As an avid computer user, I've gotten infected by my share of adware, malware, worms, and other pesky, malicious programs that have slipped by my anti-malware and anti-virus protection. Due to this, I learned very quickly how to fix the problems these malevolent bits of code would cause. In this article, I'll be helping you deal with one very annoying bit of malware that uses svchost.exe as a guise to decimate your computer.
This guide is only guaranteed to be useful to you if you suffer from the following:
- You have found a file in your C:\windows\ titled svchost.exe. This file will generally be 20kbs, and if you attempt to delete it you will be notified that it is in use and cannot be deleted.
- If an anti-virus, anti-malware, or other program such as RKill.exe stops or blocks a program from running with the title \\.\globalroot\systemroot\svchost.exe
- An anti-malware or anti-virus program has detected a rootkit known as Rootkit.Boot.Pihar.b
- An anti-malware or anti-virus program has detected a malicious file known to show up in C:\ProgramData\Microsoft\DRM\ with a somewhat random filename, usually consisting of four or five random characters. This file is usually a .tmp. Your anti-virus or anti-malware program will usually label it Win32-Alureon. Warning: Alureon is known to steal usernames and passwords, including bank and creditcard account information. Due to this, it is my best advice to contact a computer specialist for full details on how to repair the possible damage. In addition, you may wish to contact your bank and credit card companies if you have used this information on the infected computer.
However, this article may still be useful for you, as the following information may be applied to remove and protect against other malicious programs.
What is Svchost.exe and What Does It Do?
Generally, svchost.exe is a non-malicious program required for Windows. It's a generic host process name for services that run from dynamic-link libraries. However, I'll put that into plain English for you: A decent while ago Microsoft began moving all their core files into .dll files instead of .exes. This led to less files, saving on space, and letting systems run faster. The problem, however, is that Windows requires an .exe to run these .dll files. Thus, svchost.exe was created to run a number of these processes.
When svchost.exe is doing its job you may find multiple instances of it. However, the only location it should be running from is C:\Windows\System32. In most cases, it will be about 27KB large. Generally, many different forms of malware like to hide themselves as svchost.exe. The case I'm covering is not associated with the blastclnnn.exe variant.
Malware, in general, wreaks havoc on your system, so it is always nice to repair it.
Let's Get Started:
I will include download links to every program I mention directly beside the name of the program. All of the programs I mention are completely safe, 100% free, and have saved my behind on more than one occasion. I highly suggest keeping them around, at least on a thumbdrive, for future infections.
1) Rkill.exe: Download.
Rkill.exe is quite possibly one of the most useful programs I've ever used. Your anti-virus may try to keep it from running due to what it does, so you may have to disable programs such as Avast! Anti-Virus before you run it.
To put it simply, Rkill searches out malicious, or possibly malicious programs, and terminates them, generating a list of terminated processes. It was using Rkill that I first learned of a computer being infected by svchost.
All you need to do is download it and run the .exe. After scanning for malicious processes and terminating them, simply close the window, making sure to note what programs it halted.
2) TDSSKiller.exe: Download is towards the bottom of the page.
TDSSKiller is a wonderful program meant to find and delete the ever-malicious rootkit. Simply download the .zip, extract it onto the infected computer, and run the .exe. Leave all the options set to their defaults and hit scan. After the scan, it will take care of any malicious files itself (if any.) Leave the options for each of them as their default (that being skip) and click continue.
Note: There is a chance that this will prompt a reboot. Go ahead and do so. I'll wait.
3) aswMBR: Download to your desktop.
Just run the .exe and click the scan button. This will give you a good idea of the location of possible rootkits. It will also create a file named MBR.dat on your desktop. Do not delete this! It is a backup copy of your master boot file.
It may also find the Alureon malware I mentioned earlier. Feel free to search it out, ensuring you can view hidden folders, and delete the files at their location.
After installing and updating MBAM, just set it to a full scan of your computer, sit back, and relax. It may take a few hours. MBAM is a great tool to keep around in case of an infection, however, the active protection is only usable by premium members, so ensure to keep that in mind.
5) ESET Online Scanner: In-browser scan, through Internet Explorer only. If in another browser, it should ask you to install the program on your computer. Go ahead and do so, following all the prompts.
When you go to scan, under scan settings, check "Scan archives" and check "Remove Found Threats." Then click advanced settings and select the following:
- Scan potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
ESET will download, update itself, and start scanning your computer. This may take awhile.
We're Almost Done!
