Apache (6)
File Types (33)
Internet Explorer (6)
Network (11)
Passwords (6)
Printing
Processes (13)
Programming (318)
Exchange Links
About this site
bla.exe / Scvhost.exe trojan horse keeps coming back!
8 comments. Current rating: 
(4 votes). Leave comments and/ or rate it.
Question:
I cannot get rid of this trojan horse bla.exe. I first found it after I kept getting error messages from WinAmp ('Illegal Operation' on drive C:) even though I was not running WinAmp and I have WinAmp installed on drive E:.I started the computer in safe mode, twice, and removed both of them and they just keep coming back.
Answer:
bla.exe belongs to the W32.HLLW.Gaobot worm. This worm attempts to spread to network shares with weak passwords. W32.HLLW.Gaobot also provides a hacker access to the infected computer through IRC. It uses the DCOM RPC vulnerability (tcp port 135, Windows XP) and the RPC locator vulnerability (tcp port 445).There is a upx compressed version of this worm, the compressed version is classified as W32.HLLW.Gaobot.AE
It affects computers with Windows NT, Windows 2000 and Windows XP.
Besides running as bla.exe, it may also arrive on your computer as Scvhost.exe, WincfgM32.exe or Winhlpp32.exe.
To remove this trojan horse, you need to follow these steps:
- Disable System Restore (Windows XP only)
- Restart the computer in Safe mode or VGA mode.
- Run an updated virus scanner and run a full system scan and delete all the files detected as W32.HLLW.Gaobot.
- Delete the value that was added to the registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
There delete "Config Loader"="scvhost.exe"
and in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
delete "Config Loader"="scvhost.exe"
- Now boot again in normal mode
|
||||||||
Comments:
| ||
|
Thanks for the breifing - the scvhost.exe, everytime I'd reboot. I get this pop-up screen. After 50 clicks it would finally go away. Going to try what you suggest, if this doesn't work the next step is reformating.
Again Thanks | ||
| ||
|
i'm confused, just now i went onto another web page and it said that scvhost was a program that u need to run XP and that if i delete it my computeer wont run, now ur saying it is a virus and i should delete it!!!! what should i do?
| ||
| ||
|
scvhost is a system file used for networking. XP will run without it but your network won't work properly including your internet connection. This is why worm and virus writers target this exe and infect it, because you really can't do without it.
You will need to extract an original copy of scvhost.exe from your WindowsXP CD after you have removed the infected one. Then you will need to reapply SP2, to get the updated version. You may be able to extract it straight from SP2, though I've never tried. | ||
| ||
|
CAREFUL: the virus is scvhost.exe; the Windows file that should be allowed to run is svchost.exe
| ||
| ||
|
SCVHOST.exe is a left over of a virus infection,i had this message(windows could not find scvhost.exe) pop up everytime i start the computer.This happened immedietly after i ran a full AVG scan on the system and it did clean the system-but for this message-it appears like a trojan infection.Also the trojan block several administrative privelages like disabling your task manager,disabling regedit and removing the folder options from the tools menu in the explorer window.it just makes sure that you would not be able to see those infected files....And Oh...it also blocks the different partitions of the harddrive=you get a open with window-it makes the computer believe that the drive is an application/program, by creating a autorun file in every drive/partition...which is hidden by the way and there is no way you can locate those files.but you can delete those files from the command prompt window.
These are the steps which i suggest you do... 1)clean the system by running a full system scan using the latest AVG anti virus 2)in case of task manager being disabled,follow these steps  http://support.micr..kb/555480
3)in case of regedit being disabled follow these-locate this registkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVerVersio >n\Policies\System] >'DisableRegistryTools'=dword:00000000 4)in case the partitions/drives are blocked/dont open-then follow these steps goto command prompt and type in del c:\autorun.* /f /s /q /a and enter del d:\autorun.* /f /s /q /a enter del e:\autorun.* /f /s /q /a enter here c,d and e could be your partitions/drives on your computer This applies to all the partitions that you have and also to any thumbdrives which may have been infected by the trojan And as for the scvhost.exe pop up,the registry tweak mentioned in the first blog should do the trick Good Luck... | ||
| ||
|
be for u try to delete SCVHOST.exe from system32 i ues to stop system restore then reboot
into safemode then delete SCVHOST.exe then ues registry editor to find all entres of SCVHOST and delete them then boot as norm and no mater wot i do sumway sum how it allways gets back on my computer sumtimes after 6m or 12 and that cus the net is loaded wae it but after lots of looking n submiting dif verints to Eset NOD32 now stops it be for it starts :D oh and if u get the 60s shutdown popup goto start>run then cmd then enter shutdown -r and that will abort the shutdown that SCVHOST.exe started to stop it from being removed off ur pc | ||
| ||
|
you might want to try this site for detailed repair
http://borgetech.bl..om-pc.html | ||
| ||
|
You've mentioned we should disable system restore to get rid of scvhost.exe, so after we're done, shall we not enable system restore again? Sorry im a newbie in thie system restore thing...
|
