ssvhost.exe Virus, Trojan or SpyWare?

I discovered ssvhost.exe on an XP SP2 PC (note the spelling, this is NOT a Windows program).
It was acting like a Virus, Trojan or SpyWare but was not caught by SpySweeper or CA EZArmor.
I didn't find it referenced in the Registry or any ini file.
I booted into Safe Mode and just deleted it in Windows/System32 and system is performing great again.

Anyone know of a major/legit Virus or Spyware scanner that's catching ssvhost.exe?

tpgriffin Asked:
 
r-k Commented:
As noted above, almost surely a virus. Since the same virus will often use multiple file names, that isn't a good way to identify it.
If it happens again, don't delete the file, instead, copy it to a floppy or CD before deleting.

Then you can analyse it more carefully. One good place for this is to submit to:

 http://www.virustotal.com/en/indexf.html

where they check your file against the top 20 or so AV engines.
 
Sentinel8o Commented:
You can run FileAlyzer on the exe and see what dlls and reg entries it's associated with. That would give you some more info to google up.

http://www.safer-networking.org/en/filealyzer/index.html

I would try HouseCall's online scanner at
http://housecall.trendmicro.com
or
Microsoft's antispyware (Windows Defender)
http://www.microsoft.com/athome/security/spyware/software/default.mspx
 
LindyMoff Commented:
According to one source (http://www.castlecops.com/s10687-ssvhost_exe.html), this could be a variant of the Win32.rbot worm:

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39437

If you're really curious about what processes are doing *right this minute*, check out SysInternals' Process Explorer, file explorer, and TCPView (www.sysinternals.com).

 
tpgriffin (Author) Commented:
Yeah, my mistake was I did a full delete of the file so I can't do post-mortem on it.

I was disappointed that it wasn't caught by EZ Armor.

 
r-k Commented:
I would still do the following:

 If you recall the approx. date of that file, or even when you first noticed symptoms, do a Search (in Win Explorer) of your C: drive for all files created on or after that date. That may show you other files left behind by the virus.

In any case, sort the files in the following three folders by date, and see what might be recently created and abnormal:

 c:\
 c:\windows
 c:\windows\system32

(be sure the option to "Show Hidden Files" is enabled)
 
rpggamergirl Commented:
>>I discovered ssvhost.exe on an XP SP2 PC <<

If that is how it's spelled, then there's no doubt about it being nasty; it doesn't matter where it is.

The legit one is of course svchost.exe, which is in the system or system32 folder (depends on what OS).

This one below, though, looks like a virus but it is the legit Windows Print Spooler: c:\windows\SCVHOSTS.EXE


>>Anyone know if a major/legit Virus or Spyware scanner that's catching ssvhost.exe?<<
MS Malicious Removal tool detects RBot so it probably would. A lot of viruses now name themselves similar to Windows files to avoid detection.

Even Hijackthis detects those.
Question has a verified solution.
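
An added example, not code from any poster in this thread: a Python script combining two checks discussed above, r-k's listing of recently created files in c:\, c:\windows and c:\windows\system32, and rpggamergirl's point about names that imitate Windows files. The KNOWN list, the edit-distance threshold of 2 and the seven-day window are assumptions chosen for illustration.

```python
import os
import time

# Assumed reference list of legitimate Windows process names (not exhaustive).
KNOWN = ["svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe",
         "winlogon.exe", "csrss.exe", "explorer.exe", "smss.exe"]

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def lookalike_of(name, known=KNOWN, max_dist=2):
    """Return the known name that `name` imitates, or None if exact or unrelated."""
    name = name.lower()
    if name in known:
        return None
    best = min(known, key=lambda k: edit_distance(name, k))
    return best if edit_distance(name, best) <= max_dist else None

def triage(folders, since_epoch):
    """List files created on or after since_epoch, flagging lookalike names."""
    hits = []
    for folder in folders:
        try:
            entries = list(os.scandir(folder))  # includes hidden files
        except OSError:
            continue  # folder missing or unreadable
        for e in entries:
            if not e.is_file(follow_symlinks=False):
                continue
            # st_ctime is creation time on Windows (metadata-change time on Unix)
            created = e.stat(follow_symlinks=False).st_ctime
            if created >= since_epoch:
                hits.append((created, e.path, lookalike_of(e.name)))
    return sorted(hits)

if __name__ == "__main__":
    week_ago = time.time() - 7 * 86400  # assumed window; use the date symptoms began
    for created, path, imitates in triage(["c:\\", "c:\\windows", "c:\\windows\\system32"], week_ago):
        flag = f"  <-- resembles {imitates}" if imitates else ""
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(created)), path, flag)
```

A name match only says where to look first; the file's location, signer and a multi-engine scan of a preserved copy still decide whether it is malicious.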
