SSVICHOSST.exe removal

Quickheal: Worm.AutoRun.gdd
Avira: TR/Dropper.Gen
McAfee: W32/PEPatcher.d

This worm was first seen a long time back and has functionality similar to Newfolder.exe. It spreads through removable drives and when the user visits unknown websites. When executed, the worm creates several copies of itself on all the drives to keep itself from being deleted completely, which makes the removal process a bit difficult. It also schedules a task that executes the worm at every start-up. Like other viruses, it also modifies the Registry so that the target file is executed at Windows boot-up. When the computer is connected to the internet, the worm acts as a backdoor and a Trojan-downloader by pinging several HTTPS addresses and downloading other malicious content. Just like Newfolder.exe, it also creates a copy named after the directory in every drive, along with an Autorun.inf that triggers its execution once the directory is opened.

No reports have shown that the worm disables any Windows applications, but if updated, it is capable of doing so. Hence, the worm should be removed immediately in order to prevent further system damage. Here are the removal instructions for this Trojan-worm.

Manual instructions to remove SSVICHOSST.exe:

  1. As mentioned earlier, the worm creates a copy of itself almost everywhere and runs itself at every start-up. This execution of the worm can be prevented by rebooting the computer in Safe Mode. If you have trouble booting in Safe Mode, see the related posts listed at the end of this page.
  2. Once you're done, go to Start --> Run and type "regedit" to open the Windows Registry Editor. Here, we need to edit the registry so that the worm is no longer executed at start-up. To do this, navigate to the following keys:


    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Delete the value
    Yahoo Messengger = "%System%\SSVICHOSST.exe"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Delete the value
    Shell = "Explorer.exe SSVICHOSST.exe"
  3. Just to be sure that you got rid of this worm from the registry, press Ctrl+F and search for the value "SSVICHOSST.exe". If you find any entries, remove the path of "SSVICHOSST.exe" from them. Don't delete the other part of the entry, since it may have other Windows processes associated with it.
  4. Now it's time to get rid of the worm from the computer. To get started, reboot your computer again in Safe Mode.
  5. Once you've restarted your computer, don't open any of the drives. Go to Start --> Run and type "cmd" to open the Command Prompt. When it is opened, type "del C:\WINDOWS\Tasks\At1.job". This will delete the scheduled job that launches the worm at start-up.
  6. Now you'll have to delete the main copy of the worm from the computer. To do this, type "cd C:\WINDOWS" in the Command Prompt and press Enter. When you're there, type "attrib -r -a -s -h" to remove the attributes of all the files. Then type "del SSVICHOSST.exe" to delete the file. Once that is deleted, type "cd System32" to go to the next target directory. Remove the attributes in the same way as before and type "del SSVICHOSST.exe" again. Also delete autorun.ini and setting.ini from that directory.
  7. You got rid of the worm's main file but not its copies. Using the Command Prompt, go to every drive of yours and delete the file "New folder.exe". Don't forget to remove the attributes this time as well. Also delete the "autorun.inf" file present in the drive. To go to a drive using the Command Prompt, type "{drive letter}:". The drive letter may be C, D, E or F. Also look for the file "SSVICHOSST.exe" in all the drives. If found, delete it immediately.
  8. The Worm is a very clever one. It creates a copy of itself in every folder of your drives if it has spread far enough. So if you find any .exe files with a folder icon, delete them immediately.
  9. Now you have successfully deleted the virus. Sit back and have a snack.
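
To confirm that nothing from steps 2 to 7 was missed, the same locations can be checked in one pass. The script below is an added example, not part of the original post: it only reads the registry keys and file paths named above and reports what it finds, and it assumes `$env:windir` is the C:\WINDOWS directory used in the steps.

```powershell
# Added example: read-only audit of the indicators listed in the steps above.
# It only reports; it deletes and edits nothing.
$worm = 'SSVICHOSST.exe'
$findings = New-Object System.Collections.Generic.List[string]

# Steps 2-3: values in the two registry keys from the page that mention the worm.
$keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($path in $keys) {
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        if ($data -like "*$worm*") {
            $findings.Add("Registry: $path -> $valueName = $data")
        }
    }
}

# Steps 5-6: scheduled job and the copies under the Windows directory.
# Assumption: $env:windir is the C:\WINDOWS directory the page refers to.
$fixed = "$env:windir\Tasks\At1.job",
         "$env:windir\$worm",
         "$env:windir\System32\$worm",
         "$env:windir\System32\autorun.ini",
         "$env:windir\System32\setting.ini"

# Step 7: files in the root of every mounted file-system drive.
# Note: legitimate media can carry an autorun.inf, so review that hit by hand.
$perDrive = 'New folder.exe', 'autorun.inf', $worm
$roots = Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }
$candidates = $fixed + ($roots | ForEach-Object {
    foreach ($f in $perDrive) { [System.IO.Path]::Combine($_, $f) }
})

foreach ($file in $candidates) {
    # File.Exists also sees hidden and system files (the page strips these
    # attributes with attrib before deleting).
    if ([System.IO.File]::Exists($file)) {
        $attrs = [System.IO.File]::GetAttributes($file)
        $findings.Add("File: $file [$attrs]")
    }
}

if ($findings.Count -eq 0) { 'No SSVICHOSST.exe indicators found.' }
else { $findings }
```

An empty result covers only the fixed locations from the steps; the per-folder copies described in step 8 still need a manual look.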

Posts that might help you here:

Enable Safe Mode booting, enabling registry and enabling Command Prompt.

The following anti-viruses are recommended to delete the worm.

BitDefender AntiVirus Pro 2011