Sunday, July 22, 2012

How To Remove ‘SVCHOST.exe’ Compter Virus

SICHOST.exe is a virus and it is installed and used by TrojanPSW.OnLineGames.  The virus can easily be mistaken for the genuine Windows file named SVCHOST.exe.

What it does?
SICHOST.exe tries to connect to several remote hosts and download files from the internet and it disables the Registry Editor (regedit), Task Manager and the Microsoft System Configuration Utility (msconfig).
Almost all the popular antiviruses can remove it with ease.  If your antivirus is not detecting the virus, try the following method to manually remove the virus.
1.  Boot in safe mode.
2.  You will be getting access to the Registry Editor now.  Type “regedit” (without quotes) in the Run dialog box to open it up.
3.  Go the following locations and delete them.
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explore\Control Panel
4.  Now go the following locations, again in the Registry.
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Delete the following entries which will be displayed in the right hand pane at the above location:-
Yahoo Messengger =”C:\Windows\System32\SICHOST.exe
Google=http://advgoogle.blogspot.com
5.  Now browse to the following location and change the values as per your wish:-
HKEY_LOCAL_MACHINE\Software\Microst\Internet Explorer\Main
Default_Page_URL = “http://www.techmarena.blogspot.com”
Default_Search_URL = “http://www.techmarena.blogspot.com”
Search Page = “http://www.techmarena.blogspot.com”
6.  Now that we have made all amendments in the registry, we should be cleaning up the files.  The virus creates the following files in your hard disk.
(a)  SICHOST.exe in C:\Windows, C:\Windows\System32 (If your Windows is installed in other drives, substitute the drive letter).
(b)  At1.job and at times At2.job under C:\Windows\Tasks.
(c)  Autorun.ini and Setting.ini in C:\Windows\System32.
Delete all the above files.  If you are unable delete them, use Unlocker to unlock them and delete them.
7.  Now the system is pretty much clean.  To re-enable the Registry Editor when you boot normally, while still in safe mode,type “gpedit.msc” (without quotes) in the Run dialog box.
Click on Administrative Templates under User Configuration.  Then click on System.  On the right hand side you can see the entry – “Prevent access to Registry editing tools”.  Right click it and select Properties and select Disabled.
8.  Search your computer for SVCHOST.exe again and if you find any links to it.  Delete it.  If it does not get deleted, delete it with Unlocker.

No comments:

Post a Comment