Endpoint Protection

  • 1.  SCVHSOT.exe

    Posted Oct 23, 2007 11:11 PM
    We are using Symantec Corporate Edition Version 10.1

    On one of the Windows 2003 Server machines, registry editing, Task Manager and Folder Options are said to be disabled by the Administrator. A new user with administrative rights has been added. It is not possible to edit this user.

    A Symantec scan done in normal and safe modes says there are no virus threats.

    This virus has possibly entered through a pen drive used a few days back. We found that Auto-Protect is often disabled by this virus and had to be manually re-enabled.

    Since registry, task manager and folder options are blocked there is no way of using the regular manual clean up processes.

    The error message "Registry Editing has been disabled by Administrator" appears as soon as the machine is booted or rebooted.

    We have also run the FixSflog.exe tool. The result says that this computer is not infected.

    From whatever little research we could do, this virus is using an 'AutoIt' script and uses a file called SCVHSOT.exe in the windows\system32 folder which is not visible. We came to know about it because of an error message thrown up by 'AutoIt'.

    This virus has entered by disabling Auto-Protect after acquiring the administrative rights of an 'Owner'.

    We have also identified another Windows XP machine having the same problem.

    Any help will be appreciated.


  • 2.  RE: SCVHSOT.exe

    Posted Oct 24, 2007 09:27 AM
    I think you should really be leveraging support to deal with this issue; it is going to be highly likely they have seen this issue.


  • 3.  RE: SCVHSOT.exe

    Posted Dec 06, 2007 04:07 AM
    I had over 40 machines infected with this "virus". Since it disables everything, including the antivirus, here's a workaround.

    First do this: run unhookexec.inf to enable the registry (it can be downloaded from Symantec).

    1. Boot in Safe mode with command prompt.
    2. Go to your Windows folder and enter this command: ATTRIB
       You will usually find two files: autorun.ini (-shr) and scvhsot.exe (shr).
       Modify the attributes and remove the system, hidden and read-only attribs: [attrib scvhsot.exe -s -h -r]
    3. Now go to windows\system32 and do the same as step 2.
    4. These files are also located on all root partitions/drives; repeat step 2.
    5. Enter this command: regedit
    6. Remove all related keys/strings:
       HKLM\Software\Microsoft\Windows\CurrentVersion\Run -----> remove items running scvhsot
       HKCU\Software\Microsoft\Windows\CurrentVersion\Run -----> remove items running scvhsot
       HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -----> modify the Shell value (it must be Explorer.exe only)
    7. Restart

    Your registry editor, Task Manager, msconfig, and other administration tools should be working. Update your antivirus and run a full scan.

    Message Edited by dexmax on 12-06-2007 01:08 AM
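A read-only audit of the locations the clean-up steps above walk through, added here as an example and not code from the post's author. It assumes an elevated PowerShell prompt on the affected machine, checks both the autorun.ini name given in the post and the standard autorun.inf, and assumes the "disabled by Administrator" messages come from the DisableRegistryTools and DisableTaskMgr policy values; it reports findings only and changes nothing.

```powershell
# Added audit script (not from the original post). Run elevated; reports only.
$name = 'scvhsot.exe'

# 1. Hidden/system/read-only copies of scvhsot.exe and autorun.* in the Windows
#    folder, System32 and the root of every drive (the three spots the post names).
$roots = @($env:SystemRoot, "$env:SystemRoot\System32") +
         (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
foreach ($dir in $roots) {
    foreach ($f in @($name, 'autorun.inf', 'autorun.ini')) {
        $p = Join-Path $dir $f
        if (Test-Path -LiteralPath $p) {
            # -Force is needed or Get-Item skips hidden/system files
            $attr = (Get-Item -LiteralPath $p -Force).Attributes
            Write-Output ("FOUND {0}  attributes: {1}" -f $p, $attr)
        }
    }
}

# 2. Run keys: any value whose command line references scvhsot.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($v in $props.PSObject.Properties) {
        if ($v.Value -is [string] -and $v.Value -match 'scvhsot') {
            Write-Output ("RUN ENTRY {0}\{1} = {2}" -f $k, $v.Name, $v.Value)
        }
    }
}

# 3. Winlogon Shell must be exactly explorer.exe; anything appended is suspect.
$wl = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    Write-Output ("WINLOGON Shell is '{0}' (expected explorer.exe)" -f $shell)
}

# 4. Policy values assumed to be behind the "disabled by Administrator" messages.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($n in 'DisableRegistryTools', 'DisableTaskMgr') {
    $val = (Get-ItemProperty -Path $pol -Name $n -ErrorAction SilentlyContinue).$n
    if ($val) { Write-Output ("POLICY {0} = {1}" -f $n, $val) }
}
```

Any line of output is a hit to act on with the manual steps above; a clean run prints nothing.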