Instructions

1. Step 1

If the operating system of the infected computer is either Windows Me or

Windows XP, turn off System Restore while this fix is being implemented. To
turn off System Restore within Windows Me, click Start > Settings > Control
Panel. Double-click "System." Select "File System" from the Performance tab.
Left click the "Troubleshooting" tab and check the "Disable System Restore" box.
Click "OK."
To turn off System Restore within Windows XP, log in as Administrator and click
"Start." Right click "My Computer" and select "Properties" from the shortcut
menu. Check the "Turn off System Restore" option for each drive on the System
Restore tab. Left click "Apply" and "Yes" to confirm when prompted. Click
"OK."

2. Step 2

Restart your computer in Safe Mode and log in as Administrator. Press "F8" after
the first beep occurs during start up, before the display of the Microsoft Windows
logo. Select the first option, to run Windows in Safe Mode from the selection
menu.

3. Step 3

Access the command prompt. Click Start > Run. Type "cmd." Click OK > CD
(change directory) from the command prompt, press the space bar.
Type the name of the full directory path of the folder containing your Windows
system files. It will be either "C:\Windows\System" or "C:\Windows\System 32."

4. Step 4

From the command prompt, type the following to unprotect the files for removal:
"attrib -h -r -s scvhost.exe" and press "Enter;"
"attrib -h -r -s blastclnnn.exe" and press "Enter;"
"attrib -h -r -s autorun.inf" and press "Enter."

5. Step 5

Delete the files by typing the following from the command prompt:
"del scvhost.exe" and press "Enter;"
"del blastclnnn.exe" and press "Enter;"
"del autorun.ini" and press "Enter."

6. Step 6
 Type "cd\" to return to the main Windows directory.
Unprotect and delete the Autorun.inf file by typing the following from the
Windows directory command prompt:
"attrib -h -r -s autorun.inf" and press "Enter;"
"del "autorun.inf" and press "Enter;"
Type "regedit" and press "Enter" to open the Registry Editor.

7. Step 7

Locate the following entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the incorrectly spelled Yahoo! Messenger entry with the value
"c:\windows\system32\scvhost.exe."

8. Step 8

Locate the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon.
Within the key, there is a "shell" entry with the value of "explorer.exe,
scvhost.exe". Edit the entry to remove the reference to Scvhost.exe, leaving
Explorer.exe as the remaining value in the registry entry.

9. Step 9

Locate the following key:

HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>
Delete the following subkeys from the left panel:
RpcPatch
RpcTftpd
Exit the command prompt and return to the operating system. Type "Exit," and
press "Enter."

10. Step 10

Reboot the PC.

If Scvhost.exe still resides on the computer, repeat these steps or try using an
automatic removal program from McAfee or Symantec (see links in References).