Removing the SSCVIHOST.exe worm virus
I’m going to make this as short and as clear on the instructions as possible. Take note, however, that I’m not an expert on viruses, so I advise you to consult an expert first or, if you are willing, just go ahead and follow my instructions. I was once a programmer, but I didn’t pursue that field, and I moved on to web development. Anyway, I have encountered many viruses in my daily use of computers, and as much as I know programming and how code works, I can usually remove them without using any anti-virus software. However, be warned that the following procedure will require you to edit your Registry, so no mistakes must be made there, or else you may end up with a messed-up OS.
Introduction
SSCVIHOST.exe, according to my research, has many names; the popular ones are W32/Sohana-AO (Sophos) and W32.Imaut.AY (Symantec/Norton). Basically, this is a type of worm virus that spreads via USB thumb drives and/or Yahoo! Messenger. A worm virus, technically, doesn’t destroy your files; it just adds tons of useless files in order to fill up your hard drive or slow down your system. We don’t like that, do we?
Anti-virus software
Most major anti-virus products with the latest definition files installed detect this virus, so you don’t have to worry about it spreading through your hard drive. Sophos, Symantec Norton, and TrendMicro PC-cillin already detect it. I’m not sure about McAfee, AVG, or ESET NOD32. But I will tell you this: BitDefender, even with the latest update installed, doesn’t detect it. So if you have that anti-virus program, chances are SSCVIHOST.exe will eventually reach your computer.
Symptoms
- CTRL+ALT+DEL is not working
- Folder Options is missing from your TOOLS menu
- Registry Editor (RegEdit) is not working
- Your system is slowing down gradually
- There seems to be a lot of hard drive activity even if you are doing nothing
- You have a New Folder.exe in every folder and in each sub folder
Preparation
This is the actual procedure I did when the worm infiltrated my PC. Before you start on the procedure, you have to download this file from Symantec.
UnHookExec.inf (click to go to the website and the download link).
The file will enable RegEdit and other commands disabled by the virus. Save this file on your desktop. Now let’s start.
Removing the virus
FIRST: You have to stop the virus from running in the first place. If your system is already infected, it is already running in the background. You must restart your computer then run it in safe mode.
- Restart your PC
- Press F8 soon after the BIOS boots. If you don’t know what that is, just keep pressing F8 until a menu appears.
- Select Safe Mode from the menu
- On your desktop, right click on the file UnHookExec.inf then select install. You won’t see any prompt or confirmation so don’t worry about it.
- By now, CTRL+ALT+DEL is already working, so open up your Task Manager. End task the following programs/processes:
  - SSCVIHOST.exe
  - blastclnnn.exe
  - New Folder.exe
SECOND: Delete the virus files from your PC. There are two ways to do this, via windows shell or command prompt (DOS) shell. Since Folder Options has been disabled by the virus, you cannot switch to show hidden files and system files. Well you can edit it in your Registry, but let’s just do it the DOS-way. Follow this carefully.
- Select Run from your Start menu, then type cmd. Press Enter. The paths differ depending on your operating system (NT/2000 or XP), but in this procedure let’s assume you are using Windows XP.
- At the command prompt, go to your system32 folder. Type cd\windows\system32
- On this path (c:\windows\system32>) type the following commands in order:
  - attrib -h -r -s SSCVIHOST.exe
  - del SSCVIHOST.exe
  - attrib -h -r -s blastclnnn.exe
  - del blastclnnn.exe
  - attrib -h -r -s autorun.ini
  - del autorun.ini
  - cd\windows\ (this will move you to the windows prompt c:\windows)
  - attrib -h -r -s SSCVIHOST.exe
  - del SSCVIHOST.exe
THIRD: Clean up the registry. Your RegEdit is working again because of the file we’ve downloaded from Symantec. In the Run box (from the Start menu), type regedit. WARNING: Be careful what you edit here, because a single mistake may screw up your system. Just follow the paths that are mentioned here so you won’t get lost. Make sure you edit only what is mentioned in this procedure.
Navigate to the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
“Shell” = “Explorer.exe SSCVIHOST.exe”
(edit the value and remove the word SSCVIHOST.exe, leaving only Explorer.exe; if you screw this up, the Windows shell won’t show on your next boot)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
“Yahoo Messengger” = “%System%\SSCVIHOST.exe”
(delete this entry)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\
“shared” = “[SHARE NAME]\New Folder.exe”
(delete this entry)
Restore the following registry entries to their original values, if required:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“DisableTaskMgr” = “1”
(set to zero (0) to enable)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“DisableRegistryTools” = “1”
(set to zero (0) to enable)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
“NofolderOptions” = “1”
(set to zero (0) to enable)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\“AtTaskMaxHour”
(Remove an entry here that has a name with blastclnnn.exe, or just remove all entries here)
FOURTH: Clean again after cleaning. Restart your PC, again in Safe Mode (remember to press F8). This time we will remove all other files that have been created by the virus. Folder Options in your Tools menu is working again, so open that up. Then select “Show hidden files and folders” and uncheck “Hide protected operating system files.” Then search your whole hard disk (using Windows Search from the Start menu) and SHIFT+DEL all these files. Also clean up your Recycle Bin after this.
- SSCVIHOST.exe
- blastclnnn.exe
- New Folder.exe (these are the garbage files created by the worm; it will create thousands upon thousands of these on your hard drive)
FIFTH: Check your autoruns. In the Run box from the Start menu, type msconfig. Look at the Startup tab for any suspicious files that are related to the virus and disable them (you can also remove them in the registry).
That’s it. Reboot your system normally and check your Task Manager (CTRL+ALT+DEL) for running processes that aren’t supposed to be running.
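As an added example (not part of the original guide or any vendor tool), the Python sketch below checks a text export of the registry (regedit, File > Export) for the entries listed in the THIRD step, so the check can be repeated after cleanup or run on another machine. The sample export is constructed, and the `C:\WINDOWS` paths in it assume a default Windows XP install.

```python
import re

# Constructed sample of a regedit text export showing the entries the guide
# describes; the C:\WINDOWS paths assume a default Windows XP install.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SSCVIHOST.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\SSCVIHOST.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091
"""

# File names the guide attributes to the worm.
WORM_FILES = ("sscvihost.exe", "blastclnnn.exe", "new folder.exe")
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
POLICIES = r"software\microsoft\windows\currentversion\policies"
# Restriction values the guide says to set back to 0 (subkey, value name).
POLICY_FLAGS = {
    (POLICIES + r"\system", "disabletaskmgr"),
    (POLICIES + r"\system", "disableregistrytools"),
    (POLICIES + r"\explorer", "nofolderoptions"),
}

# "Name"=data or @=data; names may contain escaped quotes/backslashes.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a regedit text export into {key_path: {value_name: data}}.

    Only string and dword values are decoded; other types (hex:...) are
    skipped because none of the guide's entries use them.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            current[name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            try:
                current[name] = int(data[6:], 16)
            except ValueError:
                pass  # malformed dword: ignore rather than guess
    return keys


def audit(keys):
    """Return (key, value_name, advice) for each entry the guide lists."""
    findings = []
    for key, values in keys.items():
        # Drop the hive name so HKLM and HKCU copies are both checked.
        sub = key.partition("\\")[2].lower()
        for name, data in values.items():
            text, lname = str(data).lower(), name.lower()
            if sub == WINLOGON and lname == "shell":
                if text.strip() != "explorer.exe":
                    findings.append((key, name, "set back to Explorer.exe"))
            elif (sub, lname) in POLICY_FLAGS:
                if text == "1":
                    findings.append((key, name, "set to 0 to enable"))
            elif any(f in text or f in lname for f in WORM_FILES):
                findings.append((key, name, "delete this entry"))
    return findings


if __name__ == "__main__":
    for key, name, advice in audit(parse_reg(SAMPLE_EXPORT)):
        print(f"{key}\n    {name!r}: {advice}")
```

Exports that begin with "Windows Registry Editor Version 5.00" are saved as UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text to `parse_reg`.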
For more information and/or reference to the virus check out these sites:
Trendmicro
Sophos
Symantec/Norton
UPDATE 2008.01.23: For an easier removal of the SSCVIHOST.exe (Sohana D) worm virus, you can get a tool to remove it at sergiwa.com
Download SRT - Sohanad Removal Tool to remove the virus and its accompanying files
Download RRT - Remove Restrictions Tool to enable RegEdit, Folder Options, Task Manager, etc.





Hi..
My name is Charlez, from Indonesia..
I really thank this site. I was having a problem with that .exe
but now it’s gone.. after I used your advice step by step.
Thank you very much to everybody here.
chao…
@Charlez
Thanks for visiting the site. I’m glad I could be of help.
I wonder how intelligent or able people like you try to help people like us who don’t have any further knowledge about this kind of problem. Thanks for the post, it will help a lot.. God bless
Ryman Thank you very much.
I experienced the above problem and now
I have rectified it.
Really, your explanation is too good and extremely clear.
once again thank you very much for your extraordinary
information.
May god bless you.
with thanks,
Siva sankaran from India
@newbie_14
Thanks for the visit.
@Siva sankaran
Thanks for the comment. Originally, I was planning to do a thorough guide for this topic. Unfortunately, I have little time to make it so I just made this simpler guide.
I want a free antivirus and spy remover download for my computer
@anasansari
If you want a true free antivirus, you can get one at http://free.grisoft.com they have the AVG anti-virus software and AVG anti-spyware software.
And for free anti-spyware programs, try using these products:
Lavasoft Ad-Aware
Spybot - Search and Destroy
You can search for their websites in your search engines.
I’m Rhamil from PHILIPPINES…
Thanks for this guide….
It has been a big problem for me because every time
I connect a storage device into my computer..
It will take up almost 15 mb…..
In storage devices??
How can I remove SSCVIHOST.exe there??
Thanks for the guide. I’m also from the Phil. Long live..xD
@Rhamil
Hello Rhamil, the guide above contains instructions on removing the SSCVIHOST.exe on your hard drive.
To remove the one in your USB/portable/flash storage device, just follow STEP 4 (you don’t need to boot in safe mode).
From your Tools, Folder options menu, select “Show Hidden files and folders” and uncheck “Hide protected operating system files.”
Then delete these files in your removable drive.
SSCVIHOST.exe
blastclnnn.exe
New Folder.exe
autorun.inf (Be careful in deleting this; there are some portable storage devices that actually use this. To check, open the file in Notepad; if it has words like SSCVIHOST or blastclnnn, then delete it).
Unfortunately when you plug your USB drive in another computer that is affected by the virus, it will again get contaminated. See my post here
USB flash drive or Portable card reader?
Also to stop AUTORUN (and autorunning the virus) when you plug your infected device in another computer, press and hold the SHIFT key. Autorun in windows is dangerous because this is when the virus spreads.
@MARK ARVYN BAUTISTA
Thanks for visiting, kababayan.
Hello Ray
Thanks for giving us that important information about removing the SSCVHOST.exe virus.
I have followed all your instructions as shown on this site.
But I have a problem, and until this second that virus cannot be removed from my computer.
Here are the problems:
1. In safe mode, after I install the UnHookExec.inf, then I type CTRL + ALT + DEL .. still with the same reason “only bla bla bla by administrator”. What’s wrong with that?
2. I can’t run “cmd”, but it runs with “command”.
3. Also, I cannot run “regedit”.
OK, back to the real Windows / normal mode.
For a long time, I have always shown all hidden system files on my PC, so that I can see/find a hidden system file.
Well, I was successful in deleting “blastclnnn.exe” and “new folder.exe” but not the damn “SSCVHOST.exe”, even after I had taken out -hidden, -read, -system.
What’s wrong with that…
And in normal Windows, I cannot run the registry..
Thanks before..
I will mark your site for the next information from you.
@Upie
1. UnHookExec.inf (that was created by Symantec) should work its way through your registry, thus enabling CTRL+ALT+DEL and regedit. In safe mode, you must be running as administrator, then right click and install the UnHookExec.inf file.
2. “Command” is the same as “cmd”, you must be using a different version of Windows. The guide above, assumes that you are using Windows XP.
3. Same as my answer to #1.
You can’t delete “SSCVHOST.exe” yet because it might still be running in the background. Like I’ve said, your CTRL+ALT+DEL (Task Manager) should be working.
Feel free to comment again if you have any problems. Good luck.
Hello ,
Yes, I’ve been following the guide but the virus keeps coming back. Is it due to the network? I have 3 PCs; should I shut down all of them and do the virus removal 1 by 1? I’m really sorry, I just want to erase these new folders.exe, but I don’t have that SSCVHOST.exe thingy, I have scvhost.exe. Is it the same?
I’m really sorry, I’m 13. :3
@Deo
If your 3 PCs are on a network, then check every PC for the virus. It will spread through the network, and to any USB flash drive you insert in a computer that is already infected. I suggest using anti-virus software to prevent it from coming back.
Shut down the other two first, then check each PC one by one. You have to remove the virus files, especially the autorun.inf file that is related to the virus.
Don’t remove the SVCHOST.exe (check spelling) because it is being used by your computer. It’s not the same as the SSCVIHOST.exe virus.
@Ryman
Thanks man , Im using Ad aware ^^ , yeah that virus really created 3000+ folders. Thanks for helping , your guide was kick ass xD.
Many many thanks for the removal process. It is really helpful.
Hi.. I really thank you for your advice.. It really helps.. I tried every step to remove the SSCVIHOST.exe but it does not work, except the one that you recommend…
@Deo
Also remember to update your anti-spyware software regularly for it to be able to detect new spyware.
@diginode & GREG
Thanks too. I’m glad my simple guide solved your SSCVIHOST.exe virus problems.
Hey, thx for this site…. but I still have a bit of a problem…. I downloaded the file that you required, I have installed it on my desktop, but when I try to press CTRL+ALT+DEL, the Task Manager is still not working…. it’s confusing me…. and also, there’s no New Folder.exe or SSCVIHOST.exe on my drive….. the virus only attacked system32 and it’s only on my flashdisk. So what should I do???? Thx before…. May God bless
@Mannuella
You have to right click the file then select Install, double clicking it won’t work. The file should work (and it’s made by Symantec).
If it is only in your flashdisk, insert it in your USB drive while holding the SHIFT key to prevent it from autorunning. When the drive shows up in My Computer, delete the files related to the virus. Just follow the FOURTH step I mentioned above.
Please post back here again if you are still having problems. Anyway I’m planning to make a registry file to enable the task manager and regedit, if the file from Symantec still doesn’t work.
Yes, I have right clicked on that file, but it still isn’t working…. SSCVIHOST.exe and New Folder.exe are on my flashdisk and also in my drive C:\WINDOWS\system32, but SSCVIHOST.exe and New Folder.exe are not in my drives D, E, F and G… it’s weird… I think you should make a registry file to enable the task manager and regedit….. thx before.. May God bless
@ Ryman
Hi, can you please give me information about something that infected my PC? I think it’s a kind of virus or other malicious program. I got it when I inserted a flashdisk, an autorun popped up, then a “Microsoft Word Document” appeared on my desktop. When I right-clicked the file, the first 3 options were:
Test
Configure
Install
I decided to delete it since I don’t know what it is, but it just keep appearing on my desktop.
Thanks to the guide about the SSCVIHOST.exe virus, I learned a lot about the registry. I had that virus too last week, and I got rid of it because of your guide.
Jason From Philippines
You mentioned that the scripts you suggested were for the Windows XP platform. How can I use it for Win98SE? or is there another guide for removing this worm on Win98SE? I have the free edition of AVG but it hasn’t been successful in detecting this.
Thanks! You’re doing an awesome job for the PC community. God bless!
Rommel from QC, Philippines
@Manuella
I suggest you create a backup of your whole registry in case something goes wrong. There are a lot of free Registry backup programs available on the Internet.
Anyway here is the registry file I created to enable your Registry Editor and Task Manager. Just right click, then choose save as. Enable-Reg-Task.reg After downloading the file, double click it, then select Yes to modify the registry.
I created this by exporting the registry entry from my system. I’m using Win XP SP2, if you are using a different OS, I’m not sure if this will work. If it does work, then just follow the steps above to remove the virus.
@KingPin/Jason
If it keeps appearing after you’ve already deleted it then the virus is already in your system. I cannot identify what type of virus you have because I don’t know what programs are running in your PC. Anyway if you could list all the running programs in your Task Manager (ctrl+alt+del), we could probably identify the culprit.
I also suggest to get a decent anti-virus software to remove it. See my post here… What’s the better anti-virus software?
@Rommel
I’m sorry to say that my guide is for Windows XP. I created it because my system got infected, and I wrote these steps on how I removed it.
In Win98 this is the system folder where the virus resides:
C:\Windows\System\
About the registry, I’m not sure if it is located in a different path. But you can search for the file names I mentioned inside the registry. Just run your registry editor, then click Edit, then Find. Type the file names of the virus then if found just delete the entry. Press F3 to continue searching.
Also I suggest changing your anti-virus software. See my post here… What’s the better anti-virus software?
@ Ryman
After reading some threads and topics from different forums regarding viruses and other viral problems, I think I know what virus infected my PC. The “lsass.exe virus”, and that’s what is keeping the “MsWord file” on my desktop, and my RUN command in the Start menu is missing. Also, the “New Task” in the Applications tab of Task Manager seems to be disabled. I tried to delete some named items that the forums tell us to remove using the registry editor, but still it keeps showing up. I’m wondering if you can still help me remove it without using any anti-virus program. Here are the running processes in my Task Manager:
•ctfmon.exe ADMIN 3,692k
•taskmgr.exe ADMIN 2,656k
•alg.exe LOCAL SERVICE 3616k
•iexplorer.exe ADMIN 3,616k
•rundll32.exe ADMIN 3,584k
•jusched.exe ADMIN 2,440k
•Apache.exe SYSTEM 5,792k
•nSvcIp.exe SYSTEM 6,528k
•spoolsv.exe SYSTEM 6,924k
•explorer.exe ADMIN 10,304k
•svchost.exe SYSTEM 5,276k
•nvsvc32.exe SYSTEM 3,816k
•nSvcLog.exe SYSTEM 4,296k
•svchost.exe LOCAL SERVICE 4,544k
•svchost.exe NETWORK SERVICE 3,384k
•svchost.exe SYSTEM 25,188k
•svchost.exe NETWORK SERVICE 5,184k
•Apache.exe SYSTEM 6,032k
•svchost.exe SYSTEM 5,052k
•lsass.exe SYSTEM 936k-960k
•services.exe SYSTEM 5,936k
•winlogon.exe SYSTEM 9,124k
•csrss.exe SYSTEM 1,940k
•avgemc.exe SYSTEM 1,880k
•smss.exe SYSTEM 400k
•svchost.exe LOCAL SERVICE 3,276k
•avgamsvr.exe SYSTEM 476k
•avgupsvc.exe SYSTEM 704k
•BlueSoleil.exe ADMIN 13,796k
•avgcc.exe ADMIN 472k
•lsass.exe ADMIN 29,000k, (adds 4k every seconds)
•System SYSTEM 240k
•System Idle Process SYSTEM 28k
I only have AVG as my AV software, but it’s only the free version. See if you can help me with this. If not, should I get HiJackThis to post my logs here?
Thanks and hoping…
Jason
@KingPin/Jason
Based on the files running in your task manager, I assume you have Internet Explorer running, along with Apache, AVG anti-virus, your Bluetooth driver, and all the others are windows components, including the lsass.exe.
According to Symantec, the name of the virus is W32.Sasser. It is a worm virus that corrupts lsass.exe.
However, lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies. This program is important for the stable and secure running of your computer and should not be terminated. Link.
The lsass.exe file included with Microsoft Windows is not spyware, a trojan, or a virus. However, like any file on your computer, it can become corrupted by a virus or trojan. Antivirus programs can detect and clean this file if it has become infected. Because this file is part of Microsoft Windows, users should never delete or remove this file if they think it is infected; let the antivirus program handle it. Link.
So basically, we can’t just terminate the lsass.exe file. Instead you can try to use the removal tool designed to remove the W32.Sasser worm virus. Download tool here and instructions for removal. Try the removal tool first if it works.
Good luck
@Ryman
So that’s why “lsass.exe” is a critical process to stop. Thanks man!
By the way, I forgot to tell you that there is another process in the Task Manager that I’d already stopped before I posted them here. I read in some forum that “lsass.exe.exe” should not exist in the processes. At first, I didn’t notice that there are two “.exe” extensions, so I stopped it right away. I’ll see if this removal tool is going to work.
Seems like Symantec has all the solutions regarding worms, which keeps me thinking if I should have AV software from Symantec.
Anyway, I really appreciate your help and advice. You’re a HERO!!!
More power…
@KingPin/Jason
Good luck in removing the virus, I hope it does work. Anyway, I’m a former user of Symantec Norton Anti-virus for many years. And I didn’t have any problems with the product except for one thing: it uses up too many system resources (memory). You can read my story about it here. It is a highly recommended product among AV software.
@Ryman
Sad to say, but the tool (FxSasser) didn’t detect anything.
I’m really confused now, i followed all the instructions as written, but nothing came up.
I guess I’m up to my last resort: Reformat.
When I’m done, I’ll be researching more about other viral problems and how to prevent it. After all, reformatting was my first choice before i read your guides. I’ll be studying harder, and have a discussion area/forum like this so I can also help others just like what you are doing.
I have successfully removed SSCVIHOST.exe, blastclnnn.exe, New Folder.exe and the cloned folders through the manual removal. It was a nerve-wracking procedure since you’ve warned that any wrong script might mess up the entire OS if I did it wrong. Oh well, now I can rest easy.
thanks so much!
however I’m not seeing any Folder Options under the Tools Menu of Internet Explorer, but this function is in Windows Explorer’s View menu. Or is this because of Win98SE’s architecture?
@KingPin/Jason
Maybe it’s another type of virus, but with the same name.
@Rommel
Congrats
The Folder options is in the Windows Explorer menu. So it’s just right. 
Pare,
Thanks for the info! It’s very helpful and very thorough. I would like to acknowledge your adept skill in writing. It really helped a lot.
Thanks.
@Cricket
Thanks also for visiting my site
One laptop of our agency’s Directors got infected by the worm virus sscvihost.exe….
Your article “Removing the SSCVIHOST.exe worm virus” did help me a lot….
Indeed her laptop slowed down a lot….because of the many processes the above mentioned worm virus has created….
Again thank you very much….
Hey Ryman, thx… thx… thx…. it’s successful, but a bit of a problem: when I set my computer to Windows XP, Tools still had no Folder Options. But I have handled it…… Thx… thx… thx…. for this site…. May God bless you!!!!!!!!!!!!!! Greetings from Indonesia
@jake ilustre
thanks also for visiting the site
@Manuella
you can show it again by going to your registry editor (run regedit). then follow this path
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
“NofolderOptions” = “1”
(set to zero (0) to enable)
Thanks a lot man, your steps above very very helpful, saved me a lot of trouble….. thanks again
I hope these instructions work… the sscvihost.exe really is getting on my nerves…. grrrr!
Hi.. I reformatted our PC.. after doing so, I installed 2 anti-virus programs, AVG and Avira.. still my PC got infected.. I followed both processes but still Task Manager and registry editing are disabled by administrator.. I’m using Windows XP Home Edition version 2002. Hope you could help. Thanks
@Rahul
Hi. Thanks also for visiting.
@Bily
Don’t worry, you will remove the virus in no time.
@zyril
You can follow the steps I mentioned above to enable your task manager and regedit. Or alternatively, you can download the registry file I made…
Enable-Reg-Task.reg
You can also read my post about anti-virus… here
I’ve tried everything that you instructed, but I still can’t get my task manager to work.
@Kenneth
Try this file I made. Download, then double click so that it will merge to your registry
Enable-Reg-Task.reg
Thanks for sharing
good day!
The same thing happened to me: after installing UnHookExec.inf… task manager still doesn’t work! So I searched for another option other than task manager, then I found this so-called “process manager or explorer by sysinternals”. (Just search the web on how to download it!) It really works the way task manager does!!! Then just continue the steps that Ryman gave…
Hope this will help…
Thanks for helping us, Ryman…. YOU’RE THE MAN!!
@zebeye
Thanks for the additional info.
I also use the tools provided by Sysinternals; in fact I always use the “autoruns” and “regmon” tools that they have. Their autoruns tool shows you all the processes that autorun when your computer starts up. This is where I first found the SSCVIHOST.exe worm.
Can’t thank you enough for your post, it was a BIG help. And the Avira AntiVir helped too. It contained them all.
thank you!!!
For those who want a free reliable Anti-Virus program, I suggest using AVIRA. It has almost all definitions of worms and viruses(if updated), and can easily remove them during scan. Also, it fixes bad registries made by worms. Up to now, AVIRA is the only free anti-virus program that exceeded my expectations.
For those still having problems with the TaskManager and/or RegEdit, have the registry file made by Ryman. It works.
Still got SSCVIHOST.exe?
Ryman’s Guide + AVIRA = 100% will remove it
Good Day! Thanks to Ryman for this…
@KingPin
Where can I download that Avira anti-virus? And what is needed to download it? By the way, what do you mean it exceeded your expectations?
i’m just curious, thanks
@Juju
Thanks also for visiting.
@KingPin
I’d also like to try that Avira anti-virus. Thanks for the suggestion.
@Khaye
You can get Avira AV at their official site at http://www.avira.com. You can try the software for 30 days, and purchase if you are satisfied.
@Ryman
Hey again. Just want to ask you if you know about this: “killer.exe”
A friend of mine has this in his processes in the Task Manager. At first, it didn’t seem harmful, but later on we noticed that system programs and applications were minimizing by themselves, and could not be restored. And when you try to run those programs again, nothing appears because they’re still running. Even the Task Manager was minimizing. You can only re-open it by closing it first.
To close it, right-click the TaskManager icon on your system tray(it’s located lower right of the screen where your clock and calendar is) and select close.
Although Avira antivir fixed it, I’m just curious if that symptom (minimizing) is also an added “tweaks” in the registry.
Still studying
Does this AVIRA AntiVir expire? Because it says that it generates a license key every update..
@KingPin
I haven’t encountered that virus yet, but according to my research there is a safe and unsafe form of killer.exe.
There is a ‘legit’ program that runs killer.exe to stop web popups by minimizing them. Unfortunately, the one that your friend has is the trojan virus. Killer.exe also has many names, and it depends on the accompanying file. It means that you should eliminate not only the killer.exe process, but also the other files that come with it.
I can’t discuss all the types here since there are so many, but I’ll mention the two most common.
If you removed the killer.exe file and your system is restored, and there are no other after-effects, we can assume that it is the single killer.exe named KILLAV-FK TROJAN. [pcreview.co.uk]
Another variant is from an infected file called funnyUSTscandal.avi.exe, take note that this is not a legit video (avi) file because of the .exe extension. There are many, who got infected by this virus because ‘they’ thought that it was actually a video. Double clicking the file executes the virus. Too bad for those who are looking for scandals.
Anyway, aside from killer.exe, it also loads two files; lsass.exe and smss.exe. All three must be deleted and removed. The steps to remove this is much like my instructions above.
If any of the readers here are looking for instructions on how to remove killer.exe created by funnyUSTscandal.avi.exe, you can visit a great tutorial made by dindin.
iamdindin.multiply.com
@Khaye
I can’t answer that coz I still haven’t tried the software yet.
@KingPin
Khaye has a question for you, 3 posts above, and the one directly above.
@Ryman
I knew in the first place that it is the funnyUSTscandal.exe because I’ve seen it before in some internet cafe. Their pervert customers downloaded it thinking that it was originally a scandal video, not knowing that it is a virus. Luckily, Avira has patterns for it and removed all threats brought by the virus.
Unfortunately for me, I was hoping that it’s an opportunity for me to research it. By using RegEdit, I thought that I could look for some changes made by the virus. But I failed, of course, because even before I can open a path of the registry, it’s already minimized. So, I decided to look for another way to research it. Anyway, I’m also a fan of Belldandy. Can you give me some tips on how to customize my Windows just like yours?
Fact: Why are lsass.exe and smss.exe mostly the target of worms/trojans to corrupt?
Basically, is it because they’re also the most common legit files that Windows uses for process security and stability?
As far as I know, Windows is updated regularly to fix security holes and other vulnerabilities.
Tip: Update your Windows regularly; it helps strengthen the security and stability of your system.
————————————————————————–
@Khaye
Sorry if I didn’t notice your posts directed to me.
If you had already read this, I assume that you knew already where to download it, because Ryman already posted it.
To answer your question, AVIRA exceeded my expectations because, like I said, It has almost all definitions regarding worms and viruses plus it’s free, compared to other free AV software that only detects few patterns, and sometimes unable to remove it.
About the expiration, I can’t also answer that as of now, because it’s only been a week since I started using it.
Thanks for posting…
Ok.. Thanks for everything.
Thank you for the SSCVIHOST.exe removal procedure. I hope I did it correctly. Hoping for much more precise step-by-step procedures next time. This is for beginners. Thank you!
@Ryman
Hey man, Sorry for bugging you again.
Do you know how to set a password for any folder in WinXP? I’ve searched the net, but only softwares are available to password-protect folders. Doesn’t WinXP support this feature?
@KingPin
Regarding Windows customization, which part of Windows do you want to customize? Background, icons, folder icons?
Yes, lsass.exe and smss.exe are a part of Windows, that’s why they are commonly targeted by viruses. Even the real SVCHOST.exe is a primary target of most trojans. Trojans (like the horse in the story of Troy) must hide inside your system unnoticed to be able to ‘attack’ your system without you knowing it.
Mac OS and Linux OS are much safer to use than Windows. But it doesn’t mean that Windows has a lot of security holes. It’s just that Windows is the most commonly used OS in the world, that’s why it is always a target for viruses and cracks. Regular updates and patches fix these holes. Unfortunately for those users of Windows XP (like me), we only have until April this year before Microsoft stops making updates. When Win XP service pack 3 (not the release candidate, but the official release) arrives, it is the last support we will get from Microsoft.
As for password protecting your folders, you’ll have to rely on third party software for that. I don’t know if there is an internal function for that in the native Win XP.
Oh and feel free to comment and ask questions anytime
@ail
Thanks also for visiting.
have to say, gr8 job….
that bit of advice was priceless….
had the same complaint in my computer…tried all sort of things…didn’t work…had avg as anti-virus….had to do system restore….and then deleted all the above said files….
now no problems…..actually, it started from my mp3 player….deleted files from there also….
there isn’t any problem by restoring the pc, is there?
also, i have changed my anti-virus to nod 32(well updated) and also running spybot, always….is that enough protection???
would really like your opinion….
@faheem
I guess you won’t encounter any more problems in your PC since the virus was removed. I use the same anti-virus as yours, although instead of NOD32, I use ESET Smart Security with the included NOD32 plus a firewall. Also aside from Spybot, install Lavasoft Ad-aware anti-spyware. And use Mozilla Firefox browser, instead of Internet Explorer.
Dear Ryman;
I really appreciate what you stated as means of removing virus/worms from person computers.
I am now getting a similar problem. A type of virus appears with the name “Folders.exe” and hides all my folders in my USB stick. It even infected my laptop local disks. But the virus hides itself also. By using Folder Options, I tried to remove it manually, but it appears again after a moment. I tried to recover my folders on my USB stick using all possible ways.
So, can you help?
Thank you in advance.
Meku
thanks…..that was helpful…..keep up the good work…
@Meku
It keeps re-appearing because (1) the virus is still running in the background, check your task manager and (2) the virus auto executes itself or another file to replicate the one you’ve deleted.
Check the tools found at sergiwa.com if it can remove the virus for you, if not, you really need to plug your USB drive into a computer with an updated anti-virus.
When plugging a USB drive and you know it is infected, press and hold the SHIFT key immediately after you plug it, this is to prevent it from autorunning.
@faheem
Thanks for visiting
Hi Ryman! Thank you for this guide. I dont even have to reformat my hard disk just to remove these virus. I’d say you are great!! Thank you for this site. God bless!
@Vashiel
I’m glad my guide helped. Back then when I wasn’t knowledgeable about these kinds of stuff, I usually resorted to reformatting.
I already downloaded the UnHookExec.inf.
And tried installing it as was said on the instructions.
But how come my TaskManager is still disabled??
@Nikko
You can just use the file I made to enable regedit and task manager, it only works for Windows XP.
Right click here and save as to download. Once downloaded, double click the file and it will edit your registry, remember you have to be in safe mode.
If you are still having problems, comment back here.
Thanks… Problem solved!!!
by the way… when I used the file you made (XP pc), it allowed me to open my task manager but it instantly closes so I can’t see the processes running. so i used the unHookExec file…
Just want to ask what’s the reason why that happened, the closing of task manager thingy..
@Nikko
It is because of the virus (or maybe something else?). I haven’t encountered the auto closing window. Anyway, I really do suggest using UnHookExec.inf first, and if that doesn’t work, try the file I made.
BTW, you can view the contents of the file I made if you open it in notepad, just to see what changes it will make to your registry.
thank you very much dude, you saved my PC.
i’m just wondering why my AVG detected the SRT - Sohanad Removal Tool as a trojan. I was able to download it before but now Firefox wouldn’t access the file anymore
@momopi
That’s one of the problems of AVG. I once used AVG some time ago, but I changed to another anti-virus software because the program was detecting too many ‘false positives’.
You can read about it at my post here
wow! Filipinos are really talented! thanks for the guide! you’re a big help! sscvihost has been pissing me off for more than a year already. finally! i found ya! now i know where to run to, whenever i need help on removing virus and spyware. long live, brother!
@Ms. mendoza
I’m glad my post helped in removing the virus from your computer. If you still have problems or questions, just comment back here.
Thank you for visiting here.
hello sir,
i have a problem in my system where there’s a message coming right at its start.. it says the file sscvihost.exe is found missing n so on.. i scanned my system n got this virus deleted.. but still this message seems to pop up every time i start my comp.. plz help!! thanks in advance!!
@madhu
There are a few reasons why this happens.
1. The SSCVIHOST.exe file is called in your autorun. Type msconfig in your run box then go to startup tab. If there is a line there with the said filename, delete it.
2. It is still called in the registry. Type regedit in your run box. Then press CTRL+F on the Registry Editor. Type SSCVIHOST.exe and start searching. If found, delete the entry. Keep pressing F3 to continue searching the whole registry.
3. You have an autorun.inf file at the root of your drive. Delete it.
In addition to #1. Sometimes the system doesn’t see the file. You have to use a tool created by Microsoft for this. It is called autoruns and you can download this free small program at sysinternals.
Once downloaded, just run the file autoruns.exe and you can see all the programs that automatically run from your system.
Thanks loads for your timely help Ryman.. i didn’t know how to perform this point of yours in your solution “You have an autorun.inf file at the root of your drive. Delete it.”
anyways, even without doing it my problem is solved now.. the message doesn’t pop up now..
i have another problem.. my storage devices are affected by viruses of the same sort like sscvihost.exe, autorun.inf etc.. my ipod n creative mp3 are affected because of this.. can u tell me a safe method to clean them without the viruses attacking my system? because of this fear i don’t even charge my ipod in my system.. kindly help me!! thanks once again!!
@madhu
In the case of USB flash drives, MP3 players (like your iPod and Creative), and external USB devices which have storage, here’s what you have to do.
1. First, open Folder Options from the Tools menu, in your explorer or any open folder.
2. Click the View tab and select the option Show hidden files and folders and uncheck Hide protected operating system files.
3. Click Apply, then Ok.
4. Plug your USB device while holding and pressing the SHIFT key from your keyboard. This is to prevent it from auto-running and spreading the virus. Wait until it stops reading before you release the SHIFT key.
5. Go to My Computer, and right-click the USB device from there. Choose the option explore, don’t choose autorun or open.
6. After opening the portable USB device. You can see the files related to the virus there. Delete the files that have names like these:
autorun.inf
SSCVIHOST.exe
blastclnnn.exe
New Folder.exe
__.vbs
__.exe
__.reg
funnyUSTscandal.avi.exe
or any other suspicious files you see.
After doing this, reset the setting I mentioned on #2.
The first four files above are from the Blaster Worm virus, and Sohana-D worm virus. Other files I’ve mentioned are from other types of worms and trojans that I’ve encountered in other infected USB devices. Remember that if you see any autorun.inf file in any type of external device like MP3 players, USB drives, memory cards, digital cameras and even mobile phones, you have to delete it.
Sometimes, there are some devices that actually use this file. As a precaution, you can open autorun.inf in notepad to see its contents. If the filenames mentioned inside the file are suspicious, then look and find these named files, and then delete them.
If you are not sure if the autorun.inf file from your portable device is from a virus or a legit file, you can zip/rar (compress) it, as a backup, then delete it. That way if anything goes wrong, like your device doesn’t play anymore, you can restore it.
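The notepad check described in the reply above can be scripted. The following is an added example, not part of the original thread or any tool it mentions: it lists the programs an autorun.inf would start (the `open`, `shellexecute` and `shell\<verb>\command` keys) and notes why each looks suspicious. Both sample files are constructed, and the vendor file names are hypothetical.

```python
import ntpath
import re
import sys

LAUNCH_KEYS = {"open", "shellexecute"}                 # keys that name a program to start
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.I)   # right-click menu commands
PROGRAM = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif|vbs))(?:\s|$)", re.I)
DECOY_EXT = {".avi", ".mp3", ".jpg", ".doc", ".txt"}   # harmless-looking middle extension
NAMED_IN_THREAD = {"sscvihost.exe", "blastclnnn.exe", "new folder.exe",
                   "funnyustscandal.avi.exe"}          # names listed in the reply above

# Constructed samples, not captured from a real device.
INFECTED_SAMPLE = """[autorun]
open=SSCVIHOST.exe
shellexecute=SSCVIHOST.exe
shell\\Auto\\command=SSCVIHOST.exe
shell=Auto
"""
VENDOR_SAMPLE = """; hypothetical MP3 player file
[autorun]
icon=player.ico
label=My Player
open="tools\\setup.exe" /quiet
"""


def program_of(value):
    """Strip quotes and arguments so only the program path is left."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    match = PROGRAM.match(value)   # unquoted names may contain spaces (New Folder.exe)
    return match.group(1) if match else value


def review(text):
    """List every program the [autorun] section would start, with reasons for suspicion."""
    findings, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() not in LAUNCH_KEYS and not SHELL_COMMAND.match(key):
                continue
            program = program_of(value)
            name = ntpath.basename(program).lower()
            stem, ext = ntpath.splitext(name)
            reasons = []
            if name in NAMED_IN_THREAD:
                reasons.append("name listed in the thread")
            if ntpath.splitext(stem)[1] in DECOY_EXT:
                reasons.append("double extension")
            if ext in {".vbs", ".bat", ".cmd", ".scr", ".pif"}:
                reasons.append("script or screensaver launcher")
            findings.append({"key": key, "program": program, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Pass the path of a real autorun.inf, or run with no argument to see the samples.
    paths = sys.argv[1:]
    texts = [open(p, errors="replace").read() for p in paths] or [INFECTED_SAMPLE, VENDOR_SAMPLE]
    for text in texts:
        for finding in review(text):
            print(finding)
```

An empty `reasons` list does not prove the file is legitimate; it only means none of these three checks fired, so the named program still needs a look.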
hello sir,
i did what u mentioned in your previous post but in vain.. the files like autorun, regsvr, newfolder.exe are immediately coming back after i delete them.. they’re gone for a second but come back immediately.. kindly help..
thanks!!
@madhu
It keeps coming back because the virus is actively running in the background and you haven’t entirely removed it. You have to do the process I mentioned in safe mode (the whole removal process of SSCVIHOST.exe).
Also you have to check your registry (regedit) and autorun (use the autoruns file from sysinternals I mentioned above) to remove and prevent it from auto-running.
You have to do all of this with your USB devices not plugged in. Make sure that the virus files are gone, use process explorer from sysinternals to check all active running processes.
hi! hope you don’t mind.
you can also use task killer to be able to see all the running processes and windows in your computer when your task manager is disabled 
http://www.rsdsoft.com/task_killer/index.php4
when you have already installed it, simply click the icon then you’ll notice that you’ll find the task killer icon in your system tray. simply click it once(left click) to stop unwanted processes or windows
Ryman // Mar 2, 2008 at 9:25 am
@Nikko
It is because of the virus (or maybe something else?). I haven’t encountered the auto closing window. Anyway, I really do suggest using UnHookExec.inf first, and if that doesn’t work, try the file I made.
BTW, you can view the contents of the file I made if you open it in notepad, just to see what changes it will make to your registry.
hi ryman
i could not enable view hidden files from the folder options. if i try that it will work, but if i go back to check the settings the view hidden files option would have already gone back to the do not show hidden files button. can u plz help me out of this.
thanks in advance
i have checked the taskmanager and regedit, both work, but i couldn’t enable show hidden files despite the folder options working. what do i do to show the hidden files? i tried to fix it from regedit but when i change the value from 2 to 0 the value again rolls back to 2 and i can’t see the hidden files and folders. can u give me the solution? i am using xp sp2.
thanks
@akash
I think you have another type of virus, since SSCVIHOST.exe doesn’t affect the hidden files settings. In any case, you can use the Remove Restrictions Tool by downloading it at sergiwa.com
hi reyman
since i could not see the hidden files i don’t know the name of the virus, i could tell you only its effect. even nod32 and antivir antivirus can’t detect it.
can u give me another solution
thanks
@akash
I couldn’t guess what type of virus you have because there are many viruses with similar effect that you have now. Did you try out the tool I mentioned in my reply above? You really have to enable show hidden files and folders.
In DOS prompt, there is a way to see the hidden files. Just type dir/p/a:h then press enter
Hello.. I’m from phil. too. Thanks to this site. I had just found out last night that my pc has this virus. I kept on erasing the files and those that are in the regedit but they kept on coming back. This really helped a lot. I would just like to add a software that enabled me to view the processes and edit the regedit. You can also use TuneUp Utilities 2006…
Thanks for that tool suggestion Rouie
NOTE:
“UPDATE 2008.01.23: For an easier removal of the SSCVIHOST.exe (Sohana D) worm virus, you can get a tool to remove it at sergiwa.com
Download SRT - Sohanad Removal Tool to remove the virus and its accompanying files
Download RRT - Remove Restrictions Tool to enable RegEdit, Folder Options, Task Manager, etc.”
The download is a trojan horse
@Rouie
May I ask from what source?
I was able to remove the file thru AVG antivirus sw and now there is no virus but whenever I restart my comp i am getting the error “Windows cannot find SSCVIHOST.exe. Make sure you type the correct file name or else click start and search for the file”
Pls suggest resolutions.
@Robin
The virus file SSCVIHOST.exe is removed, but Windows is still looking for the file because it is trying to load it. You have to manually remove the entry in your registry to stop the error.
To do this just follow the THIRD step I mentioned in the above guide in editing the registry.
thanks buddy. i just removed the sscvihost.exe entry but rest of the other entries were not available to be removed. This resolved the issue. Thanks buddy.
I have one more issue, while shutting down my comp it just gets stuck at the shutting down window and i have to manually shutdown the system. What do u think the issue should be? thanks much for your support buddy!!
@Robin
There are many causes for that error. The ones I can think of are: (1) some of your Windows system files are corrupted, and need to be replaced or re-installed, (2) there is a program that doesn’t exit properly and it is causing a stuck-up at shutdown, (3) a hard disk problem, try defragmenting or using scan disk.
I’ve encountered that problem a few years back, but I can’t seem to remember what I did to fix it. Or it just fixed itself.
ryman,
thanks for your very informative entry here. however, here’s my problem with regards to the newfolder.exe virus:
1. I noticed that i have that newfolder.exe on my desktop and i assumed that it may be a virus.
2. my task manager, folder options, run, search, and reg edit were disabled.
3. i was able to bring back all the disabled commands, so i am no able to access task manager, reg edit, etc.
4. newfolder.exe is still on my desktop. i noticed that i have autorun.inf in my C: drive and when opened in notepad, it’s calling to run a program called twinz.exe (i think it’s a virus too)
5. tried to delete both autorun and twinz.exe but IT KEEPS COMING BACK.
6. i also have both files in my USB and my other partition drive D:/.
my theory: the newfolder.exe is caused by twinz.exe.
i am no super computer techie but i sorta understand the language. hope you can help me =)
any help from you will be very much appreciated. thanks!
dorxie
manila, phils
typo from my previous comment entry:
3. i was able to bring back all the disabled commands, so i am NOW ABLE to access task manager, reg edit, etc.
additional comment:
i tried running the program you suggested, autoruns. found out that one program is running. it is called “software”, publisher is “vanzame” and it has the path C;/windows/system32/spools.exe.
vanzame is also the publisher of twinz.exe. what do you think about this? thanks.
@dorxie
I’ve done a quick research regarding your problem. Anyway, most of what you’ve already mentioned are true.
- The newfolder.exe on your desktop is definitely a virus. And so is any other “folder type” that has a .exe, .com, or .bat extension, so it’s best to remove it.
- autorun.inf that exists in your root folder like c:\ is always a virus. Before you remove it, open it in notepad and make a note on which filenames it is executing, then delete it.
- twinz.exe (if my sources are correct) that is being executed by the autorun.inf file is a virus. According to various sources it is a custom made virus, that is why there is a lot of anti-virus software that hasn’t detected this virus yet.
- I did a search on the keyword “vanzame” and it didn’t return any relevant results. In short, it is not a legit file.
Regarding spools.exe
File spools.exe is located in the folder C:\Windows\System32. Known file sizes on Windows XP are 2125312 bytes (37% of all occurrence), 260608 bytes, 64000 bytes, 671232 bytes, 1777152 bytes, 729088 bytes.
The file is a file without information about the maker of this file. It is not a Windows core file. The program is not visible. File spools.exe is an unknown file in the Windows folder. The program uses ports to connect to LAN or Internet. The process is loaded during the Windows boot process (see Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). spools.exe is able to hide itself, record inputs, monitor applications, manipulate other programs. Therefore the technical security rating is 88% dangerous, however also read the users reviews.
I will post the possible solution on my next reply here.
@dorxie
Removing the twinz.exe virus, including newfolder.exe and spools.exe
The virus is both a trojan and a worm.
Here’s what you should do. But first remove any USB drives that are infected. And also you need to have the programs (1) Autoruns and (2) Process Explorer from sysinternals.
1. Start windows in Safe mode (F8).
2. Start regedit, then do a complete search. To do this, highlight My Computer on the regedit panel, then press CTRL+F. Remember to press F3 to continue searching. Search for these keywords:
newfolder.exe
twinz.exe
autorun.inf
If found, delete the entry. Just highlight it, then press DELETE key.
3. Start Process Explorer. Look at the running processes. If the above mentioned files exist, kill them. Also check if spools.exe is running, if it is, highlight it to check if it is a legit Windows file or not. Read my comment above this one regarding spools.exe.
4. Start Autoruns. Look for the processes that are running/executing the above mentioned files, including spools.exe. If they are found, delete them. Be careful in deleting spools.exe, if its publisher is Microsoft Corporation, then it is a legit file.
Check the spelling, sometimes virus makers tag a virus with almost the same spelling like Micro$oft Corp. or Yahoo Messengger. Always check the spelling.
5. You will have to delete the files from your hard drive very much like the SECOND and FOURTH steps I mentioned in the above guide (in removing SSCVIHOST.exe). But instead look for these files:
newfolder.exe
twinz.exe
autorun.inf
The SECOND method is using DOS mode. Since I don’t know exactly where the files are located you have to find them yourself. You can use the method similar in the FOURTH step since it is windows based and your folder options are already running.
5.1 Next, search your hard drive for the file: spools.exe. We can’t be too sure if it is legit or not, but just to be on the safe side, I would suggest you backup the file before deleting it. One way to back it up is to compress it in a .ZIP or .RAR file, that way it won’t execute easily.
5.2 Also check your other drive d:\ e:\ f:\ and so on for these files. Then SHIFT+DEL it so it won’t go to the recycle bin. Remember your root drive c:\ d:\ e:\ etc must not have any autorun.inf file
5.3 Remove the files from your USB devices like: USB drive, memory card, digital camera, mp3 players, and even your mobile phone. All of these can also be infected, believe me when I say that my MP4 player always got infected, and a friend’s mobile phone.
Remember to hold the SHIFT key when inserting USB devices to stop them from auto running and infecting your computer. All of the USB devices I mentioned above must not have an autorun.inf file on its root folder. But be careful, because there are some USB devices that actually use a legit autorun.inf file. So make a backup (ZIP/RAR), or check its contents by opening it in notepad.
6. Now that all the registry entries, autoruns, processes, and the actual files are deleted, you can restart your windows normally.
————–
Also, like I always do, make a backup if you are not sure about what you are deleting. To backup the whole registry, just highlight my computer (in regedit), then select export on the file menu. So if anything happens, like you are getting errors and stuff, you can use the import (or just double click the exported file) function. To backup files, just ZIP or RAR it.
I also suggest using The Ultimate Troubleshooter. It shows all the processes that are running, and also the startups. What I like about this program is that it gives additional info and every little detail on the known programs that are currently running. It is free and no installation is needed.
Oh and please give a feedback of the results or anything that I’ve missed. I haven’t got a chance to encounter the virus you mentioned so I’m not entirely sure if the process I made is complete.
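The registry export made as a backup in the reply above can also be searched offline for the same keywords, instead of pressing F3 through regedit. The following is an added example, not part of the original thread: it scans an exported .reg file for string values that mention the file names from the removal steps and marks hits under the Run and RunServices keys. The sample export is constructed, and the `Example` key in it is hypothetical.

```python
import re

# File names from the removal steps above, matched case-insensitively.
WATCHLIST = ("newfolder.exe", "twinz.exe", "autorun.inf", "spools.exe")
# Autostart keys named in the spools.exe description earlier in the thread.
AUTOSTART = ("\\currentversion\\run", "\\currentversion\\runservices")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"software"="C:\\WINDOWS\\system32\\spools.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Example]
"last"=hex(2):43,00,3a,00,5c,00,74,00,77,00,69,00,6e,00,7a,00,2e,00,65,00,78,\
  00,65,00,00,00
"count"=dword:00000002
'''


def decode_export(raw):
    """Version 5.00 exports are UTF-16 with a BOM; older REGEDIT4 files are ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def logical_lines(text):
    """Join long hex values, which regedit wraps with a trailing backslash."""
    pending = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("\\"):
            pending += line[:-1]
        else:
            yield pending + line
            pending = ""


def value_text(data):
    """Return the text of a string value (version 5.00 encoding), or None for other types."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])           # REG_SZ
    wrapped = re.match(r"hex\((?:2|7)\):(.*)$", data)        # REG_EXPAND_SZ / REG_MULTI_SZ
    if wrapped:
        raw = bytes(int(b, 16) for b in wrapped.group(1).split(",") if b.strip())
        return raw.decode("utf-16-le", errors="replace").replace("\x00", " ").strip()
    return None


def find_references(reg_text, watchlist=WATCHLIST):
    """Report every string value whose data mentions a watch-listed file name."""
    hits, key = [], None
    for line in logical_lines(reg_text):
        match = VALUE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None and match:
            text = value_text(match.group(2))
            matched = [w for w in watchlist if text and w in text.lower()]
            if matched:
                hits.append({"key": key, "value": match.group(1).strip('"'),
                             "data": text, "matched": matched,
                             "autostart": key.lower().endswith(AUTOSTART)})
    return hits
```

For a real export, read the file in binary mode and pass `decode_export(raw)` to `find_references`; the hex branch is what catches expandable-string values that a plain text search of the file would miss.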