Solved

ssvhost.exe Virus, Trojan or SpyWare?

Posted on 2006-06-26
1,228 Views
Last Modified: 2013-12-04
I discovered ssvhost.exe on an XP SP2 PC (note the spelling, this is NOT a Windows program).
It was acting like a Virus, Trojan or SpyWare but was not caught by SpySweeper or CA EZArmor.
I didn't find it referenced in the Registry or any ini file.
I booted into Safe Mode and just deleted it in Windows\System32 and the system is performing great again.

Anyone know of a major/legit Virus or Spyware scanner that's catching ssvhost.exe?

0
Question by:tpgriffin
7 Comments
 
LVL 1

Assisted Solution

by:Sentinel8o
Sentinel8o earned 100 total points
ID: 16986647
You can run FileAlyzer on the exe and see what dlls and reg entries it's associated with. That would give you some more info to google up.

http://www.safer-networking.org/en/filealyzer/index.html

I would try HouseCall's online scanner at
http://housecall.trendmicro.com
or
Microsoft's antispyware (windows defender)
http://www.microsoft.com/athome/security/spyware/software/default.mspx
0
 
LVL 6

Assisted Solution

by:LindyMoff
LindyMoff earned 100 total points
ID: 16986886
According to one source (http://www.castlecops.com/s10687-ssvhost_exe.html), this could be a variant of the Win32.rbot worm:

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39437

If you're really curious about what processes are doing *right this minute*, check out SysInternals' Process Explorer, file explorer, and TCPView (www.sysinternals.com).
0
 
LVL 32

Accepted Solution

by:
r-k earned 200 total points
ID: 16988516
As noted above, it's almost surely a virus; since the same virus will often use multiple file names, the name isn't a good way to identify it.
If it happens again, don't delete the file, instead, copy it to a floppy or CD before deleting.

Then you can analyse it more carefully. One good place for this is to submit to:

http://www.virustotal.com/en/indexf.html

where they check your file against the top 20 or so AV engines.
0

 

Author Comment

by:tpgriffin
ID: 16988777
Yeah, my mistake was I did a full delete of the file so I can't do post-mortem on it.

I was disappointed that it wasn't caught by EZ Armor.

0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 200 total points
ID: 16988864
I would still do the following:

If you recall the approx. date of that file, or even when you first noticed symptoms, do a Search (in Win Explorer) of your C: drive for all files created on or after that date. That may show you other files left behind by the virus.

In any case, sort the files in the following three folders by date, and see what might be recently created and abnormal:

 c:\
 c:\windows
 c:\windows\system32

(be sure the option to "Show Hidden Files" is enabled)
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 17173106
>>I discovered ssvhost.exe on an XP SP2 PC <<

If that is how it's spelled then there's no doubt about it being nasty, no matter where it is.

The legit one is of course svchost.exe which is in the system or system32 folder (depends on what OS).

This one below, though it looks like a virus, is the legit Windows Print Spooler: c:\windows\SCVHOSTS.EXE


>>Anyone know if a major/legit Virus or Spyware scanner that's catching ssvhost.exe?<<
MS Malicious Software Removal Tool detects RBot so it probably would. A lot of viruses now name themselves similar to Windows files to avoid detection.

Even HijackThis detects those.
0
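The two triage ideas in this thread, r-k's "sort the system folders by date and look for recent, abnormal files" and rpggamergirl's "malware picks names that look like Windows files", combine naturally into one scripted check. The following is an added example, not code posted by anyone in the thread: it walks a set of folders, keeps files modified on or after a cutoff (modification time is used as a portable stand-in for Explorer's "Date Created"), and flags any file name within a small edit distance of a known legitimate Windows binary name without being an exact match. The list of legitimate names is an assumption chosen for the demo, and the directory tree it scans is constructed in a temp folder so the script runs anywhere; on a real machine you would point `triage()` at `c:\`, `c:\windows` and `c:\windows\system32` instead.

```python
"""Date-sorted triage of system folders plus a lookalike-name check.

Added example for this thread; not the posters' code. Legit-name list and the
demo tree are assumptions/constructed data, not taken from a real machine.
"""
import os
import shutil
import tempfile
import time
from datetime import datetime

# Assumed list of legitimate Windows binaries that droppers commonly imitate.
LEGIT_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "winlogon.exe", "explorer.exe", "spoolsv.exe", "services.exe",
}


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(name, legit=LEGIT_NAMES, max_distance=2):
    """Return the legitimate name `name` imitates, or None.

    An exact (case-insensitive) match is *not* a lookalike; only near-misses
    such as ssvhost.exe (distance 2 from svchost.exe) are reported.
    """
    name = name.lower()
    if name in legit:
        return None
    best = None
    for candidate in legit:
        d = edit_distance(name, candidate)
        if d <= max_distance and (best is None or d < best[1]):
            best = (candidate, d)
    return best[0] if best else None


def recent_files(folders, since, recurse=False):
    """Files under `folders` with mtime >= `since`, newest first.

    os.walk lists hidden files too, which is the same effect as enabling
    "Show Hidden Files" in Explorer before sorting by date.
    """
    hits = []
    for folder in folders:
        for root, dirs, files in os.walk(folder):
            if not recurse:
                dirs[:] = []  # top-level folder only, like Explorer's view
            for fname in files:
                path = os.path.join(root, fname)
                try:
                    st = os.stat(path)
                except OSError:
                    continue  # unreadable or vanished; skip, don't abort
                if st.st_mtime >= since:
                    hits.append((path, st.st_mtime, st.st_size))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def triage(folders, since):
    """Combine the date filter with the lookalike check into one report."""
    return [
        {"path": p, "mtime": m, "size": s, "mimics": lookalike_of(os.path.basename(p))}
        for p, m, s in recent_files(folders, since)
    ]


def build_demo_tree():
    """Constructed stand-in for a system32 folder (sample data, not a real host)."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    now = time.time()
    month_ago = now - 30 * 86400
    samples = {                      # name -> modification time
        "svchost.exe": month_ago,    # legit, old: should not appear
        "notepad.exe": month_ago,    # legit, old: should not appear
        "ssvhost.exe": now - 3600,   # recent AND mimics svchost.exe
        "readme.txt": now - 60,      # recent but a plain, unremarkable name
    }
    for name, ts in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"MZ demo bytes")
        os.utime(path, (ts, ts))
    return root


def demo(days=7):
    """Run triage over the constructed tree for the last `days` days."""
    root = build_demo_tree()
    try:
        return triage([root], time.time() - days * 86400)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for entry in demo():
        flag = f"  <-- resembles {entry['mimics']}" if entry["mimics"] else ""
        print(datetime.fromtimestamp(entry["mtime"]), entry["size"], entry["path"] + flag)
```

Anything reported with a `mimics` value is exactly the kind of file r-k suggests copying off the machine before deletion, so it can be hashed and submitted for analysis rather than lost to a post-mortem-less delete.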
