SCVHOST.exe Removal

Bitdefender: Win32.Worm.Hakaglan.B

Call it a slightly modified version of the old and classic newfolder.exe. The difference is just that this one multiplies more slowly than the former. SCVHOST.exe generally enters the computer either from removable disks or from shared drives. Once it is executed on the system, it immediately creates several copies of its malicious code in the WINDOWS and [drive]\WINDOWS\System32 folders, from where it launches its own processes. It adds registry entries in order to disable several Windows tools such as Task Manager and the Registry editing tools, and also disables the "show hidden files" option. In addition, it degrades the performance of the computer and creates a schedule so that it is launched every day at a particular time. A few more registry entries are added for all users so that the program is launched at every startup. In order to hide its actual form, the worm adds the entry under the name "Yahoo messenger" to fool the user. It's not done with the registry editing yet. It adds another registry entry to make sure that a copy of the malicious code is placed on every shared drive or removable drive connected to the computer. The worm is also capable of disabling Internet Explorer and may also spread when IMs are exchanged between a clean computer and the infected computer.

Manual instructions to remove SCVHOST.exe:
  1. Reboot your system in safe mode.
  2. Now it's time to undo the damage that the worm has done to your registry. Mostly, the worm disables your registry before you know it, so you'll need an application that can access the registry, such as Registry Mechanic. Google the name and you'll get the trial version very easily (you don't need to look for full versions; the trial version is more than enough for deleting the worm).
  3. Once you've opened the registry, navigate to the following entries and delete them

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run : “Yahoo Messsenger” -> “c:\Windows\System32\SCVHOST.exe”

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell -> “SCVHOST.exe”

    This will prevent the worm from launching at startup.
  4. Also go to these entries

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
    Here, set "DisableTaskMgr" to "0",
    DisableRegistryTools to "0"
    and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:
    NoFolderOptions to "0"

    These entries relate to the disabling of Task Manager, Registry editing tools and Folder options.
  5. In addition to the above, delete these entries

    HKLM\SYSTEM\CurrentControlSet\Services\Schedule:
    "AtTaskMaxHours"->"0".

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares: "shared"->"\New folder.exe"

    The first entry here modifies the maximum scheduled task activity and the second one is responsible for creating copies of the worm in the connected drives.
  6. Now that the registry is repaired, it's time to remove the worm completely from the system. As mentioned above, the worm creates two main copies of itself in the WINDOWS and System32 directories respectively. Go to these directories and delete the file named SCVHOST.exe, either directly or with the help of the command prompt.
  7. Now reboot your system. All the changes have been undone and your computer is now free from SCVHOST.exe.
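The same checks as an added PowerShell audit script (not from the original post): it looks for each registry entry and file the steps above name, reports what it finds, and with -Repair reverses them. It assumes you run it elevated from Safe Mode; restoring "explorer.exe" as the Winlogon Shell is the Windows default and is my assumption, not something the post states.

```powershell
# Added example: audits the Hakaglan/SCVHOST.exe registry and file indicators listed in
# the removal steps; -Repair reverses them. Assumption: Winlogon Shell default is explorer.exe.
param([switch]$Repair)

function Test-RegValue($Path, $Name, $Bad) {  # $true if $Name exists and matches $Bad ($null = any)
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -ne $v -and ($null -eq $Bad -or $v -like $Bad)) {
        Write-Host "[!] $Path\$Name = $v"
        return $true
    }
    return $false
}

# 1. Autostart: Run value disguised as Yahoo Messenger (name spelled as in the post), hijacked shell
$run   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$logon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ((Test-RegValue $run 'Yahoo Messsenger' '*SCVHOST.exe*') -and $Repair) {
    Remove-ItemProperty -Path $run -Name 'Yahoo Messsenger'
}
if ((Test-RegValue $logon 'Shell' '*SCVHOST.exe*') -and $Repair) {
    Set-ItemProperty -Path $logon -Name 'Shell' -Value 'explorer.exe'
}

# 2. Policies set to 1 to disable Task Manager, Registry editing tools and Folder Options
$sys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($p in @(@($sys,'DisableTaskMgr'), @($sys,'DisableRegistryTools'), @($exp,'NoFolderOptions'))) {
    if ((Test-RegValue $p[0] $p[1] 1) -and $Repair) {
        Set-ItemProperty -Path $p[0] -Name $p[1] -Value 0 -Type DWord
    }
}

# 3. Scheduler limit and the share-crawler entry that seeds copies onto connected drives
$sched  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'
$shares = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'
if ((Test-RegValue $sched 'AtTaskMaxHours' $null) -and $Repair) {
    Remove-ItemProperty -Path $sched -Name 'AtTaskMaxHours'
}
if ((Test-RegValue $shares 'shared' '*New folder.exe*') -and $Repair) {
    Remove-ItemProperty -Path $shares -Name 'shared'
}

# 4. Dropped copies in the Windows and System32 directories
foreach ($f in @("$env:SystemRoot\SCVHOST.exe", "$env:SystemRoot\System32\SCVHOST.exe")) {
    if (Test-Path $f) {
        Write-Host "[!] file present: $f"
        if ($Repair) { Remove-Item -Path $f -Force }
    }
}
```

Run it once without -Repair to see what is present, then again with -Repair; a clean machine prints nothing.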

Posts that might help you here:

Enabling Safe Mode booting, enabling the Registry, Enable Windows Task manager , Enable Hidden files and folders option and enabling the Command Prompt.