svchost.exe file in the /windows directory not system32

Alejandro85 · 28 Jul 2012

I agree with everyone else, that the best thing is a full reformat of the system to clean up everything. Even though it's not something good, it's the best bet in the long run, generally speaking, when a Windows installation has some (severe) malfunction it's much faster to just reinstall it from scratch then try to repair it.

Make sure that before formating, you copy all your data files to another drive, CD or other place booting from a portable OS. And once you install Windows again, first of all install an antivirus and do a full scan of the backup you made, just to prevent a re-infection.

Borg 386 · 30 Jul 2012

Just because your scanners are showing clean doesn't necessarily mean you are free of a virus. There are different categories of viruses, some more stubborn/harder to remove then others. A rootkit is one of the harder ones to remove (in most cases) & even if you do manage clear most of it, there's always a chance that some remnant of it may cause problems down the road, or even reinstall itself at some point. Not to mention the damage that was probably caused to some of your operating system files, which will need to be repaired.

Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; re-installation of the operating system may be the only available solution to the problem.

Being that Microsoft recommends a reinstall when it comes to this virus, this remains your best bet.

Back up your files on the medium of your choice and make sure they are thoroughly scanned before putting them back on the system. If in doubt, you can submit files (up to 32MB) to VirusTotal, which will scan the files with multiple AV programs.

https://www.virustotal.com/

Another thing you may wish to do, after you have done a reinstall (do not do this now), is to make a system image. This can be invaluable should something like this happen down the road:

Backup Complete Computer - Create an Image Backup

Jacee · 30 Jul 2012

Please read about ZeroAcess and what it does, here ZeroAccess Rootkit Guards Itself with a Tripwire « Webroot Threat Blog

karlsnooks · 30 Jul 2012

Borg,
I agree. Only an offline malware removal tool such as Microsoft's offline malware removal tool, WDO, will catch many problems.

Incidentally, I disagree with Jaycee's advice, but that is another topic and I'm in no mood for such discussions.

Jacee · 30 Jul 2012

My advice is to wipe the OS and do a 'clean' install. Once you have a Rootkit, your computer has been severely compromised and it will never be stable again.... unless you do what I just said.

The article above, that I linked to, tells what ZA Rootkit does and how it acts to render your computer worthless.

karlsnooks · 30 Jul 2012

I disagree. Not all rootkits are created equal. True, there are some that do irreparable damage to your system files, however, most people would like to avoid a reinstall like the plague if at all possible. I give them a possibility that works in an amazing number of cases.

Jacee · 30 Jul 2012

Nope, not all Rootkits are created equal... this one creates it's own hidden partition that is just about impossible to find, let alone clean up.

Karl, did you read what ZA is and does? Would you allow it to be "fixed" on one of your own computers, or wipe and 'clean install' the OS?

tanyafitness · 01 Aug 2012

Thank you for addressing 3 & 4 in my previous message. If I get to that stage I will definitely follow the advice on that.

However, I'm the type that likes a good fight. LOL. I went ahead and skipped #1 (SUPER AntiVirus), and did #2 (ComboFix) instead. So far, combofix seems to have fixed the problem. I'm waiting for feedback on the combofix logs on another forum before I declare the issue solved, but so far, I seem to be back up and running with no issues remaining on the infected computer. Internet connection is back, updated Hitman and Malware Bytes, and all 3 (Hitman, MalwareByes, and Kapersky TDSS Killer) showing no signs of infection. Keeping my fingers crossed that ComboFix did the job!

I will review all the other information above. I was able to get all important files over to an external, so I bought myself some time and can go ahead and try to fight this battle before giving up and having to re-install 7.

tanyafitness · 04 Aug 2012

Between ComboFix and OTL, I seem to have solved all problems. I will keep you all updated with any relevant info.

I would like any input on what anti-virus, anti-malware programs you all recommend to prevent this from happening again. Things like real-time protection that don't slow things down too much (I do lots of video editing....). I will always use Malware Bytes. I've heard good things about Avast. What else? And is it advised to just stick with one or two defense programs, or is running a bunch more OK?

Thank you very much for your help, advice, and assistance. It's been interesting to say the least!

karlsnooks · 04 Aug 2012

I use, and use only MSE, Microsoft Security Essentials.

This will help explain why:
Understanding Microsoft Anti-Malware Software 2012 ~ Security Garden