How to remove “scvhost.exe - New Folder.exe - AutoRun.inf” virus? (Broken link fixed)
Just tonight I got into a good mood after I fixed the "scvhost.exe - New Folder.exe - AutoRun.inf" virus in Windows XP. But of course, before I was able to fix it, I had a damn whole bad day. What is this virus (or worm, trojan, spyware?) anyway, and how did it piss me off so badly? Well, I can only give you the details of my experience while it was running on my PC; I’m not really an expert when it comes to virus thingies. Anyway, here are the details:
The first thing you will experience is that your Task Manager gets disabled. It will prompt, "Task Manager has been disabled by your Administrator." Obviously, this gives you a clue that the virus stops the user from ending its process. But not just that: when you try to open your Registry through "Regedit", it will also prompt that your Registry has been disabled. Later, as it progresses, you will find out that it automatically closes some open application windows. Worse, even the "Command Prompt" and "Folder Options" can’t be accessed anymore. You may even find that the "Accessories" on your Start Menu are gone. Therefore, you cannot access your Command Prompt unless you run it directly from your system32 folder. Just stressing this out: if you’re thinking that you can still access "Command Prompt" using your "Run" command, nope… The same parasite disables some of your keystrokes, meaning you won’t be able to type anything. Simply put, almost all the possible means of knowing which tasks are running (you can also view a list of tasks using Command Prompt and tasklist.exe) have been blocked.
Funny to say, but I had a rather logical way of trying to solve this. Since I could not open "cmd" or "Command Prompt", I thought of "gpedit.msc" to somehow re-enable my "Task Manager". Well, what I did was open my "Run" command. I didn’t type anything, since I knew I couldn’t type anything at all. So I began searching for characters which I could copy to my clipboard and paste into my "Run" box. Got the picture? Literally, I was copy-pasting characters until I spelled out the word "gpedit.msc". Hehehehe… I did open my gpedit, but unluckily, this still wasn’t able to solve the problem. The "gpedit.msc" window appeared only for a second and closed immediately.
I couldn’t find any more ways, but finally I thought of a program created in VB which I had used before to stop a spyware from running. Thanks to "Visual Basic Beginner" from PSCode.com. He created a program which he called "The Terminator", designed specifically to stop running applications, even several at the same time. Plus, it displays the exact location where the running program is located. I also used a tool which can unlock restrictions, the "Remove Restrictions Tool (RRT)" from www.Sergiwa.com. I have compiled these two applications into one compressed folder which you can download here. And please don’t forget that the credits should go to them. How were these applications able to help me?
Hmmm… Luckily, though the virus has the ability to close some open windows, these applications weren’t among those restricted by it. Strictly, guys, you should do these once you already have those applications on your PC:
1. Run RRT and then press "Check All" and then "Remove". By doing this, all the restrictions made by the virus should now be unlocked.
2. Access your Folder Options, either in the Control Panel or under the "Tools" menu of any open folder. Select the "View" tab and "Show hidden files and folders".
3. You may not be able to fully access your Task Manager, so use "The Terminator" instead. Run "The Terminator" and check all the processes matching the following descriptions:
- Any running process having "scvhost" in it. Strictly, notice carefully that it is "scvhost" and not "svchost", since you might crash the PC if you accidentally end the "svchost" task.
- If there is a task running with the file extension ".pif", then include it in the checklist to terminate.
- There are certain processes where, if you look at the location they are running from, the filename is the same as the name of the folder it is located in. For example, "C:\Program Files\Games\Games.exe". As you can see, the "Games.exe" that is running is located in a folder named "Games", since the virus also creates replicas named after their location. Include these processes in the list.
4. After checking all the necessary processes, press "Terminate all checked processes".
After doing this, you may notice that you can once again use your keyboard normally and access your Task Manager, Command Prompt and regedit like you could before. But it doesn’t end here. You are still only halfway through. The next things you must do are the following:
1. Go to My Computer. Right-click on it and choose "Search". This time, we’ll search for those replicas manually. Basically, we have to remove ALL of them. As I noticed, all replicas have common characteristics. First, they are all executable files but categorized as "Icon" files. They have an icon that looks the same as a "Folder" icon; you can easily spot it since it is a low-resolution icon image. All of these replicas have a common size of 221 KB.
2. Specify your search options. Search for "All files and folders". Just leave "All or part of the file name" and "A word or phrase in the file" blank. Select "More advanced options". Check all options except "Case sensitive" and "Search tape backup". Select the "What size is it?" option, choose "specify size (in KB)" and "at least 220 KB". Then begin searching by pressing the "Search" button.
3. As soon as the search is done, sort all the found items by size. Then highlight all items which are 221 KB in size and whose file type is "ICON". They are actually executable files, and IF you accidentally open one you will have to start again from the very beginning. So be careful not to double-click them. Delete all these files using "Shift+Delete" to permanently remove them.
4. If you were able to successfully remove all these files, then celebrate! You are almost done. The next one will be a bit more complicated. Go to your hard drives (if there are several partitions, check all of them). You may notice a file called "Autorun.inf". This is basically the reason why, when you open your hard drive, it asks you how you want to open it as if it were a file. So remove these files as well. Also, go to your startup directories such as "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" and the other users’ startup directories under Documents and Settings. Delete the file AdobeGamma.pif (if there is any) and the "Desktop.ini" file. I’m not totally sure, but I think these files are unnecessary.
File removal: Done! Final step: Editing the Registry.
The easiest way to change back the Registry to normal is:
1. Open "regedit" by typing "regedit" in your "Run" command and pressing OK.
2. In your Registry Editor, go to "Edit | Find" or simply press "Ctrl+F". Type "scvhost" there. Make sure all check boxes are checked.
3. Everything found by this search must either be deleted OR left blank. I assume you are already knowledgeable enough about which keys to delete and which not to. But if you do not know what you are editing, then it’s better to change all strings containing "scvhost" to blank. Be careful when you reach a result such as "C:\WINDOWS\explorer.exe scvhost.exe" or something like that. Just remove the "scvhost.exe"; don’t remove "C:\WINDOWS\explorer.exe".
So, once you can no longer find any entries about "scvhost" in the Registry, congratulations! I’m not really sure whether the virus has been completely removed, but as I noticed, even after restarting the PC, I can already feel my PC running smoothly again.
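As an added illustration (not part of the original post or of the tools it mentions), the following Python script encodes the indicators described in the three phases above as checks a responder could run over a file tree and over process and registry strings: the "scvhost" vs "svchost" distinction, ".pif" processes, executables named after their containing folder at roughly 221 KB, Autorun.inf files, and stripping "scvhost.exe" from a shell value while keeping explorer.exe. The sample directory tree it builds is constructed and contains only inert zero-filled files; the 221 KB size and all paths are taken from the post.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Indicators taken from the post: worm processes are named "scvhost" (a lookalike
# of the legitimate svchost), run from .pif files, or are ~221 KB .exe replicas
# named after the folder that contains them; autorun.inf sits at drive roots.
SUSPICIOUS_NAME = re.compile(r"scvhost", re.IGNORECASE)
REPLICA_SIZE = 221 * 1024

def classify_process(image_path):
    """Return why a process image path looks like the worm, or None."""
    p = PureWindowsPath(image_path)
    if p.name.lower() == "svchost.exe":
        return None  # the real service host; ending it can crash the PC
    if SUSPICIOUS_NAME.search(p.name):
        return "scvhost lookalike"
    if p.suffix.lower() == ".pif":
        return "pif process"
    if p.suffix.lower() == ".exe" and p.stem.lower() == p.parent.name.lower():
        return "named after parent folder"
    return None

def strip_shell_value(value):
    """Drop scvhost tokens from a shell value, keeping explorer.exe (assumes no spaces in the path)."""
    return " ".join(t for t in value.split() if not SUSPICIOUS_NAME.search(t))

def find_worm_files(root):
    """List autorun.inf files and ~221 KB executables named after their folder, relative to root."""
    hits = []
    for full in Path(root).rglob("*"):
        if not full.is_file():
            continue
        replica = (full.suffix.lower() == ".exe"
                   and full.stem.lower() == full.parent.name.lower()
                   and abs(full.stat().st_size - REPLICA_SIZE) < 1024)
        if replica or full.name.lower() == "autorun.inf":
            hits.append(full.relative_to(root).as_posix())
    return sorted(hits)

def build_sample_tree():
    """Constructed layout mirroring the post's example (inert files, no malware)."""
    root = Path(tempfile.mkdtemp())
    games = root / "Program Files" / "Games"
    games.mkdir(parents=True)
    (games / "Games.exe").write_bytes(b"\0" * REPLICA_SIZE)  # replica-like
    (root / "Autorun.inf").write_text("[autorun]\n")  # placeholder content
    sys32 = root / "WINDOWS" / "system32"
    sys32.mkdir(parents=True)
    (sys32 / "svchost.exe").write_bytes(b"\0" * REPLICA_SIZE)  # same size, not flagged
    return root
```

Running `find_worm_files(build_sample_tree())` reports only the Games.exe replica and Autorun.inf; the genuine svchost.exe of the same size is left alone because its name does not match its folder.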
If you have some comments or clarifications or perhaps additional information about this virus (?) please leave it here. I would be grateful to hear it out from you. Thanks!
all content by http://ronaldborla.blogsome.com/
2 comments:
Please modify / remove your post. It is a violation of Google's Duplicate Content rules; refer here.
You might be given penalties. You may only give me a back link from your own post to my blog, but not completely copy it. Please respond.
Here's my blog which I originally posted this content » As artists think alike...
thanks for your comment, i just added your link below. i'm really sorry for the mistake, i just made it easy for me to remember and i forgot to leave a back link to you!
anyway thanks for your tips
and welcome to my site :)