Recently, I noticed in the Windows Task Manager that a spurious svchost.exe appears and always uses about 50% of the CPU resources. I 'End the process', but it will appear later. If I don't initiate a new activity the greedy svchost does not appear. One thing for sure that will bring up this svchost is using Windows Explorer to access some file or folder. Also, perhaps at other times when a program needs to access something in the file structure it will appear gobbling its 50% CPU time.
I'm using XP Pro SP2. I've been using this same system for over 3 years. Just recently I hooked up a 1 TB WD 10EAVS external USB (My Book) hard drive, within the general time frame of noticing the rogue svchost. Otherwise, no recent additions.
svchost must be in the system32 folder of Windows; otherwise it might be a virus copycat.
When you press Ctrl+Alt+Del, it blocks the Task Manager from launching.
It blocks the Registry Editor.
When you try to go to the command prompt (CMD), it restarts the computer.
The shared folders will duplicate themselves to different locations of. The duplicated virus uses a FOLDER icon with an .exe file extension. The configuration of your Yahoo Messenger has been changed.
How to Remove It
OK, here we go. You must follow these steps to remove this virus manually:
Restart your PC, press F8, and select the option Safe Mode Command Prompt Only.
When you log in at the command prompt, you must log in as Administrator.
Type cd C:\windows\system32
Type dir /ah to display all hidden files in this directory. You will see the following files, which are used by the virus to spread itself: AUTORUN.INI, BLASTCLNNN.EXE, and SCVHOST.EXE
Type ATTRIB -H -R -S SCVHOST.EXE
Type ATTRIB -H -R -S BLASTCLNNN.EXE
Type ATTRIB -H -R -S AUTORUN.INI
Type DEL SCVHOST.EXE
Type DEL BLASTCLNNN.EXE
Type DEL AUTORUN.INI
Type ATTRIB -H -R -S AUTORUN.INF
Type DEL AUTORUN.INF
You are almost done. Reboot your PC; you may sit back and relax :) while it loads.
Go to the Start Menu, click Run, and type the REGEDIT command. Take note, guys: before you make any changes in the Registry Editor, you must make a full backup of your registry to avoid system errors. :)
Look at the location entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If you see an entry Yahoo! Messengger (it’s spelled like this) with a value c:\windows\system32\scvhost.exe, delete this entry.
Look at the location entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, in the entry named SHELL, with a value = Explorer.exe,SCVHOST.EXE. Edit this value: delete the SCVHOST.EXE only, and the value must be Explorer.exe. Once you delete all of this value, your computer will not log in anymore.
OK, we are now done. Please restart your PC now and enjoy!
The above is a method from the internet.
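The checks described in the reply above (svchost.exe belongs in system32, a look-alike name such as scvhost.exe in a Run value, and an extra program appended to the Winlogon Shell value) can be expressed as a small audit script. This is an added example, not part of the original posts; the function names, the 0.8 similarity threshold, the default install path and the sample data are assumptions constructed for illustration.

```python
import ntpath
import re
from difflib import SequenceMatcher

SYSTEM32 = r"c:\windows\system32"  # assumption: default XP install path

def exe_path(command):
    """Extract the lower-cased executable path from a path or autorun command."""
    m = re.match(r'\s*"?(.+?\.exe)', command, re.IGNORECASE)
    return (m.group(1) if m else command).strip().lower()

def is_lookalike(name, real="svchost.exe"):
    """Near-miss spelling of a system binary name (0.8 threshold is an assumption)."""
    return name != real and SequenceMatcher(None, name, real).ratio() >= 0.8

def check_image(path):
    """Findings for one process image path or autorun target."""
    path = exe_path(path)
    folder, name = ntpath.split(path)
    if is_lookalike(name):
        return [f"look-alike name: {path}"]
    if name == "svchost.exe" and folder != SYSTEM32:
        return [f"svchost.exe outside system32: {path}"]
    return []

def check_shell(value):
    """Winlogon Shell should be Explorer.exe alone; report any other entry."""
    parts = [p.strip().lower() for p in value.split(",") if p.strip()]
    return [f"extra Winlogon Shell entry: {p}" for p in parts if p != "explorer.exe"]

def audit(processes, run_values, shell):
    """Collect findings across process paths, Run values and the Shell value."""
    findings = []
    for p in processes:
        findings += check_image(p)
    for name, cmd in run_values.items():
        findings += [f"Run value '{name}' -> {f}" for f in check_image(cmd)]
    return findings + check_shell(shell)

# Constructed sample data modelled on the values named in the post.
SAMPLE_PROCESSES = [r"C:\WINDOWS\system32\svchost.exe",
                    r"C:\WINDOWS\system32\scvhost.exe",
                    r"C:\Temp\svchost.exe"]
SAMPLE_RUN = {"Yahoo! Messengger": r"c:\windows\system32\scvhost.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_SHELL = "Explorer.exe,SCVHOST.EXE"

if __name__ == "__main__":
    for line in audit(SAMPLE_PROCESSES, SAMPLE_RUN, SAMPLE_SHELL):
        print(line)
```

On a real machine the three inputs would come from a process listing and from exports of the two registry keys named in the post.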