Tuesday, October 19, 2010

Remove exe Virus Manually

During my daily work I usually encounter many viruses, but the most common are sscvihost.exe and autorun.ini. These viruses spread from USB drives as well. I can usually remove them without using any anti-virus software, so today I am going to explain how to remove them if your anti-virus is not doing so. However, be warned that the following procedure requires you to edit your Registry, so no mistakes must be made there, or else you may end up with a messed-up OS.

Introduction


SSCVIHOST.exe, according to my research, has many names; the popular ones are W32/Sohana-AO (Sophos) and W32.Imaut.AY (Symantec/Norton). Basically this is a type of worm that spreads via USB thumb drives and/or Yahoo! Messenger. A worm, technically, doesn’t destroy your files; it just adds tons of useless files in order to fill up your hard drive and slow down your system. We don’t like that, do we?

Anti-virus software

Most major anti-virus products with the latest definition files installed detect this virus, so you don’t have to worry about it spreading throughout your hard drive. Sophos, Symantec Norton and TrendMicro PC-cillin already detect it. I’m not sure about McAfee, AVG, or ESET NOD32. But I will tell you this: BitDefender, even with the latest update installed, doesn’t detect it. So if you have that anti-virus program, chances are SSCVIHOST.exe will eventually reach your computer.

Symptoms

  1. CTRL+ALT+DEL is not working
  2. Folder Options is missing from your TOOLS menu
  3. Registry Editor (RegEdit) is not working
  4. Your system is slowing down gradually
  5. There seems to be a lot of hard drive activity even if you are doing nothing
  6. You have a New Folder.exe in every folder and in each sub folder

Preparation

This is the actual procedure I followed when the worm infiltrated my PC. Before you start on the procedure, you have to download the file (UnHookExec.inf) from the end of the article.

The file will enable RegEdit and other commands disabled by the virus. Save this file on your desktop. Now let’s start.

Removing the virus

FIRST: You have to stop the virus from running in the first place. If your system is already infected, it is already running in the background. You must restart your computer and run it in Safe Mode.

  1. Restart your PC
  2. Press F8 as soon as the BIOS boots. If you don’t know when that is, just keep pressing F8 until a menu appears.
  3. Select Safe Mode from the menu
  4. On your desktop, right-click the file UnHookExec.inf and select Install. You won’t see any prompt or confirmation, so don’t worry about it.
  5. By now CTRL+ALT+DEL is working again, so open up your Task Manager and end the following programs/processes:
    1. SSCVIHOST.exe
    2. blastclnnn.exe
    3. New Folder.exe

SECOND: Delete the virus files from your PC. There are two ways to do this: via the Windows shell or via the command prompt (DOS) shell. Since Folder Options has been disabled by the virus, you cannot switch to showing hidden files and system files. You could edit that in your Registry, but let’s just do it the DOS way. Follow this carefully.

  1. Select Run from your Start menu, type cmd and press Enter.
  2. At the command prompt, go to your system32 folder. The path differs depending on your operating system (NT/2000 vs. XP); for the sake of this procedure let’s assume you are using Windows XP. Type cd\windows\system32
  3. At this prompt (c:\windows\system32>) type the following commands in order:
    1. attrib -h -r -s SSCVIHOST.exe
    2. del SSCVIHOST.exe
    3. attrib -h -r -s blastclnnn.exe
    4. del blastclnnn.exe
    5. attrib -h -r -s autorun.ini
    6. del autorun.ini
    7. attrib -h -r -s svchosl.exe
    8. del svchosl.exe
    9. cd\windows\ (this will move you to the Windows prompt c:\windows)
    10. attrib -h -r -s SSCVIHOST.exe
    11. del SSCVIHOST.exe

THIRD: Clean up the registry. Your RegEdit is already working because of the file we downloaded from Symantec. In your Run box (from the Start menu) type regedit. WARNING: Be careful what you edit here, because a single mistake may screw up your system. Just follow the paths mentioned here so you won’t get lost, and make sure you edit only what is mentioned in this procedure.

Navigate to the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

“Shell” = “Explorer.exe SSCVIHOST.exe”

(edit and remove the word SSCVIHOST.exe, leaving only Explorer.exe; if you get this wrong the Windows shell won’t show on your next boot)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

“Yahoo Messengger” = “%System%\SSCVIHOST.exe”

(delete this entry)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\

“shared” = “[SHARE NAME]\New Folder.exe”

(delete this entry)

Restore the following registry entries to their original values, if required:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“DisableTaskMgr” = “1”

(set to zero (0) to enable)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“DisableRegistryTools” = “1”

(set to zero (0) to enable)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

“NoFolderOptions” = “1”

(set to zero (0) to enable)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\“AtTaskMaxHour”

(Remove an entry here that has a name with blastclnnn.exe, or just remove all entries here)
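The registry edits above can be checked before you touch anything by hand. The following PowerShell script is an added example, not part of the original post: it reads each value the post names, reports whether it still has its clean default, and only writes anything back when run with -Restore. It assumes the clean values given in the post (Shell = Explorer.exe, the three policy values = 0, the two Run/Shares entries absent) and should be run from an elevated PowerShell prompt on the affected machine; the AtTaskMaxHour key is listed for review rather than cleared automatically.

```powershell
# Added example (not from the original post): audit the registry values the
# post describes the worm modifying, and with -Restore put them back.
# Assumptions: the clean values listed in the post; run as Administrator.
param([switch]$Restore)

# Values that must hold a specific clean value.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell'; Expected = 'Explorer.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr'; Expected = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Expected = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoFolderOptions'; Expected = 0 }
)

# Values that should not exist at all on a clean system.
$removals = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
       Name = 'Yahoo Messengger' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'
       Name = 'shared' }
)

foreach ($c in $checks) {
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $current) {
        # A missing policy value means the restriction is not applied; that is fine.
        Write-Host "OK       $($c.Path)\$($c.Name) is absent (default)"
        continue
    }
    # String comparison is case-insensitive in PowerShell, so 'explorer.exe' also passes.
    if ("$current" -eq "$($c.Expected)") {
        Write-Host "OK       $($c.Path)\$($c.Name) = $current"
    } else {
        Write-Host "MODIFIED $($c.Path)\$($c.Name) = '$current' (expected '$($c.Expected)')"
        if ($Restore) {
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected
            Write-Host "         restored to '$($c.Expected)'"
        }
    }
}

foreach ($r in $removals) {
    $current = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
    if ($null -ne $current) {
        Write-Host "PRESENT  $($r.Path)\$($r.Name) = '$current'"
        if ($Restore) {
            Remove-ItemProperty -Path $r.Path -Name $r.Name
            Write-Host "         removed"
        }
    }
}

# The scheduler key from the post: list its values so you can decide what to delete.
$sched = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHour'
$props = Get-ItemProperty -Path $sched -ErrorAction SilentlyContinue
if ($null -ne $props) {
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Host ("REVIEW   {0}\{1} = {2}" -f $sched, $_.Name, $_.Value) }
}
```

Run it once without -Restore to see what the worm changed, and again with -Restore once you are happy with the report. Because the Shell value controls what Winlogon launches, the script only ever sets it back to Explorer.exe rather than deleting it.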

FOURTH: Clean again after cleaning. Restart your PC, again in Safe Mode (remember to press F8). This time we will remove all the other files that have been created by the virus. Folder Options in your Tools menu is already working, so open it up. Select “Show hidden files and folders” and uncheck “Hide protected operating system files.” Then search your whole hard disk (using Windows Search from the Start menu) and SHIFT+DEL all of these files. Also empty your Recycle Bin afterwards.

  • SSCVIHOST.exe
  • blastclnnn.exe
  • New Folder.exe (these are the garbage files created by the worm; it will create thousands upon thousands of them on your hard drive)

FIFTH: Check your autoruns. In your Run box at the Start menu, type msconfig. Look at the Startup tab for any suspicious entries related to the virus and disable them (you can also remove them in the registry).
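The disk-wide search in the FOURTH step and the startup review in the FIFTH step can be done in one pass with the following PowerShell script. It is an added example, not the post’s own procedure: it walks the given drive including hidden and system files, reports every copy of the file names the post attributes to the worm together with its SHA-256 hash, deletes them only when -Remove is given, and then prints the Run entries that msconfig’s Startup tab reads. It assumes a PowerShell version with Get-FileHash (4.0 or later), an elevated prompt, and that the drive letter is passed in; the file-name list is taken from the post.

```powershell
# Added example (not from the original post): sweep a drive for the worm's
# files, report them, optionally delete them, then list Run-key autostarts.
# Assumptions: PowerShell 4.0+ (Get-FileHash), run as Administrator.
param(
    [string]$Drive = 'C:\',
    [switch]$Remove
)

# File names the post attributes to the worm.
$wormNames = @('SSCVIHOST.exe', 'blastclnnn.exe', 'New Folder.exe', 'svchosl.exe')

# -Force includes hidden and system files (the worm hides its copies);
# access errors on protected folders are skipped rather than aborting the sweep.
$found = @(Get-ChildItem -Path $Drive -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $wormNames -contains $_.Name })

foreach ($f in $found) {
    # Hash each copy so the report is usable as evidence even after deletion.
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    Write-Host ("{0}`t{1}`t{2}" -f $f.Length, $hash, $f.FullName)
    if ($Remove) {
        # Clear hidden/system/read-only first, the same as attrib -h -r -s in the post.
        $f.Attributes = 'Normal'
        Remove-Item -LiteralPath $f.FullName -Force
    }
}
Write-Host "$($found.Count) matching file(s) found on $Drive"

# Autostart entries: the Run keys for the machine and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    # Skip the PS* metadata properties PowerShell attaches to the result.
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Host ("{0}`t{1} = {2}" -f $k, $_.Name, $_.Value) }
}
```

Run it first without -Remove and keep the report; a hit whose hash matches a known-good Windows binary of the same name would be worth a second look before deleting. Matching is by exact file name only, so it does not catch renamed copies; that is what the anti-virus scan after the manual cleanup is for.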

That’s it. Reboot your system normally and check your Task Manager (CTRL+ALT+DEL) for running processes that aren’t supposed to be running.

Download UnHookExec.inf from here