The last thing you need to do is ensure that your computer's HOST file is repaired, as it is usually damaged by svchost.exe.
6) Fix it: Click the "Fix it" button, and then just follow the prompts.
And that's all! Your computer should now be clean.
Always make sure that all Java and Adobe programs are kept up-to-date, as they can be easily exploited. Also, ensure that your anti-virus and anti-malware programs are always kept up to date: Even a day's worth of new viruses can severely damage your system! Finally, never click on untrustworthy links or download programs, such as toolbars, unless they are guaranteed to be from trusted companies or individuals, such as Google, Yahoo, Microsoft, or any of the major tech websites that I have linked to for various downloads in this article. (Note: It is not uncommon for harmful software distributors to disguise themselves as Microsoft.)
As a final note, I would like to thank all the programmers that created the programs I've used in this article. Not only have they saved my computer before, but if it were not for them, this guide would not have been possible.
This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.
Alireza on December 16, 2018:
thank you so much
RepublicOfGamers on July 05, 2018:
Thank you now i can be gaming again with high performance malwarebytes premium found the same malware quarantined it restart threat scan same malware quarantine restart threat scan same malware it continued again and again after usig Rkil.exe it removed it once and for all malwarebytes premium no longer found the same malware trojan virus again
Faby on February 21, 2018:
Man, this is pure gold. You saved my PC. I love you.
Varga Istvan on February 03, 2018:
Do not help with anything! Even if he finds something suspicious, he does not solve it! Each time you start, the error svchost.exe does not working !
Savagality on June 06, 2017:
Hoping this works, I own a server that sells a very big exploit; currently have 8k+ people. Haven't been able to get on and check the server lately, This gives me hope though. Will use this as soon as I get home! (:
james madinton on January 28, 2017:
great post thx, it did not find the source of my svchost problems, maybe they are too new, but this list does have very thorough scans. you may want to update the malwarebytes section to turn the "scan for rootkit" option on as it is set off by default.
Dani on November 12, 2016:
thank you so much...
Daniel Van der Mallie (author) from Portsmouth, Ohio, USA. on February 28, 2016:
to Lee22, I just fixed the link. Kaspersky changed the url for it. Hopefully that helps.
Lee22 on August 18, 2015:
Where is the TDSSKiller.exe ??
sdfh on January 06, 2015:
TDSS killer caused my PC to not boot up anymore
Larry Hoezee on November 04, 2014:
This is a useful resource and I've bookmarked it for future reference.
Thanks for the post.
Please also read www.antivirusremovaltool.com/what-is-a-trojan-virus/
If you know of any other antivirus or malware sites you could recomment, please pass that along.
Miriam on September 01, 2014:
ESET did it!! Thank you so much! God bless you!!
hotpockets on July 10, 2014:
Zeraq on June 07, 2014:
Lol that saved my ass.. CPU usage dropped down to 10% below after using Rkill, :P
VS on May 16, 2014:
This did magic !! Thanks !
Leigh-Stuart on May 07, 2014:
It helped immensely, thank you heaps! :-)
Hopeful on April 09, 2014:
Update: Still good 3 days later.
Hopeful on April 05, 2014:
Well, my block only worked until shutdown. Then my computer would not boot properly. Like many others, aswmbr, tdsskiller, and malwarebytes was of no use. ESET online scanner detected a bad rpcss.dll, but was unable to do anything. Maybe repairs are different based upon your infection. I have found success using the following programs and running them all as an administrator - RKill then the installed version of ESET then RogueKiller then HitmanPro. When I downloaded them, I used "Save As" to change the files names hoping the virus/trojan/whatever would not block them. I closed all open programs, closed my internet connection (removed my wifi dongle) and shut down my firewall and antivirus before each install. If something needed to download new definitions, I put up the firewall and antivirus first, went back online to download definitions, removed my wifi dongle after update, shut down the firewall and antivirus, and then proceeded with whatever scans were needed. HitmanPro has a function that can replace corrupted essential files (yea! bye-bye corrupted rpcss). I went through this sequence twice to ensure removal. I also used FileASSASSIN from Malywarebytes to delete a few files that HitmanPro identified, but could not delete. So far, my system starts fine and there are no ads playing in the background. Task Manager has not looked this clean in a long time. Lastly, I installed Malwarebytes Anti-Exploit kit because it is supposed to shield me from future hits. Although their anti-malware software did not find the problem this time, Malwarebytes has been helpful in the past. I have never used them for real-time protection, but am willing to give it a try. Hope someone finds this helpful. By the way, my PC uses Windows Vista. God bless.
