Thursday, May 1, 2008

SSCVIHOST.exe - W32.Imaut.AY (Symantec/Norton) W32/Sohana-AO (Sophos) - How to remove it?

Problem description:
According to several anti-virus web sites, the symptoms of this virus are: Task Manager gets disabled, folders named "New Folder.exe" appear inside other folders, and there is unexplained disk activity on the machine.

Cause: This problem appears to be caused by a virus that uses SSCVIHOST.exe to spread itself.

Resolution: Try the following and let us know if this helps:

1. First, boot Windows into Safe Mode (pressing F8 as Windows starts brings up the boot options menu where you can choose Safe Mode). Even though many things do not work in Safe Mode, AV software is designed to work there, and in Safe Mode it should be able to remove the viruses. This virus seems to use the "SSCVIHOST.exe" binary.

2. Once the viruses are removed, we need to find out what has been disabled and what else has been changed. If it were me, I would search the whole registry for "SSCVIHOST.exe", remove it wherever it is set to run, and restore the original values.

(a) Check the Shell value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and make sure it is set to "Explorer.exe".

(b) Make sure that there is nothing within the Shares key located at
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares

If you like, you can copy the following lines, paste them into a TXT file, rename the .txt extension to .reg and then merge it into your registry. The hyphen in front of the key path tells regedit to delete that key and everything under it (a plain [KEY] line would only create the key and leave existing entries alone):

Windows Registry Editor Version 5.00

; the leading "-" deletes the Shares key together with any entries the virus put under it
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares]

(c) I have also heard that this binary adds itself to the Yahoo! Messenger entries in the registry:
Go to the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
On the right-hand side you will see the "Yahoo! Pager" value; its original value is [ "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet ] without the square brackets.

(d) If Task Manager or the registry tools are disabled, you can use the following to restore the policies configured on your machine.

Copy the lines below into Notepad, save the file as policies.reg, and then double-click the file to merge it.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoWindowsUpdate"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=dword:00000000
; these two values are what actually disable Task Manager and regedit; 0 re-enables them
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000

NOTE: Usually, once SSCVIHOST.exe has been deleted the virus will not spread any more, BUT since the registry entries still reference this binary, they will produce errors. That is why we want to clean up the registry keys.
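Step 2 and checks (a) through (d) can be run as one offline audit over a registry export (regedit's File > Export, or the reg export command). The script below is an added example, not code from the original post: it parses the .reg text and reports each indicator described above. The sample dump, the "shares0" value name and the DisableTaskMgr/DisableRegistryTools policy value names are assumptions (the last two are the standard Windows policy values; the rest is constructed).

```python
# Constructed sample of a .reg export (not from the original post) showing the
# indicators the post describes: SSCVIHOST.exe wired into Winlogon and Run.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SSCVIHOST.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\\WINDOWS\\system32\\SSCVIHOST.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares]
"shares0"="\\\\fileserver\\New Folder"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"""

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
SHARES = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\workgroupcrawler\shares"
POLICY_SYS = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
MARKER = "sscvihost.exe"          # the binary name the post says to search the registry for

def parse_reg(text):
    """Parse .reg export text into {key path (lower-cased): {value name: raw value text}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")     # '"Shell"="Explorer.exe"'
            keys[current][name.strip('"')] = value.strip('"')
    return keys

def audit(keys):
    """Return one finding per indicator from the post; an empty list means the dump looks clean."""
    findings = []
    shell = keys.get(WINLOGON, {}).get("Shell", "")
    if shell.lower() != "explorer.exe":                       # check (a)
        findings.append(f"Winlogon Shell is {shell!r}, expected 'Explorer.exe'")
    for key, values in keys.items():                          # step 2: registry-wide search
        for name, value in values.items():
            if MARKER in value.lower():
                findings.append(f"{key}\\{name} references {MARKER}")
    if keys.get(SHARES):                                      # check (b)
        findings.append(f"WorkgroupCrawler\\Shares holds {len(keys[SHARES])} entries, expected none")
    for policy in ("DisableTaskMgr", "DisableRegistryTools"): # check (d); assumed standard policy names
        if keys.get(POLICY_SYS, {}).get(policy, "dword:00000000") != "dword:00000000":
            findings.append(f"{policy} is set, so Task Manager or regedit will stay disabled")
    return findings
```

Run it against a real export with audit(parse_reg(open("export.reg", encoding="utf-16").read())); regedit writes exports as UTF-16.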
