Solved

ssvhost.exe Virus, Trojan or SpyWare?

Posted on 2006-06-26
7
1,221 Views
Last Modified: 2013-12-04
I discovered ssvhost.exe on an XP SP2 PC (note the spelling, this is NOT a Windows program).
It was acting like a Virus, Trojan or SpyWare but was not caught by SpySweeper or CA EZArmor.
I didn't find it referenced in the Registry or any ini file.
I booted into Safe Mode and just deleted it in Windows/System32 and system is performing great again.

Anyone know of a major/legit Virus or Spyware scanner that's catching ssvhost.exe?

0
Comment
Question by:tpgriffin
7 Comments
 
LVL 1

Assisted Solution

by:Sentinel8o
Sentinel8o earned 100 total points
ID: 16986647
You can run FileAlyzer on the exe and see what DLLs and reg entries it's associated with. That would give you some more info to google up.

http://www.safer-networking.org/en/filealyzer/index.html

I would try Housecall's online scanner at
http://housecall.trendmicro.com
or
Microsoft's antispyware (windows defender)
http://www.microsoft.com/athome/security/spyware/software/default.mspx
0
 
LVL 6

Assisted Solution

by:LindyMoff
LindyMoff earned 100 total points
ID: 16986886
According to one source (http://www.castlecops.com/s10687-ssvhost_exe.html), this could be a variant of the Win32.rbot worm:

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39437

If you're really curious about what processes are doing *right this minute*, check out SysInternals' Process Explorer, file explorer, and TCPView (www.sysinternals.com).
0
 
LVL 32

Accepted Solution

by:
r-k earned 200 total points
ID: 16988516
As noted above, almost surely a virus. Since the same virus will often use multiple file names, that isn't a good way to identify it.
If it happens again, don't delete the file; instead, copy it to a floppy or CD before deleting.

Then you can analyse it more carefully. One good place for this is to submit to:

 http://www.virustotal.com/en/indexf.html

where they check your file against the top 20 or so AV engines.
0

Author Comment

by:tpgriffin
ID: 16988777
Yeah, my mistake was I did a full delete of the file so I can't do post-mortem on it.

I was disappointed that it wasn't caught by EZ Armor.

0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 200 total points
ID: 16988864
I would still do the following:

 If you recall the approx. date of that file, or even when you first noticed symptoms, do a Search (in Win Explorer) of your C: drive for all files created on or after that date. That may show you other files left behind by the virus.

In any case, sort the files in the following three folders by date, and see what might be recently created and abnormal:

 c:\
 c:\windows
 c:\windows\system32

(be sure the option to "Show Hidden Files" is enabled)
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 17173106
>>I discovered ssvhost.exe on an XP SP2 PC <<

If that is how it's spelled then no doubt about it being nasty, doesn't matter where it is.

The legit one is of course svchost.exe, which is in the system or system32 folder (depends on what OS).

This one below, though it looks like a virus, is the legit Windows Print Spooler: c:\windows\SCVHOSTS.EXE


>>Anyone know if a major/legit Virus or Spyware scanner that's catching ssvhost.exe?<<
MS Malicious Removal tool detects RBot so it probably would. A lot of viruses now name themselves similar to Windows files to avoid detection.

Even Hijackthis detects those.
0
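Two of the comments above describe manual triage steps: r-k's suggestion to sort c:\, c:\windows and c:\windows\system32 by creation date with hidden files shown, and rpggamergirl's point that malware picks names that differ from a real Windows binary by a letter or two. The script below is an added example (not code from this thread or from any of the tools it mentions) that does both in one pass: it lists files created on or after a cutoff date, hidden files included, and flags any file name within a small edit distance of a known Windows binary name without being identical to it. The KNOWN_GOOD allowlist, the cutoff timestamps and the SAMPLE_ENTRIES are constructed assumptions for the demonstration; extend the allowlist for your own environment.

```python
"""Triage helper for a suspicious system folder: lists recently created files
(hidden ones included) and flags names that look like well-known Windows
binaries but are not spelled identically.  Added example, not from the thread."""
import os
import re
import sys
from datetime import datetime
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Assumption: a small allowlist of genuine Windows process/file names. Extend it
# for your own environment; anything close to one of these but not identical is flagged.
KNOWN_GOOD = {
    "svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe",
    "services.exe", "winlogon.exe", "explorer.exe",
}


class Finding(NamedTuple):
    path: str
    created: float      # POSIX timestamp of the file's creation time
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, max_distance: int = 2) -> Optional[str]:
    """Return the allowlisted name that `name` imitates, or None.
    An exact (case-insensitive) match is legitimate; a near miss is a lookalike."""
    lname = name.lower()
    if lname in KNOWN_GOOD:
        return None
    for good in sorted(KNOWN_GOOD):
        if edit_distance(lname, good) <= max_distance:
            return good
    return None


def _basename(path: str) -> str:
    # Accept both Windows and POSIX separators so the logic is testable anywhere.
    return re.split(r"[\\/]", path)[-1]


def triage(entries: Iterable[Tuple[str, float]], since: float) -> List[Finding]:
    """Classify (path, creation-timestamp) pairs: keep files created on or after
    `since` and files whose name resembles a known system binary, newest first."""
    findings: List[Finding] = []
    for path, created in entries:
        reasons = []
        if created >= since:
            reasons.append("created on/after cutoff")
        imitated = lookalike_of(_basename(path))
        if imitated:
            reasons.append(f"name resembles {imitated}")
        if reasons:
            findings.append(Finding(path, created, "; ".join(reasons)))
    findings.sort(key=lambda f: f.created, reverse=True)
    return findings


def scan_dirs(dirs: Iterable[str], since: float) -> List[Finding]:
    """Non-recursive scan of each directory. os.scandir does not skip hidden or
    system files, so nothing depends on the Explorer 'Show Hidden Files' setting."""
    entries: List[Tuple[str, float]] = []
    for d in dirs:
        try:
            with os.scandir(d) as it:
                for e in it:
                    if e.is_file(follow_symlinks=False):
                        st = e.stat(follow_symlinks=False)
                        # st_birthtime is creation time where the platform exposes it;
                        # on Windows st_ctime is creation time too. Elsewhere st_ctime is
                        # the last metadata change, so treat it as an approximation.
                        entries.append((e.path, getattr(st, "st_birthtime", st.st_ctime)))
        except OSError as err:
            print(f"skipping {d}: {err}", file=sys.stderr)
    return triage(entries, since)


# Constructed sample input so the script runs offline; timestamps are arbitrary.
SAMPLE_ENTRIES = [
    (r"C:\WINDOWS\system32\svchost.exe", 1_000_000.0),
    (r"C:\WINDOWS\system32\ssvhost.exe", 1_150_000.0),
    (r"C:\WINDOWS\system32\notepad.exe", 900_000.0),
    (r"C:\readme.txt", 1_100_000.0),
]
SAMPLE_CUTOFF = 1_050_000.0


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # usage: triage.py YYYY-MM-DD dir [dir ...]
        cutoff = datetime.strptime(sys.argv[1], "%Y-%m-%d").timestamp()
        results = scan_dirs(sys.argv[2:], cutoff)
    else:
        results = triage(SAMPLE_ENTRIES, SAMPLE_CUTOFF)
    for f in results:
        print(datetime.fromtimestamp(f.created).isoformat(sep=" "), f.path, "->", f.reason)
```

Run without arguments to see the constructed sample triaged (ssvhost.exe is reported both as recently created and as a lookalike of svchost.exe); run it as `triage.py 2006-06-20 C:\ C:\WINDOWS C:\WINDOWS\system32` to apply the same logic to the three folders r-k lists. A plain Levenshtein threshold of 2 is deliberately narrow so that ordinary file names are not flagged; widen it or add Damerau transpositions if your allowlist calls for it.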