
Windows 7: svchost.exe file in the /windows directory not system32

27 Jul 2012   #1

7 Home Premium 64-bit
svchost.exe file in the /windows directory not system32

Anyone else able to help on this?

My issue is pretty much the same.... I have a svchost.exe file in the /windows directory (not system32, where it SHOULD be). All the usual virus/malware cleaning programs can't get rid of it (I've run Hitman Pro, Malware Bytes, and TDSS Killer). Malware Bytes is still finding it on quick scans and full scans.

The effect it is having on my computer is that it is not allowing the computer to get on the internet. It will "see" my router, but it won't connect to the internet, or interact with the other 2 computers on my network.

The Farbar Service Scanner results are:
Connection Status:
Localhost is accessible
LAN connected
Attempt to access (Google/Yahoo, etc...): unreachable
Other Services:
sharedaccess Service is not running. Checking service configuration:
The start type of shared access is set to Disabled
ImagePath of sharedaccess service is OK
The ServiceDll of sharedaccess service is OK

Since I cannot get online with that machine, it's very difficult to fix, having to download scanners/cleaners on my other computers, transfer them by USB drives or SD card to the infected machine, then take logs or whatever and move them back to the healthy machine to try to get help from experts. Any help you guys could offer would be greatly appreciated.

Thank you.

27 Jul 2012   #2
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10

Do you remember the name of the virus that the programs keep finding?

Suggest you do a scan with Windows Offline Defender. This is a boot disk that will scan your PC at start up. This tutorial will guide you through the process.

Windows Defender Offline

Another suggestion, run Malwarebytes in safe mode.
28 Jul 2012   #3

7 Home Premium 64-bit

Quote: Originally Posted by Borg 386
Do you remember the name of the virus that the programs keep finding?
Having just re-run Malware Bytes, it's coming up with zilch. Showing no infection, both from safe-mode and regular windows 7. However, the problem connecting to the internet still exists. The 1 problem that it WAS finding up until now, was simply listed as svchost.exe in the C/windows/ directory.

However, if I look into the Quarantine tab, stuff that has previously been found and quarantined include:

Quote: Originally Posted by Borg 386
Suggest you do a scan with Windows Offline Defender. This is a boot disk that will scan your PC at start up. This tutorial will guide you through the process.

Windows Defender Offline
OK, I will give that a shot and report back, thank you.

28 Jul 2012   #4

MS Windows 7 Ultimate SP1 64-bit

Here is how to run WDO (link to WDO in my signature).

Windows Defender Offline
· is a free standalone, bootable malware and virus remover from Microsoft.
· performs an offline scan of an infected PC to remove viruses, rootkits and other advanced malware.

Download Windows Defender Offline (about 764 kB)

You will have the choice of downloading the 32bit version (x86) or the 64 bit version (x64).
The link will help you determine whether you are running a 32 bit version or 64 bit version of Windows

NOTE!! You can download and prepare a 32 bit version using a 64 bit version of Windows
NOTE!! You can download and prepare a 64 bit version using a 32bit version of Windows.

You run the 32 bit version on a 32 bit version of Windows.
You run the 64 bit version on a 64 bit version of Windows.

The 32 bit download file name is: mssstool32.exe
The 64 bit download file name is: mssstool64.exe

For the curious, this program was originally named Microsoft Standalone System Sweeper.

You will need an Internet Connection.
Insert 512 mB (Microsoft’s 256 mB is no longer accurate) or larger USB stick into a usb port.
Run the downloaded program--mssstool64.exe or mssstool32.exe
NEXT button
Choose the option On a USB flash drive that is not password protected
NEXT button
NEXT button
The install program will format the usb stick using the NTFS format.
The install program will download about 210 mB.
The install program will name the USB stick WDO_Media32 or WDO_Media64
The WDO_Media32 usb stick will have used space of 255 mB (268,140,544 bytes)
The WDO_Media64 usb stick will have used space of 282 mB (296,165,376 bytes)
You can expect the number of mB to increase as more malware appears.

UPDATE Windows Defender Offline USB stick:
· reinsert the usb stick
· run the installation program, mssstool64.exe or mssstool32.exe, again.
· the update will download about 66 mB (mssstool32.exe) and 68 mB (mssstool64.exe).

Since the malware database is sometimes updated several times in a day, always update before running.

Boot up your computer from the USB stick
Windows Defender Offline will automatically perform a quick scan.
After the quick scan finishes, Choose Full Scan
Select all of your drives

The initial, full scan can easily take several hours, but remember, your computer is being very thoroughly checked for all types of malware.
28 Jul 2012   #5

7 Home Premium 64-bit

OK, I ran Windows Defender Offline. It found 9 problems rated as "severe" and supposedly cleaned them up. (I can list those if necessary).

Upon going back in and resetting it to boot up like normal windows, I find the problem still exists. It's seeing my network, but not connecting to it or the internet. Subsequent scans of Malware Bytes still come up with nothing. TDSS Killer finds nothing. FSS still finds the same thing as reported in my first post above. SVCHost analyzer still finds the same 3 problems when run as admin. Two of them are Windows Defender (service name WinDefend), whose status is "active", the other is WinHTTP Web Proxy Auto-Discovery Service, which is also "active". For both, it says "the system cannot find the file specified" (referring to their respective dll files).
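
The checks this thread keeps returning to (a svchost.exe outside System32, and services whose DLL "cannot be found"), as an added example that is not part of any poster's message: read-only PowerShell using Get-WmiObject so it runs on the Windows PowerShell 2.0 that ships with Windows 7. It assumes an elevated 64-bit prompt; SharedAccess and WinDefend are the service names given in the posts, and WinHttpAutoProxySvc is the service name of WinHTTP Web Proxy Auto-Discovery Service.

```powershell
# Added example: read-only triage. Run from an elevated 64-bit PowerShell prompt
# (a 32-bit prompt sees System32 redirected to SysWOW64 and reports false misses).

# The only two places the genuine svchost.exe lives on 64-bit Windows.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# 1) Running svchost.exe processes whose image path is somewhere else.
#    -notcontains compares case-insensitively, so "system32" still matches.
Get-WmiObject Win32_Process -Filter "Name='svchost.exe'" |
    Where-Object { $_.ExecutablePath -and ($expected -notcontains $_.ExecutablePath) } |
    Select-Object ProcessId, ExecutablePath, CommandLine

# 2) A svchost.exe sitting directly in %SystemRoot%, as described in post #1.
$stray = Join-Path $env:SystemRoot 'svchost.exe'
if (Test-Path -LiteralPath $stray) {
    Get-Item -LiteralPath $stray -Force |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

# 3) Services whose ServiceDll points at a file that does not exist
#    ("the system cannot find the file specified" in post #5).
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem $servicesKey | ForEach-Object {
    $name = $_.PSChildName
    $params = Get-ItemProperty -Path "$servicesKey\$name\Parameters" -ErrorAction SilentlyContinue
    if ($params -and $params.ServiceDll) {
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        if (-not (Test-Path -LiteralPath $dll)) {
            New-Object PSObject -Property @{ Service = $name; MissingServiceDll = $dll }
        }
    }
}

# 4) Start mode and state of the services named in the thread.
Get-WmiObject Win32_Service |
    Where-Object { 'SharedAccess', 'WinDefend', 'WinHttpAutoProxySvc' -contains $_.Name } |
    Select-Object Name, StartMode, State, PathName
```

Empty output from steps 1 to 3 only means nothing was visible from inside the running system; a rootkit can hide files and processes from these queries, which is why the thread also uses an offline scan.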
28 Jul 2012   #6

Microsoft Windows 10 Professional / Windows 7 Professional

Time for a fresh install...actually, after a big infection like that, it was the obvious thing to do.
28 Jul 2012   #7
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10

Since this is a rootkit, a clean reinstall would be the best/safest option.

Clean Install Windows 7

ZeroAccess belongs to the Sirefef family. Depending on the variant you have, it may have done irreparable damage.

Encyclopedia entry: Trojan:Win32/Sirefef.AC - Learn more about malware - Microsoft Malware Protection Center
Caution: Win32/Sirefef is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal. Particular variants of Win32/Sirefef may also make lasting changes to your computer that will NOT be restored - some system files may be irrevocably corrupted and essential security services may be disabled.

As a consequence of being infected with this threat, you may need to reinstall your Windows operating system and other computer programs, and restore your files and data from backup.
28 Jul 2012   #8

MS Windows 7 Ultimate SP1 64-bit

Yes, you need a clean install. Use this link which despite its title covers all cases.

Use the instructions there to use DiskPart and CLEAN to wipe your disk which is necessary in your case. A format does not eliminate the traces of all malware.

Clean Reinstall - Factory OEM Windows 7
28 Jul 2012   #9

7 Home Premium 64-bit

I understand that it's not looking good... and that a fresh install of 7 may be warranted. However, I'm not quite ready to give up just yet, so I have a few more questions, if you all would be so kind to offer your feedback....

1) - What about the program SuperAntiSpyware? That was recommended to me earlier today as another option that might find the problem.
1a) - What about ComboFix? That seems to be a last ditch resort from what I read, as it's "aggressive". But what if it DOES solve the problem without having to resort to a complete re-install?
2) - If TDSSKiller, MalwareBytes, Hitman Pro, and Windows Defender Offline, ALL are no longer seeing any traces of this rootkit/trojan, is it possible that I might just need to reset some settings that the virus changed on me? For instance, a similar malware got me a few months ago, and after it was removed/deleted, I was left with files that were "grayed-out", or "hidden". I had to download a program called "unhide" and it reverted everything back to normal. Could there be a similar fix for this? For instance, if some file was just changed that's not letting my computer "see" the network or the internet past my router, could there be a switch to flip, instead of resorting to a move as drastic as a complete re-install?
3) - If I DO have to re-install 7 and wipe my system clean, can I first move files I need off to another drive without worrying about sending the virus along with it? Specifically, I'm referring to video files (wmv and m2t, m2ts, mts, or mp4 extensions) and Word/Excel docs.
4) - If I DO do a new install of 7, and have temporarily put those files I needed to keep onto an external, which programs should I FIRST install on the new copy of 7 to provide maximum protection, and how would I go about "scanning" my external drives to make sure the same problem isn't transferred back onto this clean install?

I'd rather deal with 1, 1a, and 2, instead of 3 and 4.... but I welcome your thoughts on all the options. Thank you again for this education! I gotta admit, it's kind of fun, even though it's as frustrating as it is.
28 Jul 2012   #10

MS Windows 7 Ultimate SP1 64-bit

I will only address 3) and 4).

Yes, viruses do reside in such files.

If you export them to another drive, then, and this is important, AFTER your reinstall or Clean install, you can use MalwareBytes to scan the files BEFORE you 'import' the files to your clean system.

And once you make a clean install, immediately install MSE, Microsoft Security Essentials, link in my signature.
Then you can download Malwarebytes using the LINK IN MY SIGNATURE. This is important because this program is a favorite target of hackers trying to get you to download from an infected site. They are very skilled at making you think that you have a legitimate site.

To do less than a Clean install, in your case, is just asking for problems.