ssvhost.exe Virus, Torjan or SpyWare?

I discovered ssvhost.exe on an XP SP2 PC (note the spelling, this is a NOT a Windows program).
It was acting like a Virus, Torjan or SpyWare but was not caught or SpySweeper or CA EZArmor.
I didn't find it referenced in the Registry or any ini file.
I booted into Safe Mode and just deleted it in Windows/System32 and system is performing great again.

Anyone know if a major/legit Virus or Spyware scanner that's catching ssvhost.exe?

tpgriffinAsked:
Who is Participating?
 
r-kConnect With a Mentor Commented:
As noted above, almost surely a virus, since the same virus will often use multiple file names, that isn't a good way to identify it.
If it happens again, don't delete the file, instead, copy it to a floppy or CD before deleting.

Then you can analyse it more carefully. One good place for this is to submit to:

 http://www.virustotal.com/en/indexf.html

where they check your file against the top 20 or so AV engines.
0
 
Sentinel8oConnect With a Mentor Commented:
You can run FileAlyzer on  the exe and see what dlls and reg entries its associated with. That would give you some more info to google up.

http://www.safer-networking.org/en/filealyzer/index.html

I would try housecall,s online scanner at
http://housecall.trendmicro.com
or
Microsoft's antispyware (windows defender)
http://www.microsoft.com/athome/security/spyware/software/default.mspx
0
 
LindyMoffConnect With a Mentor Commented:
According to one source (http://www.castlecops.com/s10687-ssvhost_exe.html), this could be a variant of the Win32.rbot worm:

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39437

If you're really curious about what processes are doing *right this minute*, check out SysInternals' Process Explorer, file explorer, and TCPView (www.sysinternals.com).
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
tpgriffinAuthor Commented:
Yeah, my mistake was I did a full delete of the file so I can't do post-mortem on it.

I was disapointed that it's wasn't caught by EZ Armor.

0
 
r-kConnect With a Mentor Commented:
I would still do the following:

 If you recall the approx. date of that file, or even when you first noticed symptoms, do a Search (in Win Explorer) of your C: drive for all files created on or after that date. That may show you other files left behind by the virus.

In any case, sort the files in the following three folders by date, and see what might be recently created and abnormal:

 c:\
 c:\windows
 c:\windows\system32

(be sure the option to "Show Hidden Files" is enabled)
0
 
rpggamergirlConnect With a Mentor Commented:
>>I discovered ssvhost.exe on an XP SP2 PC <<

If that is how it's spelled then no doubt about it as being nasty doesn't matter where it is.

The legit one is of course svchost.exe which is in the system or system32 folder(depends on what OS)

This one below though it looks like a virus but it is the legit Windows Print Spooler  c:\windows\SCVHOSTS.EXE


>>Anyone know if a major/legit Virus or Spyware scanner that's catching ssvhost.exe?<<
MS Malicious Removal tool detects RBot so it probably would. A lot of viruses now names themselves similar to that of windows files to avoid detection.

Even Hijackthis detects those.
0
All Courses

From novice to tech pro — start learning today.