As part of their routine, many worms and Trojans make changes to the registry. Some of them change one or more of the shell\open\command keys. If these keys are changed, the worm or Trojan will run each time that you run certain files.
For example, if the \exefile\shell\open\command key is changed, the threat will run each time that you run any .exe file. This may also stop you from running the Registry Editor to try to fix this.
They may also change a registry value so that you cannot run the Registry Editor at all.
The most common infections we encounter daily are sscvihost.exe and autorun.ini. I am going to explain how to remove them if your anti-virus is not doing so.
sscvihost.exe may go by many names; the most popular are W32/Sohana-AO (Sophos) and W32.Imaut.AY (Symantec/Norton). Basically this is a type of worm that spreads via USB thumb drives and/or Yahoo! Messenger. Technically, a worm doesn't destroy your files; it just adds tons of useless files in order to fill up your hard drive or slow down your system. We don't like that, do we?
Symptoms:
CTRL+ALT+DEL is not working
Folder Options is missing from your TOOLS menu
Registry Editor (RegEdit) is not working
Your system is slowing down gradually
There seems to be a lot of hard drive activity even if you are doing nothing
You have a New Folder.exe in every folder and in each sub folder
Follow these steps:
Download the file UnHookExec.inf and save it to your Windows desktop. (The link is given at the end of the post.)
(If you cannot connect to the Internet from the infected computer, download it on an uninfected computer and save it to a floppy disk. Then insert the floppy disk into the floppy drive of the infected computer.)
Note: The tool has a .inf file extension.
Right-click the UnHookExec.inf file and click install. (This is a small file. It does not display any notice or boxes when you run it.)
Removing the virus:
FIRST: You have to stop the virus from running in the first place. If your system is already infected, the virus is already running in the background. You must restart your computer and boot it in Safe Mode.
Restart your PC
Press F8 as soon as the BIOS finishes booting. If you don't know when that is, just keep pressing F8 until a menu appears.
Select Safe Mode from the menu
On your desktop, right click on the file UnHookExec.inf then select install. You won’t see any prompt or confirmation so don’t worry about it.
By now, CTRL+ALT+DEL is already working so open up your Task Manager. End task the following programs/processes:
SSCVIHOST.exe
blastclnnn.exe
New Folder.exe
SECOND: Delete the virus files from your PC. There are two ways to do this: via the Windows shell (Explorer) or via the command prompt (DOS) shell. Since Folder Options has been disabled by the virus, you cannot switch to showing hidden files and system files. You could fix that in the Registry, but let's just do it the DOS way. Follow this carefully.
Select Run from your Start menu, type cmd, and press Enter. The paths differ depending on your operating system, but in this procedure let's assume you are using Windows XP.
At the command prompt go to your system32 folder (the path may differ if you are using NT/2000 rather than XP). For the sake of this procedure let's assume you are using XP. Type cd \windows\system32
At this path (C:\windows\system32>) type the following commands in order:
- attrib -h -r -s SSCVIHOST.exe
- del SSCVIHOST.exe
- attrib -h -r -s blastclnnn.exe
- del blastclnnn.exe
- attrib -h -r -s autorun.ini
- del autorun.ini
- attrib -h -r -s svchosl.exe
- del svchosl.exe
- cd \windows (this will move you to the Windows prompt C:\windows>)
- attrib -h -r -s SSCVIHOST.exe
- del SSCVIHOST.exe
THIRD: Clean up the registry. RegEdit is working again thanks to the UnHookExec.inf file we downloaded from Symantec. In your Run box (from the Start menu) type regedit. WARNING: Be careful about what you edit here, because a single mistake may break your system. Just follow the paths mentioned here so you won't get lost, and make sure you edit only what is mentioned in this procedure.
Navigate to the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = "Explorer.exe SSCVIHOST.exe"
(edit this value and remove the word SSCVIHOST.exe, leaving only Explorer.exe; if you get this wrong the Windows shell won't load on your next boot)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Yahoo Messengger" = "%System%\SSCVIHOST.exe"
(delete this entry)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
"shared" = "[SHARE NAME]\New Folder.exe"
(delete this entry)
Restore the following registry entries to their original values, if required:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableTaskMgr" = "1"
(set to zero (0) to enable)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableRegistryTools" = "1"
(set to zero (0) to enable)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoFolderOptions" = "1"
(set to zero (0) to enable)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
"AtTaskMaxHour"
(remove any entry here whose name or data refers to blastclnnn.exe, or just remove all entries here)
FOURTH: Clean again after cleaning. Restart your PC, again in Safe Mode (remember to press F8). This time we will remove all the other files that have been created by the virus. Folder Options in your Tools menu is working again, so open it up. Select "Show hidden files and folders" and uncheck "Hide protected operating system files." Then search your whole hard disk (using Windows Search from the Start menu) for the file names listed above and SHIFT+DEL each one. Also empty your Recycle Bin afterwards.
FIFTH: Check your autoruns. In your Run box on the Start menu, type msconfig. Look at the Startup tab for any suspicious entries that are related to the virus and disable them (you can also remove them in the registry).
That's it. Reboot your system normally and check your Task Manager (CTRL+ALT+DEL) for any running processes that aren't supposed to be running.
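As an added example that is not part of the original post, the following PowerShell script audits the registry locations listed in the THIRD step for the SSCVIHOST indicators and, with the assumed -Fix switch, restores them to the values the post describes. It assumes Windows PowerShell run as Administrator on the cleaned machine; the Schedule key is reported only, so you can review it before deleting.

```powershell
# Added audit/repair script, not from the original post. Checks the registry
# locations the post lists for SSCVIHOST persistence and lockout values.
# Assumes Windows PowerShell run as Administrator; -Fix is an assumed switch.
param([switch]$Fix)
$findings = @()

# 1. Winlogon Shell must be exactly "Explorer.exe" (the worm appends SSCVIHOST.exe)
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'Explorer.exe') {
    $findings += "Winlogon Shell = '$shell' (expected 'Explorer.exe')"
    if ($Fix) { Set-ItemProperty -Path $wl -Name Shell -Value 'Explorer.exe' }
}

# 2. Autostart values named in the post; on a clean system they do not exist at all
$autostarts = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = 'Yahoo Messengger'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares' = 'shared'
}
foreach ($key in $autostarts.Keys) {
    $name = $autostarts[$key]
    $val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $val) {
        $findings += "$key\$name = '$val'"
        if ($Fix) { Remove-ItemProperty -Path $key -Name $name }
    }
}

# 3. Lockout policies the worm sets to 1; 0 re-enables Task Manager, RegEdit and Folder Options
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)
foreach ($p in $policies) {
    $val = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($val -eq 1) {
        $findings += "$($p.Path)\$($p.Name) = 1"
        if ($Fix) { Set-ItemProperty -Path $p.Path -Name $p.Name -Value 0 -Type DWord }
    }
}

# 4. Scheduler values whose data mentions blastclnnn.exe (report only; review before deleting)
$sch = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule' -ErrorAction SilentlyContinue
if ($sch) {
    foreach ($prop in ($sch.PSObject.Properties | Where-Object { "$($_.Value)" -match 'blastclnnn' })) {
        $findings += "Schedule\$($prop.Name) = '$($prop.Value)'"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning "FOUND: $_" } }
else { Write-Output 'No SSCVIHOST registry indicators found.' }
```

Run it once without -Fix to see what is set, then again with -Fix after the virus files have been deleted, since a still-running worm would simply rewrite these values.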
Download UnHookExec.inf from HERE