Become a Contributor

How to Remove the Svchost.exe Virus?

How to Remove the Svchost.exe Virus?

This is an issue that anyone using any system that runs Windows 2000 or higher has faced more than once, and the errors that accompany svchost.exe can be really frustrating. Techspirited brings to you a simple step-by-step approach to understanding and nullifying this problem.
Padmini Krishna
What is svchost.exe?
Quite contrary to what people generally tend to assume, svchost.exe is not inherently a virus. It stands for 'Service Host', and actually is a program run by Windows as a host process, through which a number of .dll-type services are executed (since the Windows file structure does not allow services from dynamic link libraries to run without a host process). Ideally, it should not occupy more than 27KB of space, and should not be located anywhere else except under the C:\Windows\System32 directory. In case a process with this name that is being executed has different properties, then you have reasons to believe that malicious software is involved.

Sometimes when our computer tends to hang more often than the norm, the more curious amongst us simultaneously hit the Ctrl, Alt, and Delete keys on our keyboard, and open up our Windows Task Manager, to try to get to the root of this matter. Have you ever experienced a moment where you are staring at what seems to be a hundred svchost.exe processes clogging up the entire 'Processes' tab on your Task Manager, and you are at your wits end because you do not have a clue what that means, why so many of them are running at one time, and why those tasks just cannot be killed? That is going to now be a thing of the past, because we are going to walk you through everything you ever need to know about svchost.exe, including how to get rid of it.

As mentioned above, firstly, you need to determine the size, and location of the svchost.exe program running on your system so that you can act accordingly. The size of the file is not a definitive marker that the respective process is a virus. However, it serves the purpose of alerting you about a potential risk.

We can approach this problem from two different angles:

Either, under the circumstances that the numerous svchost.exe processes running are innocuous Windows processes, in which case you can click here,
Or, that your computer is infected with some kind of malware, in which case you can click here.

How To Deal With svchost.exe When it is Not a Virus

Now that you are reassured that your computer has not been infected with some sort of malware, like a virus, worm or a trojan, you can breathe a sigh of relief, and now proceed to straighten out the unsettling part; the fact that you cannot simply kill an svchost.exe process.
Open your Task Manager, and identify the particular instance of svchost.exe, that is taking up more memory than is natural. Right-click on it, and in the drop-down menu, select the 'Go to Service(s)' option.
Clicking on it will redirect you to the Services tab, where you can see in real time which particular services are riding on that particular process, and you can disable, or stop (and hence restart) those particular services so as to free the unnecessary memory that this instance of svchost.exe has engaged.
To disable a particular service, click on the button labeled 'Services' at the bottom of the 'Services' tab of the Task Manager. This will open up a window called Services, that is a subsection of Administrative Tools, under Control Panel. Right-click on the respective service from the list, and click on Properties in the drop-down menu. In the Properties window, change the setting against the property called 'Startup type', which can be found in the first tab ('General') that opens, to 'Disabled'.
If you are well versed with coding using the command line interface, you can always open the command prompt (by typing "cmd" in the Search Box of the Start Menu) and type the following, to get a full list of tasks that are hosted by this process.
C:\>tasklist /SVC
You can also disable services from the command prompt, using the service name provided by the list generated in the command line interface, when you type the above command. For example, suppose you want to disable the Distributed Link Tracking Client, which has the service name, 'TrkWks', this is what you should type in the command prompt.
C:\>sc config trkwks start= disabled
However, we do not recommend the use of the command prompt to get this information, because the names of the services that get listed when this method is used are not easily recognizable, and the conventional name that we can identify with is not revealed by the command prompt in this list.
One can also examine and handle various services running, by using the Process Explorer utility that is provided by Microsoft. It can be easily downloaded, and it is the most convenient way to figure out which process has been engaged by which service. This utility also allows you to kill running tasks.
Be careful before randomly disabling services, as in the case of many of them, their constant running is indispensable to the normal functioning of your computer. You could read the description of the service on the internet before you decide to disable it.
Irrespective of the fact that your computer is probably not currently in any danger, it is better to run a full system scan, at regular intervals, using some reputed anti-virus software so that if and when threats do pop up, they will be nipped in the bud.

How To Deal With svchost.exe When it is a Virus

There are many manifestations of svchost.exe as a virus. In some cases, malware like trojans, viruses and worms disguise themselves as the svchost.exe process in order to avoid detection by anti-virus scanners, and steal confidential information saved on your computer, for example, stored passwords, and you may end up exposing yourself to hackers. Especially, if your computer is playing host to a Win32-Alureon, your bank and credit card information is extremely vulnerable.
Another possibility is that, a virus affects the basic functioning of the essential svchost.exe process, causing an error, and these may cause your computer to keep shutting down. As it is, viruses of all kinds are both very annoying and very dangerous. Hence, if your computer is infected by any of them, you need to do something about it immediately.
There are three very useful utility programs; namely, RKill.exe, TDSSKiller.exe, and Malwarebytes: Anti-Malware, that are free to obtain from the internet, which you should download and run, so as to 'clean up' your computer.
RKill.exe is a utility that scans your computer for malware, and terminates the relevant processes, following which you can scan your computer with your regular anti-virus software, which can delete those processes. It has been developed by Bleeping Computer, and can be downloaded here.
TDSSKiller.exe is an anti-rootkit utility program, that deletes rootkits for Windows. It was developed by Kaspersky, and is extremely handy. You can download it here.
(**A rootkit program is one that hides the presence of malware, and then surreptitiously interferes with system functions.)
Malwarebytes: Anti-Malware is a software primarily designed to function like an anti-virus. However, its specialty is detecting malware, and it can detect infections that regular anti-virus software cannot. All that you need to do is to run the program. It can be downloaded here for free, but do keep in mind that for active protection all the time, one needs to be a premium subscriber.
Additionally, you can use the ESET Online Scanner, a program that allows you to scan your full system while you are online if you are using Internet Explorer as your browser, or else can be downloaded as a utility for free to conduct the scan. You can try it out here.
A number of other useful programs can also be alternatively used, such as RogueKiller.exe, HitmanPro.exe, Emsisoft Emergency Kit, Junkware Removal Tool, AdwCleaner, and aswMBR, the last of which can also detect Alureon malware.
Your computer will certainly be freed from the svchost.exe virus issue if you run the aforementioned utility programs.

It is ideal if one detects and gets rid of malware problems before it is too late, to avoid repenting in future. In the interest of that, one must always keep an active anti-virus software running on his or her system, so as to prevent these bothersome programs from creeping in. And most importantly, one should be careful before approving any downloads, even if it is just a toolbar. Malware developers are making their programs smarter nowadays; they even tend to disguise them as software distributed by companies whom we would implicitly trust, such as Microsoft or Adobe. Also, make sure that your Java and Flash programs are updated so that your computer's security is free from loopholes. We hope these guidelines were helpful to you, and helped clear your doubts about the svchost.exe virus.