Removing a Trojan horse in Windows 7

Posted on 2012-08-13
Last Modified: 2012-08-14
Dear experts,

In AVG, I continually get a popup on my screen that a threat (dropper.generic_c.MMI) is detected in c:\windows\system32\services.exe. My only option in the popup is to "show details":

Processname: C:\Windows\System32\svchost.exe
Process-ID: 732
...or ignore the threat.

AVG tells me that services.exe is a whitelisted file and should not be removed. Here is some more information:

I've googled the net to find out more, and read that it should be dangerous, but I don't feel like I experience those symptoms. I don't see changed homepages, or programs shut down. I don't see those keys in my regedit either, so I think my computer isn't that much infected. (Reference:

But what can I do to remove this, and how do I do it?
Is it safe to remove services.exe?

Thanks in advance!
Question by:DanishCoder

    Assisted Solution

    Svchost.exe and Services.exe are Windows system files, but they operate as containers for Windows Services. That's why you see so much confusion as to whether or not they are malicious. The virus has installed itself on the system as a Windows service.

    You can use tools like HijackThis and Sysinternals Autoruns to show you the services and processes that start on bootup, and you can remove the malicious ones. These are not auto-scanning tools, they just show you everything that runs on the system. It is up to you to make the determination as to what shouldn't be there.
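    The same kind of review that Autoruns gives can be scripted. The following is an added example, not code from the thread or from any of the tools named above: it walks the installed services, resolves the file that actually carries each service's code, and flags entries whose code is outside System32 or does not carry a valid Authenticode signature.

```powershell
# Added example, not from the original thread: list Windows services whose code lives
# outside %SystemRoot%\System32 or fails Authenticode verification. Uses Get-WmiObject
# and Get-AuthenticodeSignature, both present in the PowerShell 2.0 shipped with Windows 7.
# Run from an elevated PowerShell prompt; review the output by hand, it is not an auto-cleaner.

$system32 = Join-Path $env:SystemRoot 'System32'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted and carry arguments, e.g.
    # C:\Windows\system32\svchost.exe -k netsvcs   or   "C:\Program Files\X\svc.exe" /run
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

function Get-SignatureStatus {
    param([string]$File)
    if (-not (Test-Path -LiteralPath $File)) { return 'FileNotFound' }
    return (Get-AuthenticodeSignature -FilePath $File).Status.ToString()
}

$report = foreach ($svc in Get-WmiObject Win32_Service) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    # A service hosted by svchost.exe runs code from its ServiceDll, so check that file,
    # not the (legitimate, signed) svchost.exe container that merely loads it.
    $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" -ErrorAction SilentlyContinue
    $code = $exe
    if ($params -and $params.ServiceDll) {
        $code = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    }
    New-Object PSObject -Property @{
        Name       = $svc.Name
        StartMode  = $svc.StartMode
        State      = $svc.State
        CodeFile   = $code
        InSystem32 = $code.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        Signature  = Get-SignatureStatus $code
    }
}

# Entries that deserve a manual look: code outside System32, unsigned or tampered, or missing.
$report |
    Where-Object { -not $_.InSystem32 -or $_.Signature -ne 'Valid' } |
    Sort-Object Name |
    Format-Table Name, StartMode, State, Signature, CodeFile -AutoSize
```

    One caveat: on Windows 7 many Microsoft binaries are signed through catalog files rather than an embedded signature, which PowerShell 2.0's Get-AuthenticodeSignature does not consult, so a System32 file reported as NotSigned is a prompt to verify it with Sysinternals sigcheck, not proof of tampering.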

    Expert Comment

    by:Martin Liss
    Here are directions.

    Expert Comment

    MartinLiss, just FYI, your hyperlink is broken.  You simply need to remove the "http://" from the end.

    Expert Comment

    AVG can show many false positives.
    I suggest you scan with another antivirus program to see whether it is a false positive or not.

    Free online scanners:



    Expert Comment

    by:Martin Liss

    Accepted Solution


    It could be a false positive by AVG or not. If it's not, then you should not trust the results of any scan you do within that compromised OS.

    Before you do anything, since the OS is still working, backup all your data.

    You should try booting your system from one of the Live AV discs, bypassing the compromised OS, and doing a full scan.
    I recommend that, on a different system that you're confident is clean, you download and create a Live AV disc, and use that to scan your system.

    - Windows Defender Offline
    - BitDefender Rescue CD
    - Live AntiVirus and Recovery Discs

    Once a system has been compromised, you can never be 100% certain that there isn't something still lurking that the current AV software can't detect yet. e.g. Rootkits, etc.

    So, if you determine that indeed your OS was compromised, I recommend you backup all your data, wipe the hard drive, and:
    1. Do a clean install of the OS
    2. Download new drivers direct from the source


    Author Comment

    Hi experts,

    It's time to catch up :-)

    Thanks for your description. I think you're right. I'm not sure that I can remove those *.exe files. Because when you say "Windows services" I think of Internet Information Server (IIS), and I don't want to make that one unstable ;-)
    By the way, "services.exe" and "svchost.exe" were created, opened, and edited on July 14, 2009. But might that mean that it could install itself there without changing the opening date?

    I've seen the article before I asked this question.
    In the regedit.exe, I don't see those 4 keys they mention.
    When it comes to files, the only file is "C:\Windows\System32\services.exe".
    So I suppose nothing is wrong here.

    I've tried out the two links, but it only gave me further problems.
    Panda reported an update error "Sorry, updating is incomplete due to an error."
    Bitdefender did not find anything, so I installed it, and it gave me the option to remove other virus software at the same time. I removed AVG Free, and after BD was installed, I was not able to start the computer or connect to the internet. I uninstalled BD, and was able to access the Internet again, and I reinstalled AVG and now there is no virus.

    Thanks for your description. I'll keep it for another time, but I don't believe that my OS is infected so much. I've backed up my stuff using Carbonite for the last 4 years I think. Quite happy with the product.

    Thanks for your help!

    Author Closing Comment

    After installing BitDefender (which denied my access to the Internet), I uninstalled BD and re-installed AVG Free. I ran a scan, and AVG says no threats. I'm sure BitDefender is a good program, and that it did what it was supposed to do, but if my internet doesn't work, I can't keep the program on my computer.
