How to Remove the SCVHOST.exe Virus

How to Remove the SCVHOST.exe Virus

Scvhost.exe is virus that runs from the DLL files or the dynamic link libraries on your computer.  This Virus will block users from using the Task manager, Registry editor and the command prompt. Removing the scvhost.exe virus is a bit difficult and task a good amount of computer knowledge.

Before we start to remove this virus you will need to turn off the system restore on your computer. For all windows operating systems before vista, Right click “My Computer” and select “Properties” from the shortcut menu. Check the “Turn off System Restore” option for each drive on the System Restore tab. Left click “Apply” and “Yes” to confirm when prompted. For Vista or later, click “Start.” Type “System Restore” in the search box. When System Restore appears in the list double click on it and select “Turn Off Restore.”

Restart your computer in Safe Mode. Press “F8” while the computer is starting up to open Safe Mode. When the computer boots up, open the command prompt. You can do this by typing “cmd” in the run or search box in the “Start” menu. The command prompt will open as a black window that says “C:\”. Enter either “C:\Windows\System” or “C:\Windows\System 32.” Depending on where your computer system files are.

Now you need to Type the following and press enter after each line.

“attrib -h -r -s scvhost.exe”

“attrib -h -r -s blastclnnn.exe”
“attrib -h -r -s autorun.inf”

This will set the files so they can be removed. With that done now you need to delete the files by typing the lines bellow and clicking enter after each line.

“del scvhost.exe”
“del blastclnnn.exe”
“del autorun.inf”

Type in “CD/”. This will return you to the main Windows directory.  Type in “regedit” and press “enter”, this will open the Registry Editor. Find the following entries from the list of registry items.  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the incorrectly spelled Yahoo! Messenger entry with the value “c:\windows\system32\scvhost.exe.”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
Within this entry, there is a “shell” entry with the value of “explorer.exe, scvhost.exe”. Edit the entry to remove the reference to Scvhost.exe, leaving Explorer.exe.

HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>
Delete the following subkeys from the left:
RpcPatch
RpcTftpd

Exit the command prompt and return to the desktop. Reboot your computer and check to make sure all the Scvhost.exe has been removed. If you are still having troubles try to do the above steps in the normal mode not safe mode.

Sometimes the virus may relocate files to other locations. If this occurs do a search for those files and delete them do not double click on any file folders containing the virus files.