Solved

ssvhost.exe Virus, Trojan or SpyWare?

Posted on 2006-06-26
Last Modified: 2013-12-04
I discovered ssvhost.exe on an XP SP2 PC (note the spelling, this is NOT a Windows program).
It was acting like a Virus, Trojan or SpyWare but was not caught by SpySweeper or CA EZArmor.
I didn't find it referenced in the Registry or any ini file.
I booted into Safe Mode and just deleted it in Windows/System32 and the system is performing great again.

Anyone know of a major/legit Virus or Spyware scanner that's catching ssvhost.exe?

Question by:tpgriffin
7 Comments
 
LVL 1

Assisted Solution

by:Sentinel8o
Sentinel8o earned 400 total points
ID: 16986647
You can run FileAlyzer on the exe and see what dlls and reg entries it's associated with. That would give you some more info to google up.

http://www.safer-networking.org/en/filealyzer/index.html

I would try HouseCall's online scanner at
http://housecall.trendmicro.com
or
Microsoft's antispyware (Windows Defender)
http://www.microsoft.com/athome/security/spyware/software/default.mspx
0
 
LVL 6

Assisted Solution

by:LindyMoff
LindyMoff earned 400 total points
ID: 16986886
According to one source (http://www.castlecops.com/s10687-ssvhost_exe.html), this could be a variant of the Win32.rbot worm:

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39437

If you're really curious about what processes are doing *right this minute*, check out SysInternals' Process Explorer, file explorer, and TCPView (www.sysinternals.com).
0
 
LVL 32

Accepted Solution

by:r-k
r-k earned 800 total points
ID: 16988516
As noted above, almost surely a virus. Since the same virus will often use multiple file names, that isn't a good way to identify it.
If it happens again, don't delete the file; instead, copy it to a floppy or CD before deleting.

Then you can analyse it more carefully. One good place for this is to submit to:

 http://www.virustotal.com/en/indexf.html

where they check your file against the top 20 or so AV engines.
0

 

Author Comment

by:tpgriffin
ID: 16988777
Yeah, my mistake was I did a full delete of the file so I can't do post-mortem on it.

I was disappointed that it wasn't caught by EZ Armor.

0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 800 total points
ID: 16988864
I would still do the following:

 If you recall the approx. date of that file, or even when you first noticed symptoms, do a Search (in Win Explorer) of your C: drive for all files created on or after that date. That may show you other files left behind by the virus.

In any case, sort the files in the following three folders by date, and see what might be recently created and abnormal:

 c:\
 c:\windows
 c:\windows\system32

(be sure the option to "Show Hidden Files" is enabled)
0
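
The date-based sweep r-k describes, as an added PowerShell example that is not part of the original thread: it lists files created on or after a cutoff in the three folders, includes hidden files, and adds a SHA-256 so a file can be identified and preserved before anything is deleted. The `$Since` default and the function name `Get-RecentFile` are assumptions made for illustration.

```powershell
# Added example. Lists files created on or after a cutoff date in the three
# folders named in the post, hidden and system files included, newest first.
param(
    # Assumption: roughly when symptoms were first noticed
    [datetime]$Since = (Get-Date).AddDays(-14),
    [string[]]$Folders = @('C:\', 'C:\Windows', 'C:\Windows\System32')
)

function Get-RecentFile {
    param([string[]]$Path, [datetime]$After)
    foreach ($dir in $Path) {
        # -Force shows hidden/system files; top level only, as in the post
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $After } |
            ForEach-Object {
                # Hash stays empty when the file is locked or unreadable
                $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Created  = $_.CreationTime
                    Modified = $_.LastWriteTime
                    Hidden   = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    Size     = $_.Length
                    SHA256   = $h.Hash
                    Path     = $_.FullName
                }
            }
    }
}

# Read-only: nothing is moved or deleted
Get-RecentFile -Path $Folders -After $Since |
    Sort-Object Created -Descending |
    Format-Table -AutoSize -Wrap
```

Saved as a script, it takes the cutoff as `-Since '2006-06-20'` (a constructed date). Creation times can be altered by malware, so an empty result does not prove the folders are clean.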
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 400 total points
ID: 17173106
>>I discovered ssvhost.exe on an XP SP2 PC <<

If that is how it's spelled, then there's no doubt about it being nasty; it doesn't matter where it is.

The legit one is of course svchost.exe, which is in the system or system32 folder (depends on what OS).

This one below, though it looks like a virus, is the legit Windows Print Spooler: c:\windows\SCVHOSTS.EXE


>>Anyone know if a major/legit Virus or Spyware scanner that's catching ssvhost.exe?<<
MS Malicious Removal tool detects RBot so it probably would. A lot of viruses now name themselves similarly to Windows files to avoid detection.

Even Hijackthis detects those.
0
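
The lookalike-name point above, as an added PowerShell example that is not part of the original thread: it flags file names within a small edit distance of well-known Windows binaries, and exact names found outside their usual folder. The short `$Known` list, the distance threshold of 2, the function names, and all sample paths except the `ssvhost.exe` one from the question are assumptions constructed for illustration.

```powershell
# Added example; the $Known list and the sample paths are constructed.
$Known = @{
    'svchost.exe'  = @('C:\Windows\System32', 'C:\Windows\SysWOW64')
    'lsass.exe'    = @('C:\Windows\System32')
    'services.exe' = @('C:\Windows\System32')
    'explorer.exe' = @('C:\Windows')
}

function Get-EditDistance {            # Levenshtein distance, case-insensitive
    param([string]$A, [string]$B)
    $A = $A.ToLowerInvariant(); $B = $B.ToLowerInvariant()
    $prev = [int[]](0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = New-Object int[] ($B.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = [int]($A[$i - 1] -ne $B[$j - 1])
            $best = [Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1)
            $cur[$j] = [Math]::Min($best, $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    $prev[$B.Length]
}

function Test-LookalikeName {
    param([string]$FullPath)
    $name = Split-Path -Path $FullPath -Leaf
    $dir  = Split-Path -Path $FullPath -Parent
    if ($Known.ContainsKey($name)) {   # hashtable keys match case-insensitively
        if ($Known[$name] -contains $dir) { return 'ok: known name in expected folder' }
        return "SUSPICIOUS: '$name' outside its usual folder"
    }
    foreach ($k in $Known.Keys) {
        $d = Get-EditDistance $name $k
        if ($d -le 2) { return "SUSPICIOUS: near-miss of '$k' (edit distance $d)" }
    }
    'ok: no lookalike match'
}

$samples = @(
    'C:\Windows\System32\ssvhost.exe',   # name from the question
    'C:\Windows\System32\svchost.exe',
    'C:\Users\Public\svchost.exe',
    'C:\Windows\System32\notepad.exe'
)
foreach ($p in $samples) {
    [pscustomobject]@{ Path = $p; Finding = Test-LookalikeName $p }
}
```

A name match is only a triage signal: a file that passes this check can still be malicious, so signature and hash checks remain necessary.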

Question has a verified solution.