How to remove the svchost.exe virus and recognize the genuine svchost system file

By | 24.04.2016


How to remove the svchost.exe virus

The svchost system file is a frequent target for attackers. Moreover, malware authors camouflage their malicious software under its «appearance». One of the most prominent representatives of this «pseudo-svchost» category of viruses is Win32.HLLP.Neshta (Dr.Web classification).

This «impostor» copies itself to the Windows directory, infects files with the «exe» extension and consumes system resources (memory, Internet traffic). It is capable of other mischief as well. There have been infections in which the svchost virus loaded the computer’s RAM to 98-100%, cut off the Internet connection and disrupted the functioning of the local network.

How do you remove an svchost.exe that attackers have «planted»? There are at least two methods of detecting and eliminating the parasite. Let us not procrastinate and get on with cleaning the PC.

svchost files: good and evil, or who is who

The whole difficulty of neutralizing viruses of this type is the risk of damaging or deleting the trusted Windows file with the same name. The OS will not work without it and would have to be reinstalled. Therefore, before proceeding with the cleanup, look at the distinguishing signs of the trusted file and of the «outsider».

The true process

It controls system functions that run from dynamic-link libraries (.DLL): it checks and loads them. It listens on network ports and transmits data. In effect, it is a Windows system application. It is located in the directory C: → Windows → System32. In Windows XP / 7 / 8, in 76% of cases it has a size of 20 992 bytes, but there are other variants. Details are available on the Sensor detection resource (link: «29 More options»).

It has the following digital signature (in the «Members» column of the task manager):


Hacker fake

It may be in the following directories:

  • C:\Windows
  • C:\My Documents
  • C:\Program Files
  • C:\Windows\System32\drivers
  • C:\Program Files\Common Files

In addition to an alternative directory, attackers disguise the virus with names that are almost identical to the name of the system process.

For example:

  • svch0st (the digit «zero» instead of the letter «o»);
  • svrhost (the letter «r» instead of «c»);
  • svhost (no «c»).

There are countless such «free interpretations» of the name. Therefore, pay close attention when analyzing the running processes.

Warning: the virus may have a different extension (other than exe), for example «com» (the Neshta virus).

So, now that you know the enemy (the virus!) by sight, you can safely proceed to its destruction.

Method №1: cleaning with the Comodo Cleaning Essentials utility

Cleaning Essentials is an anti-virus scanner. It is used as an alternative software tool for cleaning the system. It comes with two tools for detecting and monitoring Windows objects (files or registry keys).

Where to download and how to install?

1. In the browser, open the official manufacturer’s website.

Tip! It is better to download the utility's distribution package on a «healthy» computer (if possible) and then run it from a USB stick or CD-ROM.

2. On the home page, move the cursor to the «Small & Medium Business» section. In the submenu, select the Comodo Cleaning Essentials program.

3. In the download section, in the drop-down menu, select your operating system bit width (32 or 64 bit).

Tip! The bit width can be found via the system menu: open «Start» → type «System Information» in the search box → click the utility of the same name in the «Programs» list → look at the «type» row.

4. Click «Free Download». Wait until the download is complete.

5. Unzip the downloaded file: right-click on the file → «Extract All …».

6. Open the extracted folder and double-click the «CCE» file.

How to set up and clean up the OS?

1. Select «Custom scan» mode (selective scan).

2. Wait while the utility updates its signature databases.

3. In the scan settings, check the box next to drive C. Also enable scanning of all the additional items («Memory», «Critical Areas ..» etc.).

4. Press «Scan».

5. When the scan completes, allow the antivirus to remove the detected impostor virus and other dangerous objects.

Note. Besides Comodo Cleaning Essentials, you can use other similar anti-virus utilities to treat the PC, for example Dr.Web CureIt!.

Auxiliary tools

The Cleaning Essentials package includes two auxiliary tools designed for real-time monitoring and manual detection of malware. They can be used if the virus could not be neutralized during the automatic scan.

Important! These utilities are recommended for advanced users only.

Autorun Analyzer

An application for quick and convenient work with registry keys, files and services. Autorun Analyzer determines the location of the selected object and can delete or copy it if necessary.

To find the svchost.exe file automatically, select «Find» in the «File» section and specify the file name. Analyze the results, guided by the properties described above (see «Hacker fake»). If necessary, remove suspicious objects via the utility's context menu.



KillSwitch

KillSwitch monitors running processes, network connections, physical memory and CPU load. To «catch» a fake svchost using KillSwitch, follow these steps:

  1. In the «System» tab, click the «Processes» section.
  2. Analyze all running svchost processes:
    • right-click the file;
    • select «Properties»;
    • look at its current directory. If it differs from C:\Windows\system32\, the object under study is most likely a virus.

If malware is detected:

  1. Additionally, check the value in its «Evaluation» field (safe) and its signature.
  2. If these properties do not match the characteristics of the trusted system file, open the context menu again (right click) and run the «Pause» function and then «Delete».
  3. Keep checking: the virus may have created and launched copies of itself. It is imperative to get rid of them too!

Method №2: using built-in system tools

Checking startup

  1. Click «Start».
  2. Type msconfig in the search box and press «Enter».
  3. In «System Configuration», open the «Startup» tab.
  4. Review the commands (column «Command») of the items that start with Windows, and their locations (directories or registry keys, in the column «Location»):
    • Disable all entries containing svchost (clear the check box next to the entry). It is 100% a virus: the system process of the same name never registers itself in startup.
    • Open the malware's directory (listed in «Location») and delete it. To neutralize the registry key, use the built-in regedit editor: «Win + R» → regedit → Enter.

Analysis of active processes

  1. Press «Ctrl + Alt + Del».
  2. Click on the tab «Processes».
  3. Check the properties of each active svchost (name, extension, size, location). In the analysis, be guided by the service data and the information in this article.

Right-click the image name and select «Properties» in the menu.

If a virus is detected:

  • find the location in the object's properties (copy or remember it);
  • click «End Process»;
  • go to that directory and delete the malicious program using the standard function (right click → Delete).
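
The two manual checks of Method №2 (startup entries and running processes), together with the directory and signature comparison described for KillSwitch, can be run as one read-only PowerShell script. This is an added example, not part of the original article or of any tool it names; the name pattern, the SysWOW64 entry and the verdict wording are assumptions of the example.

```powershell
# Added example: read-only triage, nothing is stopped, disabled or deleted.
# Trusted locations: System32 is the one named in the article; SysWOW64 (the
# 32-bit copy on 64-bit Windows) is an addition made for this example.
$trusted = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)
# Constructed pattern for the genuine name and the article's lookalikes
# (svch0st, svrhost, svhost); not an exhaustive list of disguises.
$pattern = 'sv.?h[o0]st'

# 1. Startup entries (Run registry keys and Startup folders) mentioning svchost.
$startup = Get-CimInstance Win32_StartupCommand |
    Where-Object { $_.Name -match $pattern -or $_.Command -match $pattern } |
    Select-Object Name, Command, Location, User

# 2. Running processes: name, directory and digital signature.
$processes = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match "^$pattern" } |
    ForEach-Object {
        $path = $_.ExecutablePath      # empty when not run as administrator
        $sig  = if ($path) { Get-AuthenticodeSignature -LiteralPath $path }

        $reasons = @()
        if ($_.Name -ne 'svchost.exe')          { $reasons += 'lookalike name or extension' }
        if (-not $path)                         { $reasons += 'path unavailable' }
        elseif ($trusted -notcontains $path)    { $reasons += 'unexpected directory' }
        if ($sig -and $sig.Status -ne 'Valid')  { $reasons += "signature $($sig.Status)" }

        [pscustomobject]@{
            PID     = $_.ProcessId
            Name    = $_.Name
            Path    = $path
            Verdict = if ($reasons) { 'REVIEW: ' + ($reasons -join '; ') } else { 'matches trusted file' }
        }
    }

'Startup entries mentioning svchost:'
$startup   | Format-List
'svchost-like processes:'
$processes | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so that process paths are readable. On older PowerShell versions, catalog-signed system files can be reported as NotSigned, so treat a signature finding as a reason to look closer rather than as proof.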

What if it is difficult to tell a trusted file from a virus?

Sometimes it is difficult to say definitively whether an svchost is genuine or fake. In this situation, an additional check with the free online scanner «Virustotal» is recommended. This service checks an object for viruses using 50-55 antivirus engines.

  1. Open the service in the browser.
  2. Click «Select File».
  3. In Windows Explorer, open the directory of the process that you want to test, select the file with a click, and then click «Open».
  4. Click «Check!» to start the scan. The file is uploaded from the PC to the service and scanning starts automatically.
  5. Review the results of the test. If the majority of antivirus programs detected the object as a virus, you should delete it.


After neutralizing the «parasite» in Microsoft Windows, regardless of the removal method used, scan the disk partitions with the Malwarebytes Anti-Malware or Kaspersky Virus Removal Tool cleaning utility. Check the operation of your main anti-virus: review its detection settings and update its signature database.
