How to remove svchost using AVZ. Removing the svchost.exe virus from a Windows system. Svchost.exe in the Roaming folder is not removed


How to remove the svchost.exe virus? Virus infection of the SVCHOST.EXE process is a very common occurrence. This is due to the fact that Windows uses svchost.exe processes simultaneously for different purposes. Therefore, it is beneficial for the virus to get lost among them and act like a resident. Symptoms usually include heavy or full computer loading. The network and internet stop working. If there are many suspicious svchost.exe processes in the task manager, this does not mean that you have a virus.

Windows uses this process for many things, such as updating the OS. A sign that raises suspicion of the presence of a virus is an active svchost.exe process launched by the user. If you see this process running not from NETWORK SERVICE, LOCAL SERVICE or SYSTEM, but from your account, then there is probably a Trojan on the computer.

Unfortunately, the actions of such viruses sometimes lead to severe damage to the system. This problem can be solved in two ways. Either full or by restoring the registry. We will describe simple recommendations that will answer the question “How to remove a Trojan virus from svchost.exe?” Note that before scanning with an antivirus, you need to disconnect from the Internet and local network, that is, unplug the cable from the network card. Connect the USB drives you use.

    1. So, the first thing we can recommend is to install a good antivirus. Not all virus removal programs are suitable for scanning. But there are several software solutions that should help in the fight against the virus embedded in SVCHOST.EXE.
    2. Disable the System Restore service (relevant for Windows XP). It's done like this. Right-click on My Computer -> Properties -> System Restore tab -> check the box Disable system restore on all drives. This is done so that the svchost.exe virus does not return after treatment.
    3. Check startup. Click Start -> Run (for Win 7 the command line is immediately available) -> enter “msconfig”. The startup list should not contain any svchost.exe files.
    4. Download CureIT – http://www.freedrweb.com/cureit and check all logical drives and flash drives in Windows safe mode.

In principle, instead of downloading CureIT you can use a high-quality antivirus with updated signatures, but it’s better to play it safe and check everything in two different ways. After checking, you may need to restore the Windows registry keys. If something doesn’t work out, you can always call and order a virus removal service. And for those who find these recommendations insufficient, we advise you to read the article about that - it shows a detailed method for removing viruses manually.

The svchost system file quite often becomes a target for hacker attacks. Moreover, virus writers disguise their malware under its software “appearance.” One of the most prominent representatives of the “false svchost” viruses is Win32.HLLP.Neshta (Dr.Web classification).

This “impostor” copies itself to a Windows directory, infects files with the “exe” extension and takes away system resources (RAM, Internet traffic). However, it is capable of other nasty things. There are known cases of infection when the svchost virus loads the computer's RAM by 98-100%, disconnects the Internet channel, and disrupts the functioning of the local network.

svchost files - good and evil, or who is who

The whole difficulty of neutralizing viruses of this type is that there is a risk of damaging/deleting a trusted Windows file with the same name. And without it, the OS will not work; you will have to reinstall it. Therefore, before we begin the cleaning procedure, let’s get acquainted with the special signs of a trusted file and a “stranger”.

True Process

Manages system functions that are launched from dynamic libraries (.DLLs): checks and loads them. Listens to network ports and transmits data through them. In fact, it is a Windows utility application. Located in the directory C:\Windows\System32. In OS versions XP/7/8, in 76% of cases it has a size of 20,992 bytes. But there are other options. You can find out more about them on the recognition resource filecheck.ru/process/svchost.exe.html (link - “29 more options”).

Runs under one of the following accounts (in the task manager, the “Users” column):

  • SYSTEM;
  • LOCAL SERVICE;
  • NETWORK SERVICE.

Hacker fake

May be located in the following directories:

  • C:\Windows
  • C:\My Documents
  • C:\Program Files
  • C:\Windows\System32\drivers
  • C:\Program Files\Common Files

In addition to alternative directories, hackers use almost identical names, similar to the system process, to disguise the virus.

For example:

  • svch0st (digit “zero” instead of letter “o”);
  • svrhost (instead of “c” the letter “r”);
  • svhost (no “c”).

There are countless versions of the “free interpretation” of the name. Therefore, it is necessary to pay special attention when analyzing existing processes.

Attention! The virus may have a different extension (other than exe). For example, “com” (Neshta virus).

So, knowing the enemy (the virus!) by sight, you can safely begin to destroy it.
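The signs listed above (file name, directory, account) can be checked for every running process in one pass. The script below is an added example, not part of the original article: it is read-only, assumes PowerShell 3.0 or later, an elevated prompt and English account names, and its look-alike pattern and the extra SysWOW64 path are choices made for this example.

```powershell
# Added example: read-only triage of every process whose name resembles svchost.
# It only reports; it never suspends, stops or deletes anything.

# Expected image paths. System32 is the location named in the article; the
# SysWOW64 entry (32-bit copy on 64-bit Windows) is an addition made here.
$goodPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Accounts the article lists for the genuine process (English names assumed).
$goodUsers = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')

# Loose pattern: svchost plus look-alikes such as svch0st, svrhost, svhost,
# and other extensions such as .com. PowerShell matching is case-insensitive.
$lookalike = '^sv[a-z0-9]{0,3}h[o0]st\.(exe|com|scr|pif)$'

$candidates = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -match $lookalike }

$report = foreach ($p in $candidates) {
    # GetOwner returns ReturnValue 0 plus User/Domain when the owner is readable.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    $user  = if ($owner -and $owner.ReturnValue -eq 0) { $owner.User } else { $null }

    $reasons = @()
    if ($p.Name -ne 'svchost.exe') {
        $reasons += 'look-alike name'
    }
    if (-not $p.ExecutablePath) {
        $reasons += 'path unreadable (run elevated)'
    } elseif ($goodPaths -notcontains $p.ExecutablePath) {
        $reasons += 'unexpected directory'
    }
    if (-not $user) {
        $reasons += 'owner unreadable (run elevated)'
    } elseif ($goodUsers -notcontains $user) {
        $reasons += "runs as '$user'"
    }

    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Name      = $p.Name
        User      = $user
        Path      = $p.ExecutablePath
        Finding   = if ($reasons) { 'REVIEW: ' + ($reasons -join '; ') } else { 'matches expected profile' }
    }
}

# Entries that need review sort first.
$report | Sort-Object Finding -Descending | Format-List
```

On Windows 10 and later, per-user services also run svchost.exe from System32 under the logged-in account, so an owner finding on those systems is a lead to check against the path, not a verdict.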

Method number 1: cleaning with Comodo Cleaning Essentials utility

Cleaning Essentials is an antivirus scanner. Used as an alternative system cleaning software. It comes with two utilities for detecting and monitoring Windows objects (files and registry keys).

Where to download and how to install?

1. Open comodo.com (the official website of the manufacturer) in your browser.

Advice! It is better to download the utility distribution kit on a “healthy” computer (if possible), and then run it from a USB flash drive or CD.

2. On the main page, hover over the “Small & Medium Business” section. In the submenu that opens, select the Comodo Cleaning Essentials program.

3. In the download block, in the drop-down menu, select the bitness of your OS (32 or 64 bit).

Advice! The bit depth can be found through the system menu: open “Start” → enter “System Information” in the line → click on the utility with the same name in the “Programs” list → look at the “Type” line.

4. Click the “Free Download” button. Wait until the download completes.

5. Unpack the downloaded archive: right-click on the file → “Extract all...”.

6. Open the unpacked folder and double-click on the “CCE” file with the left button.

How to configure and clean the OS?

1. Select “Custom scan” mode.

2. Wait a little while the utility updates its signature databases.

3. In the scanning settings window, check the box next to drive C. And also enable checking of all additional elements (“Memory”, “Critical Areas..”, etc.).

4. Click "Scan".

5. Upon completion of the scan, allow the antivirus to remove the detected impostor virus and other dangerous objects.

Note. In addition to Comodo Cleaning Essentials, you can use other similar antivirus utilities to clean your PC. For example, Dr. Web CureIt!.

Helper utilities

The Cleaning Essentials treatment package includes two auxiliary tools designed for real-time system monitoring and manual malware detection. They can be used if the virus cannot be neutralized during the automatic scanning process.

Autorun Analyzer is an application for quick and convenient work with registry keys, files and services. It determines the location of the selected object and, if necessary, can delete or copy it.

To automatically search for svchost.exe files, in the “File” section, select “Find” and specify the file name. Analyze the found processes, guided by the properties described above (see “Hacker fake”). If necessary, remove suspicious objects through the utility's context menu.

KillSwitch monitors running processes, network connections, physical memory and CPU load. To catch a fake svchost using KillSwitch, follow these steps:

  1. On the System tab, open the Processes section.
  2. Analyze all activated svchost processes:
    • right click on the file;
    • select "Properties";
    • look at its current directory. If it is different from C:\Windows\system32\, it is most likely that the object being examined is a virus.

If malware is detected:

  1. Additionally, look at the “Rating” column (safe) and the signature in its field.
  2. If these properties also do not correspond to the characteristics of the trusted system file, activate the context menu again (right-click). And then run the “Suspend” and “Delete” functions in sequence.
  3. Continue checking, the virus may have created and launched copies of itself. It is also imperative to get rid of them!

Method No. 2: using system functions

Checking startup

  1. Click "Start".
  2. Type msconfig in the search bar and press Enter.
  3. In the System Configuration window, go to the Startup tab.
  4. View the commands (the “Command” column) that launch elements when Windows starts, and their location (directories, registry keys in the “Location” column):
    • Disable all directives containing svchost (click the checkbox next to the entry). This is 100% a virus. The system process of the same name is never registered in startup.
    • Open the malware directory (listed in “Location”) and delete it. To neutralize a key in the registry, use the standard regedit editor: “Win + R” → regedit → Enter.
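The same startup check can be scripted. The following is an added example, not from the original article: it lists autostart entries (Run/RunOnce registry keys and the Startup folders) whose name or command mentions svchost or a look-alike, and changes nothing. The key list and the pattern are choices made for this example; PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only listing of autostart entries that mention svchost.

$pattern = 'sv[a-z0-9]{0,3}h[o0]st'   # svchost, svch0st, svrhost, svhost, ...

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$hits = @()

# Registry autostart values: check both the value name and its command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($name -match $pattern -or $data -match $pattern) {
            $hits += [pscustomobject]@{ Location = $key; Entry = $name; Command = $data }
        }
    }
}

# Startup folders (current user and all users); resolve .lnk files to their targets.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not $dir -or -not (Test-Path -Path $dir)) { continue }
    foreach ($f in (Get-ChildItem -Path $dir -File)) {
        $target = if ($f.Extension -eq '.lnk') {
            $shell.CreateShortcut($f.FullName).TargetPath
        } else {
            $f.FullName
        }
        if ($f.Name -match $pattern -or $target -match $pattern) {
            $hits += [pscustomobject]@{ Location = $dir; Entry = $f.Name; Command = $target }
        }
    }
}

if ($hits) {
    $hits | Format-List
} else {
    'No autostart entry references svchost or a look-alike name.'
}
```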

Analysis of active processes

  1. Press "Ctrl + Alt + Del".
  2. Click on the “Processes” tab.
  3. Check the properties of all active svchosts (name, extension, size, location). When analyzing, rely on the data from the filecheck.ru service and the characteristics given in this article.

Right-click on the image name. From the menu, select Properties.

If a virus is detected:

  • in the properties of the object, find out its location (copy or remember);
  • click “End process”;
  • go to the malware directory and remove it using the standard function (right-click → Delete).

If it is difficult to determine: trusted or virus?

Sometimes it is difficult to say for sure whether svchost is real or fake. In such a situation, it is recommended to carry out additional detection using the free online scanner Virustotal. This service uses 50-55 antiviruses to scan an object for viruses.

  1. Open virustotal.com in your browser.
  2. Click Select File.
  3. In Windows Explorer, open the directory of the process you want to check, select it by clicking, and then click “Open”.
  4. To start scanning, click “Check!” The file will be uploaded from the PC to the service and scanning will begin automatically.
  5. Review the test results. If most antivirus programs detect an object as a virus, it must be removed.

Threat name: Trojan Svchost

Executable file name: hlhtxo.exe

Threat type: Spyware/Trojan

Affected OS: Win32 (Windows XP, Windows Vista, Windows 7, Windows 8)



Trojan Svchost infection method

Trojan Svchost copies its file(s) to your hard drive. The typical file name is hlhtxo.exe. Then it creates a startup key in the registry with the name Trojan Svchost and the value hlhtxo.exe. You can also find it in the process list with the name hlhtxo.exe or Trojan Svchost.



Download the removal utility

Download this program and remove Trojan Svchost and hlhtxo.exe (download will start automatically):

* SpyHunter was developed by the American company EnigmaSoftware and is capable of removing Trojan Svchost automatically. The program was tested on Windows XP, Windows Vista, Windows 7 and Windows 8.

Functions

The program is able to protect files and settings from malicious code.

The program can fix browser problems and protects browser settings.

Removal is guaranteed - if SpyHunter fails, free support is provided.

24/7 anti-virus support is included in the package.


Download the Trojan Svchost removal utility from the Russian company Security Stronghold

If you are not sure which files to delete, use our program, the Trojan Svchost removal utility. The Trojan Svchost removal tool will find and completely remove Trojan Svchost and all problems associated with the Trojan Svchost virus. A fast, easy-to-use Trojan Svchost removal tool will protect your computer from the Trojan Svchost threat that harms your computer and violates your privacy. Trojan Svchost Removal Tool scans your hard drives and registry and removes any manifestation of Trojan Svchost. Regular antivirus software is powerless against malicious programs such as Trojan Svchost. Download this simplified removal tool specifically designed to solve problems with Trojan Svchost and hlhtxo.exe (the download will start automatically):

Functions

Removes all files created by Trojan Svchost.

Removes all registry entries created by Trojan Svchost.

The program can fix browser problems.

Immunizes the system.

Removal is guaranteed - if the Utility fails, free support is provided.

24/7 antivirus support via GoToAssist is included in the package.


How to remove Trojan Svchost manually

This problem can be resolved manually by removing registry keys and files associated with Trojan Svchost, removing it from the startup list and de-registering all associated DLL files. In addition, missing DLL files must be restored from the OS distribution if they were damaged by Trojan Svchost.

In order to get rid of Trojan Svchost, you need to:

1. Terminate the following processes and delete the corresponding files:

Warning: you need to delete only files whose checksums are in the list of malicious ones. There may be files with the same names on your system. We recommend using this to solve the problem safely.

2. Delete the following folders:

3. Delete the following registry keys and/or values:

Warning: If registry key values are specified, you should delete only the specified values and leave the keys themselves intact. We recommend using this to solve the problem safely.

4. Reset browser settings

Trojan Svchost can sometimes affect your browser settings, such as changing your search and home page. We recommend that you use the free "Reset Browsers" feature in "Tools" in the program to reset all browsers at once. Please note that before this you need to delete all files, folders and registry keys belonging to Trojan Svchost. To reset browser settings manually, use these instructions:

For Internet Explorer

    If you are using Windows XP, click Start, and Open. Enter the following in the Open field, without quotes, and press Enter: "inetcpl.cpl".

    If you are using Windows 7 or Windows Vista, click Start. Enter the following in the Search field, without quotes, and press Enter: "inetcpl.cpl".

    Select the Advanced tab.

    Under Resetting Internet Explorer browser settings, click Reset. Then press Reset again in the window that opens.

    Select the checkbox Remove personal settings to delete history and restore the search and home page.

    After Internet Explorer has completed the reset, click Close in the dialog box.

Warning: Reset browser settings in Tools

For Google Chrome

    Locate your Google Chrome installation folder at: C:\Users\"username"\AppData\Local\Google\Chrome\Application\User Data.

    In the folder User Data, find the file Default and rename it to DefaultBackup.

    Launch Google Chrome and a new file Default will be created.

    The Google Chrome settings are now reset.

Warning: In case this doesn't work, use the free option Reset browser settings in Tools in the Spyhunter Remediation Tool program.

For Mozilla Firefox

    Open Firefox

    From the menu, select Help > Troubleshooting Information.

    Click the button Reset Firefox.

    After Firefox finishes, it will show a window and create a folder on your desktop. Click Finish.

Warning: This way you will lose your passwords! We recommend using the free option Reset browser settings in Tools in the Spyhunter Remediation Tool program.

Detailed guide to removing the svchost.exe virus.


Desktop and laptop users who from time to time suffer from sudden slowdowns of their devices and freezing of the Windows 7 operating system often try to solve the problem by disabling unnecessary processes. When they launch Task Manager, they find an incredible number of active svchost.exe processes, which consume all processor resources, clog up RAM and thereby significantly reduce the performance of the device.

Most users have no idea how to get out of this unpleasant situation and therefore resort to the most radical measures. We will try to tell you in as much detail as possible how to permanently solve the problem of the svchost.exe virus consuming computer resources and restore the computer to its former performance.

  • Svchost.exe is an important executable file that starts a number of services and functions vital to the operating system, and also allows the launch of applications, programs and games installed by the user. A standard system process does not cause any damage to the computer and does not load the processor or RAM, so the presence of several active svchost.exe processes in “Task Manager” is not yet a reason to panic. The damage is done by viruses that have penetrated the device and take the form of svchost.exe, thereby complicating their removal.
  • The svchost.exe file is located on the disk partition on which the operating system was installed, in the folder /Windows/System32, while malware that takes on its guise is often located in the “Windows”, “Program Files” and “Documents and Settings” folders. In addition, viruses are often embedded in the system folders “drivers”, “config”, “system” and others.

The genuine svchost.exe process can only be run as SYSTEM, LOCAL SERVICE or NETWORK SERVICE. In order to determine on whose behalf the process was launched, do the following:

  • Step 1. Right-click on the free space on the taskbar and in the window that opens, select the line “Launch Task Manager”, or press the key combination Ctrl + Shift + Esc.

  • Step 2. In the window that appears, go to the “Processes” section and, for convenience, sort the processes by name. Find the “svchost.exe” processes and look carefully at which user or service started them. If the name of your account appears next to the process, then you are clearly looking at a virus program that is preventing the operating system from functioning correctly.

How to neutralize the svchost.exe virus using standard tools in the Windows 7 operating system?

If you find a malicious program among your processes disguised as svchost.exe, then you can try to get rid of it using standard Windows 7 tools. To do this, do the following:

  • Step 1. The first step is to disable the service that causes the virus to activate. Open “Task Manager” and find the malicious svchost.exe process in the list. Right-click on it and in the window that appears, select the line “Go to services”.

Figure 1. How to neutralize the svchost.exe virus using standard tools of the Windows 7 operating system?

  • Step 2. The window that opens will highlight the services that run the malicious software. You need to remember their names, and then open “Control Panel” and go to the “Administration” section.

  • Step 3. In the “Administration” section, go to the “Services” tab and, in the complete list, find by name those that activate the virus. In the “Startup type” column, set the state to “Disable” for each of the services, then click the “Apply” and “OK” buttons.

  • Step 4. Now go back to “Task Manager”, right-click on the malicious process and select the line “End the process”. After these steps and restarting the computer, the virus will no longer be activated. However, it will still remain on the computer. In order to completely remove it, you need to resort to third-party software.

Preventing the virus from starting by disabling operating system services is only a temporary measure. Even if you manage to find a program infected with a virus and remove it, the system will still contain files created by this program, which are also infected. To get rid of them, you need to resort to the help of specialized programs.

Unfortunately, most modern free antivirus programs are ineffective, and some people simply may not have the money for paid ones. However, there is a free utility, “Dr.Web CureIt”, which performs a deep scan of the disk, scans files for viruses and successfully “cures” them. You can download it from the manufacturer's official website. To get rid of the svchost.exe virus using this utility, do the following:

  • Step 1. The “Dr.Web CureIt” program does not require installation, so just download it from the official website and run it. Next, open “Task Manager” on your computer and find the malicious process. Right-click on it and select the line “Open file location”.

  • Step 2. The folder containing the virus-infected file will open. At the top of the window you can see the exact address of its location. Remember this address and switch to the window with the utility.

  • Step 3. Since the program may miss some infected files during a full scan, it is best to scan the computer in separate directories. We should start with the one in which our infected file is located. To do this, on the main screen of the program, click on the “Select objects to scan” button.

  • Step 4. In the window that opens, standard directories for scanning will appear, including RAM, the Windows root directory, documents and much more. Click “Click to select files and folders”, manually find the directory with the infected file, mark it with a checkmark and press the “OK” button.

  • Step 5. After selecting the directory, click the “Run scan” button and wait for the process to complete. If the utility cannot “cure” virus-infected files, it will automatically send them to quarantine. After a spot check of directories, you can perform a full scan of your computer. It is recommended to check your computer with this program at least once a week. “Dr.Web CureIt” is constantly improving and updating its virus databases. Therefore, with each update you will have to download the program again from the official website.

IMPORTANT: The processes and services depicted in the screenshots are not viral and are taken as an example only. Do not under any circumstances delete or disable them on your computer!


In Windows 7, the most important process in the OS is Svchost.exe. Very often, PC users with Windows 7 encounter a problem when this process heavily loads the processor. The load on processor cores can reach from 50 to 100 percent. Svchost.exe is a host process responsible for launching groups of services from DLL dynamic libraries. That is, the system, using this host process, starts a group of services without creating unnecessary processes. This approach reduces the load on the processor and RAM. If the system slows down and Svchost.exe heavily loads the processor, this means that the OS is not working properly. This behavior of the system can be caused by malware, as well as by problems in the OS itself. In this article we will look at all the ways to solve the problem of high CPU load caused by the Svchost.exe process.

First steps to solve the problem with the Svchost.exe process

If you have a situation where the host process Svchost.exe is heavily loading the processor, then you should not immediately think that it is a virus. In addition to the virus, the OS itself may be the culprit of this problem. Below we will look at a list of problems and methods to correct them:

Restoring normal processor operation using an antivirus

If the methods described above did not help, then most likely your Windows 7 is infected with a virus. Typically, infection with a virus occurs from the outside, that is, via the Internet or via an external data storage device. If you have a good antivirus, then most likely the virus will not get through. But there are times when antivirus programs do not see new versions of viruses and let them through. If your computer is infected, then the host process Svchost.exe will load the processor up to 100 percent, and in the user name you will see not the system names “LOCAL” and “NETWORK SERVICE”, but a completely different name.

To get rid of a virus in the system, you need to run a full scan of the computer in Windows 7 to search for malware. Below we will look at an example of running a full scan of your computer using the Comodo Internet Security antivirus. Also, before running any antivirus to scan the OS, update its antivirus database. Let's move on and launch the Comodo Internet Security antivirus.

In the main antivirus window, go to the bottom tab “Scanning”, which will open a menu from which you can select scanning options.

In our case, you need to select the item “Full scan”. This option will scan the entire hard drive, identify malicious programs and neutralize them. Below is the Comodo Internet Security scan window.

In other antivirus programs, the principle of launching a full PC scan is as similar as possible to what was discussed. Therefore, if you have a problem with the Svchost.exe host process, then feel free to run a full PC scan.

For this example, we chose the Comodo Internet Security antivirus for a reason. This antivirus has a built-in module called KillSwitch (this module is currently included in the free set of utilities COMODO Cleaning Essentials, which you can download).

This module is a task manager that has advanced functionality. For example, KillSwitch can stop the process tree and revert the changes made after that.

Another feature of KillSwitch is checking running processes for trust. That is, if a process is untrusted, KillSwitch will find it and indicate this in the third column, “Grade”. This feature of the KillSwitch module will help you quickly identify problems related to Svchost.exe and CPU usage.

It is also worth mentioning the case when a virus infects the antivirus itself or reliably hides from it, as a result of which the installed antivirus does not see it. In this situation, a boot disk will come to the user’s aid. This disk carries a portable Linux-based operating system that boots from it. After booting from this disk, the user will be able to run a PC scan directly from the loaded operating system.

Such a scan should find and neutralize viruses that cause Svchost.exe to load processor cores. The best-known viruses that load the CPU via Svchost.exe are:

  • “Virus.Win32.Hidrag.d” - a virus written in C++. Once in the system, it replaces Svchost.exe. After that, it looks for files with the extension “*exe” and infects them. The virus is harmless; it does not harm the system and does not steal information. But constant infection of files with the “*exe” extension greatly loads the processor.
  • “Net-Worm.Win32.Welchia.a” - this virus is an Internet worm that loads the processor through Internet attacks.
  • “Trojan-Clicker.Win32.Delf.cn” - a primitive Trojan that registers a new Svchost.exe process in the system to open a specific page in the browser, thereby loading the system.
  • “Trojan.Carberp” - a dangerous Trojan that also disguises itself as Svchost.exe. The main purpose of this virus is the search for and theft of information from large retail chains.

High CPU usage due to Windows Update

On computers running Windows 7, there is often a situation where the Svchost.exe process loads the processor and memory because of the update center. To check that it is the update center that is loading the memory and processor, go to “Task Manager” and, from Svchost.exe, navigate to the services that it currently manages. An example of such a transition is shown in the image below.

After such a transition, a window with services should open, where the “wuauserv” service is highlighted.

It is this service that is responsible for downloading and installing updates in Windows 7. Fixing this problem is quite simple.

In the Task Manager Services window, you can completely stop “wuauserv” or disable checking for updates in the Control Panel.

But disabling the “wuauserv” service is an ugly way out of this situation.

When this service is disabled, the security of the OS as a whole is compromised, since installation of updates through the update center will be disabled.
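The “Go to services” lookup described above, for all svchost.exe instances at once, is shown in the following added example (not part of the original article). It samples CPU time twice, lists the services each instance hosts and marks the one hosting “wuauserv”; the 5-second interval is an arbitrary choice, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: which services does each svchost.exe host, and how busy is it?
# Read-only: nothing is stopped or reconfigured.

$interval = 5                                # seconds between the two samples
$cores    = [Environment]::ProcessorCount

function Get-SvchostCpuTicks {
    # Returns a table: process ID -> total CPU time (kernel + user),
    # in the 100-nanosecond units that Win32_Process reports.
    $ticks = @{}
    foreach ($p in (Get-CimInstance -ClassName Win32_Process -Filter "Name='svchost.exe'")) {
        $ticks[[int]$p.ProcessId] = [double]$p.KernelModeTime + [double]$p.UserModeTime
    }
    return $ticks
}

# Map each process ID to the names of the running services it hosts.
$servicesByPid = @{}
foreach ($s in (Get-CimInstance -ClassName Win32_Service -Filter "State='Running'")) {
    $id = [int]$s.ProcessId
    if (-not $servicesByPid.ContainsKey($id)) { $servicesByPid[$id] = @() }
    $servicesByPid[$id] += $s.Name
}

$before = Get-SvchostCpuTicks
Start-Sleep -Seconds $interval
$after  = Get-SvchostCpuTicks

$rows = foreach ($id in $after.Keys) {
    if (-not $before.ContainsKey($id)) { continue }   # started during the sample
    $cpuSeconds = ($after[$id] - $before[$id]) / 1e7
    [pscustomobject]@{
        ProcessId     = $id
        CpuPercent    = [math]::Round(100 * $cpuSeconds / ($interval * $cores), 1)
        WindowsUpdate = ($servicesByPid[$id] -contains 'wuauserv')
        Services      = ($servicesByPid[$id] -join ', ')
    }
}

# Busiest instance first; WindowsUpdate = True marks the host of wuauserv.
$rows | Sort-Object CpuPercent -Descending | Format-Table -AutoSize -Wrap
```

An instance that shows high CPU and an empty Services column hosts no registered running service and deserves the path and account checks described earlier in the article.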

You can solve this problem by installing updates manually. In order not to download dozens of updates from the website www.microsoft.com and then take a long time to install them, it is best to use the update set UpdatePack7R2. The developer of this set is “simplix”, who is also known by this nickname as a moderator on the www.oszone.net forum. You can download this set from the website http://update7.simplix.info. The latest version is currently available on the website, numbered 12/17/15. After downloading the set, you can begin installing updates. To do this, let's run the installer.

In the window that appears, click the Install button. After this, the update installation process will begin.

This process can take quite a long time and depends on the number of updates already installed. You can update Windows 7 offline in this way all the time, since the author of the project is constantly releasing new sets. You can also restart the update center after the update installation is complete. The memory and CPU usage issue should go away this time as these updates contain a fix.

Other ways to solve the problem with CPU load due to Svchost.exe

In this section, we will describe methods that in some cases help solve the problem with Svchost.exe, and also increase the overall performance and stability of the system. Below is a list with a detailed description of each method:

  • Very often the problem with the Svchost.exe process, even when it is infected with a virus, is solved by the usual OS rollback using a restore point. But this method can only be used if system protection is enabled.
  • When various installed programs are used for a long time, the Windows 7 operating system accumulates a lot of garbage on the hard drive. Garbage refers to temporary files created when using various utilities, for example browser history files. In this case, special utilities for cleaning the OS will come to the rescue. The most popular among them is the program CCleaner.
  • We also recommend defragmentation, which can improve overall system performance. Defragmentation, although it will not solve the problem with the Svchost.exe process, will significantly speed it up, thereby reducing the load on the processor. One of the best defragmenters is the utility Defraggler, which, in addition to its main function, can also defragment system files.
  • Cleaning the registry also helps solve our problem. To clean the registry, as in the method above, use the utility CCleaner, which will quickly delete old registry keys that prevent Svchost.exe from working correctly.
  • Also, for all running processes, including Svchost.exe, working memory is an important factor. With faulty memory, the system and running processes may behave unstably. The way out of this situation is to replace the RAM with working memory. You can check your memory for serviceability using the built-in diagnostic tool in Windows 7.

Conclusion

In this article, we covered quite extensively the problem associated with high CPU usage due to the Svchost.exe process. Based on this, our readers will certainly be able to solve this problem and ensure normal operation of the computer.
