slvhost.exe Removal

Quickheal: Backdoor.SdBot.fwc
Avira: TR/Dropper.Gen


Discovered in November 2008, this one was classified as a Trojan. I'm posting its removal instructions now because an updated variant of this Trojan was recently detected, and because virusdadddy did not exist in November 2008. This Trojan enters the target's system with the help of other Trojan-dropping programs. As soon as it is executed, it creates a copy of itself in the "C:\WINDOWS\System" directory and also drops and registers several DLLs; packet.dll, wpcap.dll and the driver npf.sys are the components of the WinPcap packet-capture library, which bots of the SdBot family use to sniff network traffic. It modifies the registry so that the process is run at every startup, and while it is running it blocks access to several anti-virus sites and to Windows Update. The program can also inject itself into crucial Windows processes. IEXPLORE.exe is the process usually used to connect to the Internet, so the Trojan does not forget to inject itself into it: when you open Internet Explorer and type an address like "symantec.com", you get the "page cannot be displayed" error.

The block is applied on your own machine, through the hosts file and the code injected into the browser, so if you really need to reach such a site before cleaning up, you can sometimes get around it by browsing through an external proxy, which looks up the site's name itself instead of relying on your machine's name resolution. Now let's take a look at its removal instructions.

Manual removal instructions for slvhost.exe:

  1. Begin by disabling System Restore, since a copy of the Trojan may be stored in a restore point and come back when you restore the system. To see how to do this, see the post on System Restore linked at the end.
  2. Reboot your system in Safe Mode.
  3. Open the Registry Editor (Start --> Run, type "regedit") and navigate to the following paths:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\OLE

    In each of these keys, look on the right-hand side for a value named "Logical Volume" whose data is "slvhost.exe" and delete that value (only the value, not the whole key). This prevents the Trojan from launching itself at system startup.
  4. You're not done with the registry yet. Press Ctrl+F, enter "slvhost.exe" in the search box and look for every remaining entry associated with the file. Where slvhost.exe is the only thing a value contains, delete the value; where it has been appended to a legitimate entry, for example a value reading "%System%\someprocess.exe,%System%\slvhost.exe", edit the value and remove only the "%System%\slvhost.exe" part, keeping the legitimate program, then press F3 to go to the next match. Close the Registry Editor and reboot (into Safe Mode again) for the changes to take effect.
  5. As mentioned above, the Trojan blocks several sites. It does this by adding entries to the hosts file, which Windows consults before asking DNS, so the names of the blocked sites resolve to a wrong address. To undo this, go to Start-->Run and type "cmd" (on Vista, right-click Command Prompt and choose "Run as administrator"). First look at what was added with "type C:\WINDOWS\system32\drivers\etc\hosts": a clean file contains only the line "127.0.0.1 localhost", and any further lines naming anti-virus or Microsoft sites were put there by the Trojan. Then type "cd C:\WINDOWS\system32\drivers\etc && attrib -r -s -h hosts && ren hosts hosts.disable" (Windows XP and Vista) or "cd C:\winnt\system32\drivers\etc && attrib -r -s -h hosts && ren hosts hosts.disable" (Windows NT and 2000). This renames your hosts file to hosts.disable so Windows no longer reads it; if you want a hosts file back, create a new one containing only "127.0.0.1 localhost". Restart your computer again for the changes to take effect.
  6. Don't get irritated, you're almost done. Open Explorer and unregister the following DLLs (see the post on unregistering a DLL linked at the end). If regsvr32 reports that a DLL has no DllUnregisterServer entry point, it is not a COM server and there is nothing to unregister; just go on and delete it in the next step.

    C:\WINDOWS\System\packet.dll
    C:\WINDOWS\System\wpcap.dll

  7. Now delete the following files

    C:\WINDOWS\System\slvhost.exe
    C:\WINDOWS\System\drivers\npf.sys

    You'll need to clear the attributes of these files before you can delete them. To do so, type "attrib -r -a -s -h {path of the file}" followed by "del {the same path}". If npf.sys refuses to be deleted because it is in use, stop the WinPcap driver first with "sc stop npf" (in Safe Mode it is normally not loaded). Now reboot your system again for the changes to take effect.
  8. Run a full scan with an updated antivirus to confirm nothing is left, then re-enable System Restore. You are finally free from this Trojan.
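The whole procedure from step 3 to step 7, as an added example that is not part of the original post and is not a removal tool from any vendor: a PowerShell script that audits and cleans the same places the steps above cover. It assumes PowerShell is installed (it was not shipped with Windows XP, where the steps above use cmd.exe), that you run it from an elevated prompt in Safe Mode, and that the file name, the registry locations, the "NPF" driver service name and the paths are exactly the ones named in the steps; run it with -DryRun first so it only reports what it would change.

```powershell
<#
  Added example, not part of the original post. Assumptions (mine, not the post's):
  PowerShell is installed, you run this elevated in Safe Mode, and the file, registry
  and driver names are the ones listed in steps 3 to 7. Run with -DryRun first.
#>
param([switch]$DryRun)

$Name    = 'slvhost.exe'
$WinDir  = $env:SystemRoot                       # C:\WINDOWS on XP, C:\WINNT on NT/2000
$Dlls    = @("$WinDir\System\packet.dll", "$WinDir\System\wpcap.dll")
$Files   = @("$WinDir\System\slvhost.exe", "$WinDir\System\drivers\npf.sys")
$Hosts   = "$WinDir\system32\drivers\etc\hosts"
$RunKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
             'HKCU:\Software\Microsoft\OLE')

# Drop the slvhost.exe part of a value such as "%System%\userinit.exe,%System%\slvhost.exe"
# and keep the legitimate part; returns '' when nothing legitimate is left.
function Remove-Reference([string]$Data, [string]$Needle) {
    $keep = $Data -split '[,;]' | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -ne '' -and $_ -notmatch [regex]::Escape($Needle) }
    return ($keep -join ',')
}

# Step 3: the autostart value ("Logical Volume" = "slvhost.exe") in the three known keys.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                   # PowerShell's own metadata
        if ("$($p.Value)" -match [regex]::Escape($Name)) {
            Write-Host "autostart: [$key] $($p.Name) = $($p.Value)"
            if (-not $DryRun) { Remove-ItemProperty -Path $key -Name $p.Name }
        }
    }
}

# Step 4: every other string value under HKLM\SOFTWARE and HKCU\SOFTWARE that mentions the
# file (this walk can take a few minutes). Values are edited, not blindly deleted.
foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $regKey = $_
        foreach ($vn in $regKey.GetValueNames()) {
            $data = $regKey.GetValue($vn)
            if (-not ($data -is [string]) -or $data -notmatch [regex]::Escape($Name)) { continue }
            $clean = Remove-Reference $data $Name
            $pname = if ($vn -eq '') { '(default)' } else { $vn }
            Write-Host "reference: [$($regKey.Name)] $pname : '$data' -> '$clean'"
            if ($DryRun) { continue }
            if ($clean -ne '') { Set-ItemProperty -Path $regKey.PSPath -Name $pname -Value $clean }
            else               { Remove-ItemProperty -Path $regKey.PSPath -Name $pname }
        }
    }
}

# Step 5: list what the hosts file redirects (a clean file only maps localhost), then set it
# aside and write a minimal replacement.
if (Test-Path $Hosts) {
    Get-Content $Hosts | Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '\blocalhost\b' } |
        ForEach-Object { Write-Host "hosts entry not added by Windows: $_" }
    if (-not $DryRun) {
        (Get-Item $Hosts -Force).Attributes = 'Archive'          # clear read-only/system/hidden
        Move-Item $Hosts "$Hosts.disable" -Force
        Set-Content -Path $Hosts -Value "127.0.0.1`tlocalhost"
    }
}

# Step 6: unregister the DLLs. regsvr32 exits non-zero when a DLL has no DllUnregisterServer
# entry point (it is not a COM server); that is fine, the file is deleted in step 7 anyway.
foreach ($dll in $Dlls) {
    if (-not (Test-Path $dll)) { continue }
    if ($DryRun) { Write-Host "would unregister $dll"; continue }
    & regsvr32.exe /u /s $dll
    Write-Host "regsvr32 /u $dll exit code $LASTEXITCODE"
}

# Step 7: stop the WinPcap driver (service name NPF) in case npf.sys is loaded, then delete.
# sc.exe is spelled out because "sc" is PowerShell's alias for Set-Content.
if (-not $DryRun) { & sc.exe stop npf | Out-Null }
foreach ($f in $Files + $Dlls) {
    if (-not (Test-Path $f)) { Write-Host "not present: $f"; continue }
    Write-Host "delete: $f"
    if ($DryRun) { continue }
    (Get-Item $f -Force).Attributes = 'Archive'
    Remove-Item -Path $f -Force
}
```

Once the dry run shows nothing unexpected, run it again without -DryRun, reboot, and continue with step 8. The script deliberately edits, rather than deletes, any value where slvhost.exe was appended to a legitimate program, which avoids removing that program along with the Trojan.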

Posts that might help you here:

Enabling/Disabling System Restore, Enabling Safe Mode booting, Enabling the Registry Editor, Enabling the Command Prompt, Unregistering a DLL.
