Svchost not in system 32 folder

Discussion in 'Malware Help (A Specialist Will Reply)' started by Icelander, May 24, 2005.

  1. Icelander

    Icelander Private First Class

    I was running a routine scan because my PC had been running slowly lately.
    The scans from the sticky didn't show anything, but I ran HJT and put it through the HJT analyzer website via a link from this site, and it was clean except for the process svchost running from the system folder, not System32 where it should be.
    I opened my process list and found a few svchosts on the list. How could I find out which one is the bugged one, and how should I get rid of it?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This is the legit file below; if this file exists in any other location, delete it.
    C:\WINDOWS\System32\svchost.exe
     
  3. Icelander

    Icelander Private First Class

    That's the thing, it's in C:/WINDOWS/Svchost.exe.
    How do I delete it?
    I did a search for it and found it, but I couldn't delete it. I haven't tried shutting System Restore off and trying again, but I will tomorrow.
    Do you think that will work?
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If that file remains in that location you most likely have some other problems as well. Just in case, I would recommend starting the general cleanup procedures.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: you must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post, as it will be removed.)

    Need help with HJT? See this thread: [FON
     
  5. Icelander

    Icelander Private First Class

    I have already done the sticky; do you want to see the HijackThis log?
     
  6. Icelander

    Icelander Private First Class

    There is also one other problem which might have something to do with the matter.
    AntiVir Guard keeps blocking this StartPage trojan horse; I usually get 3-5 attempts every 2 hours. I'll be back with more information on that after the next block.
     
  7. Icelander

    Icelander Private First Class

    Just going to add one thing: I was fiddling around with HijackThis and found a process manager.

    In it I found the svchost not running from C:\WINDOWS\System32\svchost.exe but from C:\WINDOWS\svchost.exe.

    I tried killing the process but it didn't let me, saying that either it was protected by Windows or it was a service utility of some kind.
    Hoping that it was the first of those, I turned off System Restore and tried again.
    The same happened again, saying that it was protected by Windows or it was a service utility of some kind. :(

    -Icelander
     
  8. AbbySue

    AbbySue MajorGeeks Administrator

    Sorry about that...your statement about having completed the Read Me First in your original post must have been missed. Please go ahead and post your HJT log making sure you follow the info outlined by garrick in post #4.
     
  9. Icelander

    Icelander Private First Class

    Okay... so here it is.

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You have not completed all of the online scans. Please run the online scans below, posting your results.

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    I see you have run TrendMicro; run it again with the others. After you complete these online scans, reboot and post a fresh HJT log.
     
  11. Icelander

    Icelander Private First Class

    Doing the BitDefender one at the moment; estimated time is 3 hours :( so I'm going to go to sleep and run the other scans tomorrow.

    Looking over the files it has disinfected/deleted, it seems that it has gotten rid of the svchost in the wrong place; hope that it deleted it permanently.

    Here is one of the trojans that AntiVir is always blocking:
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8LUJ8DOV\PROTECTOR_UPDATE[1].EXE

    It is the Trojan horse TR/StartPage.nk.8.A

    There are others; I'll keep you updated.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay!

    Will be awaiting full results and fresh HJT log.

    Good Luck!
     
  13. Icelander

    Icelander Private First Class

    I woke up this morning and found that BitDefender had finished. It had tried to disinfect a few viruses and failed on all of them, so it deleted them all. Just to be sure it had deleted the svchost, I ran it again after a reboot. It hadn't. So I decided to try it in Safe Mode, which failed because I couldn't connect to the internet, but I ran all the other scans I have in Safe Mode. Nothing showed up except a little spyware with Ad-Aware and Microsoft AntiSpyware.

    What could cause the svchost to move?

    I'm running the other online scans at the moment.

    (I had accurate info a second ago but pressed a wrong button and went back in the explorer :( )

    RAV found:
    A C:/WINDOWS/System32/kill.exe infected

    Always when I start to scan with TrendMicro it starts an ActiveUpdate; not knowing what it is, I usually cancel it...

    Trend froze a lot while scanning; that never happened before with Trend.
    Trend found:
    Possible virus C:/Programs files/edonkey2000/Plugins/BTplugin.dll (I recognize the file, it is not a virus)

    TrojanScan found: (scanned D: A: C:)
    C:\Documnets and settings\IBM\Cookies\ibm@counter.impressur[2].txt Diagnosis: Trace. Tracking cookie
    C:\Program Files\AVPersonal\INFECTED\A0004638.EXE.VIR
    Diagnosis: Trojan. Win32.StartPage.nk
    C:\Program Files\AVPersonal\INFECTED\ELITEXXG32.EXE.VIR
    Diagnosis: Trojan. Win32.StartPage.nk

    Another trojan always attacking me and blocked by AntiVir is:
    C:\PROGRAM FILES\MICROSOFT ANTISPYWARE\QUARANTINE\1B78AF88-DCEC-460A-8D15-767222\99BCDF3B-5B22-4943-83C5-A400A4

    It is the Trojan horse TR/Dldr.Agent.GD.1

    And another:
    C:\DOCUME~1\IBM\LOCALS~1\TEMP\V7KK3GA01356

    It is the Trojan horse TR/Dldr.Totavel.A.1

    What I read out of this is that my AntiVir is infected and is trying to allow StartPage (could be a virus/spyware/trojan) onto my PC, but it still blocks it.

    Hope this helps

    -icelander :)
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Post a fresh HJT log after you complete all of the scans.
     
  15. Icelander

    Icelander Private First Class

    Okay, here is a fresh HijackThis log.

    What could be causing the svchost to move?

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you familiar with Iceland Telecom?

    Do you have Serv-U FTP Server installed and do you use it?
     
  17. Icelander

    Icelander Private First Class


    No my internet connection is thru simnet, heres a thread: www.simnet.is
    I might be connected to that thru simnet.

    I have no idea what Serv-U FTP server is... when i connect to the internet i use an ITeX PPP connection.

    -icelander :confused:
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Go into Control Panel, look for Serv-U or anything relating to Serv-U FTP Server and uninstall it if found. Afterwards let me know if you found it and attach a fresh HJT log.
     
  19. Icelander

    Icelander Private First Class

    Found nothing in the Control Panel, not even a hint of a connection.

    I am running a search for it at the moment....
    Nothing found.
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, we will do everything manually...post a fresh HJT log and we will go from there.
     
  21. Icelander

    Icelander Private First Class

    Okay, sounds exciting! :cool:

  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)

    Click Start > Run > type services.msc and Click OK

    Locate Serv-U FTP Server (Serv-U) and right-click on it to bring up the Service Properties window.
    First: stop the service by clicking the Stop button.
    Next: disable it by changing the Startup Type to Disabled and click Apply.


    Now, please boot into Safe Mode with the viewing of Hidden Files & Folders enabled.

    Scan with HijackThis and check the boxes for the following:

    Make sure all browser windows are closed when you click FIX.

    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKCU\..\Run: [LDM] \Program\

    O17 - HKLM\System\CCS\Services\Tcpip\..\{10777870-4EEC-4E3A-BE81-96A24204D7E3}: NameServer = 212.30.200.200 212.30.200.199
    O17 - HKLM\System\CS1\Services\Tcpip\..\{10777870-4EEC-4E3A-BE81-96A24204D7E3}: NameServer = 212.30.200.200 212.30.200.199

    O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINDOWS\svchost.exe

    Again, make sure all browser windows are closed when you click FIX.

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Locate Pocket KillBox.

    Now, copy and paste C:\WINDOWS\svchost.exe into the box. If it exists, it will show up in blue. Check the option to Delete on Reboot and click the red X, then Yes to the confirmation message. A message will ask if you want to reboot now; click YES.


    Now allow KillBox to reboot your system; after you have rebooted, post a fresh HJT log.
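    As an added example (not from this thread, MajorGeeks or the HijackThis project), a small Python triage of the two HJT entry types that mattered here: it flags O23 services whose image is an svchost.exe outside System32 (the only legitimate location, per post #2) and O17 NameServer entries that are not in a list of DNS servers you know your ISP uses. The log excerpt is constructed from the entries quoted above; the ExSvc control line and the trusted DNS list are assumptions.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed HijackThis excerpt modelled on the entries quoted in this thread
# (the real attachments are not on the page); the ExSvc line is a made-up benign control.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKCU\..\Run: [LDM] \Program\
O17 - HKLM\System\CCS\Services\Tcpip\..\{10777870-4EEC-4E3A-BE81-96A24204D7E3}: NameServer = 212.30.200.200 212.30.200.199
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Example Service (ExSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe -k netsvcs
"""

# The only directory a genuine svchost.exe is loaded from on this system (post #2).
LEGIT_SVCHOST_DIR = PureWindowsPath(r"C:\WINDOWS\System32")

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?(\s|$)', re.IGNORECASE)  # image path before any -k args


def svchost_out_of_place(command: str) -> bool:
    """True if the service command names svchost.exe anywhere other than System32 (case-insensitive)."""
    m = EXE_RE.match(command.strip())
    if not m:
        return False
    exe = PureWindowsPath(m["exe"])
    return exe.name.lower() == "svchost.exe" and exe.parent != LEGIT_SVCHOST_DIR


def triage_hjt(log_text: str, trusted_dns: frozenset[str] = frozenset()) -> list[tuple[str, str]]:
    """Return (log line, reason) pairs for the O23 and O17 patterns seen in this thread."""
    findings: list[tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O23_RE.match(line)) and svchost_out_of_place(m["path"]):
            findings.append((line, f"service {m['name']!r} runs svchost.exe outside System32"))
        elif (m := O17_RE.match(line)):
            unknown = sorted(set(m["servers"].split()) - trusted_dns)
            if unknown:  # resolvers the ISP never handed out: confirm with the ISP before keeping them
                findings.append((line, f"unexpected NameServer entries: {', '.join(unknown)}"))
    return findings


if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{reason}\n    {line}")
```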
     
  23. Icelander

    Icelander Private First Class

    How do I locate the Serv-U? I tried all I knew earlier with no progress..
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What do you mean... the file or the service?
     
  25. Icelander

    Icelander Private First Class

     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do exactly as it says to do.

    Click Start > Run > type services.msc and Click OK

    This will open the services!

    In the list of services, locate Serv-U FTP Server (Serv-U).


    Run Killbox while still in safe mode, read closely!
     
  27. Icelander

    Icelander Private First Class

    OK, I'm going to go to sleep and work on it tomorrow.
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's best to get it over with now, because if you leave it running or reboot, it could mutate and get worse, making it more difficult to remove.

    Will be awaiting your new results and log.
     
  29. Icelander

    Icelander Private First Class

    Sorry, I had already gone to sleep.

    I am going to run it now.
     
  30. Icelander

    Icelander Private First Class

    Okay..

    Did all you told me to do.

    I ran HJT in Safe Mode and got rid of:
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKCU\..\Run: [LDM] \Program\

    But the others weren't on the list; first I thought that it had something to do with the fact that I wasn't connected to the internet.
    I tried connecting with my ITeX PPP connection, but it wouldn't open to let me connect.

    I ran the KillBox as asked.

    Everything seems to be fine. I ran HJT again in normal mode with the internet on
    and looked over the log.

    I found:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{10777870-4EEC-4E3A-BE81-96A24204D7E3}: NameServer = 212.30.200.200 212.30.200.199
    O17 - HKLM\System\CS1\Services\Tcpip\..\{10777870-4EEC-4E3A-BE81-96A24204D7E3}: NameServer = 212.30.200.200 212.30.200.199

    But didn't find:
    O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINDOWS\svchost.exe

    I guess that is because I shut down the Serv-U before I ran the HJT scan in Safe Mode.

    It seems that my problem is solved, thank you :)

    -Icelander
     
  31. Icelander

    Icelander Private First Class

    Sorry, forgot to post a HJT log.

  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reboot into Safe Mode and have HJT fix the below entry:

    O4 - HKCU\..\Run: [LDM] \Program\

    Afterwards reboot and tell me how things are running.

    Are you having any further problems?
     
  33. Icelander

    Icelander Private First Class

    OK, did that.

    Things are running fine.
    One thing though, I keep logging in and out of MSN. Could be nothing, could be something.

    It seems that the C:/WINDOWS/Svchost.exe is gone so I'm pretty happy :D

    Do you want a new HJT log anyway?
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just to confirm you're clean, you can attach a fresh HJT log. That's probably just MSN; mine does that from time to time.

    If you want it addressed you can post it in the Software Forum.
     
  35. Icelander

    Icelander Private First Class

    Here is a new HJT log.

    I looked over it and saw this:
    O4 - HKCU\..\Run: [LDM] \Program\
    still there...

  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I think that entry is related to the Logitech Desktop Messenger. Do you have Logitech Desktop Messenger installed?
     
  37. Icelander

    Icelander Private First Class

    Yes, I do.
     
  38. Icelander

    Icelander Private First Class

    So am I clean? :)
     
  39. Icelander

    Icelander Private First Class

    Just wondering... what is this:

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
     
  40. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Then that entry is OK!
    If you're not having any further problems, yes!
    Just a plugin for IE; it's safe!

    Are you having any further problems?
     
  41. Icelander

    Icelander Private First Class

    No, thank you for everything.

    It's well appreciated!
     
  42. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert
