svchost.exe file in the /windows directory not system32


  1. Posts : 15
    7 Home Premium 64-bit
       #1


    Anyone else able to help on this?

    My issue is pretty much the same.... I have a svchost.exe file in the /windows directory (not system32, where it SHOULD be). All the usual virus/malware cleaning programs can't get rid of it (I've run Hitman Pro, Malware Bytes, and TDSS Killer). Malware Bytes is still finding it on quick scans and full scans.

    The effect it is having on my computer is that it is not allowing the computer to get on the internet. It will "see" my router, but it won't connect to the internet, or interact with the other 2 computers on my network.

    The Farbar Service Scanner results are:
    Connection Status:
    Localhost is accessible
    LAN connected
    Attempt to access (Google/Yahoo, etc...): unreachable
    Other Services:
    sharedaccess Service is not running. Checking service configuration:
    The start type of shared access is set to Disabled
    ImagePath of sharedaccess service is OK
    The ServiceDll of sharedaccess service is OK

    Since I cannot get online with that machine, it's very difficult to fix, having to download scanners/cleaners on my other computers, transfer them by USB drives or SD card to the infected machine, then take logs or whatever and move them back to the healthy machine to try to get help from experts. Any help you guys could offer would be greatly appreciated.

    Thank you.


  2. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #2

    Do you remember the name of the virus that the programs keep finding?

    Suggest you do a scan with Windows Offline Defender. This is a boot disk that will scan your PC at start up. This tutorial will guide you through the process.

    Windows Defender Offline

    Another suggestion, run Malwarebytes in safe mode.


  3. Posts : 15
    7 Home Premium 64-bit
    Thread Starter
       #3

    Borg 386 said:
    Do you remember the name of the virus that the programs keep finding?
    Having just re-run Malware Bytes, it's coming up with zilch. Showing no infection, both from safe-mode and regular windows 7. However, the problem connecting to the internet still exists. The 1 problem that it WAS finding up until now, was simply listed as svchost.exe in the C/windows/ directory.

    However, if I look into the Quarantine tab, stuff that has previously been found and quarantined include:
    Trojan.Agent
    Trojan.Agent
    Rootkit.ZeroAccess
    Trojan.Agent.EXPD1
    Trojan.Agent
    Trojan.Happili
    Rootkit.ZeroAccess

    Borg 386 said:
    Suggest you do a scan with Windows Offline Defender. This is a boot disk that will scan your PC at start up. This tutorial will guide you through the process.

    Windows Defender Offline
    OK, I will give that a shot and report back, thank you.


  4. Posts : 10,200
    MS Windows 7 Ultimate SP1 64-bit
       #4

    tanya,
    Here is how to run WDO (link to WDO in my signature).

    HOW TO USE WINDOWS DEFENDER OFFLINE ON A USB STICK
    Windows Defender Offline
    · is a free standalone, bootable malware and virus remover from Microsoft.
    · performs an offline scan of an infected PC to remove viruses, rootkits and other advanced malware.

    Download Windows Defender Offline (about 764 kB)

    You will have the choice of downloading the 32bit version (x86) or the 64 bit version (x64).
    The link will help you determine whether you are running a 32 bit version or 64 bit version of Windows

    NOTE!! You can download and prepare a 32 bit version using a 64 bit version of Windows
    NOTE!! You can download and prepare a 64 bit version using a 32bit version of Windows.

    You run the 32 bit version on a 32 bit version of Windows.
    You run the 64 bit version on a 64 bit version of Windows.

    The 32 bit download file name is: mssstool32.exe
    The 64 bit download file name is: mssstool64.exe

    For the curious, this program was originally named Microsoft Standalone System Sweeper.


    INSTALLATION:
    You will need an Internet Connection.
    Insert 512 mB (Microsoft’s 256 mB is no longer accurate) or larger USB stick into a usb port.
    Run the downloaded program--mssstool64.exe or mssstool32.exe
    NEXT button
    Choose the option On a USB flash drive that is not password protected
    NEXT button
    NEXT button
    The install program will format the usb stick using the NTFS format.
    The install program will download about 210 mB.
    The install program will name the USB stick WDO_Media32 or WDO_Media64
    The WDO_Media32 usb stick will have used space of 255 mB (268,140,544 bytes)
    The WDO_Media64 usb stick will have used space of 282 mB (296,165,376 bytes)
    You can expect the number of mB to increase as more malware appears.

    UPDATE Windows Defender Offline USB stick:
    · reinsert the usb stick
    · run the installation program, mssstool64.exe or mssstool32.exe, again.
    · the update will download about 66 mB (mssstool32.exe) and 68 mB (mssstool64.exe).

    Since the malware database is sometimes updated several times in a day, always update before running.

    PERFORM AN OFFLINE SCAN
    Boot up your computer from the USB stick
    Windows Defender Offline will automatically perform a quick scan.
    After the quick scan finishes, Choose Full Scan
    Select all of your drives

    The initial, full scan can easily take several hours, but
    Remember, your computer is being very thoroughly checked for all types of malware.


  5. Posts : 15
    7 Home Premium 64-bit
    Thread Starter
       #5

    OK, I ran Windows Defender Offline. It found 9 problems rated as "severe" and supposedly cleaned them up. (I can list those if necessary).

    Upon going back in and resetting it to boot up like normal windows, I find the problem still exists. It's seeing my network, but not connecting to it or the internet. Subsequent scans of Malware Bytes still come up with nothing. TDSS Killer finds nothing. FSS still finds the same thing as reported in my first post above. SVCHost analyzer still finds the same 3 problems when run as admin. Two of them are Windows Defender (service name WinDefend), whose status is "active"; the other is WinHTTP Web Proxy Auto-Discovery Service, which is also "active". For both, it says "the system cannot find the file specified" (referring to their respective dll files).
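A read-only way to repeat by hand the checks discussed in posts #1 and #5 (svchost.exe location, service ImagePath, missing ServiceDll), as an added PowerShell example that is not from the thread or from any tool named in it. It assumes an elevated 64-bit PowerShell prompt and that each svchost-hosted service records its DLL in the Parameters\ServiceDll registry value.

```powershell
# Added example, not from the thread. Read-only audit; it changes nothing.
# Assumes an elevated 64-bit PowerShell prompt (32-bit PowerShell sees a redirected System32).
$okDirs = @((Join-Path $env:SystemRoot 'System32'), (Join-Path $env:SystemRoot 'SysWOW64'))

function Test-SvchostPath([string]$Path) {
    # True only when the file sits directly inside an expected system directory.
    if (-not $Path) { return $false }
    $dir = [System.IO.Path]::GetDirectoryName($Path)
    foreach ($d in $okDirs) { if ($dir -ieq $d) { return $true } }
    return $false
}

# 1. Running svchost.exe processes whose image is outside the expected directories.
#    An empty ExecutablePath usually means the prompt is not elevated.
Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { -not (Test-SvchostPath $_.ExecutablePath) } |
    Format-List ProcessId, ExecutablePath, CommandLine

# 2. A svchost.exe directly in %SystemRoot%, the location reported in post #1.
$stray = Join-Path $env:SystemRoot 'svchost.exe'
if (Test-Path -LiteralPath $stray) {
    Get-Item -LiteralPath $stray -Force | Format-List FullName, Length, LastWriteTime
}

# 3. svchost-hosted services: where ImagePath points and whether ServiceDll exists on disk.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = foreach ($key in Get-ChildItem $svcRoot) {
    $name = $key.PSChildName
    $svc = Get-ItemProperty -LiteralPath "$svcRoot\$name" -ErrorAction SilentlyContinue
    # Skip services that are not hosted by svchost.exe.
    if (-not $svc -or $svc.ImagePath -notmatch '(?i)^"?(.*?svchost\.exe)') { continue }
    $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
    $par = Get-ItemProperty -LiteralPath "$svcRoot\$name\Parameters" -ErrorAction SilentlyContinue
    $dll = if ($par -and $par.ServiceDll) {
        [Environment]::ExpandEnvironmentVariables($par.ServiceDll)
    } else { $null }
    $badExe = -not (Test-SvchostPath $exe)
    $badDll = $dll -and -not (Test-Path -LiteralPath $dll)
    if ($badExe -or $badDll) {
        New-Object PSObject -Property @{
            Service = $name; ImagePath = $exe; ServiceDll = $dll
            ExeOutsideSystemDir = $badExe; DllMissing = [bool]$badDll
        }
    }
}
$findings | Format-List Service, ImagePath, ServiceDll, ExeOutsideSystemDir, DllMissing
```

No output from a section means that check found nothing to report; a service listed with DllMissing set to True corresponds to the "cannot find the file specified" result described in post #5.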


  6. Posts : 687
    Microsoft Windows 10 Professional / Windows 7 Professional
       #6

    Time for a fresh install...actually, after a big infection like that, it was the obvious thing to do.


  7. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #7

    Since this is a rootkit, a clean reinstall would be the best/safest option.

    Clean Install Windows 7

    ZeroAccess belongs to the Sirefef family. Depending on the variant you have, it may have done irreparable damage.

    Encyclopedia entry: Trojan:Win32/Sirefef.AC - Learn more about malware - Microsoft Malware Protection Center
    Caution: Win32/Sirefef is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal. Particular variants of Win32/Sirefef may also make lasting changes to your computer that will NOT be restored - some system files may be irrevocably corrupted and essential security services may be disabled.

    As a consequence of being infected with this threat, you may need to reinstall your Windows operating system and other computer programs, and restore your files and data from backup.


  8. Posts : 10,200
    MS Windows 7 Ultimate SP1 64-bit
       #8

    Yes, you need a clean install. Use this link, which despite its title covers all cases.

    Use the instructions there to use DiskPart and CLEAN to wipe your disk which is necessary in your case. A format does not eliminate the traces of all malware.

    Clean Reinstall - Factory OEM Windows 7


  9. Posts : 15
    7 Home Premium 64-bit
    Thread Starter
       #9

    I understand that it's not looking good... and that a fresh install of 7 may be warranted. However, I'm not quite ready to give up just yet, so I have a few more questions, if you all would be so kind to offer your feedback....

    1) - What about the program SuperAntiSpyware? That was recommended to me earlier today as another option that might find the problem.
    1a) - What about ComboFix? That seems to be a last ditch resort from what I read, as it's "aggressive". But what if it DOES solve the problem without having to resort to a complete re-install?
    2) - If TDSSKiller, MalwareBytes, Hitman Pro, and Windows Defender Offline, ALL are no longer seeing any traces of this rootkit/trojan, is it possible that I might just need to reset some settings that the virus changed on me? For instance, a similar malware got me a few months ago, and after it was removed/deleted, I was left with files that were "grayed-out", or "hidden". I had to download a program called "unhide" and it reverted everything back to normal. Could there be a similar fix for this? For instance, if some file was just changed that's not letting my computer "see" the network or the internet past my router, could there be a switch to flip, instead of resorting to a move as drastic as a complete re-install?
    3) - If I DO have to re-install 7 and wipe my system clean, can I first move files I need off to another drive without worrying about sending the virus along with it? Specifically, I'm referring to video files (wmv and m2t, m2ts, mts, or mp4 extensions) and Word/Excel docs.
    4) - If I DO do a new install of 7, and have temporarily put those files I needed to keep onto an external, which programs should I FIRST install on the new copy of 7 to provide maximum protection, and how would I go about "scanning" my external drives to make sure the same problem isn't transferred back onto this clean install?

    I'd rather deal with 1, 1a, and 2, instead of 3 and 4.... but I welcome your thoughts on all the options. Thank you again for this education! I gotta admit, it's kind of fun, even though it's as frustrating as it is.


  10. Posts : 10,200
    MS Windows 7 Ultimate SP1 64-bit
       #10

    I will only address 3) and 4).

    Yes, viruses do reside in such files.

    If you export them to another drive, then, and this is important, AFTER your reinstall or Clean install, you can use MalwareBytes to scan the files BEFORE you 'import' the files to your clean system.

    And once you make a clean install, immediately install MSE, Microsoft Security Essentials, link in my signature.
    Then you can download Malwarebytes using the LINK IN MY SIGNATURE. This is important because this program is a favorite target of hackers trying to get you to download from an infected site. They are very skilled at making you think that you have a legitimate site.

    To do less than a Clean install, in your case, is just asking for problems.


 