan horse by using endtask.
plzz reply
Comment by seth — April 24, 2008 @ 2:20 pm
hi seth… the most basic way to detect whether a virus is running in your computer is using ur task manager… it depends on your instincts whether there are some unusual or “supposed-to-be-not-running” applications in your computer… if so, you should end it immediately… some viruses or trojans, or perhaps worms disable a lot of capabilities in your computer.. and some also replicate.. if you let them run freely, then that’s the time theyd completely destroy your computer.. most trojans nowadays attack the registry.. so it is also best if you take care of your registry well… ALSO, remember this, viruses would also depend on the OS you are running… most viruses or trojans that are common as of today usually are for Windows XP.. anyway, XP is also easy to fix.. just a piece of an advice:
Do regularly perform restore points.. But before each restore point, you should first scan completely your computer with an updated anti-virus.. if there are viruses present, then don’t do restore point.. This is very important, since at some point, you may come up to losing all your files because of a virus… So if ever this happens, you just have to fix your computer using the last restore point you did… NOTE: Some viruses attack the restore point.. So if this virus is known to do so, then immediately disable your restore point before it does it task…
Well also, as an advice so that you won’t easily get infected with viruses or trojans: Remember that when you plug in an external hardware such as Flash Disks (these are prone to trojans), do not open your Flash Disk using double click or opening it through Autoplay.. as much as possible, delete the autorun.inf… an FD can live without it.. To open a Flash Disk, right click on it, and click “Explore”… in this way, you won’t have to accidentally automatically run any undesired files… And always show hidden files and folders.. If there are unusual files there (of course, those you don’t remember you saved in it), then delete them immediately… and be careful not to double click or press enter or any way to run it..
:D
It’s easy to detect viruses, they are commonly unusual.. SO whatever is unusual, then treat them as suspicious..
Finally, Windows XP do have a lot of tools more than you can think of… research on these default XP applications:
1. cmd - command prompt
2. regedit - registry editor
3. msconfig - configurations (startup)
4. gpedit.msc - XPs group policy (very useful)
5. tskill & tasklist - to show and kill running applications
Have a nice day!…
:D
Comment by Ronald — April 24, 2008 @ 7:24 pm
i tried ur steps, first off regedit doesnt open up, and second off the virus is not even budging, starting to think theres no hope for my new dell
Comment by ant — May 18, 2008 @ 1:01 pm
regedit won’t open up, until u kill some processes that’s restricting it to open.. download the application first above.. in this link… » http://www.freewebtown.com/ronald018/applications/Tools.zip
Unzip it, then run RRT, check all, then remove.. After that, run The Terminator, then kill all unnecessary processes… once you do that, you may be able to run your regedit..
Comment by Ronald Borla — May 18, 2008 @ 1:04 pm
hey bro i purchased the sergiwa RRT… task manager still isnt opening….
Comment by ant — May 18, 2008 @ 10:46 pm
ant, like i told you.. You have to kill first the process that is restricting the Task Manager to run. Actually, the term should not be “restricting it to run”, because, the virus is programmed to QUICKLY HIDE, the window of the Task Manager.. Therefore, even if you are already granted the non-restriction of registry to run the task manager, there will still be no way for you to see the task manager run. Actually, every time you press “CTRL+ALT+DEL”, it opens the task manager… You just won’t be able to see it, because of the doings of the virus..
The virus is in the form of executable file. And IT IS RUNNING in your computer.. To end its task, you won’t need the RRT, but the “The Terminator” which I included in the compressed file.. Well, this application is not recognized by the virus, therefore, you may still be able to execute it without problem.. Now “The Terminator” works like the task manager.. As for now, don’t bother running the Task Manager, you would just have to use this application instead and kill the processes which are creating some problems…
And by the way, you don’t have to buy RRT, you can still use its full functionality even so…
Comment by Ronald Borla — May 18, 2008 @ 10:55 pm
ok cool, i have the task manager now… lol i already deleted all of its entries… the scan is not picking up scvhost anymore, so i guess thats a plus… but now were havin a problem with our firewall not turning on, wich is allowing numerous pop ups.. any info on that will be great thnx….
