Solved svchost.exe file in the /windows directory not system32

tanyafitness

Anyone else able to help on this?

My issue is pretty much the same.... I have a svchost.exe file in the /windows directory (not system32, where it SHOULD be). All the usual virus/malware cleaning programs can't get rid of it (I've run Hitman Pro, Malware Bytes, and TDSS Killer). Malware Bytes is still finding it on quick scans and full scans.

The effect it is having on my computer is that it is not allowing the computer to get on the internet. It will "see" my router, but it won't connect to the internet, or interact with the other 2 computers on my network.

The Farbar Service Scanner results are:
Connection Status:
Localhost is accessible
LAN connected
Attempt to access (Google/Yahoo, etc...): unreachable
Other Services:
sharedaccess Service is not running. Checking service configuration:
The start type of shared access is set to Disabled
ImagePath of sharedaccess service is OK
The ServiceDll of sharedaccess service is OK

Since I cannot get online with that machine, it's very difficult to fix, having to download scanners/cleaners on my other computers, transfer them by USB drives or SD card to the infected machine, then take logs or whatever and move them back to the healthy machine to try to get help from experts. Any help you guys could offer would be greatly appreciated.

Thank you.
 

Do you remember the name of the virus that the programs keep finding?

Having just re-run Malware Bytes, it's coming up with zilch. Showing no infection, both from safe-mode and regular windows 7. However, the problem connecting to the internet still exists. The 1 problem that it WAS finding up until now, was simply listed as svchost.exe in the C/windows/ directory.

However, if I look into the Quarantine tab, stuff that has previously been found and quarantined include:
Trojan.Agent
Trojan.Agent
Rootkit.ZeroAccess
Trojan.Agent.EXPD1
Trojan.Agent
Trojan.Happili
Rootkit.ZeroAccess

Suggest you do a scan with Windows Offline Defender. This is a boot disk that will scan your PC at start up. This tutorial will guide you through the process.

http://www.sevenforums.com/tutorials/166445-windows-defender-offline.html?filter

OK, I will give that a shot and report back, thank you.
 

tanya,
Here is how to run WDO (link to WDO in my signature).

HOW TO USE WINDOWS DEFENDER OFFLINE ON A USB STICK
Windows Defender Offline
· is a free standalone, bootable malware and virus remover from Microsoft.
· performs an offline scan of an infected PC to remove viruses, rootkits and other advanced malware.

Download Windows Defender Offline (about 764 kB)

You will have the choice of downloading the 32bit version (x86) or the 64 bit version (x64).
The link will help you determine whether you are running a 32 bit version or 64 bit version of Windows

NOTE!! You can download and prepare a 32 bit version using a 64 bit version of Windows
NOTE!! You can download and prepare a 64 bit version using a 32bit version of Windows.

You run the 32 bit version on a 32 bit version of Windows.
You run the 64 bit version on a 64 bit version of Windows.

The 32 bit download file name is: mssstool32.exe
The 64 bit download file name is: mssstool64.exe

For the curious, this program was originally named Microsoft Standalone System Sweeper.


INSTALLATION:
You will need an Internet Connection.
Insert 512 mB (Microsoft’s 256 mB is no longer accurate) or larger USB stick into a usb port.
Run the downloaded program--mssstool64.exe or mssstool32.exe
NEXT button
Choose the option On a USB flash drive that is not password protected
NEXT button
NEXT button
.
The install program will format the usb stick using the NTFS format.
The install program will download about 210 mB.
The install program will name the USB stick WDO_Media32 or WDO_Media64
The WDO_Media32 usb stick will have used space of 255 mB (268,140,544 bytes)
The WDO_Media64 usb stick will have used space of 282 mB (296,165,376 bytes)
You can expect the number of mB to increase as more malware appears.

UPDATE Windows Defender Offline USB stick:
· reinsert the usb stick
· run the installation program, mssstool64.exe or mssstool32.exe, again.
· the update will download about 66 mB (mssstool32.exe) and 68 mB (mssstool64.exe).

Since the malware database is sometimes updated several times in a day, always update before running.

PERFORM AN OFFLINE SCAN
Boot up your computer from the USB stick
Windows Defender Offline will automatically perform a quick scan.
After the quick scan finishes, Choose Full Scan
Select all of your drives

The initial, full scan can easily take several hours, but
Remember, your computer is being very thoroughly checked for all types of malware.
 

OK, I ran Windows Defender Offline. It found 9 problems rated as "severe" and supposedly cleaned them up. (I can list those if necessary).

Upon going back in and resetting it to boot up like normal windows, I find the problem still exists. It's seeing my network, but not connecting to it or the internet. Subsequent scans of Malware Bytes still come up with nothing. TDSS Killer finds nothing. FSS still finds the same thing as reported in my first post above. SVCHost analyzer still finds the same 3 problems when run as admin. Two of them are Windows Defender (service name WinDefend), whose status is "active", the other is WinHTTP Web Proxy Auto-Discovery Service, which is also "active". For both, it says "the system cannot find the file specified" (referring to their respective dll files).
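
The checks discussed in the posts above (an svchost.exe sitting in the Windows directory instead of System32, and the ImagePath, ServiceDll and start type that the service scanners report on) can be repeated by hand with the read-only PowerShell script below. It is an added example, not part of the original thread or of any tool named in it; the function names are made up for the example, and WinHttpAutoProxySvc is the service name assumed for the WinHTTP Web Proxy Auto-Discovery Service.

```powershell
# Added example, not from the thread. Windows PowerShell 2.0 or later (2.0 ships
# with Windows 7); run from an elevated 64-bit console. Read-only: changes nothing.
function New-Finding($Check, $Item, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Item = $Item; Detail = $Detail } |
        Select-Object Check, Item, Detail
}

$sysRoot = $env:SystemRoot
# The directories a genuine svchost.exe is loaded from.
$expectedDirs = @('System32', 'SysWOW64') |
    ForEach-Object { (Join-Path $sysRoot $_).ToLowerInvariant() }

function Test-ExpectedDir([string]$FilePath) {
    $expectedDirs -contains (Split-Path $FilePath -Parent).ToLowerInvariant()
}

$findings = @()

# 1) Running svchost.exe processes whose image lives anywhere else.
$findings += @(Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    if (-not $_.ExecutablePath) {
        New-Finding 'Process' "PID $($_.ProcessId)" 'image path not readable (console not elevated?)'
    } elseif (-not (Test-ExpectedDir $_.ExecutablePath)) {
        New-Finding 'Process' "PID $($_.ProcessId)" $_.ExecutablePath
    }
})

# 2) A copy of svchost.exe directly in the Windows directory (the case in this thread).
#    -Force includes files marked hidden or system.
$findings += @(Get-ChildItem -Path $sysRoot -Filter 'svchost.exe' -Force -ErrorAction SilentlyContinue |
    ForEach-Object { New-Finding 'File' $_.FullName "created $($_.CreationTime), $($_.Length) bytes" })

# 3) Services hosted by svchost.exe: ImagePath must point at the real binary and
#    the ServiceDll named under Parameters must exist on disk.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings += @(Get-ChildItem $services -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $raw = "$($svc.ImagePath)" -replace '^\\SystemRoot', $sysRoot
    if (-not ($raw -match '^"?(.*?svchost\.exe)')) { return }   # not svchost-hosted

    $name  = $_.PSChildName
    $image = [Environment]::ExpandEnvironmentVariables($Matches[1])
    if (-not (Test-ExpectedDir $image)) { New-Finding 'ImagePath' $name $image }

    $params = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
    if ($params.ServiceDll) {
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        if (-not (Test-Path -LiteralPath $dll)) {
            New-Finding 'ServiceDll' $name "missing on disk: $dll"
        }
    }
})

# 4) Start type of the services named in the thread (reported, not judged).
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$report = foreach ($n in 'SharedAccess', 'WinDefend', 'WinHttpAutoProxySvc') {
    $start = (Get-ItemProperty -Path "$services\$n" -ErrorAction SilentlyContinue).Start
    New-Finding 'StartType' $n $(if ($null -ne $start) { $startTypes[[int]$start] } else { 'service key not found' })
}

$findings + $report | Format-Table -AutoSize -Wrap
```

A clean result from this script only covers these specific checks; as the replies in this thread point out, a rootkit can hide from tools running inside the infected system, so the same inspection is more trustworthy when done from an offline boot environment.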
 

Time for a fresh install...actually, after a big infection like that, it was the obvious thing to do.
 

Since this is a rootkit, a clean reinstall would be the best/safest option.

http://www.sevenforums.com/tutorials/1649-clean-install-windows-7-a.html

ZeroAccess belongs to the Sirefef family. Depending on the variant you have, it may have done irreparable damage.

Encyclopedia entry: Trojan:Win32/Sirefef.AC - Learn more about malware - Microsoft Malware Protection Center
Caution: Win32/Sirefef is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal. Particular variants of Win32/Sirefef may also make lasting changes to your computer that will NOT be restored - some system files may be irrevocably corrupted and essential security services may be disabled.

As a consequence of being infected with this threat, you may need to reinstall your Windows operating system and other computer programs, and restore your files and data from backup.
 

I understand that it's not looking good... and that a fresh install of 7 may be warranted. However, I'm not quite ready to give up just yet, so I have a few more questions, if you all would be so kind to offer your feedback....

1) - What about the program SuperAntiSpyware? That was recommended to me earlier today as another option that might find the problem.
1a) - What about ComboFix? That seems to be a last ditch resort from what I read, as it's "aggressive". But what if it DOES solve the problem without having to resort to a complete re-install?
2) - If TDSSKiller, MalwareBytes, Hitman Pro, and Windows Defender Offline, ALL are no longer seeing any traces of this rootkit/trojan, is it possible that I might just need to reset some settings that the virus changed on me? For instance, a similar malware got me a few months ago, and after it was removed/deleted, I was left with files that were "grayed-out", or "hidden". I had to download a program called "unhide" and it reverted everything back to normal. Could there be a similar fix for this? For instance, if some file was just changed that's not letting my computer "see" the network or the internet past my router, could there be a switch to flip, instead of resorting to a move as drastic as a complete re-install?
3) - If I DO have to re-install 7 and wipe my system clean, can I first move files I need off to another drive without worrying about sending the virus along with it? Specifically, I'm referring to video files (wmv and m2t, m2ts, mts, or mp4 extensions) and Word/Excel docs.
4) - If I DO do a new install of 7, and have temporarily put those files I needed to keep onto an external, which programs should I FIRST install on the new copy of 7 to provide maximum protection, and how would I go about "scanning" my external drives to make sure the same problem isn't transferred back onto this clean install?

I'd rather deal with 1, 1a, and 2, instead of 3 and 4.... but I welcome your thoughts on all the options. Thank you again for this education! I gotta admit, it's kind of fun, even though it's as frustrating as it is.
 

I will only address 3) and 4).

Yes, viruses do reside in such files.

If you export them to another drive, then, and this is important, AFTER your reinstall or Clean install, you can use MalwareBytes to scan the files BEFORE you 'import' the files to your clean system.

And once you make a clean install, immediately install MSE, Microsoft Security Essentials, link in my signature.
Then you can download Malwarebytes using the LINK IN MY SIGNATURE. This is important because this program is a favorite target of hackers trying to get you to download from an infected site. They are very skilled at making you think that you have a legitimate site.

To do less than a Clean install, in your case, is just asking for problems.
 

I agree with everyone else, that the best thing is a full reformat of the system to clean up everything. Even though it's not something good, it's the best bet in the long run, generally speaking, when a Windows installation has some (severe) malfunction it's much faster to just reinstall it from scratch than try to repair it.

Make sure that before formatting, you copy all your data files to another drive, CD or other place booting from a portable OS. And once you install Windows again, first of all install an antivirus and do a full scan of the backup you made, just to prevent a re-infection.
 

Just because your scanners are showing clean doesn't necessarily mean you are free of a virus. There are different categories of viruses, some more stubborn/harder to remove than others. A rootkit is one of the harder ones to remove (in most cases) & even if you do manage to clear most of it, there's always a chance that some remnant of it may cause problems down the road, or even reinstall itself at some point. Not to mention the damage that was probably caused to some of your operating system files, which will need to be repaired.

Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; re-installation of the operating system may be the only available solution to the problem.

Being that Microsoft recommends a reinstall when it comes to this virus, this remains your best bet.

Back up your files on the medium of your choice and make sure they are thoroughly scanned before putting them back on the system. If in doubt, you can submit files (up to 32MB) to VirusTotal, which will scan the files with multiple AV programs.

https://www.virustotal.com/

Another thing you may wish to do, after you have done a reinstall (do not do this now), is to make a system image. This can be invaluable should something like this happen down the road:

http://www.sevenforums.com/tutorials/663-backup-complete-computer-create-image-backup.html
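
The posts above advise scanning the exported files before they go back onto the clean install. As an added example (not part of the thread), the PowerShell script below inventories a backup drive before any scanner is run: it flags files that carry a video or document extension but start with a Windows executable header, lists anything that is not one of the expected file types, and computes a SHA-256 for each file. The drive letter `E:\`, the extension list and the function names are assumptions made for the example.

```powershell
# Added example, not from the thread. Windows PowerShell 2.0 or later; read-only.
param([string]$BackupRoot = 'E:\')   # assumption: the external drive's letter

# Assumed extensions for the videos and Word/Excel files the poster wants to keep.
$dataExt = '.wmv', '.m2t', '.m2ts', '.mts', '.mp4', '.doc', '.docx', '.xls', '.xlsx'
$uploadLimit = 32MB                  # VirusTotal size limit quoted in the thread

function Test-MzHeader([string]$Path) {
    # True when the file starts with "MZ", the header of a Windows executable.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $b = New-Object byte[] 2
        ($fs.Read($b, 0, 2) -eq 2) -and ($b[0] -eq 0x4D) -and ($b[1] -eq 0x5A)
    } finally { $fs.Close() }
}

function Get-Sha256([string]$Path) {
    # Uses .NET directly because Get-FileHash is not available in PowerShell 2.0.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close() }
}

$report = Get-ChildItem -Path $BackupRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $ext  = $_.Extension.ToLowerInvariant()
        $isPe = Test-MzHeader $_.FullName

        if ($isPe -and ($dataExt -contains $ext)) {
            $verdict = 'EXECUTABLE HEADER UNDER A DATA EXTENSION'
        } elseif ($isPe) {
            $verdict = 'executable: reinstall from the vendor instead of restoring'
        } elseif ($dataExt -notcontains $ext) {
            $verdict = 'unexpected type: review before restoring'
        } else {
            $verdict = 'expected data file'
        }

        New-Object PSObject -Property @{
            Verdict        = $verdict
            SizeMB         = [math]::Round($_.Length / 1MB, 1)
            TooBigToUpload = ($_.Length -gt $uploadLimit)
            Sha256         = (Get-Sha256 $_.FullName)
            Path           = $_.FullName
        } | Select-Object Verdict, SizeMB, TooBigToUpload, Sha256, Path
    }

# Everything that is not an expected data file sorts to the top.
$report | Sort-Object { $_.Verdict -eq 'expected data file' }, Path |
    Format-Table -AutoSize -Wrap
```

Files over the 32 MB limit cannot be uploaded, but their SHA-256 can still be searched on VirusTotal. Hashing large video files takes a while, and a file that passes this header check still needs the antivirus scan the posts recommend.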
 

Borg,
I agree. Only an offline malware removal tool such as Microsoft's offline malware removal tool, WDO, will catch many problems.

Incidentally, I disagree with Jaycee's advice, but that is another topic and I'm in no mood for such discussions.
 

My advice is to wipe the OS and do a 'clean' install. Once you have a Rootkit, your computer has been severely compromised and it will never be stable again.... unless you do what I just said.

The article above, that I linked to, tells what ZA Rootkit does and how it acts to render your computer worthless.
 

I disagree. Not all rootkits are created equal. True, there are some that do irreparable damage to your system files, however, most people would like to avoid a reinstall like the plague if at all possible. I give them a possibility that works in an amazing number of cases.
 

Nope, not all Rootkits are created equal... this one creates its own hidden partition that is just about impossible to find, let alone clean up.

Karl, did you read what ZA is and does? Would you allow it to be "fixed" on one of your own computers, or wipe and 'clean install' the OS? :confused:
 

Thank you for addressing 3 & 4 in my previous message. If I get to that stage I will definitely follow the advice on that.

However, I'm the type that likes a good fight. LOL. I went ahead and skipped #1 (SUPER AntiVirus), and did #2 (ComboFix) instead. So far, combofix seems to have fixed the problem. I'm waiting for feedback on the combofix logs on another forum before I declare the issue solved, but so far, I seem to be back up and running with no issues remaining on the infected computer. Internet connection is back, updated Hitman and Malware Bytes, and all 3 (Hitman, MalwareBytes, and Kaspersky TDSS Killer) showing no signs of infection. Keeping my fingers crossed that ComboFix did the job!

I will review all the other information above. I was able to get all important files over to an external, so I bought myself some time and can go ahead and try to fight this battle before giving up and having to re-install 7.
 

Between ComboFix and OTL, I seem to have solved all problems. I will keep you all updated with any relevant info.

I would like any input on what anti-virus, anti-malware programs you all recommend to prevent this from happening again. Things like real-time protection that don't slow things down too much (I do lots of video editing....). I will always use Malware Bytes. I've heard good things about Avast. What else? And is it advised to just stick with one or two defense programs, or is running a bunch more OK?

Thank you very much for your help, advice, and assistance. It's been interesting to say the least!
 
