Date of publication: 07/20/2010

Article updated 12/09/2011

Symptoms:
Your computer has suddenly started to freeze and slow down, even though you have an antivirus with up-to-date databases. Press Ctrl+Alt+Delete and open the Processes tab. You will see a list of all processes currently running, and one of them will be consuming a lot of computer resources (although you are not currently using any programs). That process will be called svchost (there will be several processes with the same name, but you need exactly the one that loads the system at 100%).

Solution:

1) First of all, try simply restarting your computer.
2) If after a reboot this process continues to load the system, then right-click on the process and, in the list that opens, select End process tree. Then restart your computer.
3) If the first two methods did not help, go to the Windows folder and find the Prefetch folder there (C:\WINDOWS\Prefetch). Delete this folder (delete exactly the Prefetch folder; DO NOT accidentally delete the Windows folder itself!!!). Next, repeat the second step (i.e. end the svchost process tree). Restart your computer.

How many svchost.exe processes should there be in total in the "Processes" tab?
The number of processes with this name depends on how many services are running through svchost. It may depend on the Windows version, the properties of your computer, etc. Therefore, there can be anywhere from 4 processes (the absolute minimum) to infinity with the name “svchost.exe”. On my 4-core computer with Windows 7 (including the services being launched), there are 12 svchosts in the “Processes” tab.

How to determine which one is a virus?
You can see in the screenshot above that in the “User” column next to each svchost there is the name of the account that launched the process. Normally, next to the svchosts it will say “system”, “network service”, or “local service”. Viruses launch themselves as a user (it may say “user” or “administrator”).

What is the svchost.exe process anyway?
Put simply, the svchost process is an accelerator for the launch and operation of services. svchosts are launched through the system process services.exe.

What happens if I click on “End process tree” and accidentally end a system svchost process, and not the virus itself?
Nothing bad will happen. The system will give you an error and restart your computer. After a reboot, everything will fall into place.

What viruses masquerade as svchost.exe?
According to Kaspersky Lab, the following viruses are disguised as svchost.exe: Virus.Win32.Hidrag.d, Trojan-Clicker.Win32.Delf.cn, Net-Worm.Win32.Welchia.a
According to unconfirmed reports, some versions of Trojan.Carberp also disguise themselves as svchost.exe

How do these viruses work?
These viruses, without your knowledge, access special servers, from where they either download something else dangerous, or send information to the server (namely your passwords, logs, etc.)

The svchost.exe process loads the system, but in the “User” column it says “system”. What is it?
Most likely, this means that some service is working hard. Wait a little and this process will stop loading the system. Or it won't stop... There are some viruses (for example, Conficker) that use real svchosts to corrupt your system. These are very dangerous viruses, and therefore you should check your computer with an antivirus (or better yet, several at once). For example, you can download DrWeb CureIt - it will find such viruses and remove them.

Why do you need to terminate the process tree and delete the Prefetch folder?
If you terminate the process tree of your system-slowing svchost, the computer will reboot immediately. And at startup, when the virus tries to start again, the antivirus (which you must have installed) will immediately detect and remove it. Although there are many modifications. For example, the original source of such a virus may be located in the Prefetch folder. This folder is needed to speed up the operation of services. Removing it will not harm your computer.

Your advice didn't help me. The svchost.exe process continues to load the system.
First of all, check your computer with an antivirus. Better yet, check your computer with several antiviruses.
I can also advise you to clean out the System Volume Information folder. This folder contains restore points for your computer. Viruses register themselves in this folder, since the system does not allow the antivirus to delete anything from this folder. But this is unlikely to be of use to you. I have not yet heard of such modifications of viruses that pretend to be svchost.exe and are located in the System Volume Information folder.

If you have any more questions, I will be happy to answer them.



Comments on the tip:

Thank you very much! Everything is clear and without water. All the unnecessary processes disappeared. Thank you!

Windows6.1-KB3102810 x86 (x64) - for 7, whose updater eats up a lot of RAM.

In short, I figured out why svchost was loading the CPU by 30%: the Spyware Process Detector utility (you can find it on the Internet with a crack) helped to uncover this mysterious process, and it turned out not to be some kind of malware, but an ordinary system process, Defrag.exe, and it was ratting. In short, I turned off the Disk defragmentation service, and svchost no longer occurs. The problem is solved.

I tried everything: I disabled the update center, deleted Prefetch, and ended the process tree. Nothing helps, svchost still loads 30%.

Ilya, thank you very much! It helped! I did everything as written. Only on my XP the service is called Automatic Update. After disabling autorun, as soon as I managed to stop the service, this process disappeared and the CPU load subsided. For those who don't care about XP or updates, I recommend this method.

Ivan, thank you very much for your comment) It helped. I denied access and everything returned to normal. Nothing helped before!

I deleted the Prefetch folder, but after a reboot it appears again, just like the problem with the RAM.

on Win XP I solved the problem simply - by disabling system updates. Probably the soft ones are in this way unobtrusively pushing users to leave XP and 7.

Rustam, the article clearly states that this folder is not for system files (which are located in windows folder). Here is a quote from the article "Removing it will not harm your computer." READ THE ARTICLE CAREFULLY, cykablyat!

I looked into the svchost folder, but found there only the root folders of all programs running on the computer. When deleting, a catastrophe could occur, but the main thing is: a complete shutdown of all life-supporting programs, which ultimately would lead to the fact that after a reboot the computer would stop working altogether, and I would have to reinstall Windows. So, I did not risk deleting the entire host folder. I will look for other solutions to problems. And for those who think that disabling the update solves the problem, I’ll say: I did this once, and the virus that got into the computer ate the entire motherboard and the hard drive stopped working. In fact, it starts the laptop, but immediately freezes and does not even respond to ctrl-alt-del. And on the start and shutdown button of the computer. I have to take out the battery... since then the laptop has been retired... not a single workshop will undertake to repair it. Some kind of nonsense.....

I demolished this folder - it helped. Thank you!

who can help with svchot? my contact details WhatsApp Viber +7 999 171 60 74 Skype West00073 I will be grateful. I tested the computer with everyone possible ways Does not help

who can help this SWSHOT just tortured me, tried everything. Is there anyone who can solve this issue?

All the methods indicated in the article did not help me, I decided to read the comments and they most often said that it was not a virus but updates and I turned off these updates and everything went away

Thank you!! took down the folder. corrected ;)

I apologize, my mistake. Other processes in System32.

What if the process that consumes the CPU is located not like all other svchosts in Win32, but in AppData\Roaming?

Thanks, I deleted the folder and everything is fine.

The advice from the comments from Roman on 08/30/2016 helped me, namely the second (additional) method, through Administration!

Thank you, everything fell into place!

Can I contact you on Skype?

If you are reading this article, then you have probably already noticed a system process called "svchost.exe". Moreover, it is usually not alone: it is accompanied by several other processes of the same name.

In a normal situation, this process does not affect the speed of the computer, and ordinary users do not pay attention to it. The situation is completely different when a process begins to “devour” from half to 100% of the computer’s resources, and not occasionally, but constantly. In this case, a radical solution to the problem is sometimes to roll back the system to a point when it worked normally. Such methods are not only unnecessary, but also not always helpful, so today we will tell you about simpler solutions to the problem of the svchost.exe process loading the computer's processor to full capacity.

What is svchost.exe

Let's start with the theory. Svchost.exe is a Windows system process that is responsible for launching various services on a computer (for example, the Print service or Windows Firewall). With it, several services can run on a computer at the same time, which can reduce the resources these services consume. In addition, the process itself can be launched in several copies. This is why there is always more than one svchost.exe process running in the Task Manager.

So why can svchost.exe create a high load on the computer’s processor and memory? On the Internet you can find the opinion that the svchost.exe process is started by a virus or is itself a virus. This is wrong. Strictly speaking, some viruses and Trojans can disguise themselves as it, creating an additional load on computer resources, but they are quite easy to identify and neutralize.

How to remove a virus disguised as the svchost.exe process

Launch Task Manager (using the keyboard shortcut Ctrl+Alt+Delete or from the menu Start > Programs > Accessories > System Tools) and open the "Processes" tab. The first column shows the process names, and the second shows the user on whose behalf each process was launched. Note that svchost.exe can only run as the users LOCAL SERVICE, SYSTEM (or “system”), and NETWORK SERVICE.

If you notice that the process is running on behalf of your user (for example, on behalf of User), then you have a virus. Since the real svchost.exe can only be launched by system services, it cannot be located in the current Windows user's “Startup”. Therefore, this is where we will look for a virus disguised as the svchost.exe system process. You can get to Startup in two ways: through a third-party program, or with standard Windows tools.

To get into Startup without installing additional programs, open Start and in the program search bar (in Windows XP - in Start > Run) type msconfig, then click OK. The System Configuration window appears. Go to the startup tab and carefully review the list of programs that start when the system boots. If you find an svchost.exe process in this list, you can be sure of its viral origin.

The real svchost.exe can be launched only from the folder C:\WINDOWS\system32, where "C" is the drive on which Windows is installed. (On a 64-bit operating system, the 32-bit version of svchost.exe is located in the C:\WINDOWS\SysWOW64 folder, and theoretically the process can also be launched from there. However, by default, all system processes in 64-bit Windows, including svchost.exe, are launched from C:\WINDOWS\system32.) In the screenshot above you can see that the file is located in the WINDOWS folder, and it is also called “svhost.exe”, not “svchost.exe”, which directly indicates its viral origin.

The list of the most favorite folders for masking a virus looks something like this:

C:\WINDOWS\svchost.exe
C:\WINDOWS\config\svchost.exe
C:\WINDOWS\drivers\svchost.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\sistem\svchost.exe
C:\WINDOWS\windows\svchost.exe
C:\Users\your-username\svchost.exe

The virus file may not only be located in one of the folders listed above (rather than in the standard folder where the real svchost.exe is located), but may also be named differently:

svhost.exe
svch0st.exe
svchost32.exe
svchosts.exe
syshost.exe
svchosl.exe
svchos1.exe

So, you found the svchost.exe virus in Startup. The first thing to do is disable its autorun by unchecking the checkbox next to it in the “Startup item” column. Now you need to end its process through the “Task Manager” (right-click the process > End the process) and delete the file itself. The full path to the file, as in the screenshot above, is always shown in the “Command” column. It is quite possible that the file will not allow itself to be deleted; in this case, first try restarting the computer and repeating the operation, or use Unlocker, a program for removing such “undeletable” files.

After this, it would be a good idea to also conduct an anti-virus scan of your computer. If you still do not have an antivirus installed on your computer, we recommend that you read our article.

There are no viruses in the system, but svchost.exe still loads the computer?

Have you found and neutralized all viruses on the system, or made sure that there are no viruses on your computer, but svchost.exe is still preventing you from working? Try to find out which program or service is using this process. This is easy to do with the simple free program Process Explorer. Very often the svchost.exe process is used by the Windows Update service, which automatically installs updates on your computer.

In this case, you can either wait until all Windows updates have been downloaded and installed, or temporarily disable automatic Windows updates. This can be done via Control Panel, in the section System and Security > Windows Update, by opening Parameter settings (in the side menu of the window) and selecting Don't check for updates in the drop-down list.

If disabling automatic updates did not help, you can check all other Windows services in the same way. You can stop or disable any Windows service through the Services snap-in. It's easy to get to: click Start > right-click Computer > select Management in the drop-down menu > go to Services and Applications > Services. Select the service you are looking for, right-click it and select Stop. If that service was the one loading the computer, then after it is stopped the svchost.exe process will stop loading your computer at 100%.

The problem with a freezing computer is probably familiar to everyone without exception. As a rule, this is blamed on viruses, poorly written programs, as well as simple overheating. From time to time, svchost.exe is the culprit. What kind of process is this, and why does this happen? Let's try to figure it out!

Virus or not?

Firstly, many people immediately succumb to panic. When they see svchost in the Task Manager, they immediately assume that an insidious virus has entered the computer. The latest antivirus (or better yet two) is immediately installed, after which the computer is scanned several times. If the user was so zealous that he installed two or three security applications at once, then the system is guaranteed to crash.

We warn you right away: this is not a virus, so do not rush to delete svchost.exe! What is this process then?

General information about the application

This is the name of a very important component responsible for launching the system's dynamic libraries (DLLs). Accordingly, both Windows Explorer itself and more than a thousand third-party applications depend on it. This especially applies to games that actively use these libraries via DirectX.

It is located at this address: %SystemRoot%\System32. By reading registry entries at each boot, the application generates a list of services that should be started. It should be noted that several copies of svchost.exe can be running at the same time (you already know what kind of process this is). The important thing is that each process may well contain its own group of services. This was done for maximum comfort in monitoring the operation of the system, as well as to simplify debugging in case of any problems.

All groups that are currently part of this process can be found in the following registry sections:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost;
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service.

All parameters that are available in these sections are visible as separate instances of svchost.exe (we have already explained what this is).

Each registry section that relates to them has a parameter of the form: REG_MULTI_SZ. It contains the names of all services available as part of a specific Svchost group. Each of them contains the name of one or more services, the description of which contains the ServiceDLL key.

This is what the svchost.exe file is.

How to check processes associated with Svchost?

To see all the services that are currently associated with this process, you need to do a few simple things.

  • Click on “Start”, and then find the “Run” command in this menu.
  • Enter there and then press ENTER.
  • After that, type or paste the following command into the command-line window that opens: Tasklist /SVC. Press ENTER again.
  • All processes will be displayed as a list. Attention! Be sure to include the /SVC switch, as it displays the active services. To get extended information about a specific service, use the following command: Tasklist /FI "PID eq process_id" (including quotes).
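
The Tasklist /SVC listing described above can also be read by a script. The following is an added example, not part of the original article: it parses a constructed sample of that table (wrapped rows included) and returns which services each svchost.exe PID hosts. The PIDs and service names in the sample, and the rule that an svchost.exe row with no services deserves a closer look, are assumptions of this example.

```python
"""Added example: map svchost.exe PIDs to hosted services from `tasklist /SVC` text."""
import re

# Constructed sample in the table layout printed by `tasklist /SVC`
# (English-language output assumed; PIDs and groupings are illustrative).
SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   612 N/A
svchost.exe                    872 DcomLaunch, PlugPlay, Power
svchost.exe                   1044 AudioSrv, Dhcp, eventlog,
                                   lmhosts, wscsvc
svchost.exe                   1180 wuauserv, BITS, Schedule
svchost.exe                   4312 N/A
"""


def parse_tasklist_svc(output):
    """Return one dict per process row: image name, PID and hosted services."""
    lines = output.splitlines()
    ruler = next((i for i, l in enumerate(lines) if l.startswith("=")), None)
    if ruler is None:
        raise ValueError("no column ruler found: not `tasklist /SVC` table output")
    spans = [m.span() for m in re.finditer(r"=+", lines[ruler])]
    if len(spans) != 3:
        raise ValueError("expected three columns (Image Name, PID, Services)")
    svc_start = spans[2][0]  # the Services column begins under the third ruler run
    rows = []
    for line in lines[ruler + 1:]:
        if not line.strip():
            continue
        head, tail = line[:svc_start], line[svc_start:]
        services = [s.strip() for s in tail.split(",")]
        services = [s for s in services if s and s != "N/A"]
        if not head.strip():
            # Wrapped row: a long service list continues on an indented line.
            if rows:
                rows[-1]["services"].extend(services)
            continue
        # Image names may contain spaces, so split the PID off from the right.
        image, pid = head.rsplit(None, 1)
        rows.append({"image": image.strip(), "pid": int(pid), "services": services})
    return rows


def svchost_report(output):
    """Return ({pid: [services]}, [pids of svchost.exe rows hosting no service])."""
    hosted, serviceless = {}, []
    for row in parse_tasklist_svc(output):
        if row["image"].lower() != "svchost.exe":
            continue
        if row["services"]:
            hosted[row["pid"]] = row["services"]
        else:
            # Heuristic of this example: svchost.exe exists to host services,
            # so a row without any is worth checking (path, account, parent).
            serviceless.append(row["pid"])
    return hosted, serviceless


def find_host(output, service):
    """Return the PID of the svchost.exe instance hosting `service`, or None."""
    hosted, _ = svchost_report(output)
    for pid, services in hosted.items():
        if service.lower() in (s.lower() for s in services):
            return pid
    return None


if __name__ == "__main__":
    hosted, serviceless = svchost_report(SAMPLE)
    for pid, services in sorted(hosted.items()):
        print(pid, ", ".join(services))
    print("svchost.exe without services:", serviceless)
```

Once the PID that is loading the processor is known from Task Manager, the returned mapping shows which services to examine one at a time.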

If you have problems

It often happens that after entering commands, the computer displays something unintelligible, like: “The command cannot be recognized.” Don't rush to enter it again.

As a rule, this happens because you are working under an account whose rights are simply insufficient to perform this kind of action. It doesn't matter whether you have an administrator account or not. To correct the situation, the command line should be launched in a slightly different way.

To do this, click on the “Start” button, then enter CMD in the “Search” field. A list of found files will open on the right side of the menu. Right-click on the first of them (with the corresponding name), and then select “Run as administrator” in the context menu that appears.

So we have given you the basic information. Now let's look at those malicious programs that can masquerade as a harmless system application.

How to separate the wheat from the chaff?

Look carefully at the process name: it should be written as sVChost! There are some Trojans that masquerade as sVHost that are very common. If you see something like this in your “task manager”, then in this case it is indeed time to completely scan the system for the presence of malicious applications.

Especially “advanced” viruses and Trojans can still masterfully camouflage themselves by having exactly the same name as the real process. But even they can be distinguished with 100% probability by paying attention to the most characteristic signs. Let's look at them.

Firstly, a real system process is never (!) launched as a regular user. Its start can be initiated by SYSTEM, LOCAL SERVICE, and NETWORK SERVICE. What is more important is that it does not start (!) when the system starts using startup tools. Accordingly, the list of programs that start simultaneously with the system should under no circumstances include svchost.exe. What is the process in this case?

If you see something like this, then there is only one reason - a virus.

Checking startup

Don't know how to do this? Everything is very simple! First, click on the “Start” button and left-click on the “Run” field. Then enter the MSConfig command there. A list of all applications launched at startup will open, which you need to carefully review.

If there are many svchost.exe entries there (or even one), then you will definitely have to think about how to remove them from your computer.

What to do if a “spy” is detected?

As we have already said, in this case it is most reasonable to scan the OS with a powerful antivirus program. But before that, it won’t hurt to perform a series of simple actions that completely block any opportunity for the virus to harm you. In general, the svchost.exe virus has spread widely across the RuNet in recent years. As a rule, malware that specializes in stealing users' personal data operates under the guise of a normal system process.

First, in the “File location” line, find the specific folder in which the virus file is located. Select the entry in the list with the left mouse button and click the “Disable” button. Click “OK”, then go to the directory with the file and delete it. That's all. Now the system can be scanned with an antivirus.

The process is very CPU intensive. Why does this happen and what should I do?

So we are back to the beginning of our article. Do you remember that sometimes due to svchost.exe (what kind of process this is, we have already explained in detail) the computer begins to slow down and “hang”? Why is this happening? And how can you overcome this phenomenon without reinstalling the system?

The simplest way

There is a fairly simple and effective recommendation that helps in many cases. Open the “Task Manager”, look for the svchost process there, then right-click on it and select “Priority/Low”. It should be noted that this must be done with each process of the same name that is in the “Task Manager”.

We remind you once again: if you see the svchost.exe file (you already know what it is), under no circumstances rush to delete it, suspecting it is a virus!

Windows Update Service

Often on Windows XP the problem of almost 100% load from svchost is caused by the update service not working correctly. Some computer sites have found an explanation for this phenomenon.

The issue is an incorrect update-checking mechanism. Given the number of patches released for this system, a small error in memory allocation turned into a serious problem: the computer not only works slowly, but can also spend days searching for “patches”, freezing now and then as it does so.

How to disable the problematic service?

To temporarily disable Windows Update, go to the “Control Panel” and find the “System and Security” item there. It is there that the desired “Windows Update” is located, in which we are interested in the “Turn on or off automatic updates” item. Check the box next to “Do not check for updates.” Click on OK and reboot the machine.

If after this everything is fine, and the processor is not in a “dead” state most of the time, then the culprit of all the problems was indeed the update service. In the event that the problem continues to occur after this, return Windows Update to the initial state, after which we continue to look for the culprit of all misfortunes.

Internet Browser

However, take your time. In many cases the culprit is Internet Explorer. Remember how at the very beginning of the article we discussed the importance of svchost for Explorer? The Internet browser is an important integral part of the file manager in operating systems of the Windows family.

Problems with it very often begin when the IE version is very outdated. For example, Microsoft itself has for a very long time not recommended using the sixth version of Internet Explorer on Windows XP.

Accordingly, the fix in this case is quite simple. Use the Windows Update service mentioned above. Download and install all the latest updates for your operating system version, and install a new version of IE. It is possible that this measure will help you.

Games

Watch which applications you try to launch just before the processor becomes overloaded. In addition, you should be wary of “svchost.exe application error” messages, which are an almost 100% indicator that some third-party application is to blame for the system’s inappropriate behavior.

Most often, this program is a game downloaded by its happy owner from some “left” site. Those who have made modifications to the program code, removing protection from it, rarely test their creation for full compatibility with certain systems, their DLLs, etc. So there is nothing to be surprised in this case.

"Bat"

In rare cases, owners of old versions of The Bat mail program encounter this problem, which for one reason or another many people continue to use. Try uninstalling the application. After this, install the latest version of the utility, and then look at the computer’s behavior again.

Drivers

Very often, after transferring a system to another disk, after serious errors in the file system, or after a virus attack, users are faced with an OS that is completely frozen because of svchost.exe. “How do I remove this malicious process?” novice users think.

We warn you again: deleting this file will lead to dire consequences and complete inoperability of the system, so before taking extreme measures, it is better to read our next piece of advice.

There is information that the svchost.exe process, the error of which spoils so many nerves for users, may not work correctly due to incorrectly installed or “crooked” drivers. Very often it turns out that the cause is programs for video cards and sound cards. The drivers for these are complex and unpredictable, so if possible, remove them and then install the latest (or most stable) versions.

Windows Defender

Owners of Windows Vista/7 should pay attention to the program “Windows Defender”, included in the standard package of these operating systems. It serves to prevent malware from entering the system, but sometimes it behaves no better itself.

Problems arise if the installed third-party antivirus software for some reason does not deactivate “Defender”. This is especially true for all Eset Nod products, which were extremely popular with many domestic users in the recent past.

To correct this situation, click on the “Start” button, go to “Control Panel”, and then find “Defender” in it. In its main window there is an item “Run scan when idle.” Uncheck it, click OK. In some cases this measure turns out to be useful.

We hope you found out what the svchost.exe program is. We talked in detail about its purpose, as well as methods for eliminating problems with it. Typically, the troubleshooting methods we provide work. All you need to do is strictly follow the instructions in the article.

In addition, it does not hurt to update the system on time.

Computer users want their machines to work as quickly as possible and not slow down. In search of “brakes,” they turn to the task manager to detect resource-intensive processes and unload them from memory. Often svchost.exe is visible in the list of processes. This program runs in many copies, and consumes a lot of RAM.

The natural question is: is it a virus or other malicious software if it overloads the computer like this? And another question: is it possible to delete svchost.exe and do without it. Usually the answer is negative to both questions: it is not a virus and it is almost impossible to do without it. But first things first…

svchost.exe is a system process in Windows starting from version 2000. This is the main process that helps run dynamic library services. If you delete the svchost.exe file, the computer will work... only several times slower than usual. The situation is not so paradoxical: although the system service takes up a lot of RAM, without it the ROM load would only be higher. The CPU load will also be high.

svchost.exe virus

But still, sometimes it is necessary to delete svchost.exe. More precisely, not the file itself, but viruses and Trojan horses masquerading as this application. It is easy to distinguish them: although the original system process also creates many copies, the malware is located in any directory except the system one.

It is also useful to know that you can spot such a program in the task manager by noticing that it runs as a user. In some cases, viruses use a genuine system service to cause damage.

There is no need to raise an alarm and worry about the fact that svchost.exe runs in ten copies. There are many dynamic services in the system; one process may not be enough for all of them. Then several copies are turned on at once, each with its own identifier. But we must also look at its origin carefully.

The real process runs from the folders: ServicePackFiles\i386, system32, Prefetch, winsxs\ (all inside C:\WINDOWS). If you notice that svchost.exe was launched from somewhere else, then this is a bad sign (as is the situation with a name that differs “just a little” from the original).

In such cases, run a full antivirus scan until you get rid of the malware.

The system file svchost quite often becomes a target for hacker attacks. Moreover, virus writers disguise their malware under its software “appearance.” One of the most prominent representatives of the “false svchost” viruses is Win32.HLLP.Neshta (Dr.Web classification).

This “impostor” copies itself into a Windows directory, infects files with the “exe” extension and takes away system resources (RAM, Internet traffic). However, it is capable of other nasty things too. There are known cases of infection where the svchost virus loads the computer's RAM by 98-100%, disconnects the Internet channel, and disrupts the functioning of the local network.

svchost files - good and evil, or who is who

The whole difficulty of neutralizing viruses of this type is that there is a risk of damaging/deleting a trusted Windows file with the same name. And without it, the OS will not work; you will have to reinstall it. Therefore, before we begin the cleaning procedure, let’s get acquainted with the special signs of a trusted file and a “stranger”.

True Process

Manages system functions that are launched from dynamic libraries (.DLL): checks and loads them. Listens to network ports and transmits data through them. It is in fact an official Windows application. Located in the directory C: → Windows → System32. In OS versions XP/7/8, in 76% of cases it has a size of 20,992 bytes. But there are other variants. You can find out more about them on the recognition resource filecheck.ru/process/svchost.exe.html (link - “29 more options”).

Has the following digital signatures (in the task manager, the “Users” column):

  • SYSTEM;
  • LOCAL SERVICE;
  • NETWORK SERVICE.

Hacker fake

May be located in the following directories:

  • C:\Windows
  • C:\My Documents
  • C:\Program Files
  • C:\Windows\System32\drivers
  • C:\Program Files\Common Files

In addition to alternative directories, hackers use almost identical names, similar to the system process, to disguise the virus.

For example:

  • svch0st (digit “zero” instead of letter “o”);
  • svrhost (instead of “c” the letter “r”);
  • svhost (no “c”).

There are countless versions of the “free interpretation” of the name. Therefore, it is necessary to pay special attention when analyzing existing processes.

Attention! The virus may have a different extension (other than exe). For example, “com” (Neshta virus).
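
The checks this page describes for telling the real process from an impostor (file name, launch directory, launching account) can be combined into one routine. The following is an added example, not code from any of the articles: the process records are constructed, the edit-distance threshold, the character-swap table and the sihost.exe exception are assumptions, and the trusted directories are the system32 and SysWOW64 folders named earlier on the page.

```python
"""Added example: triage process records for svchost.exe impostors."""
import ntpath

GENUINE_STEM = "svchost"
# Accounts the page lists for the real process (Task Manager "User" column).
SERVICE_ACCOUNTS = {"system", "local service", "network service"}
# Assumption: genuine Windows binaries whose names fall within the threshold.
KNOWN_GOOD = {"sihost.exe"}
# Assumption: character swaps used to imitate the name (digits, Cyrillic letters).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "\u0441": "c", "\u043e": "o"})
MAX_DISTANCE = 2  # assumption: covers every look-alike name listed on the page


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_name(image_name):
    """Return 'genuine', 'lookalike' or 'other' for a process image name."""
    base = image_name.strip().lower()
    stem, ext = ntpath.splitext(base)
    if stem == GENUINE_STEM and ext in ("", ".exe"):
        return "genuine"
    if base in KNOWN_GOOD:
        return "other"
    # svchost.com, svch0st.exe and svhost.exe all end up within the threshold.
    if edit_distance(stem.translate(HOMOGLYPHS), GENUINE_STEM) <= MAX_DISTANCE:
        return "lookalike"
    return "other"


def check_process(name, path, user, windows_root=r"C:\Windows"):
    """List the reasons a process record looks like an svchost.exe impostor."""
    kind = classify_name(name)
    if kind == "lookalike":
        return ["look-alike name"]
    if kind == "other":
        return []
    findings = []
    trusted = {ntpath.join(windows_root, d).lower() for d in ("System32", "SysWOW64")}
    if not path:
        findings.append("path unavailable")  # e.g. listing taken without admin rights
    elif ntpath.dirname(ntpath.normpath(path)).lower() not in trusted:
        findings.append("unexpected directory")
    # Accept both the short and the domain-qualified spelling of the account.
    account = user.rsplit("\\", 1)[-1].strip().lower()
    if account not in SERVICE_ACCOUNTS:
        findings.append("unexpected account")
    return findings


# Constructed sample records: (pid, image name, full path, user).
SAMPLE = [
    (872, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM"),
    (944, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe", "NETWORK SERVICE"),
    (2140, "svchost.exe", r"C:\Windows\svchost.exe", r"NT AUTHORITY\SYSTEM"),
    (3020, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", r"DESKTOP\alice"),
    (3188, "svch0st.exe", r"C:\Windows\System32\svch0st.exe", r"NT AUTHORITY\SYSTEM"),
    (3344, "svchost.com", r"C:\Windows\svchost.com", r"DESKTOP\alice"),
    (3500, "sihost.exe", r"C:\Windows\System32\sihost.exe", r"DESKTOP\alice"),
]


def triage(records):
    """Map pid -> findings for every record that raised at least one finding."""
    flagged = {}
    for pid, name, path, user in records:
        findings = check_process(name, path, user)
        if findings:
            flagged[pid] = findings
    return flagged


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE).items():
        print(pid, ", ".join(findings))
```

On Windows 10 and later, per-user services also run svchost.exe under the logged-on account, so an "unexpected account" finding on its own is a reason to inspect the process, not proof of infection.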

So, knowing the enemy (the virus!) by sight, you can safely begin to destroy it.

Method number 1: cleaning with Comodo Cleaning Essentials utility

Cleaning Essentials is an antivirus scanner. Used as an alternative software tool for cleaning the system. It comes with two utilities for detecting and monitoring Windows objects (files and registry keys).

Where to download and how to install?

1. Open comodo.com (the official website of the manufacturer) in your browser.

Advice! It is better to download the utility distribution kit on a “healthy” computer (if possible), and then run it from a USB flash drive or CD.

2. On the home page, hover over the “Small & Medium Business” section. In the submenu that opens, select the Comodo Cleaning Essentials program.

3. In the download block, in the drop-down menu, select the bitness of your OS (32 or 64 bit).

Advice! The bit depth can be found through the system menu: open “Start” → enter “System Information” in the line → click on the utility with the same name in the “Programs” list → look at the “Type” line.

4. Click the “Free Download” button. Wait until the download completes.

5. Unpack the downloaded archive: right-click on the file → “Extract all...”.

6. Open the unpacked folder and double-click the “CCE” file with the left mouse button.

How to configure and clean the OS?

1. Select “Custom scan” mode.

2. Wait a little while the utility updates its signature databases.

3. In the scanning settings window, check the box next to drive C and enable checking of all additional elements (“Memory”, “Critical Areas..”, etc.).

4. Click "Scan".

5. Upon completion of the scan, allow the antivirus to remove the detected impostor virus and other dangerous objects.

Note. In addition to Comodo Cleaning Essentials, you can use other similar antivirus utilities to clean your PC. For example, Dr. Web CureIt!.

Helper utilities

The Cleaning Essentials treatment package includes two auxiliary tools designed for real-time system monitoring and manual malware detection. They can be used if the virus cannot be neutralized during the automatic scanning process.

Autorun Analyzer is an application for quick and convenient work with registry keys, files and services. It determines the location of the selected object and, if necessary, can delete or copy it.

To search for svchost.exe files automatically, open the “File” section, select “Find” and specify the file name. Analyze the found processes, guided by the properties described above (see “Hacker fake”). If necessary, remove suspicious objects via the utility's context menu.

KillSwitch monitors running processes, network connections, physical memory and CPU load. To catch a fake svchost using KillSwitch, follow these steps:

  1. On the System tab, open the Processes section.
  2. Analyze all activated svchost processes:
    • right click on the file;
    • select "Properties";
    • look at its current directory. If it is different from C:\Windows\system32\, it is most likely that the object being examined is a virus.

If malware is detected:

  1. Additionally, look at the “Rating” column (safe) and the signature in its field.
  2. If these properties also do not match the characteristics of the trusted system file, open the context menu again (right-click) and run the “Suspend” and “Delete” functions in sequence.
  3. Continue checking: the virus may have created and launched copies of itself. It is also imperative to get rid of them!

Method No. 2: using system functions

Checking startup

  1. Click "Start".
  2. Type msconfig in the search bar and press Enter.
  3. In the System Configuration window, go to the Startup tab.
  4. View the commands (Command column) that run elements at Windows startup, and their location (directories, registry keys in the “Location” column):
    • Disable all directives containing svchost (click the checkbox next to the entry). This is 100% a virus. The system process with the same name is never registered in startup.
    • Open the malware directory (listed in “Location”) and delete it. To neutralize a key in the registry, use the standard regedit editor: “Win + R” → regedit → Enter.

Analysis of active processes

  1. Press "Ctrl + Alt + Del".
  2. Click on the “Processes” tab.
  3. Check the properties of all active svchosts (name, extension, size, location). When analyzing, rely on the data from the filecheck.ru service and the characteristics given in this article.

Right-click on the image name. From the menu, select Properties.

If a virus is detected:

  • in the properties of the object, find out its location (copy or remember);
  • click “End process”;
  • go to the malware directory and remove it using the standard function (right-click → Delete).

If it is difficult to determine: trusted or virus?

Sometimes it is difficult to say for sure whether svchost is real or fake. In such a situation, it is recommended to carry out additional detection using the free online scanner VirusTotal. This service uses 50-55 antiviruses to scan an object for viruses.

  1. Open virustotal.com in your browser.
  2. Click Select File.
  3. In Windows Explorer, open the directory of the process that you want to check, select the file by clicking on it, and then click “Open”.
  4. To start scanning, click “Check!” The file will be uploaded from the PC to the service and scanning will begin automatically.
  5. Review the test results. If most antivirus programs detect an object as a virus, it must be removed.