DoubleX on April 02, 2014:
It did not work, TDSS detected the first time, removed it, restarted comp, re-scan it with TDSS and nothing, but the virus is still there, seems to adapt to TDSS. Samething with MalwareBytes, scanned, removed, restarted comp and was not able to find the virus anymore, but the virus still pops up and was MalwareBytes was not able to detect it anymore. Rkill simply just did not work.
Going crazy on March 30, 2014:
I've been having the same issue as shorty and hopeful this seems like a newer version of the goddamm annoying Ads playing In the background virus that is not being fixed by any of of the anti virus programs above and a host of other other that ive tried, the only way to disable is for now is going into to task manager and suspending svchost, terminating it just restarts it again after a few minutes, any one know how to fix this problem, tdskiller is not detecting anything and rkill don't even work it crashes after a while even in safe mode mdam detects a malicious website like shorty said but dosnt do anything to stop it, this is driving me nuts
Hopeful on March 30, 2014:
I used Windows Task Manager to look at the services PID and compared them to the PID for the active processes listed in Comodo. When I found a PID in Comodo that was not listed in Task Manager, I terminated and blocked it. The svchost.exe that was using over 400,000 K of memory disappeared and my background audio ads stopped. Hopefully, this will last through a restart.
Shorty on March 24, 2014:
Hi i have installed MBAM and TDSkiller and both cannot detect svchost.exe as malware BUT MBAM keeps giving me a pop up that it has blocked a "Malicious Website" outbound with an ip address from Germany with the ports randomly rotating apart from this i have no other issues. can't i just manually delete this file and "POOF" problem solved? HELP PLEASE ITS DRIVING ME NUTS
thatguy on March 21, 2014:
hi im that guy and im here to put some random comment that will probably not help your case, thank you for your time, take care now and bye
ravi on January 14, 2014:
I still have issues, may be I am missing the obvious please help me
1. RKill terminates 3 processes and they once again start once I restart the problem
2. TDSkiller cured 1 threatand now not finding anything
3. ASWMBR finds threats but doesn't eliminate, how can those be eliminated
4. MBAM found 800+ threats all cured
5. online EST found 70+ threats but failed to eliminate 6 of them.
Benefit is after running all of these my PC becomes reasonably faster but once I restart the problem starts all over again. To top it all there are still 11 Svchost there in task manager and memory leakage is also there.
Josh on January 14, 2014:
Almost bought a new PC, but this worked great. Thanks a lot
sai on December 08, 2013:
it is not downloading
Scotttttt1970 on November 23, 2013:
I got rid of the problem with HitMan pro, and then the Fix it link on this page. Free and Fast.
Anyone on October 22, 2013:
Hey wats the problem? I just cannot download Rkill.
Anymous on October 22, 2013:
My computer was lagging every time when i start it. Now, it's clean and fast like new! THANKS MAN! YOU ARE SUCH A GREAT MAN!
Dymolishn on September 12, 2013:
Another success here. Stumbled upon malware that had random ads running in the background with no windows open...even after reboot from the desktop (as long as I had an internet connection).
I had tried everything under the sun for a day or so. Talked with IT guy I know and spoke with 2 repair shops thinking I would have to pay someone to fix my problem. Noticed that Malwarebytes keep blocking access to certain IP addresses and indicating that the process was "SVCHost.exe". Googled "SVCHost.exe" and found this site. With task manager open watching my my performance consistently at 100% CPU usage, finally managed to download all the necessary recommended programs and ran them in order. Within an hour my problem was resolved. TDSSKiller found the rootkit and cured it. Thanks a mill...I Luuuuuuv you 2 def!!!! You are a Godsend
beverly on July 21, 2013:
Tried these steps but did have some problems. While running aswMBR my computer shut down. I renamed it as instructed on the website and it shut down again. Tried to find "Lost and Confused" in the forum per the authors directions, but could not find that article either. Then when I went to ESET it wanted my IP address, port, username and password. IP address is on auto on my computer. Tried to find that info and enter it and it still would not let me do the scan. Other programs did find some items through and computer seems to be better than it was. At least all those voices I was hearing are gone (they were so bad if I did not mute my computer, they played all the time). I am no rocket scientist and this information was pretty simple, just had trouble with a couple of the websites working correctly. Thanks so much!! If anyone has any advice on the two I could not get to work, it would be appreciated.
krad650 on July 08, 2013:
Don't stop running all the recommended exe's in this article just because one of them found a threat.
