Removing a Trojan horse in Windows 7

Dear experts,

In AVG, I continually get a popup on my screen that a threat (dropper.generic_c.MMI) is detected in c:\windows\system32\services.exe. My only option in the popup is to "show details":

Processname: C:\Windows\System32\svchost.exe
Process-ID: 732
...or ignore the threat.

AVG tells me that services.exe is a whitelisted file and should not be removed. Here is some more information:

I've googled the net to find out more, and read that it should be dangerous, but I don't feel like I experience those symptoms. I don't see changed homepages, or programs shut down. I don't see those keys in my regedit either, so I think my computer isn't that much infected. (Reference:

But what can I do to remove this, and how do I do it?
Is it safe to remove services.exe?

Thanks in advance!

It could be a false positive by AVG or not. If it's not, then you should not trust the results of any scan you do within that compromised OS.

Before you do anything, since the OS is still working, backup all your data.

You should try booting your system from one of the Live AV discs, bypassing the compromised OS, and doing a full scan.
I recommend that, on a different system that you're confident is clean, you download and create a Live AV disc, and use that to scan your system.

- Windows Defender Offline
- BitDefender Rescue CD
- Live AntiVirus and Recovery Discs

Once a system has been compromised, you can never be 100% certain that there isn't something still lurking that the current AV software can't detect yet. e.g. Rootkits, etc.

So, if you determine that indeed your OS was compromised, I recommend you backup all your data, wipe the hard drive, and:
1. Do a clean install of the OS
2. Download new drivers direct from the source

Svchost.exe and Services.exe are Windows system files, but they operate as containers for Windows Services. That's why you see so much confusion as to whether or not they are malicious. The virus has installed itself on the system as a Windows service.

You can use tools like HijackThis and Sysinternals Autoruns to show you the services and processes that start on bootup, and you can remove the malicious ones. These are not auto-scanning tools, they just show you everything that runs on the system. It is up to you to make the determination as to what shouldn't be there.
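The check the answer above describes, as an added example that is not part of the original thread: it verifies the two binaries AVG flagged and then enumerates the registered services, resolving the real executable (or, for svchost-hosted services, the ServiceDll) so that something planted as a service can be told apart from the legitimate containers. It is written for the PowerShell 2.0 that ships with Windows 7 (so no Get-FileHash or [pscustomobject]), assumes an elevated prompt, and, as the answer says, is only as trustworthy as the OS it runs in. One caveat a practitioner should know: most Windows 7 system files are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature reports NotSigned for them on this version; sfc /verifyonly and Sysinternals sigcheck -c check the catalogs properly, and the filter below is written with that in mind.

```powershell
# Added example, not part of the original thread. Triage the files AVG flagged and
# list the services that actually run inside services.exe / svchost.exe.
# Assumes Windows 7 / PowerShell 2.0 and an elevated prompt.

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash does not exist on PowerShell 2.0, so hash with .NET directly.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# 1. Are the flagged binaries still the Microsoft originals?
#    'Valid' or 'NotSigned' (catalog-signed) plus a hash that matches a known-good
#    copy is normal; 'HashMismatch', or a signer other than Microsoft, is the red flag.
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($name in 'services.exe', 'svchost.exe') {
    $path   = Join-Path $sys32 $name
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        File      = $path
        SigStatus = $sig.Status
        Signer    = $signer
        SHA256    = Get-Sha256Hex $path
    }
}

# 2. Every service whose binary (or ServiceDll) lives outside the Windows directory,
#    or whose embedded signature no longer matches the file. Malware that registers
#    itself as a service shows up here; so do legitimate third-party services
#    (AV products, backup agents), so each hit still needs a human decision.
$suspects = foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $imagePath = $key.GetValue('ImagePath')
    if (-not $imagePath) { continue }

    # ImagePath may be quoted, carry arguments, or use the \SystemRoot\ and \??\ forms.
    $raw = [Environment]::ExpandEnvironmentVariables($imagePath)
    if ($raw -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($raw -split '\s+')[0] }
    $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot
    $exe = $exe -replace '^\\\?\?\\', ''
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

    # For svchost-hosted services the interesting file is Parameters\ServiceDll.
    $target = $exe
    try {
        $params = $key.OpenSubKey('Parameters')
        if ($params) {
            $dll = $params.GetValue('ServiceDll')
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
                if (Test-Path -LiteralPath $dll -PathType Leaf) { $target = $dll }
            }
        }
    } catch { }

    $sig       = Get-AuthenticodeSignature -FilePath $target
    $inWindows = $target -like "$env:SystemRoot\*"
    if ($inWindows -and $sig.Status -ne 'HashMismatch') { continue }

    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Service   = $key.PSChildName
        Start     = $key.GetValue('Start')   # 2 = automatic, 3 = manual, 4 = disabled
        Binary    = $target
        SigStatus = $sig.Status
        Signer    = $signer
    }
}
$suspects | Sort-Object Binary | Format-Table Service, Start, Binary, SigStatus, Signer -AutoSize
```

Because the second pass deliberately skips catalog-signed files inside the Windows directory, a replaced services.exe that sits in System32 with no signature at all would not appear in the service list; that case is what the hash in the first pass is for, compared against a copy from a machine known to be clean. Anything the script lists with an automatic start type and a binary under a user profile, Temp or ProgramData path is the kind of entry Autoruns would also highlight and that the answer says to remove.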
Martin Liss commented:
Here are directions.

MartinLiss, just FYI, your hyperlink is broken. You simply need to remove the "http://" from the end.
AVG can show many false positives.
I suggest you scan with another antivirus software to see if it is false or not.

Free online scanners:


DanishCoder (Author) commented:
Hi experts,

It's time to catch up :-)

Thanks for your description. I think you're right. I'm not sure that I can remove those *.exe files. Because when you say "Windows services" I think of Internet Information Server (IIS), and I don't want to make that one unstable ;-)
By the way, "services.exe" and "svchost.exe" were created, opened, and edited on July 14, 2009. But might that mean that it could install itself there without changing the opening date?

I've seen the article before I asked this question.
In the regedit.exe, I don't see those 4 keys they mention.
When it comes to files, the only file is "C:\Windows\System32\services.exe".
So I supposed nothing is wrong here.

I've tried out the two links, but it only gave me further problems.
Panda reported an update error "Sorry, updating is incomplete due to an error."
Bitdefender did not find anything, so I installed it, and it gave me the option to remove other virus software at the same time. I removed AVG Free, and after BD was installed, I was not able to start the computer or connect to the internet. I uninstalled BD, and was able to access the Internet again, and I reinstalled AVG and now there is no virus.

Thanks for your description. I'll keep it for another time, but I don't believe that my OS is infected so much. I've backed-up my stuff using Carbonite for the last 4 years I think. Quite happy with the product.

Thanks for your help!
DanishCoder (Author) commented:
After installing BitDefender (which denied my access to the Internet), I uninstalled BD and re-installed AVG Free. I run a scan, and AVG says no threats. I'm sure BitDefender is a good program, and that it did what it was supposed to do, but if my internet doesn't work, I can't keep the program on my computer.