Comment by ant — May 19, 2008 @ 2:59 am
oww i see.. i think you just have to install a new antivirus… I would suggest you use, Grisoft AVG Anti-Spyware… Get it updated, and scan all your files.. I think these are spywares/adwares which reside in temporary folders, cookies, and temporary internet files folder.. files inside these folders are not that important.. try to scan these folders, if you find any spyware, then you would just have to delete it using the anti-spyware..
Comment by Ronald Borla — May 19, 2008 @ 7:53 am
I was able to perform all the other steps apart from the one given by you as below
2. Access your Folder Options, in either in the Control Panel, or simply on one of the menus under “Tools” in any opened folder. Select “View” tab and “Show hidden files and folders”.
I hope the system works fine. Thanks a ton for this help.
Additionally I’ve also identified following two. Hope it has gone in the process performed.
1) Virus name: Trojan Horse
File: C:\WINDOWS\hinhem.scr
2) Virus name: Trojan Horse
File: C:\WINDOWS\system32\blastclnnn.exe
Any comments?
Comment by Priti — June 26, 2008 @ 1:40 am
@Priti the files you mentioned above as trojans are actually just some of the files that the virus creates.. these trojans are actually helping each other when they are in the process.. so it is really best if you kill this process along with the suspicious processes and delete them from their locations.. i think if you won’t be able to clear them, then there are chances that the virus may be revived..
Comment by Ronald Borla — June 26, 2008 @ 11:31 am
Hey
I don’t know much about computers so this might be a stupid question, but i was just wondering if it is possible for the scvhost.exe virus to find and use my itunes password? just a bit worried about credit card details lol. Thanks
Comment by Emily — June 28, 2008 @ 9:27 am
@Emily look.. virus, trojans, spywares and any infections are actually programs created by programmers who have evil intentions to do some specific tasks, and here are just some which i know:
1. Your suspicions are right.. These maniacs would want to steal your passwords and other personal information.. So, they would design a virus that has the capabilities to do it.. You might have noticed that when a spyware is running in your computer, your internet connection becomes laggy (or having slower connections than the usual).. The spyware might have actually been sending information to the location where these maniacs (im talking about nasty programmers) feel like comfortable of making use of these data..
2. They just want to destroy.. Nothing more, nothing less..
3. Most shocking is: They want to catch some BIG fish.. What I mean is, when they’re being recognized as the programmer of the virus, they can be hired by some huge organizations, secretly..
But don’t worry, these are just some of the evil side of programmers.. But please don’t include me as one of them lolzz.. hehe.. Anyway, look at the brighter side.. when programmers introduce new viruses, they are actually opening another opportunities for a lot of businesses in the future.. You won’t understand it unless you’ll join them.. Trust me.. hehe
Comment by Ronald Borla — June 28, 2008 @ 3:50 pm
ok now im terrified!
my internet is a bit slower than usual, but i havent noticed any other problems. i have etrust antivirus and it doesnt pick up any viruses when it runs scans. do you think my computer has this or any other virus? and how do i get rid of it?
thanks, sorry for my lack of knowledge
Comment by Emily — June 28, 2008 @ 6:36 pm
@Emily no problem.. if a virus, spyware, trojan, and the like are not detected by your antivirus, this just means your antivirus does not yet recognize these malicious programs.. they are not yet being added in the database of your antivirus.. to fix this, you just have to keep your antivirus updated..
there are also spywares which need to be removed manually such as this scvhost.exe.. if you’re rather familiar with processes which are common to a pc running normally, then you can check your task manager if there are some processes which are unusual..
spywares usually have these characteristics and routines, so check these as well:
1. most spywares are programmed to run at computer startup.. for an application to run at startup, it either edits the registry.. or you can simply check your msconfig -you can access this at Start|Run|msconfig.exe you can view all programs registered in the startup tab..
2. some spywares create a file in your hard drive named “autorun.inf”.. Note: if you see an “autorun.inf” in one of your hard drives, this is unusual.. but anyway, most autorun.inf created by spywares are kept hidden so you won’t easily notice it.. but there’s one clue when there is a file such as this existing in your hard drive: when you try to double click your Drive C or Drive D, the computer asks you whether what application to open it.. remember that your Drive C or D is not a file but a hard drive directory.. normally, when you double click it, you will be able to access your hard drive..
3. Most spywares do not execute alone.. this means, when a spyware is running in your pc, another spyware might be already running to support another spyware.. they are always helping each other.. so in order to kill them, end their processes all at once.. i recommend you the Tools i mentioned in my post..
