SCVHSOT.exe
We are using Symantec Corporate Edition Version 10.1.
On one of our Windows 2003 Server machines, Registry editing, Task Manager and Folder Options are said to be disabled by the Administrator. A new user with Administrative rights has been added. It is not possible to edit this user.
A Symantec scan done in normal and safe modes says there are no virus threats.
This virus has possibly entered through a pen drive used a few days back. We found that auto protect is often disabled by this virus and had to be manually re-enabled.
Since registry, task manager and folder options are blocked, there is no way of using the regular manual clean-up processes.
The error message "Registry Editing has been disabled by Administrator" appears as soon as the machine is booted or rebooted.
We have also run the FixSflog.exe tool. The result says that this computer is not infected.
From whatever little research we could do, this virus is using an 'AutoIt' script and uses a file called SCVHSOT.exe in the windows\system32 folder which is not visible. We came to know about it because of an error message thrown up by 'AutoIt'.
This virus has entered by disabling autoprotect after acquiring administrative rights of an 'Owner'.
We have also identified another machine, running Windows XP, having the same problem.
Any help will be appreciated.
Re: SCVHSOT.exe
I think you should really be leveraging support to deal with this issue; it is going to be highly likely they have seen this issue.
Re: SCVHSOT.exe
I had over 40 machines infected with this "virus". Since it disables everything, including the antivirus, here's a workaround.
First do this: run unhookexec.inf to enable the registry (can be downloaded from Symantec).
1. Boot in Safe Mode with Command Prompt.
2. Go to your windows folder and enter this command: ATTRIB
You will usually find two files: autorun.ini -shr and scvhsot.exe shr
Modify the attributes and remove the system, hidden and read-only attribs [attrib scvhsot.exe -s -h -r]
3. Now go to windows/system32 and do the same as step 2.
4. These files are also located on all root partitions/drives; repeat step 2.
5. Enter this command: regedit
6. Remove all related keys/strings:
hklm>software>microsoft>windows>currentversion>run -----> remove items running scvhsot
hkcu>software>microsoft>windows>currentversion>run -----> remove items running scvhsot
hklm>software>microsoft>windows nt>currentversion>winlogon -----> modify key shell (it must be Explorer.exe only)
7. Restart.
Your registry editor, Task Manager, msconfig, and other administration tools should be working. Update your antivirus and run a full scan.
How to remove the auto run option in a pen drive
Open Notepad, save empty content with the file name "autorun.inf" and change Save as type to "All files". Copy the autorun.inf file to your thumb drive. If it asks to overwrite, then overwrite.
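The registry inspection in step 6 of the workaround above, as an added example that is not part of the original thread: it reads the text of a .reg export and lists the Run entries that reference scvhsot and any Winlogon Shell value that is not Explorer.exe only. The function name `audit_reg_export`, the `SAMPLE` text and its value names are assumptions made for illustration.

```python
import re

# Keys named in step 6 of the workaround, lower-cased for comparison.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
MARKER = "scvhsot"  # file name reported in the thread
# "Name"="string data"; backslash and double quote are backslash-escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def audit_reg_export(text):
    """Return (key, value name, data, reason) for each entry step 6 would touch."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue  # header, blank lines, dword:/hex: values
        name, data = unescape(m.group(1)), unescape(m.group(2))
        k = key.lower()
        if k in RUN_KEYS and MARKER in data.lower():
            findings.append((key, name, data, "Run entry references scvhsot"))
        elif (k == WINLOGON_KEY and name.lower() == "shell"
              and data.strip().lower() != "explorer.exe"):
            findings.append((key, name, data, "Winlogon Shell is not Explorer.exe only"))
    return findings

# Constructed sample export, not taken from an infected machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Benign"="\"C:\\Program Files\\Example\\tray.exe\" /min"
"Constructed"="C:\\WINDOWS\\system32\\SCVHSOT.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SCVHSOT.exe"
'''

if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE):
        print(" | ".join(finding))
```

Exports in the "Windows Registry Editor Version 5.00" format are UTF-16, so read the file with `encoding="utf-16"` before passing its text to the function.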
Tuesday, January 1, 2008