svchost.exe: The Portable Virus

I know experimenting with malware is like playing with fire, but I just couldn’t resist this time (maybe I’ve been influenced by xkcd). Svchost.exe is a cute little amateur virus, most commonly found nestled in a flash-drive’s autorun.inf file. A PC is infected when the autorun window appears and “Open folder to view files” is clicked. It will (likely) run and take 100% of your computer’s resources. This post will help you tell whether your drive is infected and show you how to clean the infected drive, but not how to remove the virus from an infected computer.

The first sign appears when you open “My Computer.” You will see that the icon on your infected drive is a folder icon (this indicates that the autorun has been changed, and the computer does not associate it with Windows Explorer). On some computers the drive will not open unless you right-click -> Explore, but on others it will open the same way as usual.

The second sign appears when you open the drive’s root. Go to Tools -> Folder Options -> View. Check “Show Hidden Files and Folders” (in Vista, you may need to press “alt” to get to the menu bar). Then uncheck “Hide Protected Operating System Files.” Once the hidden files are revealed, look for two files: svchost.exe and autorun.inf (these are the only two files I saw, but there are cases where there are others. If you encounter any, look them up before deleting them).

To be sure, open the autorun.inf file and look at its contents. If you see the following lines anywhere in the file, your flash drive is infected.

action=Open folder to view files
icon=%systemroot%\system32\SHELL32.dll, 4
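The two checks described above, as an added example that is not part of the original post: a short Python script that looks in a drive root for svchost.exe and autorun.inf and matches the two autorun.inf lines listed above, ignoring case and spacing. The function names and the sample drive contents in `demo()` are constructed for illustration.

```python
import os
import re
import tempfile

# Indicators from the post: the two autorun.inf lines it lists.
INDICATORS = {
    "action": "open folder to view files",
    "icon": r"%systemroot%\system32\shell32.dll,4",
}

def normalize(value):
    """Lower-case, collapse spaces, and drop spaces around commas."""
    value = re.sub(r"\s*,\s*", ",", value.strip().lower())
    return re.sub(r"\s+", " ", value)

def check_autorun(text):
    """Return sorted keys of autorun.inf entries that match an indicator."""
    hits = set()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and INDICATORS.get(key) == normalize(value):
            hits.add(key)
    return sorted(hits)

def scan_drive_root(root):
    """Check a drive root for the two files the post says to look for."""
    names = {n.lower(): n for n in os.listdir(root)}  # lists hidden files too
    report = {"svchost_exe": "svchost.exe" in names, "autorun_hits": []}
    if "autorun.inf" in names:
        with open(os.path.join(root, names["autorun.inf"]), "rb") as fh:
            raw = fh.read()
        enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
        report["autorun_hits"] = check_autorun(raw.decode(enc, errors="replace"))
    return report

def demo():
    """Scan a constructed stand-in for an infected drive root."""
    sample = ("[autorun]\r\n"
              "action=Open folder to view files\r\n"
              "icon=%systemroot%\\system32\\SHELL32.dll, 4\r\n")
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w", newline="") as fh:
            fh.write(sample)
        open(os.path.join(root, "svchost.exe"), "wb").close()  # empty placeholder
        return scan_drive_root(root)

if __name__ == "__main__":
    print(demo())
```

The script only reads the directory listing and the text of autorun.inf, so it can inspect a drive without opening it through the autorun window.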

To remove the virus, go to a computer where you have administrator access and rights, and delete those two files (as I said before, look up any other files before deleting them).

This should work; it did for me. Leave a comment if it didn’t and I’ll be happy to help.

