Removing the svchost.exe virus from a Windows system

How to remove the svchost.exe virus? Virus infection of the SVCHOST.EXE process is a very common occurrence. The reason is that Windows runs several svchost.exe processes at the same time for different purposes, so it is convenient for a virus to get lost among them and stay resident. Symptoms usually include heavy or full load on the computer, and the network and Internet may stop working. Seeing many svchost.exe processes in Task Manager does not by itself mean that you have a virus.

Windows uses this process for many things, such as updating the OS. A sign that raises suspicion of the presence of a virus is an active svchost.exe process launched by the user. If you see this process running not from NETWORK SERVICE, LOCAL SERVICE or SYSTEM, but from your account, then there is probably a Trojan on the computer.

Unfortunately, the actions of such viruses sometimes lead to severe damage to the system. This problem can be solved in two ways. Either full or by restoring the registry. We will describe simple recommendations that will answer the question “How to remove a Trojan virus from svchost.exe?” Note that before scanning with an antivirus, you need to disconnect from the Internet and local network, that is, unplug the cable from the network card. Connect the USB drives you use.

  1. So, the first thing we can recommend is to install a good antivirus. Not all virus removal programs are suitable for scanning. But there are several software solutions that should help in the fight against the virus embedded in SVCHOST.EXE.
  2. Disable the System Restore service (relevant for Windows XP). It's done like this: right-click on My Computer -> Properties -> System Restore tab -> check the box Disable system restore on all drives. This is done so that the svchost.exe virus does not return after treatment.
  3. Check startup. Click Start -> Run (for Win 7 the command line is immediately available) -> enter “msconfig”. The startup list should not contain svchost.exe files.
  4. Download CureIT - http://www.freedrweb.com/cureit and check all logical drives and flash drives in Windows safe mode.

In principle, instead of downloading CureIT you can use any high-quality antivirus with updated signatures, but it’s better to play it safe and check everything in two different ways. After checking, you may need to restore the Windows registry keys. If something doesn't work out, you can always call

The svchost system file quite often becomes a target for hacker attacks. Moreover, virus writers disguise their malware under its software “appearance.” One of the most prominent representatives of the “false svchost” viruses is Win32.HLLP.Neshta (Dr.Web classification).

This “impostor” copies itself to a Windows directory, infects files with the “exe” extension and takes away system resources (RAM, Internet traffic). However, it is capable of other nasty things. There are known cases of infection in which the svchost virus loads the computer's RAM by 98-100%, disconnects the Internet channel, and disrupts the functioning of the local network.

svchost files - good and evil, or who is who

The whole difficulty of neutralizing viruses of this type is that there is a risk of damaging/deleting a trusted Windows file with the same name. And without it, the OS will not work; you will have to reinstall it. Therefore, before we begin the cleaning procedure, let’s get acquainted with the special signs of a trusted file and a “stranger”.

True Process

Manages system functions that are launched from dynamic libraries (.DLLs): checks and loads them. Listens to network ports and transmits data through them. In fact, it is a Windows utility application. Located in the C:\Windows\System32 directory. In OS versions XP/7/8, in 76% of cases it has a size of 20,992 bytes. But there are other options. You can find out more about them on the recognition resource filecheck.ru/process/svchost.exe.html (link - “29 more options”).

Runs under one of the following accounts (shown in the Task Manager “User name” column):

  • SYSTEM;
  • LOCAL SERVICE;
  • NETWORK SERVICE.

Hacker fake

May be located in the following directories:

  • C:\Windows
  • C:\My Documents
  • C:\Program Files
  • C:\Windows\System32\drivers
  • C:\Program Files\Common Files

In addition to alternative directories, hackers use almost identical names, similar to the system process, to disguise the virus.

For example:

  • svch0st (digit “zero” instead of letter “o”);
  • svrhost (instead of “c” the letter “r”);
  • svhost (no "c").

There are countless versions of the “free interpretation” of the name. Therefore, it is necessary to pay special attention when analyzing existing processes.

Attention! The virus may have a different extension (other than exe). For example, “com” (Neshta virus).

So, knowing the enemy (the virus!) by sight, you can safely begin to destroy it.

Method number 1: cleaning with Comodo Cleaning Essentials utility

Cleaning Essentials is an antivirus scanner. Used as an alternative system cleaning software. It comes with two utilities for detecting and monitoring Windows objects (files and registry keys).

Where to download and how to install?

1. Open comodo.com (the official website of the manufacturer) in your browser.

Advice! It is better to download the utility distribution package on a “healthy” computer (if possible), and then run it from a USB flash drive or CD.

2. On the main page, hover over the “Small & Medium Business” section. In the submenu that opens, select the Comodo Cleaning Essentials program.

3. In the download block, in the drop-down menu, select the bitness of your OS (32 or 64 bit).

Advice! The bit depth can be found through the system menu: open “Start” → enter “System Information” in the line → click on the utility with the same name in the “Programs” list → look at the “Type” line.

4. Click the “Free Download” button. Wait until the download completes.

5. Unpack the downloaded archive: right-click on the file → “Extract all...”.

6. Open the unpacked folder and double-click on the “CCE” file with the left button.

How to configure and clean the OS?

1. Select “Custom scan” mode.

2. Wait a little while the utility updates its signature databases.

3. In the scanning settings window, check the box next to drive C. And also enable checking of all additional elements (“Memory”, “Critical Areas..”, etc.).

4. Click "Scan".

5. Upon completion of the scan, allow the antivirus to remove the detected impostor virus and other dangerous objects.

Note. In addition to Comodo Cleaning Essentials, you can use other similar antivirus utilities to clean your PC. For example, Dr. Web CureIt!.

Helper utilities

The Cleaning Essentials treatment package includes two auxiliary tools designed for real-time system monitoring and manual malware detection. They can be used if the virus cannot be neutralized during the automatic scanning process.

Autorun Analyzer is an application for quick and convenient work with registry keys, files and services. It determines the location of the selected object and, if necessary, can delete or copy it.

To automatically search for svchost.exe files, in the “File” section, select “Find” and specify the file name. Analyze the found processes, guided by the properties described above (see “Hacker fake”). If necessary, remove suspicious objects through the utility's context menu.

KillSwitch monitors running processes, network connections, physical memory and CPU load. To catch a fake svchost using KillSwitch, follow these steps:

  1. On the System tab, open the Processes section.
  2. Analyze all activated svchost processes:
    • right click on the file;
    • select "Properties";
    • look at its current directory. If it is different from C:\Windows\system32\, it is most likely that the object being examined is a virus.

If malware is detected:

  1. Additionally, look at the “Rating” column (safe) and the signature in its field.
  2. If these properties also do not correspond to the characteristics of the trusted system file, activate the context menu again (right-click). And then run the “Suspend” and “Delete” functions in sequence.
  3. Continue checking, the virus may have created and launched copies of itself. It is also imperative to get rid of them!

Method No. 2: using system functions

Checking startup

  1. Click "Start".
  2. Type msconfig in the search bar and press Enter.
  3. In the System Configuration window, go to the Startup tab.
  4. View the commands (the “Command” column) that launch elements when Windows starts, and their location (directories, registry keys in the “Location” column):
    • Disable all directives containing svchost (click the checkbox next to the entry). This is 100% a virus. The system process of the same name is never registered in startup.
    • Open the malware directory (listed in “Location”) and delete it. To neutralize a key in the registry, use the standard regedit editor: “Win + R” → regedit → Enter.

Analysis of active processes

  1. Press "Ctrl + Alt + Del".
  2. Click on the “Processes” tab.
  3. Check the properties of all active svchosts (name, extension, size, location). When analyzing, rely on the data from the filecheck.ru service and the characteristics given in this article.

Right-click on the image name. From the menu, select Properties.

If a virus is detected:

  • in the properties of the object, find out its location (copy or remember);
  • click “End process”;
  • go to the malware directory and remove it using the standard function (right-click → Delete).

If it is difficult to determine: trusted or virus?

Sometimes it is difficult to say for sure whether svchost is real or fake. In such a situation, it is recommended to carry out additional detection using the free online scanner Virustotal. This service uses 50-55 antiviruses to scan an object for viruses.

  1. Open virustotal.com in your browser.
  2. Click Select File.
  3. In Windows Explorer, open the directory of the process you want to check, select it by clicking, and then click “Open”.
  4. To start scanning, click “Check!” The file will be uploaded from the PC to the service and scanning will begin automatically.
  5. Review the test results. If most antivirus programs detect an object as a virus, it must be removed.

It’s no secret to any Windows user that when the computer freezes or slows down, the first thing to do is look at “Task Manager” in order to end the processes that are weighing down the system. The task, let’s say, is for first-graders: we have done it before and know what is there and how it works. However, looking once again into the notorious Task Manager, many users notice to their surprise, almost for the first time, that the svchost.exe process is overloading the central processor and, attention, is displayed not in one line but in 4 at once, or even more:

Well, think for yourself, what other reaction could there be at this moment, other than panic at the thought that a virus has settled on your favorite PC? In my memory, there has never been a time when system processes were duplicated in the “Task Manager”! However, before looking in horror for a solution on how to quickly remove svchost.exe from your computer, you need to figure out whether it is actually a virus or not.

Step No. 1: Detecting viruses

Perhaps it’s worth noting right away that the svchost.exe process itself does not pose any threat to Windows, no matter how strange it may seem. In fact, it is designed to run the services built into the system and various programs that use special DLL libraries in their work. However, since there are often quite a lot of such system services on a computer, executing them all in one process can be very difficult. This is why svchost.exe is often launched several times, with each instance servicing individual Windows services.

It is clear that deleting such processes does not make any sense, since to disable them it will be enough to simply restart the computer. At the same time, completely deleting the svchost.exe system file can lead to malfunctions in Windows, the appearance of all sorts of errors and other problems with Windows. That’s why, having found a whole fan of svchost.exe in the “Task Manager”, there is no need to rush to say goodbye to it right away: everything can be much simpler.

However, you shouldn’t relax in this case either. The fact is that viruses often disguise themselves as svchost.exe, bringing with them very unpleasant gifts in the form of:

  • random exit of the computer from sleep mode;
  • a system error appears when launching applications, opening a disk drive, or reading a disk;
  • automatic reboot of Windows;
  • turning off the computer for no reason;
  • PC slowdown due to CPU load of more than 90%;
  • spontaneous opening of applications, etc.

The question arises, how can you determine in this case where the virus is and where the normal system process svchost.exe is? The answer is simple - take a closer look at it.

So, the first sign that svchost.exe is a virus will be the execution of this process on behalf of the user (normally it is launched on behalf of LOCAL SERVICE, SYSTEM (system) or NETWORK SERVICE). To determine this, just press Ctrl+Shift+Esc on your keyboard at the same time, thereby calling up the “Task Manager”, then select the “Processes” tab in the window that opens and, finally, look at the data indicated in the “User” column for the process svchost.exe:

I note that for the same purpose, if you wish, you can use a special program Process Explorer, which displays complete information about all processes running on the computer, including svchost.exe:

At the same time, the location of such a file can help determine whether there is a threat from svchost.exe. Remember: normally it is stored only in one of 4 folders located on the hard drive, namely in the directory:

  • WINDOWS\Prefetch
  • WINDOWS\ServicePackFiles\i386
  • WINDOWS\system32
  • WINDOWS\winsxs

Accordingly, if svchost.exe is located in some other place, for example, separately in the WINDOWS folder, rest assured: this is a real virus. At the same time, the “Task Manager” can again help you check whether this is actually the case. In this case, after starting it, you will need to right-click on the line with the process name svchost.exe, select the “Properties” item in the menu that opens, and then pay attention to the “Location” field:

In addition, the name of the process itself can be a clue. Thus, any deviations from the spelling of svchost.exe in the image name can be safely regarded as a hidden virus threat. Therefore, if you see in the “Task Manager” processes such as svhost.exe, svehost.exe, svxhost.exe, svchos1.exe, svchest.exe, svch0st.exe and other misspelled values, you can safely delete them: these are viruses.
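The three checks from this step (account, image location, spelling of the name), which the “True Process” and “Hacker fake” sections above also describe, can be run in one pass. The PowerShell below is an added example, not part of the original article; the function names, the one-edit name comparison and the SysWOW64 path are assumptions of the example, and it only reports, it does not end or delete anything.

```powershell
# Added example: read-only triage of svchost-like processes. Nothing is stopped or deleted.
$SysRoot = $env:SystemRoot

# Image paths accepted for a running svchost.exe. System32 is the location the
# article gives; SysWOW64 (the 32-bit copy on 64-bit Windows) is an assumption added here.
$TrustedPaths = @(
    (Join-Path $SysRoot 'System32\svchost.exe'),
    (Join-Path $SysRoot 'SysWOW64\svchost.exe')
)
# Accounts the article lists for the genuine process (names as shown on English Windows).
$ServiceAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')

function Get-EditDistance {
    # Levenshtein distance between two strings, compared case-insensitively.
    param([string]$A, [string]$B)
    $A = $A.ToLowerInvariant(); $B = $B.ToLowerInvariant()
    [int[]]$prev = 0..$B.Length
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = New-Object 'int[]' ($B.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $best = [Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1)
            $cur[$j] = [Math]::Min($best, $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    $prev[$B.Length]
}

function Test-SvchostCandidate {
    # Returns a list of findings; empty for unrelated processes and for a clean svchost.exe.
    param([string]$Name, [string]$Path, [string]$Owner)
    $base = [IO.Path]::GetFileNameWithoutExtension($Name)
    $ext  = [IO.Path]::GetExtension($Name)
    $findings = @()
    if ($base -ne 'svchost') {
        # Exactly one edit away (svch0st, svrhost, svhost ...). A wider threshold
        # would also hit unrelated names, so anything further is treated as unrelated.
        if ((Get-EditDistance $base 'svchost') -ne 1) { return @() }
        $findings += "lookalike name '$Name'"
    } elseif ($ext -ne '.exe') {
        $findings += "unexpected extension '$ext'"
    }
    if (-not $Path) { $findings += 'image path not readable (rerun elevated)' }
    elseif ($TrustedPaths -notcontains $Path) { $findings += "runs from '$Path'" }
    if ($Owner -and $ServiceAccounts -notcontains $Owner) { $findings += "runs as '$Owner'" }
    return $findings
}

# Constructed sample records (not taken from a real host) to show what each check reports.
$Samples = @(
    @{ Name = 'svchost.exe'; Path = "$SysRoot\System32\svchost.exe"; Owner = 'NETWORK SERVICE' },
    @{ Name = 'svchost.exe'; Path = "$SysRoot\svchost.exe";          Owner = 'alice' },
    @{ Name = 'svch0st.exe'; Path = "$SysRoot\System32\svch0st.exe"; Owner = 'SYSTEM' },
    @{ Name = 'svchost.com'; Path = "$SysRoot\svchost.com";          Owner = 'alice' }
)
foreach ($s in $Samples) {
    $f = @(Test-SvchostCandidate @s)
    '{0,-12} {1}' -f $s.Name, $(if ($f.Count) { $f -join '; ' } else { 'no findings' })
}

# Live check. Run elevated so the image path and owner of service processes are readable.
Get-CimInstance Win32_Process | ForEach-Object {
    $owner = (Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue).User
    $f = @(Test-SvchostCandidate -Name $_.Name -Path $_.ExecutablePath -Owner $owner)
    if ($f.Count) {
        [pscustomobject]@{ ProcessId = $_.ProcessId; Name = $_.Name; Findings = $f -join '; ' }
    }
}
```

Treat each reported line as a lead to verify (file properties, signature, a second scanner) before ending the process or deleting the file.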

Step No. 2: Remove viruses from svchost.exe

It must be said that due to the numerous varieties of svchost.exe viruses, there is currently no universal way to remove them from a computer. In particular, a full scan of Windows with an antivirus program installed on the PC can help solve this problem. The main thing in this case is not to forget before starting it:

  • disconnect from the local network and the Internet;
  • end suspicious svchost.exe processes in the Task Manager;
  • clear startup of svchost.exe files. To do this, first press Win+R on the keyboard, then enter the msconfig command into the “Run” utility that appears, click OK, and then, after selecting the “Startup” tab in the window that opens, check for the presence of svchost.exe in it:

At the same time, so that the effect of treating your computer does not turn out to be temporary, you must take care of installing and updating a powerful antivirus and firewall in Windows. This is the only way to be sure that the problem with the malicious Trojan file svchost.exe will not return to the system.

Svchost.exe is the name of a system process under which a number of viruses disguise themselves. This malware may cause you to lose your internet connection or cause a serious system crash. Therefore, it is important to know how to remove svchost exe before your computer stops working.

Detection

It is quite difficult to detect the svchost.exe virus on a computer. The problem is that svchost is a Windows system module that runs services. Disabling these services may result in errors and incorrect system operation.

Various viruses only appropriate this name to themselves, hiding among the truly useful processes in the Task Manager.

Attention! The fact that the svchost.exe process is present in the Task Manager does not mean that the computer is infected with a virus! Such processes must be started, since without them the system cannot work correctly!

But how can one identify a malicious one among active processes if they all have the same name? You must refer to the “User Name” field, which indicates who is the initiator of the process launch.

System modules run under the name "System", "Local Service" or "Network Service". If you see that the svchost.exe process is running as a user, you know that this is a virus operating in disguise.

Removal

Unfortunately, a virus masquerading as a system module can be completely removed in only two ways: by completely reinstalling the system or by clearing the registry.

Programs that allow you to remove the url mal virus will not help here. SpyHunter, a utility that can be used to remove ads by offerswizard, cannot cope with this kind of task.

There is no point in talking about reinstallation separately: this is an extreme measure when other methods have already been tried and found to be ineffective.

It’s better to immediately move on to cleaning the registry, but first you can try installing a more powerful antivirus package or using the Dr.Web CureIt healing utility, which helps remove trovi com and deal with other similar virus applications.

It’s great if you can do both – check the system using an antivirus with updated signatures, and then launch Dr.Web CureIt and use it to scan the hard drive again.

Don't forget to also check the Windows startup list.

Press Win+R, enter the command “msconfig” and go to the “Startup” tab. Check that svchost exe is not in the list of startup items. If a virus is detected, uncheck it and then remove it from the list.

If the above steps do not help, proceed to cleaning the registry.

Working with the registry

Open the system registry using the "regedit" command. Here you will have to change and delete a number of entries, so be patient.

Go to HKEY_LOCAL_MACHINE → Software → Microsoft → Windows → CurrentVersion → Run. Find the key “PowerManager”=“%WinDir%svchost.exe” and delete it.

Now you need to delete other entries related to the virus. Go to HKLM→Software→Microsoft→Windows NT→CurrentVersion→WinLogon. Find the "Userinit" key and check its value. Change it to the form “C:\Windows\system32\userinit.exe,”. To do this, right-click on the key and select “Change”.

Use the search function (Ctrl+F) and find other entries with the value “svchost”. Remove them all.
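Before changing anything in regedit, the same registry locations can be reviewed read-only. The PowerShell below is an added example, not part of the original article; the function names and the extra per-user (HKCU) Run key are assumptions of the example, and the expected Userinit value is the one given above, built from %SystemRoot%.

```powershell
# Added example: read-only review of the autostart values the steps above edit by hand.
# Run from 64-bit PowerShell so HKLM\Software is not redirected to Wow6432Node.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',   # key named in the article
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'    # per-user key: assumption added here
)
# Expected Userinit data as given in the article, including the trailing comma.
$ExpectedUserinit = "$env:SystemRoot\system32\userinit.exe,"

function Get-RunKeyFindings {
    # Lists every Run value whose data mentions the pattern (default: svchost).
    param([string[]]$KeyPath = $RunKeys, [string]$Pattern = 'svchost')
    foreach ($key in $KeyPath) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            # Read the raw data so %WinDir%-style entries are shown exactly as stored.
            $data = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if ($data -match [regex]::Escape($Pattern)) {
                [pscustomobject]@{ Key = $key; Value = $name; Data = $data }
            }
        }
    }
}

function Test-UserinitValue {
    # Compares Winlogon\Userinit with the expected value; extra programs appended
    # after the comma make the comparison fail and show up in Actual.
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $actual = [string](Get-ItemProperty -LiteralPath $winlogon -Name Userinit).Userinit
    [pscustomobject]@{
        Actual   = $actual
        Expected = $ExpectedUserinit
        Matches  = ($actual.Trim() -ieq $ExpectedUserinit)
    }
}

Get-RunKeyFindings | Format-List
Test-UserinitValue | Format-List
```

Saving the output before making any change in regedit gives a record of what the entries looked like if the cleanup has to be reviewed later.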

As you can see, you will have to suffer a little with the registry entries. Therefore, if possible, reinstall the system or try to roll back its previous state using a restore point.

Detailed guide to removing the svchost.exe virus.

Desktop and laptop users who from time to time suffer from sudden slowdowns and freezes of the Windows 7 operating system often try to solve the problem by disabling unnecessary processes. When they launch Task Manager, they find an incredible number of active svchost.exe processes, which consume all processor resources, clog up RAM and thereby significantly reduce the performance of the device.

Most users have no idea how to get out of this unpleasant situation and therefore resort to the most radical measures. We will try to tell you in as much detail as possible how to permanently solve the problem of a svchost.exe virus consuming computer resources and restore the computer to its former performance.

  • Svchost.exe is considered an important executable file that initiates the launch of a number of vital services and functions for the operating system, and also allows the launch of applications, programs and games installed by the user. A standard system process does not cause any damage to the computer and does not load the processor or RAM, so the presence of several active svchost.exe processes in “Task Manager” is not yet a reason to panic. The damage is done by viruses that have penetrated the device and taken the form of svchost.exe, which complicates their removal.
  • The svchost.exe file is located on the disk partition on which the operating system was installed, in the \Windows\System32 folder, while malware that takes on its guise is often located in the “Windows”, “Program Files” and “Documents and Settings” folders. In addition, viruses are often embedded in system folders such as “drivers”, “config”, “system” and others.

The official svchost.exe process can only be run as SYSTEM, LOCAL SERVICE or NETWORK SERVICE. In order to determine on whose behalf the process was launched, do the following:

  • Step 1. Right-click on the free space on the taskbar and, in the menu that opens, select the line “Launch Task Manager”, or press the Ctrl + Shift + Esc buttons on the keyboard at the same time.

  • Step 2. In the window that appears, go to the “Processes” section and, for convenience, sort the processes by name. Find the “svchost.exe” processes and look carefully at which user or service they were started by. If the name of your account appears next to the process, then you are clearly looking at a virus program that is preventing the operating system from functioning correctly.

How to neutralize the svchost.exe virus using standard tools in the Windows 7 operating system?

If you find a malicious program among your processes disguised as svchost.exe, you can try to get rid of it using the standard tools of the Windows 7 operating system. To do this, do the following:

  • Step 1. The first step is to disable the service that causes the virus to activate. Open “Task Manager” and find the malicious svchost.exe process in the list. Right-click on it and in the menu that appears, select the line “Go to services”.

Figure 1. How to neutralize the svchost.exe virus using standard tools of the Windows 7 operating system?

  • Step 2. The window that opens will highlight the services that run the malicious software. You need to remember their names, and then open “Control Panel” and go to the “Administration” section.

  • Step 3. In the “Administration” section, go to the “Services” tab and, in the complete list, find by name the services that activate the virus. In the “Startup type” column, set the state to “Disable” for each of the services, then click the “Apply” and “OK” buttons.

  • Step 4. Now go back to “Task Manager”, right-click on the malicious process and select the line “End the process”. After these steps and restarting the computer, the virus will no longer be activated. However, it will still remain on the computer. In order to completely remove it, you need to resort to third-party software.

Preventing the virus from starting by disabling operating system services is only a temporary measure. Even if you manage to find a program infected with a virus and remove it, the system will still contain files created by this program, which are also infected. To get rid of them, you need to resort to the help of specialized programs.

Unfortunately, most modern free antivirus programs are ineffective, and some people simply may not have the money for paid ones. However, there is a free utility, “Dr.Web CureIt”, which performs a deep scan of the disk, scans files for viruses and successfully “cures” them. You can download it from the manufacturer's official website. To get rid of the svchost.exe virus using this utility, do the following:

  • Step 1. The “Dr.Web CureIt” program does not require installation, so just download it from the official website and run it. Next, open “Task Manager” on your computer and find the malicious process. Right-click on it and select the line “Open file storage location”.

  • Step 2. The folder containing the virus-infected file will open. At the top of the window you can see the exact address of its location. Remember this address and switch to the window with the utility.

  • Step 3. Since the program may miss some infected files during a full scan, it is best to scan the computer in separate directories. We should start with the one in which our infected file is located. To do this, on the main screen of the program, click on the “Select objects to scan” button.

  • Step 4. In the window that opens, standard directories for scanning will appear, including RAM, the Windows root directory, documents and much more. Click on “Click to select files and folders”, manually find the directory with the infected file, mark it with a checkmark and press the “OK” button.

  • Step 5. After selecting the directory, click the “Run scan” button and wait for the process to complete. If the utility cannot “cure” virus-infected files, it will automatically send them to quarantine. After a spot check of directories, you can perform a full scan of your computer. It is recommended to check your computer with this program at least once a week. “Dr.Web CureIt” is constantly improving and updating its virus databases. Therefore, with each update you will have to download the program again from the official website.

IMPORTANT: The processes and services depicted in the screenshots are not viral and are taken as an example only. Do not under any circumstances delete or disable them on your computer!