I think even the strongest antivirus today still cannot successfully remove scvhost.exe.. it’s because, they cannot detect whether this virus is already infecting the computer.. though most antivirus nowadays can detect and immediately remove the files scvhost create, but they can’t kill all those processes made by this virus..
Comment by Ronald Borla — June 28, 2008 @ 7:32 pm
when i turn the computer on, a prompt comes up saying ‘The publisher could not be verified. Are you sure you want to run this software?’
Name: scvhost.exe
Publisher: Unknown Publisher
Type: application
From: C:\WINDOWS
and the options are to run or cancel
is that the virus and what should i do?
thank you
Comment by Emily — June 29, 2008 @ 7:23 am
do not run and remove that file from its location.. you have to be careful that it should not be svchost but scvhost
Comment by Ronald Borla — June 29, 2008 @ 8:01 am
i cant find scvhost but i found svchost… is that what im looking for? and is that all i have to delete?
thanks
Comment by Emily — June 29, 2008 @ 11:41 am
ok dw about it i got rid of all the viruses on my computer - there were 11! lol. i used spybot.
thanks for all your help!
Comment by Emily — June 29, 2008 @ 1:07 pm
i think you cant remove svchost.. but anyway, don’t try to delete it.. because it’s a system file.. without it, your computer might crash..
Comment by Ronald Borla — June 29, 2008 @ 2:09 pm
Hey! I have finally found the source of this malicious program. Do the following: go to SEARCH in start-menu -> type shutdown.exe -> then delete the damn file. All done!!! 100% guaranteed.
Comment by Nahian — July 17, 2008 @ 3:22 am
@Nahian:
I think shutdown.exe is a system file.. When executed, your PC will shutdown..
Comment by Ronald Borla — July 17, 2008 @ 7:42 am
help me all virus autorun to all file
Comment by samo — July 23, 2008 @ 12:41 pm
@samo try searching within your hard drives “autorun”, then delete all search results
Comment by Ronald Borla — July 23, 2008 @ 1:24 pm
I have a beautiful solution to keep the SCVHOST.EXE at bay. Create a new text file in both the C:\WINDOWS and C:\WINDOWS\SYSTEM32 directories. Rename these files to SCVHOST.EXE and change their attributes to “read only”. This way the worm is fooled in thinking it is already on the HDD. If the worm activates from the net or a memory stick it will infect your registry and your task manager might temporarily disappear. All you do is remove the memory stick and restart the PC. The registry will try and run SCVHOST.EXE from the normal directory and it will give an error message that the SCVHOST.EXE is not a valid win32 file. Problem solved. All you do is clean up the registry. Approximately 3min. This way you will immediately see where the infection comes from.
Comment by George Norwie — July 27, 2008 @ 3:50 am
@George remember, scvhost comes with other files such as blasthchnn.exe or the like.. it is true that changing the attributes to read only of the file with the same name may protect your system.. I do it in my memory sticks actually.. it tells the system that this file is not allowed for any modification.. copying a file in a location where the same file name already exists is a modification of the file.. BUT… if the virus is programmed to DELETE first any file existing with the same name, then the virus would still be allowed to run..
Comment by Ronald Borla — July 27, 2008 @ 8:21 am
hi.. thanks for this article. =)
After I followed what you said, everything seems ok. And there’s a but,… Everytime i start up my pc, there is this alert/warning message popping-up, saying “Windows cannot find SCVHOST.EXE, make sure you type the correct filename” something like that. it seems that there is an automatic searching looking for that file. I’ve check my registry and it was clean. so, what do you think i’ve missed? and by the way, my regedit and task manager are all working. And I tried to type in my Run the “cmd” and my pc suddenly shut down.! goodness,. i don’t know what will i do to bring back the normality of my pc. lolz.
I know you will be a good help. thank in advance. =)
Comment by karla — October 22, 2008 @ 4:22 pm
Try checking your msconfig.exe.. you can run this by typing “msconfig” in your Start | Run… Proceed to the “Startup” tab.. and find some checked unusual items there… uncheck them.. especially those which corresponds to the file missing..
else, it’s not anymore part of scvhost’s task… i havent experience this though.. hmmm
Comment by Ronald Borla — October 22, 2008 @ 4:26 pm