I kept getting popups from my AV program that it blocked a Trojan attack every time after startup. The AV security history ID'd the IP number and that the attack resulted from /DEVICE/HARDDISKVOLUME3/WINDOWS/SYSWOW64/SVCHOST.EXE. Rkill found one threat but it wasn't until I ran ESET that it also found and disposed of 8 more, all variants of WIN32/KRIPTIK.BHFM Trojan.
So far, so good. Thanks for all the help.
Ivan on July 08, 2013:
tnx my computer is fast again :-)
you saved me...
zivija stari :-)
christine on July 06, 2013:
never mind when i printed out instructions it cut off some of the words had to go back to site to reread.....lol
christine on July 06, 2013:
it says download the tdsskiller.zip to computer .exe......where is that
jmd4 on July 03, 2013:
Beware of possible unexpected consequences following these or any other procedures involving executables that you didn't write and test yourself !!
I've had a consumptive svchost.exe for months now and I thought this was going to be a quick solution. Well, it was an eventual solution, for which I thank the author, but it was a bumpy road. Rkill found the rootkit problem in my recycle bin (where Windows Defender had also reported it, but in a directory I couldn't see; Defender however was unable to remove it despite claiming success). Rkill did its thing and found "ZEROACCESS rootkit symptoms" in my recycle bin, "fixed" things, and Windows thenceforth complained that my recycle bin was corrupted; attempts to empty it failed, and attempts to manually delete it also failed ("access denied", even with admin privileges in a DOS window). I eventually renamed $Recycle.bin (which surprisingly it let me do), and a new $Recycle.bin was created the next time I deleted a file. I still can't delete the renamed recycle bin, but I can live with that.
Incidentally, I'm almost positive that I contracted this problem when updating my Adobe Flash player (to version 11 I think it was) at the behest of youtube, which claimed it otherwise couldn't properly display certain videos. It resulted in the flash player crashing right and left, and so I reverted back one version (which was still a newer version than what I had before) and everything was ok with Flash player and youtube, but then the trouble with svchost.exe started, and the dates on the unremovable files in the old recycle bin support this.
So finally I can use the internet without having to manually kill the one svchost process every 90 seconds. I was on the verge of writing a scheduled script to do it.
eddy on June 30, 2013:
i think it worked hopefully I wont have anymore problems thank a lot
jam on June 23, 2013:
i tried all the steps involved.. many viruses were found but the svchosts still exists... not 1 but 11 of them in the task manager
jam on June 22, 2013:
the TDSSKiller displayed that there were no threats found .. and all the svchosts are still there.. getting displayed in the task manager :( any help will really be appreciated.
alfadebi on June 02, 2013:
Great step by step instructions. Resolved multiple problems in several steps. Nice to have a functioning computer again. THANK YOU!!!
Jay.C on May 28, 2013:
it did work to me at the step 2 (TDSSKiller)
Eagle Sun2009 on May 25, 2013:
Super! My computer actually was seriously compromised with a Svchost.exe virus and It was freezing whenever I turned on my computer. The problem originated from using unsafe web based video conversion services. Using your approaches, I was able to clean up my computer and it is back to normal now. You save a lot of my work and time. Thank you so much for your contributions that make my life a lot easier.
Brian on May 20, 2013:
Where can I download tdsskiller.exe?
Bogdan on April 24, 2013:
Paul H on April 11, 2013:
Was about to give in and take my laptop to a repair shop until I found this page. TDSSKiller.exe is what did it for me.
My thanks to the author!!!
Brad Goetsch on April 03, 2013:
Worked like a charm!! Thanks
Philip Figueroa on March 26, 2013:
Where is the download link for TDSSkiller?
Gabriel on March 20, 2013:
Thanks a lot, you are a genius, you saved me. It really works, great work, thanks again!
Tako on March 15, 2013:
The first one says i have to buy it
Prasan on March 13, 2013:
Amazing.. u saved me.. Thank you
ace10is from Milliken, Colorado on March 07, 2013:
This helped a lot with numerous errors on my laptop. I now have sound, which I didn't have before.
However, I still get the: internal window: svchost.exe - Application Error
The instruction at "0x7c92a159" referenced memory at "0x19e4783f". The memory could not be "read".
Steve on February 23, 2013:
THANK YOU VERY MUCH!!! I've been trying to figure out for days how to keep svchosts -k netsvcs from continually trying to make hundreds of TCP connections per minute to weird destinations, using up 1.8GB of my 2GB memory and nearly 100% CPU. Rkill and TDSSkiller did the trick. THANK YOU THANK YOU THANK YOU!
