• Status: Solved

Removing a Trojan horse in Windows 7

Dear experts,

In AVG, I continually get a popup on my screen that a threat (dropper.generic_c.MMI) is detected in c:\windows\system32\services.exe. My only option in the popup is to "show details":

Processname: C:\Windows\System32\svchost.exe
Process-ID: 732
...or ignore the threat.

AVG tells me that services.exe is a whitelisted file and should not be removed. Here is some more information: http://goo.gl/GiJbY

I've googled the net to find out more, and read that it should be dangerous, but I don't feel like I experience those symptoms. I don't see changed homepages, or programs shut down. I don't see those keys in my regedit either, so I think my computer isn't that much infected. (Reference: http://goo.gl/qWiC4)

But what can I do to remove this, and how do I do it?
Is it safe to remove services.exe?

Thanks in advance!
DanishCoder
 
Frosty555 commented:
Svchost.exe and Services.exe are Windows system files, but they operate as containers for Windows services. That's why you see so much confusion as to whether or not they are malicious. The virus has installed itself on the system as a Windows service.

You can use tools like HijackThis and Sysinternals Autoruns to show you the services and processes that start on bootup, and you can remove the malicious ones. These are not auto-scanning tools, they just show you everything that runs on the system. It is up to you to make the determination as to what shouldn't be there.
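One way to do the kind of review Frosty555 describes, as an added example that is not from the thread or from any of the tools it names: a PowerShell script (assumes Windows PowerShell 3.0 or later, run from an elevated prompt) that lists every service, resolves the binary that actually runs it, including the ServiceDll behind each svchost.exe group, and flags images that are unsigned or located outside the Windows directory.

```powershell
# Added example (not from the original thread): enumerate Windows services,
# resolve the image that really runs each one (the service EXE, or the
# ServiceDll loaded into an svchost.exe group), and flag anything that is
# not Authenticode-signed or that lives outside the Windows directory.
# Assumes Windows PowerShell 3.0+ and an elevated prompt.

$windir = $env:SystemRoot   # e.g. C:\Windows

function Resolve-ServiceImage {
    param($Service)   # a Win32_Service instance

    # PathName looks like:  C:\Windows\system32\svchost.exe -k netsvcs
    # or:                   "C:\Program Files\Vendor\agent.exe" -flag
    $cmd = $Service.PathName
    if (-not $cmd) { return '' }
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($cmd -split ' -| /')[0].Trim() }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # svchost.exe is only a container: the real code is the ServiceDll
    # named under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters
    if ((Split-Path $exe -Leaf) -ieq 'svchost.exe') {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    }
    return $exe
}

$report = foreach ($svc in Get-CimInstance Win32_Service) {
    $image  = Resolve-ServiceImage $svc
    $exists = $image -and (Test-Path -LiteralPath $image)
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'FileMissing' }
    [pscustomobject]@{
        Service   = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Image     = $image
        Signature = $sig
        # An unsigned image outside %SystemRoot% deserves the closest look
        InWindows = $image.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
    }
}

# Suspicious subset first; review the full $report afterwards
$report | Where-Object { $_.Signature -ne 'Valid' -or -not $_.InWindows } |
    Sort-Object Signature, Image | Format-Table -AutoSize
```

Many Microsoft binaries are catalog-signed rather than carrying an embedded signature, so a NotSigned result on a file under System32 is a prompt to verify it with a catalog-aware tool such as Sysinternals sigcheck, not proof of tampering. A service whose image sits outside the Windows or Program Files trees, or whose file is missing, is the entry to compare against a known-good machine before removing it.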
 
Martin Liss (Retired Programmer) commented:
Here are directions.
 
Run5k commented:
MartinLiss, just FYI, your hyperlink is broken. You simply need to remove the "http://" from the end.
 
Michael-Best commented:
AVG can show many false positives.
I suggest you scan with another antivirus program to see whether it is a false positive or not.

Free online scanners:

Panda:
http://www.pandasecurity.com/homeusers/solutions/activescan/

Bitdefender:
http://www.bitdefender.com/scanner/online/free.html
 
 
RootsMan commented:
@DanishCoder,

It could be a false positive by AVG or not. If it's not, then you should not trust the results of any scan you do within that compromised OS.

Before you do anything, since the OS is still working, back up all your data.

You should try booting your system from one of the Live AV discs, bypassing the compromised OS, and doing a full scan.
I recommend that, on a different system that you're confident is clean, you download and create a Live AV disc, and use that to scan your system.

Try:
- Windows Defender Offline
- BitDefender Rescue CD
- Live AntiVirus and Recovery Discs

Once a system has been compromised, you can never be 100% certain that there isn't something still lurking that the current AV software can't detect yet. e.g. Rootkits, etc.

So, if you determine that your OS was indeed compromised, I recommend you back up all your data, wipe the hard drive, and:
1. Do a clean install of the OS
2. Download new drivers direct from the source

 
DanishCoder (Author) commented:
Hi experts,

It's time to catch up :-)

@Frosty555
Thanks for your description. I think you're right. I'm not sure that I can remove those *.exe files, because when you say "Windows services" I think of Internet Information Server (IIS), and I don't want to make that one unstable ;-)
By the way, "services.exe" and "svchost.exe" were created, opened, and edited on July 14, 2009. But might that mean that it could install itself there without changing the opening date?

@MartinLiss
I had seen the article before I asked this question.
In regedit.exe, I don't see those 4 keys they mention.
When it comes to files, the only file is "C:\Windows\System32\services.exe".
So I suppose nothing is wrong here.

@Michael-Best
I've tried out the two links, but they only gave me further problems.
Panda reported an update error "Sorry, updating is incomplete due to an error."
Bitdefender did not find anything, so I installed it, and it gave me the option to remove other virus software at the same time. I removed AVG Free, and after BD was installed, I was not able to start the computer or connect to the internet. I uninstalled BD, and was able to access the Internet again, and I reinstalled AVG and now there is no virus.

@RootsMan
Thanks for your description. I'll keep it for another time, but I don't believe that my OS is infected that badly. I've backed up my stuff using Carbonite for the last 4 years, I think. Quite happy with the product.

Thanks for your help!
DC
 
DanishCoder (Author) commented:
CONCLUSION:
After installing BitDefender (which denied me access to the Internet), I uninstalled BD and re-installed AVG Free. I ran a scan, and AVG says no threats. I'm sure BitDefender is a good program, and that it did what it was supposed to do, but if my internet doesn't work, I can't keep the program on my computer.