Can't disable TROJAN! Please HELP!


Casheti
10-24-2006, 09:55 AM
I have a trojan called scvhost.exe and when I go to msconfig and disable it from starting up, when I restart it re-enables itself again. What can I do to get rid of it? I have scanned my computer with Norton, Spybot S & D, and Ad-Aware SE Personal. Nothing works, can I get some advice please? Do not mistake this for the Norton process of svchost.exe, that is just the process this trojan has TRIED to disguise itself as; luckily I spotted it and looked it up, but I can't get rid of it. Also, now when I start up my PC, Norton tries to come on but then something turns it off and I have to turn it back on again. Suggestions welcome.

-Casheti

scvhost.exe is a process which is registered as the W32/Agobot-S virus. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

Agility
10-24-2006, 10:05 AM
1.Start your computer in safe mode.

2.Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)

3.Browse to the key:
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'

4.In the right pane, delete the value called 'Config Loader', if it exists.

5.Browse to the key:
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ RunServices'

6.In the right pane, delete the value called 'Config Loader', if it exists.

7.Exit the registry editor.

8.Restart your computer.

9.Start Windows Explorer and delete:
%SystemDir%\scvhost.exe
%WinDir%\scvhost.exe
Note: %SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Note: %WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).

Lol, btw, if viruses were so easily disabled by turning them off in msconfig, there wouldn't be any more anti-virus software already.

Casheti
10-24-2006, 10:10 AM
Thanks dude

Agility
10-24-2006, 10:12 AM
It's just your OS. Since you've already removed the Config Loader, the virus wouldn't be loaded at startup. Thus you can delete it without getting a prompt saying it's in use. And DON'T REMOVE THE WRONG SCVHOST.EXE or else only God can help you. lolz.

Casheti
10-24-2006, 10:15 AM
How do I find:

%SystemDir%\scvhost.exe
%WinDir%\scvhost.exe

???

Agility
10-24-2006, 10:18 AM
It's just your directory.

1. C:\Windows\System\Scvhost.exe Check for scvhost.exe

2. C:\Windows\scvhost.exe check the same.

It should be there if you have the virus. For normal users scvhost.exe doesn't appear in those two directories. I've checked mine.

Casheti
10-24-2006, 10:32 AM
Didn't work. Still comes on at startup and Norton turns off...permission to say SHIT!

Casheti
10-24-2006, 10:33 AM
It's hiding somewhere....:(

Agility
10-24-2006, 10:44 AM
Does the scvhost.exe have the same e.g. year, version, blah blah and stuff as the REAL scvhost.exe? If it doesn't, do a search yourself: Start-->Search. Search for scvhost.exe and see where else they are. Remember their location and start steps 1 to 9 (whereby 9 would be the scvhost.exe hiding at the place you found with search).

Casheti
10-24-2006, 10:46 AM
Norton = svchost

Trojan = scvhost

They're slightly different.

It also put itself BACK in the registry. It won't give up :( I'll try whatcha said. A format is looming over my PC

AshenSugar
10-24-2006, 11:06 AM
Norton sucks; NOD32 or F-Prot from the Windows Recovery Console should remove it.

Try Unlocker (google it), it should let you delete the file even if it's in use :D

Casheti
10-24-2006, 11:07 AM
I can delete it but it just comes back. And I've looked everywhere and can't find it. Wherever it is it's hiding really well.

AshenSugar
10-24-2006, 11:16 AM
http://www.google.com/search?client=opera&rls=en&q=scvhost.exe+remover&sourceid=opera&ie=utf-8&oe=utf-8

Try that.

If that doesn't work, get hold of F-Prot antivirus, put the AV in a folder easy to get to from the command line, restart with the Windows CD in the drive, boot from the disk and get to the Recovery Console, run the F-Prot DOS version with settings to check all files and use heuristics, and see if it can remove it. If not, you can try running other antiviruses from WindowsPE :/

Casheti
10-24-2006, 11:18 AM
That sounds too complicated for me... I can end the trojan's process when I start up by going into Task Manager, easily, but I'd prefer for it to not be on my computer at all. I thought it would all be easier than this to remove :(

AshenSugar
10-24-2006, 11:20 AM
Oh, disable System Restore (if enabled) and go into the windows/system32/dllcache folder and look for that file. You can delete all the files in that folder if you like; they are backups of files already on your system (and on the Windows disk for that matter).

You may have to type in the address, as Windows has that folder hidden by default :)

AshenSugar
10-24-2006, 11:27 AM
Cash, my advice is learn to do this now (command prompt stuff) because it's very useful when Windows buggers up or gets infected like it is.

www.f-prot.com has the DOS version free last I checked, just get it and the latest virus sig files, it's not that hard.

Extract/install F-Prot to c:\fprot, then restart with the CD as I said, get into the Recovery Console, then type cd\ <enter>, then cd fprot <enter>, then type fprot and it should load the AV; from there it's not hard to figure out. One of the best antivirus apps around.

Best is NOD32, you can get it from the maker's site as well, may want to try it.

You can try this as well:
http://housecall.trendmicro.com/

I would, if I were you, get hold of a copy of NOD32 as it's far more reliable than any of the free AV apps and Norton/Symantec/McAfee :)

Casheti
10-24-2006, 11:29 AM
Right, I'll get Nod32 and try Housecall, I've used that before :D

Tatty_One
10-24-2006, 11:32 AM
It's just your OS. Since you've already removed the Config Loader, the virus wouldn't be loaded at startup. Thus you can delete it without getting a prompt saying it's in use. And DON'T REMOVE THE WRONG SCVHOST.EXE or else only God can help you. lolz.


I am glad you said that because I thought SCVhost.exe was a legit file, how do you tell which has the nasties?

Casheti
10-24-2006, 11:38 AM
Housecall crashes again and again. Firefox just closes, so stuff that idea. Onto Nod32.

Casheti
10-24-2006, 11:40 AM
I got the Nod32 XP 30 day trial. Right?

Alec§taar
10-24-2006, 12:55 PM
I am glad you said that because I thought SCVhost.exe was a legit file, how do you tell which has the nasties?

SVCHOST.EXE is a legit file, it brokers various services running...

SCVHOST.EXE (never heard of it before this actually) obviously is not (note the spellings & in particular, the order of the "C" & "V" in them both).

I looked up the one I never heard of, SCVHOST.EXE, & it is a variant of the W32/Agobot-S virus apparently.

The man is bugged, assuming he spelled this right...

:(

* I found a removal procedure for it, as follows from this website (SOPHOS ANTIVIRUS):

http://www.sophos.com/security/analyses/w32agobots.html

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Config Loader = scvhost.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Config Loader = scvhost.exe

and delete them if they exist.

Close the registry editor.

It is also recommended to install these patches:

http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx

&

http://www.microsoft.com/technet/security/bulletin/MS03-001.mspx

APK

P.S.=> Good luck, this seems fairly simple to remove, unlike one I ran into 5 years ago on my nephew's PC called "W32Pinfi"... it was IMPOSSIBLE to pull off his machine afaik! apk
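
Agility's steps and the Sophos procedure above both come down to the same two things: find the "Config Loader" values under Run and RunServices, and tell scvhost.exe apart from the real svchost.exe by spelling. The script below is an added example for this thread (not code from the forum, from Sophos or from Windows) that automates that triage on a Registry Editor export, the backup file the Sophos procedure tells you to make first: it parses the .reg text, keeps only the autorun keys, flags any image name that is within a couple of edits of a real system binary name, and prints the reg.exe line that deletes just that value. The sample export, the SomeApp/updater.exe entry and the list of system binary names are constructed for the example; they are not from the original post.

```python
"""Triage autorun entries in an exported .reg file for look-alike binary names.

Added example for this thread, not code from the forum or from Sophos. The
input below is a constructed Registry Editor export, not a real capture.
"""
import re
from typing import NamedTuple

# Legitimate Windows system binaries that malware likes to imitate (constructed list).
LEGIT_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
               "services.exe", "explorer.exe"}

# Autorun key suffixes to inspect; the thread's entries live under Run and RunServices.
AUTORUN_SUFFIXES = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce",
                    r"\CurrentVersion\RunServices", r"\CurrentVersion\RunServicesOnce")

# Constructed sample export: the two "Config Loader" values from the thread,
# a harmless (made-up) updater entry, and a non-autorun key that must be ignored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Config Loader"="scvhost.exe"
"SomeUpdater"="\"C:\\Program Files\\SomeApp\\updater.exe\" /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Config Loader"="scvhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SomeApp]
"DisplayName"="SomeApp"
"""

# A .reg value line: "name"=data ; the name may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


class Finding(NamedTuple):
    key: str
    value_name: str
    image: str
    reason: str


def unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key_path: {value_name: data}} for string (REG_SZ) values only."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue  # header, blank line, default value (@=), dword:/hex: data
        name, data = m.group(1), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][unescape(name)] = unescape(data[1:-1])
    return keys


def image_path(data: str) -> str:
    """Extract the executable path from a command line ("quoted path" args | path args)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars.
    Counting a swap as one edit is what makes scvhost.exe sit 1 away from svchost.exe."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage_autoruns(reg_text: str, legit=LEGIT_NAMES, max_distance: int = 2) -> list[Finding]:
    """Flag autorun values whose image name is, or is a near miss of, a system binary."""
    suffixes = tuple(s.lower() for s in AUTORUN_SUFFIXES)
    findings: list[Finding] = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith(suffixes):
            continue
        for name, data in values.items():
            image = image_path(data)
            base = basename(image)
            if base in legit:
                reason = "system binary name launched from an autorun key; check its path and signature"
            else:
                dist, target = min((osa_distance(base, l), l) for l in legit)
                if dist > max_distance:
                    continue
                reason = f"look-alike of {target} (edit distance {dist})"
            findings.append(Finding(key, name, image, reason))
    return findings


def reg_delete_command(f: Finding) -> str:
    """The reg.exe line that removes only this value (Agility's steps 4 and 6)."""
    return f'reg delete "{f.key}" /v "{f.value_name}" /f'


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_REG):
        print(f"{f.key}\n  {f.value_name} -> {f.image}: {f.reason}\n  {reg_delete_command(f)}")
```

On a real machine, export the key first (regedit /e autoruns.reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion) and feed that file to triage_autoruns instead of SAMPLE_REG. Deleting the value only helps if nothing is still running to put it back, which is why the thread's advice to do it from Safe Mode or after ending the process matters; if the value reappears after a reboot, look for a second loader rather than repeating the same deletion.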

AshenSugar
10-24-2006, 07:07 PM
Housecall crashes again and again. Firefox just closes, so stuff that idea. Onto Nod32.

Firefaux doesn't get along well with HouseCall, you'd need to use IE; there are reasons to keep it around, and this is one.

Casheti
10-24-2006, 08:07 PM
Done what you said Alexstar. Don't know if it works. I'll restart.

AshenSugar
10-24-2006, 08:24 PM
P.S.=> Good luck, this seems fairly simple to remove, unlike one I ran into 5 years ago on my nephew's PC called "W32Pinfi"... it was IMPOSSIBLE to pull off his machine afaik! apk
Come on now, nothing's impossible, just very very hard ;)

Want fun? Try the crap my father's school district got on most of their systems. It was funny, I had to teach a LARGE school district's techs how to CD boot into the Recovery Console, run AV, restart into Safe Mode, run registry cleanup tools (had 2 apps that helped with this), then secure the systems against this. One of them just wanted to reformat every system in the district; he did his system first and by the time he started patching it, it was infected again (haha).

Alec§taar
10-24-2006, 11:09 PM
Done what you said Alexstar. Don't know if it works. I'll restart.

Well, I hope so... it's not MY words, but the procedures outlined @ the SOPHOS AntiVirus website!

Good luck!

APK

w33nie
07-04-2007, 07:18 PM
I've had this one before. I went to Regedit and scanned the whole registry for "scvhost"; there were many entries with that name. Try using HijackThis, and removing anything with the word "scvhost" (explorer.exe might be infected. I removed it with HijackThis, but the taskbar and icons disappeared for about a minute).

Sorry, I know this topic is old. I suggest you get a firewall ASAP. Use Spybot to clean up any leftovers.

http://www.stevengould.org/software/cleanup/

It's very good and fast