CharlesP1234 on January 16, 2013:
How do i get the TDSSKiller to kill the svchost.exe
Daniel Van der Mallie (author) from Portsmouth, Ohio, USA. on January 07, 2013:
@Jess, I've done a bit of digging on the issue you seemed to be having. (Sorry for the late response, by the way. Just started back on here recently, due to work and school eating up all my time.)
This forum post seems to hold the solution to your problems: http://forums.pcpitstop.com/index.php?/topic/198206-lost-and-confused/page__st__20
Hopefully that helps a bit. (All credit goes to the original authors in that forum.)
hannah on December 31, 2012:
thank you so much, this worked and I have been trying for quite a while now to remove this virus. almost bought a new laptop. thank you!
Tabbey75 on December 17, 2012:
To be honest, I started at the top of the list and worked my way down, other than the fact that I tried MalwareBytes before even looking for this site. That being said TDSSKiller is what worked for me. My daughter came home from college and her computer would not boot. Started with Security Essentials, failed, wend to Windows Defender Offline, failed, MalwareBytes found it, said it removed it, reboot, rescan, refind. *sigh* rkill did the same thing. TDSSKiller found it, said it killed it, and now none of the programs can find anything. I am calling it a win. Thank you so much for your help!!
Daniel from St Louis on December 11, 2012:
I agree, viruses do attempt to disguise themselves as normal windows processes, fair enough. This was a really big problem back in the Windows XP days as well. Its gotten better, but the issue still persists today. Thanks for sharing your post :)
Daniel Van der Mallie (author) from Portsmouth, Ohio, USA. on December 09, 2012:
In response to DjDaniel150: There is a virus that disguises itself as svchost. It's decently common.
Daniel from St Louis on December 08, 2012:
svchost.exe is not a virus, it's a program used in windows in part to manage "dynamic link libraries." I'm not sure why you thought this was a virus?
Datoad2000 on November 18, 2012:
Thanks so much for these instructions, I believe it was the TDSkiller that found the prob but I have downloaded all of it. You saved me from having to take it to a family member that "Knows everything" Your da man!
Sam on October 26, 2012:
Thanks a lot. Wasted my time downloading Speedy PC pro.
And credit goes fully to TDSSkiller.exe for curing the 100% CPU usage problem :D And also to you I guess xP
Bluntski on October 24, 2012:
This worked after 2-3 weeks of trying to remove it with various programs this few simple step process did wonders and fixed it under 30 minutes. THANK YOU!
Jess on October 22, 2012:
I'm trying this method out and am currently at the "ESET Online Scanner" step. I'm trying to download it on Internet Explorer, but it only gets up to 4% then it says "Can not get update. Is proxy configured?" above the status bar. What does this mean? How do I fix it?
Randy on October 19, 2012:
to be honest... tdkiller was the application that finally killed it.
Randy M on October 19, 2012:
After 1 month..... THIS FIXED IT.... AWESOME PROGRAMS... THX
TheLexusMom on October 18, 2012:
HUGE "MUAH!" thank you !!!!
Chris on October 02, 2012:
Thanks a bunch, I had to kill the svchost.exe manually so I could keep my computer up long enough to get rkill but after that it was simple. I had tried on and off for a day using mbam avg and other products with no luck. Great post
Chalfant on August 14, 2012:
I simply ran the online ESET scanner and it removed the virus.
Jeeves on July 31, 2012:
Thanks so much for your help. I was panicking after I installed 3 different anti virus software, only to find out none of them removed the virus. This method works surprisingly enough!
biome on July 30, 2012:
While running aswMBR, the program only runs for so long then stops at the same place (c:\users). It does not matter if run immediately after Rkill, or in safe mode. This even after renaming it to iexplore.exe. identical performance in both cases. Rkill found a svchost and stopped it.
Daniel Van der Mallie (author) from Portsmouth, Ohio, USA. on June 27, 2012:
You shouldn't have to, but it might help if you're still having trouble. Rkill is great for finding out if something might be lurking in the back of your system.
Rake on June 25, 2012:
When you computer has to restart after running the TDSSKILLER.exe should I rerun rkill?
Ducky on June 10, 2012:
This worked. We spent three days trying to fix my computer because we couldn't find everything sorted out into exactly what we needed. This method helped out a lot and my computer didn't end up an over-sized paperweight.