I’m going to make these instructions as short and as clear as possible. Take note, however, that I’m not an expert on viruses, so I advise you to consult an expert first or, if you are willing, just go ahead and follow my instructions. I was once a programmer, but I didn’t pursue that field, and I moved on to web development. Anyway, I have encountered many viruses in my daily use of computers, and as I know programming and how code works, I can usually remove them without using any anti-virus software. However, be warned that the following procedure requires you to edit your Registry, so no mistakes must be made there, or else you may end up with a messed-up OS.
Introduction
According to my research, SSCVIHOST.exe has many names; the popular ones are W32/Sohana-AO (Sophos) and W32.Imaut.AY (Symantec/Norton). Basically, this is a type of worm virus that spreads via USB thumb drives and/or Yahoo! Messenger. A worm virus, technically, doesn’t destroy your files; it just adds tons of useless files in order to fill up your hard drive or slow down your system. We don’t like that, do we?
Anti-virus software
Most major anti-virus products with the latest definition files installed detect this virus, so you don’t have to worry about it spreading through your hard drive. Sophos, Symantec Norton and Trend Micro PC-cillin already detect it. I’m not sure about McAfee, AVG, or ESET NOD32. But I will tell you this: BitDefender, even with the latest update installed, doesn’t detect it. So if you have that anti-virus program, chances are SSCVIHOST.exe will eventually reach your computer.
Symptoms
- CTRL+ALT+DEL is not working
- Folder Options is missing from your TOOLS menu
- Registry Editor (RegEdit) is not working
- Your system is slowing down gradually
- There seems to be a lot of hard drive activity even if you are doing nothing
- You have a New Folder.exe in every folder and in each sub folder
Preparation
This is the actual procedure I did when the worm infiltrated my PC. Before you start on the procedure, you have to download this file from Symantec.
UnHookExec.inf (click to go to the website and the download link).
The file will re-enable RegEdit and other commands disabled by the virus. Save this file on your desktop. Now let’s start.
Removing the virus
FIRST: Stop the virus from running. If your system is already infected, the virus is already running in the background. You must restart your computer and run it in Safe Mode.
- Restart your PC
- Press F8 soon after the BIOS boots. If you don’t know what that is, just keep pressing F8 until a menu appears.
- Select Safe Mode from the menu
- On your desktop, right-click the file UnHookExec.inf, then select Install. You won’t see any prompt or confirmation, so don’t worry about it.
- By now, CTRL+ALT+DEL is working again, so open your Task Manager and end the following programs/processes:
  - SSCVIHOST.exe
  - blastclnnn.exe
  - New Folder.exe
SECOND: Delete the virus files from your PC. There are two ways to do this: via the Windows shell or via the command prompt (DOS) shell. Since Folder Options has been disabled by the virus, you cannot switch to showing hidden files and system files. You could re-enable it in your Registry, but let’s just do it the DOS way. Follow this carefully.
- Select Run from your Start menu, then type cmd and press Enter. The paths differ depending on your operating system (NT/2000 or XP); in this procedure let’s assume you are using Windows XP.
- At the command prompt, go to your system32 folder by typing cd\windows\system32
- At this prompt (c:\windows\system32>) type the following commands in order:
  - attrib -h -r -s SSCVIHOST.exe
  - del SSCVIHOST.exe
  - attrib -h -r -s blastclnnn.exe
  - del blastclnnn.exe
  - attrib -h -r -s autorun.ini
  - del autorun.ini
  - cd\windows\ (this will move you to the Windows prompt, c:\windows>)
  - attrib -h -r -s SSCVIHOST.exe
  - del SSCVIHOST.exe
THIRD: Clean up the registry. RegEdit works again because of the file we downloaded from Symantec. In your Run box (from the Start menu) type regedit. WARNING: Be careful what you edit here, because a single mistake may screw up your system. Just follow the paths that are mentioned here so you won’t get lost. Make sure you edit only what is mentioned in this procedure.
Navigate to the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
“Shell” = “Explorer.exe SSCVIHOST.exe”
(edit and remove the word SSCVIHOST.exe leaving only Explorer.exe, if you screw this up windows shell won’t show on your next boot)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
“Yahoo Messengger” = “%System%\SSCVIHOST.exe”
(delete this entry)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\
“shared” = “[SHARE NAME]\New Folder.exe”
(delete this entry)
Restore the following registry entries to their original values, if required:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“DisableTaskMgr” = “1”
(set to zero (0) to enable)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“DisableRegistryTools” = “1”
(set to zero (0) to enable)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
“NofolderOptions” = “1”
(set to zero (0) to enable)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\“AtTaskMaxHour”
(Remove an entry here that has a name with blastclnnn.exe, or just remove all entries here)
FOURTH: Clean again after cleaning. Restart your PC, again in Safe Mode (remember to press F8). This time we will remove all the other files that have been created by the virus. Folder Options in your Tools menu is working again, so open that up. Select “Show hidden files and folders” and uncheck “Hide protected operating system files.” Then search your whole hard disk (using Windows Search from the Start menu) and SHIFT+DEL all these files. Also empty your Recycle Bin after this.
- SSCVIHOST.exe
- blastclnnn.exe
- New Folder.exe (these are the garbage files created by the worm; it will create thousands upon thousands of these on your hard drive)
FIFTH: Check your autoruns. In your Run box at the Start menu, type msconfig. Look at the Startup tab for any suspicious files that are related to the virus and disable them (you can also remove them in the registry).
That’s it. Reboot your system normally and check your Task Manager (CTRL+ALT+DEL) for running processes that aren’t supposed to be running.
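To verify the clean-up afterwards, the registry values from the THIRD step can be checked in an exported .reg file instead of by eye. The following Python script is an added example, not part of the original guide; the function names and the sample export are constructed for illustration.

```python
import re

# Keys and value names come from the THIRD step above (lower-cased for matching).
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
HKCU_CV = r"hkey_current_user\software\microsoft\windows\currentversion"
RESTRICTIONS = {(HKCU_CV + r"\policies\system", "disabletaskmgr"),
                (HKCU_CV + r"\policies\system", "disableregistrytools"),
                (HKCU_CV + r"\policies\explorer", "nofolderoptions")}
WORM_FILES = ("sscvihost.exe", "blastclnnn.exe", "new folder.exe")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, name, data) from .reg export text, unescaping string data."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            name, data = m.group(1).lower(), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            yield key, name, data

def audit(text):
    """Return one finding per leftover of the worm's registry changes."""
    findings = []
    for key, name, data in parse_reg(text):
        low = data.lower()
        if key == WINLOGON and name == "shell" and low.strip() != "explorer.exe":
            findings.append(f"Winlogon Shell should be Explorer.exe only: {data}")
        elif any(f in low for f in WORM_FILES):
            findings.append(f"Value '{name}' under {key} names a worm file: {data}")
        elif (key, name) in RESTRICTIONS and low.startswith("dword:") and int(low[6:], 16):
            findings.append(f"Restriction still set: {name}={data}")
    return findings

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SSCVIHOST.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\SSCVIHOST.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
'''

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a real machine, export the keys from RegEdit (File > Export) and read the file with encoding="utf-16", which is how version 5.00 exports are written. A mistyped Shell value such as Explorer.ex is also reported, since anything other than plain Explorer.exe is flagged.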
For more information and/or reference to the virus check out these sites:
Trendmicro
Sophos
Symantec/Norton
UPDATE 2008.01.23: For an easier removal of the SSCVIHOST.exe (Sohana D) worm virus, you can get a tool to remove it at sergiwa.com
Download SRT – Sohanad Removal Tool to remove the virus and its accompanying files
Download RRT – Remove Restrictions Tool to enable RegEdit, Folder Options, Task Manager, etc.

@Super genius
thanks for the greeting.
@Zef
You can do the second and fourth step (while in safe mode), but instead of searching for the SSCVIHOST.exe you can search for the virus file asdsdsd.exe
feel free to comment back here again
@geoffrey
from the third step above, you shouldn’t have deleted the explorer.exe from your registry. just do the third step above and add again explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
“Shell” = “Explorer.exe SSCVIHOST.exe”
(edit and remove the word SSCVIHOST.exe leaving only Explorer.exe, if you screw this up windows shell won’t show on your next boot)
to start your taskbar manually, press CTRL+ALT+DEL, then click File, New task run, then type, explorer.exe
Ryman,
I actually didn’t remove explorer.exe. I just removed SSCVIHOST.exe. anyways, upon checking, the 2nd e from .exe was missing. restarted the pc and it is working properly. thanks again kabayan.
since you help last time, can i ask you if you know this virus/spyware, it’s called password.doc.exe
you see my usb got infected again and i thought it was gone already but…. now computer is also infected
@jjmaki
I can’t find the exact name of the virus you’ve got. But what exactly does the virus do? Does it create many files? Is your folder options or task manager still working?
You can actually remove this virus on your computer if you log in to Safe Mode. Then make a thorough search on your computer by searching its filename and deleting it and also searching for the same name on your registry.
Feel free to ask again here, for more support
thanks but i already removed it (^o^)
whenever my pc starts, a pop-up always comes out and says that “SCCVIHOST.EXE cannot be found” or something like that. my ctrl-alt-del still works SOMETIMES though. does this still imply that my pc is still infected with this worm?
and what can you say about KASPERSKY 2009? do you think this is better than BITDEFENDER 2009?
@patibaito
it means that the virus is gone, but there are still programs that are looking for it and wanting it to execute. to remove this annoying popup just follow the THIRD and FIFTH step from my guide above.
in my opinion, kaspersky is better than bitdefender. but that’s just me, other users may vote for the other anti-virus product. as for me, I’ve only used ESET NOD32
Hey there! Thanks for the guide Ryman, but I still have problems.
After the Welcome screen there’s a prompt that will pop up saying “SSCVIHOST.exe could not be found”
I tried opening my registry editor but it still says “Registry editing has been disabled by your administrator”
My Taskmanager also shows the same error “Taskmanager has been dis..blahbalahblah”
Are you a Filipino?
I’m from Cavite
@Soryak
Yup I’m a Filipino, I’m here at Q.C.
1. Download, and double click this file to enable registry editing that was disabled by the virus. Enable-Reg-Task.reg
2. Then follow the THIRD step above.
Post back here if there are still problems
is it possible to transfer or get virus through file sharing in network?
@gemina
yes. it is possible.
Dear, you are really genius. I tried this and it really worked. I have always tried to be so, but due to lack of professionals, lack of better facilities and expensive education in my country I have never been able to take such courses or initiatives. Therefore I always pay tribute to British who ruled this land and invented so many things for the ease of mankind. Would that in my country my nation should take part in such creative activities, but alas, corrupt environment has always been discouraging.
Jehanzeb From Muzaffargarh (Punjab) Pakistan
zebjg@yahoo.co.uk
i got hit with this virus via a flash drive, i was gonna try your guide but when i log on to safe mode it won’t start, it says lsass.exe error
is this a different virus?
@jowy
lsass.exe is a windows component, but it can be infected with a virus.
check my previous comment here http://www.eternalmoonlight.net/2007/12/01/removing-the-sscvihostexe-worm-virus/comment-page-4/#comment-192
thank you for your post, it helps me a lot….