
How to Remove SCVHOST.exe or W32/YahLover.Worm.gen

February 12, 2008

This computer virus/worm hides itself under the name SCVHOST.EXE or SCVHOSTS.EXE. Don't mistake it for SVCHOST.EXE, which is one of the vital programs of Windows; look closely at the spelling. One of my friends emailed me that this virus first spread through Yahoo Messenger. So if you happen to get invites from unknown friends, please ignore them.

The virus is detected as W32/YahLover.Worm.gen by McAfee Antivirus and as Win32/Autorun.R.worm by NOD32. This virus/worm infects your computer in one of these ways:

  • First, it installs itself in autorun.inf, in the Open option of the AUTORUN. Once you happen to double-click it, it runs and starts spreading itself onto your system.
  • Furthermore, it copies itself to all the shared folders on your computers throughout the network and installs itself in the registry entries remotely using a GUEST account (through System:Remote).

Attributes of the Virus

  • This virus/worm blocks the Task Manager when you press Ctrl+Alt+Del to launch it.
  • It blocks the registry (the worm changes the registry to prevent running Task Manager and the Registry Editor, for harder detection). The error says that "Registry Editing has been blocked by an administrator".
  • It also restarts the computer when you try to go to the command prompt. (This happened while I was disinfecting my PC manually. See the related article How to get rid of autorun.inf.)
  • It duplicates itself to different locations in the shared folders. The duplicated virus/worm uses a FOLDER icon with an .exe file extension. WARNING! DO NOT double-click these folders.
  • McAfee alleged that it changes the configuration of your Yahoo Messenger (see McAfee info).
  • It autostarts via the registry keys Windows->Run and adds itself to WinNT->WinLogon->Explorer.exe.

How to remove the virus manually? (Try this; it works on my PC and other systems I have dealt with. But if you can't, try using an anti-virus like McAfee or NOD32):

  1. Boot your system in Safe Mode with Command Prompt only (press F8 when your computer restarts; a menu will be shown, and you select that option).
  2. After you log in, the command prompt will open (LOG IN AS ADMINISTRATOR).
  3. Type CD C:\WINDOWS\SYSTEM32 (I assume that your Windows system files are located on drive C)
  4. Type DIR /ah. This displays all hidden files in this directory. You will see the following files, which are used by the virus to spread itself: AUTORUN.INI, BLASTCLNNN.EXE, and SCVHOST.EXE
  5. Type ATTRIB -H -R -S SCVHOST.EXE
  6. Type ATTRIB -H -R -S BLASTCLNNN.EXE
  7. Type ATTRIB -H -R -S AUTORUN.INI
  8. Type DEL SCVHOST.EXE
  9. Type DEL BLASTCLNNN.EXE
  10. Type DEL AUTORUN.INI
  11. Type CD\
  12. Type ATTRIB -H -R -S AUTORUN.INF
  13. Type DEL AUTORUN.INF

After removing the virus/worm files, it MUST also be removed from the registry of your system.

  1. In the command prompt, type REGEDIT and press the ENTER key. This runs the Registry Editor.
  2. In the registry, look for the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. You will see an entry Yahoo! Messengger (it's spelled like this) with the value c:\windows\system32\scvhost.exe. Delete this entry.
  3. Next, look for the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. There is an entry named SHELL with the value Explorer.exe SCVHOST.EXE. DON'T delete this entry! Just edit it and REMOVE the SCVHOST.EXE so that Explorer.exe is the only value that remains in this registry entry.
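To double-check the two registry entries above after cleanup (or to triage another PC from a saved dump), here is an added example that is not part of the original post: a Python script that audits text saved from `reg query` for both keys. The function names, the assumed output layout and the sample data are constructed for illustration.

```python
import ntpath
import re

# File names the post attributes to the worm (lookalikes of the real svchost.exe).
WORM_NAMES = {"scvhost.exe", "scvhosts.exe"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumed `reg query` layout: indented name<sep>REG_TYPE<sep>data (sep = tab or 2+ spaces).
VALUE_RE = re.compile(r"^\s+(.+?)(?:\t|\s{2,})(REG_\w+)(?:\t|\s{2,})(.*)$")

def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from saved `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = m.group(3).strip()
    return keys

def is_worm(token):
    return ntpath.basename(token.strip('"')).lower() in WORM_NAMES

def clean_shell(value):
    """Drop worm executables from a Winlogon Shell value and keep the rest."""
    return " ".join(t for t in value.split() if not is_worm(t))

def audit(keys):
    """List (key, value_name, action) for the two registry entries in the post."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if is_worm(data):  # Run entry launches the worm: delete the value
            findings.append((RUN_KEY, name, "delete value"))
    shell = keys.get(WINLOGON_KEY, {}).get("Shell", "")
    if any(is_worm(t) for t in shell.split()):  # edit the value, never delete it
        findings.append((WINLOGON_KEY, "Shell", "set to " + clean_shell(shell)))
    return findings

# Constructed sample output, modelled on the values described in the post.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Yahoo! Messengger    REG_SZ    c:\windows\system32\scvhost.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe SCVHOST.EXE
"""

if __name__ == "__main__":
    print(audit(parse_reg_query(SAMPLE)))
```

An empty list from `audit` means neither entry references the worm's file names any more; the genuine SVCHOST.EXE is deliberately not matched.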

Thanks to my friend bleuken for some tips, the Filipino Web Designer & Computer Programmer from Roxas City, Philippines.

Disclaimer: I have tried this process and it works fine with my computer and other PCs that I have dealt with. I am a Computer Service Technician too. You should try this only if you know how to edit registry entries. (Try it at your own risk.) Hope this will help you.

Posted by pointblank at 6:02 pm | permalink

Previous Comments

Thank you very much. I know and I understand.

Posted by chet at September 12, 2009, 9:58 am
