My laptop recently got infected with the mIRC backdoor flood. I eventually found where it had located itself on my computer: it was at C:\Windows\system32\softreg\svchost.exe. I deleted it using the Gipo Utilities file remover on boot, and the flood of pop-ups has stopped, but now I am getting an error message at start-up which says "Cannot find the file svchost.exe". Is this a Windows file? What should I do next? Any help would be most welcome.
A description of Svchost.exe in Windows XP Pro

INTRODUCTION
This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).

MORE INFORMATION
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.

Read more here: http://support.microsoft.com/?kbid=314056

Description of Svchost.exe in Windows 2000
Article ID: 250320. Last Review: November 1, 2006. Revision: 3.2. This article was previously published under Q250320. For a Microsoft Windows XP version of this article, see 314056 (http://support.microsoft.com/kb/314056/EN-US/).

SUMMARY
Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging. Svchost.exe groups are identified in the following registry key:

Read more here: http://support.microsoft.com/kb/q250320/

More info: "Svchost.exe" (Generic Host Process for Win32 Services) is an integral part of the Windows OS. It cannot be stopped or restarted manually. It manages 32-bit DLLs and other services. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. In normal conditions multiple instances of Svchost.exe run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

Note: The svchost.exe file is located in the folder C:\Windows\System32. In other cases, svchost.exe is a virus, spyware, trojan or worm! Check this with Security Task Manager.

Viruses with the same name:
Symantec Security Response - W32.Welchia.Worm
Symantec Security Response - W32.Assarm@mm
McAfee - W32/Jeefo

Read more here: http://www.neuber.com/taskmanager/process/svchost.exe.html
It's very likely that not only the svchost file but also csrss.exe have been replaced with malware. It's possible to replace them with known good versions, but that doesn't always cure the infection.
I would recommend running full and up-to-date virus and anti-spyware scans. These should pick out the virus(es), spyware and other malware on your computer. You can use the Windows XP CD to replace the svchost file that is currently on your computer with its original. This should help the clean up process but as janrocks said it doesn't always cure the infection.
Thanks for that, guys. I went into windows\system32\softreg\svchost.exe and deleted it; the mIRC backdoor flood virus was there even though Norton had come up clean after a full scan (I had done a virus check with Norton with the latest updates). I think my computer is OK now apart from the missing svchost.exe file, which I must have deleted along with the virus, as I keep getting the message at start-up "cannot find the file svchost.exe" and then one that says if this file is not present on your computer then remove the reference to it from the registry. I didn't get a recovery disc with my computer, but a recovery partition, which appears to be locked. Does anyone know if there is a place where I can download that file (svchost.exe) from? I really appreciate you guys giving me your time like this. Thanks a million!
Are we talking Windows XP? Svchost.exe should be in the windows\system32 directory only. If you're using that laptop right now you have to have that file in there, because XP simply will not work without it. Unhide all files and search your C: drive for it. A copy of it may also be in the service pack files folder. The only reason I can think of for you getting an error is that something is telling the OS to look in the wrong folder, system32\softreg, for it. You may have to recreate that folder and put a copy in, but I think the one in windows\softreg you had was bogus. If you cannot find svchost.exe anywhere, anybody can email it to you; it's only 14K in size. If you do find it, post the version number, which should be 5.1.2600.2180. A system restore to a point before you killed that file, then saving a copy in another folder, may help. You may get the virus back, but I really don't think it's completely gone yet; reason for the error. Then you can work on another method to kill the virus. Have to love computers that don't come with real discs. What happens if the drive fails and the recovery partition is damaged? Then what? There should / may be a key you have to hit when booting up to tell the computer to load / fix the OS from the recovery partition. Check out your user manual or go to the manufacturer's web site and find one there.
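The check described in the reply above (the real svchost.exe lives only in %SystemRoot%\System32, and the start-up error comes from some autostart or service entry still pointing at the deleted copy in system32\softreg) written out as a PowerShell script. This is an added example, not something posted in the thread; it assumes a current PowerShell with Get-CimInstance available (which the XP machine in the thread would not have), and the registry paths it inspects are the standard Run/RunOnce keys and the Services key, not anything the thread names.

```powershell
# Added example (not from the thread): find svchost.exe copies and references
# that live outside %SystemRoot%\System32 (or SysWOW64 on 64-bit Windows).
$legit = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')   # only exists on 64-bit Windows
) | Where-Object { Test-Path $_ }

# Regex matching either legitimate path; used for ImagePath/Run values below.
$legitPattern = '(%SystemRoot%|\\Windows)\\(System32|SysWOW64)\\svchost\.exe'

# 1. Running processes: any svchost.exe whose image is not one of the legitimate
#    copies is suspect. Child of something other than services.exe is also odd.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $path = $_.ExecutablePath
    $parent = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)").Name
    [pscustomobject]@{
        PID    = $_.ProcessId
        Parent = $parent
        Path   = $path
        Status = if ($path -and ($legit -contains $path)) { 'ok' } else { 'SUSPECT' }
    }
} | Format-Table -AutoSize

# 2. The genuine file's version; the thread cites 5.1.2600.2180 for XP SP2.
foreach ($f in $legit) {
    (Get-Item $f).VersionInfo | Select-Object FileName, FileVersion, CompanyName
}

# 3. Autostart entries referencing a svchost.exe somewhere else, e.g. the
#    thread's C:\Windows\System32\softreg\svchost.exe. After the file is deleted,
#    such an entry is what produces "cannot find the file svchost.exe" at boot.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
        if ("$($p.Value)" -match 'svchost\.exe' -and "$($p.Value)" -notmatch $legitPattern) {
            "SUSPECT autostart: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 4. Services whose ImagePath launches svchost.exe from a non-standard folder.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match 'svchost\.exe' -and $img -notmatch $legitPattern) {
        "SUSPECT service: $($_.PSChildName) ImagePath = $img"
    }
}
```

Run it from an elevated PowerShell. Anything printed as SUSPECT in steps 3 and 4 is the registry reference the start-up error message is asking you to remove; a legitimate svchost.exe is always launched by services.exe with a `-k <group>` argument, so a svchost.exe whose parent is explorer.exe or another svchost.exe deserves a look even if its path is right.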
Hi the_goat, That could be a false positive, but upload your svchost.exe here: http://virusscan.jotti.org/ Post me the log
Thanks BKF and all who helped me out with this problem. I think the problem may be sorted out. When I got the virus my Norton AV didn't show it up, so I went into C:\Windows\system32\softreg\svchost.exe and I could see the mIRC logo, so I used Gipo Utilities Remove on Boot to delete it. This handy little tool will remove a file while your computer is booting, so it works even on files that are constantly reading to the HD to prevent deletion. I have since learned that some viruses can be named svchost.exe and I am thinking that this is what I deleted, because my computer was working fine after I deleted it. I took your advice, BKF, and looked up my user manual, and I found that by pressing F11 on my keyboard I was able to recover my machine to factory settings; I had backups of all my licences and software. My computer is running very sweetly now, so a big thanks to all of you. AFTERDAWN IS THE BEST ON THE NET!
Hi RAV 009, thanks for the link. I am hoping that by restoring to factory settings all will be sorted. I will post again in a week. Thanks again.
Hi the_goat, since you've restored to factory settings there's no need any more. But if you want to, you can.
Hi all, my machine seems to be running very sweetly now, all thanks to you guys. Have a great new year, everybody.
I have exactly the same problem, and I'm not willing to do a system restore. Can anybody tell me how to locate and fix that registry entry?
It APPEARS that I have found the answer: http://www.geekstogo.com/forum/lofiversion/index.php/t141828.html. I can't be certain yet, but the advice in that thread is worth following regardless. AVGas found four malicious files on my computer, probably all from the same infection, but still: Norton didn't find anything.