How to Easily Remove the Svchost.exe Virus
As an avid computer user, I've gotten infected by my share of adware, malware, worms, and other pesky, malicious programs that have slipped past my anti-malware and anti-virus protection. Because of this, I learned very quickly how to fix the problems these malevolent bits of code cause. In this article, I'll be helping you deal with one very annoying piece of malware that hides behind the name svchost.exe to wreck your computer.
This guide is only guaranteed to be useful to you if you suffer from the following:
- You have found a file named svchost.exe sitting directly in C:\Windows\ (not in C:\Windows\System32, where the real one lives). The rogue copy is generally about 20 KB, and if you attempt to delete it you will be told that it is in use and cannot be deleted.
- An anti-virus, anti-malware, or other program such as RKill.exe reports that it stopped or blocked a process whose path is \\.\globalroot\systemroot\svchost.exe. That is a raw NT object-namespace path; ordinary programs are not launched that way, which is why scanners flag it.
- An anti-malware or anti-virus program has detected a rootkit known as Rootkit.Boot.Pihar.b (a TDSS/TDL4 bootkit variant).
- An anti-malware or anti-virus program has detected a malicious file in C:\ProgramData\Microsoft\DRM\ with a somewhat random filename, usually four or five random characters with a .tmp extension. Your anti-virus or anti-malware program will usually label it Win32-Alureon. Warning: Alureon is known to steal usernames and passwords, including bank and credit card account information. Because of this, my best advice is to contact a computer specialist for full details on how to repair the possible damage. In addition, you may wish to contact your bank and credit card companies if you have used this information on the infected computer, and to change any passwords typed on it from a different, clean machine.
However, this article may still be useful for you, as the following information may be applied to remove and protect against other malicious programs.
What is Svchost.exe and What Does It Do?
Generally, svchost.exe is a legitimate program required by Windows. Its full name is Service Host: it is a generic host process for services that are implemented as dynamic-link libraries. In plain English: a good while ago Microsoft began shipping most core services as .dll files instead of separate .exe files. That meant fewer files, less disk space, and less memory, since several services could share one process. The catch is that a .dll cannot run on its own; it needs an .exe to load it. Thus svchost.exe was created, and each instance of it loads and runs a group of these service DLLs.
When svchost.exe is doing its job you will find multiple instances of it, one per service group. The only location it should be running from is C:\Windows\System32 (on 64-bit Windows a 32-bit copy also lives in C:\Windows\SysWOW64). The file size varies with the Windows version, but it is small, in the 20-30 KB range on the systems this article covers. Every legitimate instance is started by services.exe with a "-k <group>" argument. Because the name is so familiar, many different forms of malware like to disguise themselves as svchost.exe. The case I'm covering is not the blastclnnn.exe (Blaster worm) variant.
Malware, in general, wreaks havoc on your system, so it is always worth repairing it properly.
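The checks above (path, signer, parent process, -k argument) can be run in one go. The following PowerShell script is an added example, not part of the original article: it audits every running svchost.exe and then looks for the two file indicators listed earlier (a stray C:\Windows\svchost.exe and short .tmp files under ProgramData\Microsoft\DRM). It assumes PowerShell 3.0 or later in an elevated prompt. One caveat is coded in as a comment: on Windows 7/8 with a PowerShell older than 5.1, Get-AuthenticodeSignature does not see catalog signatures, so system files can report NotSigned there; treat the signature line as advisory on such machines and rely on the path and parent checks.

```powershell
# Added example (not from the original article): audit svchost.exe on a live system.
# Assumptions: PowerShell 3.0 or later, run from an elevated (Administrator) prompt
# so that every process's path and command line are readable.
# A legitimate svchost.exe (1) lives in %SystemRoot%\System32 (or SysWOW64 for the
# 32-bit copy on 64-bit Windows), (2) carries a valid Microsoft Authenticode
# signature, (3) is started by services.exe, and (4) is launched with "-k <group>".
# Caveat: before PowerShell 5.1, Get-AuthenticodeSignature ignores catalog
# signatures, so on Windows 7/8 the real svchost.exe may show as NotSigned.

$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Index every process by PID once so parents can be looked up cheaply.
$byPid = @{}
foreach ($proc in Get-CimInstance Win32_Process) { $byPid[[int]$proc.ProcessId] = $proc }

$report = foreach ($p in ($byPid.Values | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $path       = $p.ExecutablePath
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $flags      = @()

    if (-not $path) {
        $flags += 'path not readable (access denied, or hidden by a rootkit)'
    } else {
        if ($path -notin $expectedPaths) { $flags += "unexpected path $path" }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $flags += "signature $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $flags += "signed by $($sig.SignerCertificate.Subject)"
        }
    }
    if ($parentName -ine 'services.exe') {
        $flags += "parent is $parentName (PID $($p.ParentProcessId))"
    }
    if ($p.CommandLine -notmatch '(^|\s)-k\s+\S+') {
        $flags += 'no -k service group on the command line'
    }

    [pscustomobject]@{
        PID     = $p.ProcessId
        Parent  = $parentName
        Path    = $path
        Verdict = if ($flags) { 'SUSPICIOUS: ' + ($flags -join '; ') } else { 'ok' }
    }
}
$report | Format-Table -AutoSize -Wrap

# The two file indicators from this article: a stray svchost.exe directly under
# %SystemRoot%, and short randomly named .tmp files in ProgramData\Microsoft\DRM.
$stray = Join-Path $env:SystemRoot 'svchost.exe'
if (Test-Path -LiteralPath $stray) {
    $sig = Get-AuthenticodeSignature -FilePath $stray
    "Stray $stray found: $((Get-Item -LiteralPath $stray -Force).Length) bytes, signature $($sig.Status)"
}
$drm = Join-Path $env:ProgramData 'Microsoft\DRM'
if (Test-Path -LiteralPath $drm) {
    Get-ChildItem -LiteralPath $drm -Filter '*.tmp' -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}
```

A process whose path cannot be read at all from an elevated prompt is the most interesting result: that is what a rootkit hooking the process-information APIs looks like from user mode, and it is a cue to move on to the rootkit scanners in the steps below rather than trust anything the live system reports.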
Let's Get Started:
I will include download links to every program I mention directly beside the name of the program. All of the programs I mention are free for home use and have saved my behind on more than one occasion. Download them only from the developers' own sites, since fake copies of these very tools are themselves used to spread malware. I highly suggest keeping them around, at least on a thumb drive, for future infections.
1) Rkill.exe: Download.
Rkill.exe is quite possibly one of the most useful programs I've ever used. Your anti-virus may try to keep it from running because of what it does (it kills processes), so you may have to temporarily disable programs such as Avast! Anti-Virus before you run it.
To put it simply, Rkill looks for known-malicious or possibly malicious running processes and terminates them, then writes a log listing what it stopped. It does not delete anything; its job is to get the malware out of the way so the scanners in the following steps can run. It was using Rkill that I first learned of a computer being infected by svchost.
All you need to do is download it and run the .exe. After it has scanned for malicious processes and terminated them, simply close the window, making sure to note which programs it halted. Do not reboot at this point: the malware will simply start again, and you would have to run Rkill once more before continuing.
2) TDSSKiller.exe: Download is towards the bottom of the page.
TDSSKiller is Kaspersky's free tool for finding and removing the TDSS/TDL family of rootkits, which is exactly what this infection is. Simply download the .zip, extract it onto the infected computer, and run the .exe. Leave all the options at their defaults and hit scan. When the scan finishes it lists what it found: objects it classifies as malicious default to "Cure" (or "Delete"), and objects it merely considers suspicious default to "Skip." Leave each at its default and click continue; it will clean the malicious ones itself.
Note: There is a chance that this will prompt a reboot. Go ahead and do so. I'll wait.
3) aswMBR: Download to your desktop.
Just run the .exe and click the scan button. This will give you a good idea of where any rootkit is hiding. It will also create a file named MBR.dat on your desktop. Do not delete this! It is a backup copy of your master boot record (MBR), the very thing a bootkit like this one overwrites, and it is what you would need to restore if a later fix goes wrong.
It may also find the Alureon malware I mentioned earlier. Feel free to search it out, ensuring you can view hidden folders, and delete the files at their location.
4) Malwarebytes Anti-Malware (MBAM):
After installing and updating MBAM, just set it to a full scan of your computer, sit back, and relax. It may take a few hours. MBAM is a great tool to keep around in case of an infection; however, its real-time protection is only available in the paid version, so keep that in mind.
5) ESET Online Scanner: An in-browser scan that runs directly only in Internet Explorer. In any other browser it will instead ask you to download and install a small program on your computer. Go ahead and do so, following all the prompts.
When you go to scan, under scan settings, check "Scan archives" and check "Remove Found Threats." Then click advanced settings and select the following:
- Scan potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
ESET will download, update itself, and start scanning your computer. This may take awhile.
We're Almost Done!
The last thing you need to do is make sure your computer's hosts file (C:\Windows\System32\drivers\etc\hosts) is repaired, as this malware usually edits it to redirect or block update and security-vendor sites. On Vista and later the stock file contains nothing but comments, so any active entry you did not add yourself is suspect.
6) Fix it: Click the "Fix it" button, and then just follow the prompts.
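If you would rather see what was changed before resetting it, the following PowerShell script is an added example, not part of the original article or of Microsoft's Fix it. It lists every active entry in the hosts file, flags redirects of a watch list of vendor domains (the list is constructed for the example; extend it with your own), flags loopback or 0.0.0.0 sinkholes of anything other than localhost, and provides a function that backs the file up and rewrites it to a comment-only stock state. It assumes PowerShell 3.0 or later in an elevated prompt.

```powershell
# Added example (not from the original article): audit the Windows hosts file and
# optionally restore it. Assumptions: PowerShell 3.0+, elevated prompt (the file is
# writable only by administrators). On Vista and later the stock hosts file holds
# only comments, so any active line is worth a look.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Constructed watch list: domains that malware commonly redirects to block updates
# and security tools. Extend it with your own vendors.
$watched = @('microsoft.com', 'windowsupdate.com', 'symantec.com', 'kaspersky.com',
             'mcafee.com', 'avast.com', 'eset.com', 'malwarebytes.org', 'bleepingcomputer.com')

function Get-HostsEntries {
    param([string]$Path = $hostsPath)
    $n = 0
    foreach ($raw in (Get-Content -LiteralPath $Path -Force)) {
        $n++
        $line = ($raw -split '#', 2)[0].Trim()          # drop comments
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        [pscustomobject]@{
            Line    = $n
            Address = $parts[0]
            Names   = @($parts | Select-Object -Skip 1)
        }
    }
}

function Test-HostsEntry {
    param($Entry)
    # Flag (a) any redirect of a watched domain and (b) loopback/0.0.0.0 sinkholes
    # of anything that is not plain "localhost".
    foreach ($name in $Entry.Names) {
        foreach ($w in $watched) { if ($name -like "*$w") { return "redirects $name" } }
    }
    if ($Entry.Address -in @('127.0.0.1', '0.0.0.0', '::1') -and
        ($Entry.Names | Where-Object { $_ -ne 'localhost' })) {
        return 'sinkholes a non-localhost name'
    }
    return $null
}

$entries = @(Get-HostsEntries)
if (-not $entries) { "$hostsPath has no active entries (stock state)." }
foreach ($e in $entries) {
    $why = Test-HostsEntry $e
    $tag = if ($why) { "SUSPICIOUS ($why)" } else { 'review' }
    '{0,-45} line {1,3}: {2} -> {3}' -f $tag, $e.Line, $e.Address, ($e.Names -join ' ')
}

function Reset-HostsFile {
    # Back the file up, clear read-only/hidden attributes that malware sets to
    # frustrate editing, write a comment-only stock file, and flush the DNS cache.
    Copy-Item -LiteralPath $hostsPath -Destination "$hostsPath.bak" -Force
    (Get-Item -LiteralPath $hostsPath -Force).Attributes = 'Normal'
    Set-Content -LiteralPath $hostsPath -Encoding Ascii -Value @(
        '# Host name to IP address mappings, one entry per line: <address> <name>',
        '# localhost name resolution is handled within DNS itself on this Windows version.',
        '#   127.0.0.1       localhost',
        '#   ::1             localhost'
    )
    ipconfig /flushdns | Out-Null
}
# Run Reset-HostsFile only after reviewing the listing above.
```

Two things the listing makes visible that a blind reset hides: which sites the malware was blocking (a hint at what it was trying to protect itself from) and whether the file had been made hidden or read-only, which is itself a sign of tampering.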
And that's all! Your computer should now be clean. One caveat: because this infection is a bootkit that also steals credentials, if any of the scanners keep finding it after a reboot, or if the machine holds anything truly sensitive, the only certain cure is to back up your data and reinstall Windows.
Always make sure that all Java and Adobe programs are kept up to date, as they are easily exploited. Also, ensure that your anti-virus and anti-malware programs are always kept up to date: even a day's worth of new viruses can severely damage your system! Finally, never click on untrustworthy links or download programs, such as toolbars, unless they come from companies or individuals you trust, such as Google, Yahoo, Microsoft, or any of the major tech websites that I have linked to for the downloads in this article. (Note: it is not uncommon for harmful software distributors to disguise themselves as Microsoft, so check the actual address you are downloading from, not just the name on the page.)
As a final note, I would like to thank all the programmers that created the programs I've used in this article. Not only have they saved my computer before, but if it were not for them, this guide would not have been possible.