How to Easily Remove the Svchost.exe Virus

As an avid computer user, I've gotten infected by my share of adware, malware, worms, and other pesky, malicious programs that have slipped by my anti-malware and anti-virus protection. Due to this, I learned very quickly how to fix the problems these malevolent bits of code would cause. In this article, I'll be helping you deal with one very annoying bit of malware that uses svchost.exe as a guise to decimate your computer.

This guide is only guaranteed to be useful to you if you suffer from the following:

  • You have found a file in C:\windows\ named svchost.exe. This file will generally be about 20 KB, and if you attempt to delete it you will be notified that it is in use and cannot be deleted.
  • An anti-virus, anti-malware, or other program such as RKill.exe has stopped or blocked a program running under the path \\.\globalroot\systemroot\svchost.exe
  • An anti-malware or anti-virus program has detected a rootkit known as Rootkit.Boot.Pihar.b
  • An anti-malware or anti-virus program has detected a malicious file known to show up in C:\ProgramData\Microsoft\DRM\ with a somewhat random filename, usually consisting of four or five random characters. This file is usually a .tmp. Your anti-virus or anti-malware program will usually label it Win32-Alureon. Warning: Alureon is known to steal usernames and passwords, including bank and credit card account information. Due to this, it is my best advice to contact a computer specialist for full details on how to repair the possible damage. In addition, you may wish to contact your bank and credit card companies if you have used this information on the infected computer.

However, this article may still be useful for you, as the following information may be applied to remove and protect against other malicious programs.

What is Svchost.exe and What Does It Do?

Generally, svchost.exe is a non-malicious program required by Windows. It's a generic host process name for services that run from dynamic-link libraries. In plain English: a good while ago, Microsoft began moving its core files into .dll files instead of .exe files. This led to fewer files, saving space and letting systems run faster. The problem, however, is that Windows requires an .exe to run these .dll files. Thus, svchost.exe was created to run a number of these processes.

When svchost.exe is doing its job, you may find multiple instances of it. However, the only location it should be running from is C:\Windows\System32. In most cases, it will be about 27 KB in size. Many different forms of malware like to disguise themselves as svchost.exe. The case I'm covering is not associated with the blastclnnn.exe variant.
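The location rule above can be checked mechanically. The following is an added example, not part of the original article: it reads a process list saved as CSV and sorts every svchost.exe instance by the folder it runs from. The function names, the CSV layout and the sample rows are assumptions made for illustration; it also accepts SysWOW64, where 64-bit Windows keeps the 32-bit copy of svchost.exe, which goes beyond the article's rule.

```python
import csv
import io

# Constructed sample (not from a real machine): a process list saved as CSV with
# the columns Name, ProcessId and ExecutablePath (the Win32_Process property
# names). PIDs 4312 and 5120 use the two paths the article lists as symptoms.
SAMPLE_CSV = r"""Name,ProcessId,ExecutablePath
svchost.exe,812,C:\Windows\System32\svchost.exe
SVCHOST.EXE,1044,c:\windows\system32\svchost.exe
svchost.exe,2280,C:\Windows\SysWOW64\svchost.exe
svchost.exe,4312,C:\Windows\svchost.exe
svchost.exe,5120,\\.\globalroot\systemroot\svchost.exe
svchost.exe,640,
explorer.exe,3004,C:\Windows\explorer.exe
"""


def expected_dirs(system_root=r"C:\Windows"):
    """Folders a genuine svchost.exe runs from (lower-cased for comparison)."""
    root = system_root.rstrip("\\").lower()
    # System32 is the article's rule; SysWOW64 is added here for 64-bit Windows.
    return {root + r"\system32", root + r"\syswow64"}


def classify_path(path, system_root=r"C:\Windows"):
    """Return 'expected', 'suspicious' or 'unknown' for one image path."""
    if not path or not path.strip():
        # Protected processes often hide their path from unprivileged tools;
        # an empty path is a reason to re-run elevated, not a detection.
        return "unknown"
    norm = path.strip().replace("/", "\\").lower()
    directory = norm.rsplit("\\", 1)[0] if "\\" in norm else ""
    # Exact folder match only, so "...\system32\..\svchost.exe" is not accepted.
    return "expected" if directory in expected_dirs(system_root) else "suspicious"


def audit_svchost(csv_text, system_root=r"C:\Windows"):
    """Return (pid, path, verdict) for every svchost.exe row in the CSV text."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row.get("Name") or "").strip().lower() != "svchost.exe":
            continue
        path = (row.get("ExecutablePath") or "").strip()
        findings.append((int(row["ProcessId"]), path, classify_path(path, system_root)))
    return findings


if __name__ == "__main__":
    for pid, path, verdict in audit_svchost(SAMPLE_CSV):
        print(f"{verdict:10} pid={pid:<6} {path or '(path not readable)'}")
```

A "suspicious" verdict only says where the file runs from; confirm it with the scanners listed in this guide before deleting anything.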

Malware, in general, wreaks havoc on your system, so it is always nice to repair it.

Let's Get Started:

I will include download links to every program I mention directly beside the name of the program. All of the programs I mention are completely safe, 100% free, and have saved my behind on more than one occasion. I highly suggest keeping them around, at least on a thumbdrive, for future infections.

1) Rkill.exe: Download.

Rkill.exe is quite possibly one of the most useful programs I've ever used. Your anti-virus may try to keep it from running due to what it does, so you may have to disable programs such as Avast! Anti-Virus before you run it.

To put it simply, Rkill searches out malicious, or possibly malicious programs, and terminates them, generating a list of terminated processes. It was using Rkill that I first learned of a computer being infected by svchost.

All you need to do is download it and run the .exe. After scanning for malicious processes and terminating them, simply close the window, making sure to note what programs it halted.

2) TDSSKiller.exe: Download is towards the bottom of the page.

TDSSKiller is a wonderful program meant to find and delete the ever-malicious rootkit. Simply download the .zip, extract it onto the infected computer, and run the .exe. Leave all the options set to their defaults and hit scan. After the scan, it will take care of any malicious files itself (if any). Leave the options for each of them as their default (that being skip) and click continue.

Note: There is a chance that this will prompt a reboot. Go ahead and do so. I'll wait.

3) aswMBR: Download to your desktop.

Just run the .exe and click the scan button. This will give you a good idea of the location of possible rootkits. It will also create a file named MBR.dat on your desktop. Do not delete this! It is a backup copy of your master boot record (MBR).

It may also find the Alureon malware I mentioned earlier. Feel free to search it out, ensuring you can view hidden folders, and delete the files at their location.

4) MalwareBytes: AntiMalware: Download, install, and update.

After installing and updating MBAM, just set it to a full scan of your computer, sit back, and relax. It may take a few hours. MBAM is a great tool to keep around in case of an infection; however, the active protection is only available to premium members, so keep that in mind.

5) ESET Online Scanner: In-browser scan, through Internet Explorer only. If in another browser, it should ask you to install the program on your computer. Go ahead and do so, following all the prompts.

When you go to scan, under scan settings, check "Scan archives" and check "Remove Found Threats." Then click advanced settings and select the following:

  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

ESET will download, update itself, and start scanning your computer. This may take a while.

We're Almost Done!

The last thing you need to do is ensure that your computer's hosts file is repaired, as it is usually damaged by svchost.exe.

6) Fix it: Click the "Fix it" button, and then just follow the prompts.
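To see what is actually in the hosts file before and after running the repair, the following added example (not part of the original article) parses hosts-file text and reports every active entry that is not a plain localhost mapping. The function name, the verdict labels and the sample entries are assumptions constructed for illustration; they do not describe what this particular malware writes.

```python
import ipaddress

# Constructed sample hosts file (not taken from an infected machine).
SAMPLE_HOSTS = """\
# constructed sample for the audit below
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example   # trailing comments are ignored
0.0.0.0         scanner.av-vendor.example
203.0.113.25    www.bank.example login.bank.example
not-an-ip       broken.example
#10.0.0.5       commented-out.example
"""


def audit_hosts(text):
    """Return (line_no, verdict, hostname, address) for each non-default entry.

    Verdicts (labels chosen for this example):
      blocked    - name points at loopback or 0.0.0.0, so the site is unreachable
      redirected - name is pinned to some other address, bypassing DNS
      malformed  - the line does not start with a valid IP address or has no name
    """
    findings = []
    text = text.lstrip("\ufeff")  # tolerate a byte-order mark at the start
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "malformed", " ".join(names), addr))
            continue
        if not names:
            findings.append((line_no, "malformed", "", addr))
            continue
        for name in names:
            host = name.lower().rstrip(".")
            if ip.is_loopback and host == "localhost":
                continue  # the normal localhost mapping
            verdict = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append((line_no, verdict, host, str(ip)))
    return findings


if __name__ == "__main__":
    for line_no, verdict, host, addr in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {verdict:10} {host or '(no name)'} -> {addr}")
```

On a real machine, pass in the contents of %SystemRoot%\System32\drivers\etc\hosts; after a successful repair the function should return an empty list unless you maintain your own entries.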

And that's all! Your computer should now be clean.

Some Tips:

Always make sure that all Java and Adobe programs are kept up-to-date, as they can be easily exploited. Also, ensure that your anti-virus and anti-malware programs are always kept up to date: Even a day's worth of new viruses can severely damage your system! Finally, never click on untrustworthy links or download programs, such as toolbars, unless they are guaranteed to be from trusted companies or individuals, such as Google, Yahoo, Microsoft, or any of the major tech websites that I have linked to for various downloads in this article. (Note: It is not uncommon for harmful software distributors to disguise themselves as Microsoft.)

As a final note, I would like to thank all the programmers that created the programs I've used in this article. Not only have they saved my computer before, but if it were not for them, this guide would not have been possible.

Comments 67 comments

Ducky 4 years ago

This worked. We spent three days trying to fix my computer because we couldn't find everything sorted out into exactly what we needed. This method helped out a lot and my computer didn't end up an over-sized paperweight.

Rake 4 years ago

When your computer has to restart after running the TDSSKILLER.exe should I rerun rkill?

NecroNeurology 4 years ago from Portsmouth, Ohio, USA. Author

You shouldn't have to, but it might help if you're still having trouble. Rkill is great for finding out if something might be lurking in the back of your system.

biome 4 years ago

While running aswMBR, the program only runs for so long then stops at the same place (c:\users). It does not matter if run immediately after Rkill, or in safe mode. This even after renaming it to iexplore.exe. Identical performance in both cases. Rkill found a svchost and stopped it.

Jeeves 4 years ago

Thanks so much for your help. I was panicking after I installed 3 different anti virus software, only to find out none of them removed the virus. This method works surprisingly enough!

Chalfant 4 years ago

I simply ran the online ESET scanner and it removed the virus.

Chris 4 years ago

Thanks a bunch, I had to kill the svchost.exe manually so I could keep my computer up long enough to get rkill but after that it was simple. I had tried on and off for a day using mbam avg and other products with no luck. Great post

TheLexusMom 4 years ago

HUGE "MUAH!" thank you !!!!

Randy M 4 years ago

After 1 month..... THIS FIXED IT.... AWESOME PROGRAMS... THX

Randy 4 years ago

to be honest... tdkiller was the application that finally killed it.

Jess 4 years ago

I'm trying this method out and am currently at the "ESET Online Scanner" step. I'm trying to download it on Internet Explorer, but it only gets up to 4% then it says "Can not get update. Is proxy configured?" above the status bar. What does this mean? How do I fix it?

Bluntski 4 years ago

This worked after 2-3 weeks of trying to remove it with various programs this few simple step process did wonders and fixed it under 30 minutes. THANK YOU!

Sam 4 years ago

Thanks a lot. Wasted my time downloading Speedy PC pro.

And credit goes fully to TDSSkiller.exe for curing the 100% CPU usage problem :D And also to you I guess xP

Datoad2000 3 years ago

Thanks so much for these instructions, I believe it was the TDSkiller that found the prob but I have downloaded all of it. You saved me from having to take it to a family member that "Knows everything" Your da man!

djdaniel150 3 years ago from St Louis

svchost.exe is not a virus, it's a program used in windows in part to manage "dynamic link libraries." I'm not sure why you thought this was a virus?

NecroNeurology 3 years ago from Portsmouth, Ohio, USA. Author

In response to DjDaniel150: There is a virus that disguises itself as svchost. It's decently common.

djdaniel150 3 years ago from St Louis

I agree, viruses do attempt to disguise themselves as normal windows processes, fair enough. This was a really big problem back in the Windows XP days as well. It's gotten better, but the issue still persists today. Thanks for sharing your post :)

Tabbey75 3 years ago

To be honest, I started at the top of the list and worked my way down, other than the fact that I tried MalwareBytes before even looking for this site. That being said TDSSKiller is what worked for me. My daughter came home from college and her computer would not boot. Started with Security Essentials, failed, went to Windows Defender Offline, failed, MalwareBytes found it, said it removed it, reboot, rescan, refind. *sigh* rkill did the same thing. TDSSKiller found it, said it killed it, and now none of the programs can find anything. I am calling it a win. Thank you so much for your help!!

hannah 3 years ago

thank you so much, this worked and I have been trying for quite a while now to remove this virus. almost bought a new laptop. thank you!

NecroNeurology 3 years ago from Portsmouth, Ohio, USA. Author

@Jess, I've done a bit of digging on the issue you seemed to be having. (Sorry for the late response, by the way. Just started back on here recently, due to work and school eating up all my time.)

This forum post seems to hold the solution to your problems:

Hopefully that helps a bit. (All credit goes to the original authors in that forum.)

CharlesP1234 3 years ago

How do I get the TDSSKiller to kill the svchost.exe?

Steve 3 years ago

THANK YOU VERY MUCH!!! I've been trying to figure out for days how to keep svchosts -k netsvcs from continually trying to make hundreds of TCP connections per minute to weird destinations, using up 1.8GB of my 2GB memory and nearly 100% CPU. Rkill and TDSSkiller did the trick. THANK YOU THANK YOU THANK YOU!

ace10is 3 years ago from Milliken, Colorado

This helped a lot with numerous errors on my laptop. I now have sound, which I didn't have before.

However, I still get the: internal window: svchost.exe - Application Error

The instruction at "0x7c92a159" referenced memory at "0x19e4783f". The memory could not be "read".

Prasan 3 years ago

Amazing.. u saved me.. Thank you

Tako 3 years ago

The first one says i have to buy it

Gabriel 3 years ago

Thanks a lot, you are a genius, you saved me. It really works, great work, thanks again!

Philip Figueroa 3 years ago

Where is the download link for TDSSkiller?

Brad Goetsch 3 years ago

Worked like a charm!! Thanks

Paul H 3 years ago

Was about to give in and take my laptop to a repair shop until I found this page. TDSSKiller.exe is what did it for me.

My thanks to the author!!!

Bogdan 3 years ago

THX MAN!!!!!!!!!

Brian 3 years ago

Where can I download tdsskiller.exe?

Eagle Sun2009 3 years ago

Super! My computer actually was seriously compromised with a Svchost.exe virus and It was freezing whenever I turned on my computer. The problem originated from using unsafe web based video conversion services. Using your approaches, I was able to clean up my computer and it is back to normal now. You save a lot of my work and time. Thank you so much for your contributions that make my life a lot easier.

Jay.C 3 years ago

Wow... awsooooooooooooooooooooooooooome!!!

it did work to me at the step 2 (TDSSKiller)

alfadebi 3 years ago

Great step by step instructions. Resolved multiple problems in several steps. Nice to have a functioning computer again. THANK YOU!!!

jam 3 years ago

the TDSSKiller displayed that there were no threats found .. and all the svchosts are still there.. getting displayed in the task manager :( any help will really be appreciated.

jam 3 years ago

i tried all the steps involved.. many viruses were found but the svchosts still exists... not 1 but 11 of them in the task manager

eddy 3 years ago

I think it worked. Hopefully I won't have any more problems. Thanks a lot.

jmd4 3 years ago

Beware of possible unexpected consequences following these or any other procedures involving executables that you didn't write and test yourself !!

I've had a consumptive svchost.exe for months now and I thought this was going to be a quick solution. Well, it was an eventual solution, for which I thank the author, but it was a bumpy road. Rkill found the rootkit problem in my recycle bin (where Windows Defender had also reported it, but in a directory I couldn't see; Defender however was unable to remove it despite claiming success). Rkill did its thing and found "ZEROACCESS rootkit symptoms" in my recycle bin, "fixed" things, and Windows thenceforth complained that my recycle bin was corrupted; attempts to empty it failed, and attempts to manually delete it also failed ("access denied", even with admin privileges in a DOS window). I eventually renamed $Recycle.bin (which surprisingly it let me do), and a new $Recycle.bin was created the next time I deleted a file. I still can't delete the renamed recycle bin, but I can live with that.

Incidentally, I'm almost positive that I contracted this problem when updating my Adobe Flash player (to version 11 I think it was) at the behest of youtube, which claimed it otherwise couldn't properly display certain videos. It resulted in the flash player crashing right and left, and so I reverted back one version (which was still a newer version than what I had before) and everything was ok with Flash player and youtube, but then the trouble with svchost.exe started, and the dates on the unremovable files in the old recycle bin support this.

So finally I can use the internet without having to manually kill the one svchost process every 90 seconds. I was on the verge of writing a scheduled script to do it.

christine 3 years ago

it says download the to computer .exe......where is that

christine 3 years ago

never mind when i printed out instructions it cut off some of the words had to go back to site to

Ivan 3 years ago

tnx my computer is fast again :-)

you saved me...

zivija stari :-)

krad650 3 years ago

Don't stop running all the recommended exe's in this article just because one of them found a threat.

I kept getting popups from my AV program that it blocked a Trojan attack every time after startup. The AV security history ID'd the IP number and that the attack resulted from /DEVICE/HARDDISKVOLUME3/WINDOWS/SYSWOW64/SVCHOST.EXE. Rkill found one threat but it wasn't until I ran ESET that it also found and disposed of 8 more, all variants of WIN32/KRIPTIK.BHFM Trojan.

So far, so good. Thanks for all the help.

beverly 3 years ago

Tried these steps but did have some problems. While running aswMBR my computer shut down. I renamed it as instructed on the website and it shut down again. Tried to find "Lost and Confused" in the forum per the author's directions, but could not find that article either. Then when I went to ESET it wanted my IP address, port, username and password. IP address is on auto on my computer. Tried to find that info and enter it and it still would not let me do the scan. Other programs did find some items though and computer seems to be better than it was. At least all those voices I was hearing are gone (they were so bad if I did not mute my computer, they played all the time). I am no rocket scientist and this information was pretty simple, just had trouble with a couple of the websites working correctly. Thanks so much!! If anyone has any advice on the two I could not get to work, it would be appreciated.

Dymolishn 3 years ago

Another success here. Stumbled upon malware that had random ads running in the background with no windows open...even after reboot from the desktop (as long as I had an internet connection).

I had tried everything under the sun for a day or so. Talked with IT guy I know and spoke with 2 repair shops thinking I would have to pay someone to fix my problem. Noticed that Malwarebytes kept blocking access to certain IP addresses and indicating that the process was "SVCHost.exe". Googled "SVCHost.exe" and found this site. With task manager open watching my performance consistently at 100% CPU usage, finally managed to download all the necessary recommended programs and ran them in order. Within an hour my problem was resolved. TDSSKiller found the rootkit and cured it. Thanks a mill...I Luuuuuuv you 2 def!!!! You are a Godsend

Anymous 3 years ago

My computer was lagging every time when i start it. Now, it's clean and fast like new! THANKS MAN! YOU ARE SUCH A GREAT MAN!

Anyone 3 years ago

Hey what's the problem? I just cannot download Rkill.

Scotttttt1970 2 years ago

I got rid of the problem with HitMan pro, and then the Fix it link on this page. Free and Fast.

sai 2 years ago

it is not downloading

Josh 2 years ago

Almost bought a new PC, but this worked great. Thanks a lot

ravi 2 years ago

I still have issues, maybe I am missing the obvious, please help me

1. RKill terminates 3 processes and they once again start once I restart the problem

2. TDSkiller cured 1 threat and now not finding anything

3. ASWMBR finds threats but doesn't eliminate, how can those be eliminated

4. MBAM found 800+ threats all cured

5. online ESET found 70+ threats but failed to eliminate 6 of them.

Benefit is after running all of these my PC becomes reasonably faster but once I restart the problem starts all over again. To top it all there are still 11 Svchost there in task manager and memory leakage is also there.

thatguy 2 years ago

hi im that guy and im here to put some random comment that will probably not help your case, thank you for your time, take care now and bye

Shorty 2 years ago

Hi i have installed MBAM and TDSkiller and both cannot detect svchost.exe as malware BUT MBAM keeps giving me a pop up that it has blocked a "Malicious Website" outbound with an ip address from Germany with the ports randomly rotating apart from this i have no other issues. can't i just manually delete this file and "POOF" problem solved? HELP PLEASE ITS DRIVING ME NUTS

Hopeful 2 years ago

I used Windows Task Manager to look at the services PID and compared them to the PID for the active processes listed in Comodo. When I found a PID in Comodo that was not listed in Task Manager, I terminated and blocked it. The svchost.exe that was using over 400,000 K of memory disappeared and my background audio ads stopped. Hopefully, this will last through a restart.

Going crazy 2 years ago

I've been having the same issue as shorty and hopeful. This seems like a newer version of the goddamn annoying ads-playing-in-the-background virus that is not being fixed by any of the anti-virus programs above and a host of others that I've tried. The only way to disable it for now is going into task manager and suspending svchost; terminating it just restarts it again after a few minutes. Anyone know how to fix this problem? tdskiller is not detecting anything and rkill doesn't even work, it crashes after a while even in safe mode. mbam detects a malicious website like shorty said but doesn't do anything to stop it. This is driving me nuts.

DoubleX 2 years ago

It did not work, TDSS detected the first time, removed it, restarted comp, re-scan it with TDSS and nothing, but the virus is still there, seems to adapt to TDSS. Same thing with MalwareBytes, scanned, removed, restarted comp and was not able to find the virus anymore, but the virus still pops up and MalwareBytes was not able to detect it anymore. Rkill simply just did not work.

Hopeful 2 years ago

Well, my block only worked until shutdown. Then my computer would not boot properly. Like many others, aswmbr, tdsskiller, and malwarebytes were of no use. ESET online scanner detected a bad rpcss.dll, but was unable to do anything. Maybe repairs are different based upon your infection. I have found success using the following programs and running them all as an administrator - RKill then the installed version of ESET then RogueKiller then HitmanPro. When I downloaded them, I used "Save As" to change the file names hoping the virus/trojan/whatever would not block them. I closed all open programs, closed my internet connection (removed my wifi dongle) and shut down my firewall and antivirus before each install. If something needed to download new definitions, I put up the firewall and antivirus first, went back online to download definitions, removed my wifi dongle after update, shut down the firewall and antivirus, and then proceeded with whatever scans were needed. HitmanPro has a function that can replace corrupted essential files (yea! bye-bye corrupted rpcss). I went through this sequence twice to ensure removal. I also used FileASSASSIN from Malwarebytes to delete a few files that HitmanPro identified, but could not delete. So far, my system starts fine and there are no ads playing in the background. Task Manager has not looked this clean in a long time. Lastly, I installed Malwarebytes Anti-Exploit kit because it is supposed to shield me from future hits. Although their anti-malware software did not find the problem this time, Malwarebytes has been helpful in the past. I have never used them for real-time protection, but am willing to give it a try. Hope someone finds this helpful. By the way, my PC uses Windows Vista. God bless.

Hopeful 2 years ago

Update: Still good 3 days later.

Leigh-Stuart 2 years ago

Great walk-through.

It helped immensely, thank you heaps! :-)

VS 2 years ago

This did magic !! Thanks !

Zeraq 2 years ago

Lol that saved my ass.. CPU usage dropped down to 10% below after using Rkill, :P

hotpockets 2 years ago


Miriam 2 years ago

ESET did it!! Thank you so much! God bless you!!

Larry Hoezee 24 months ago

This is a useful resource and I've bookmarked it for future reference.

Thanks for the post.

Please also read

If you know of any other antivirus or malware sites you could recommend, please pass that along.


sdfh 21 months ago

TDSS killer caused my PC to not boot up anymore

Lee22 14 months ago

Where is the TDSSKiller.exe ??

NecroNeurology 8 months ago from Portsmouth, Ohio, USA. Author

to Lee22, I just fixed the link. Kaspersky changed the url for it. Hopefully that helps.

Mike cryst 5 weeks ago

If your search continuously get redirected towards then your computer has cached a browser hijacker. It is a dubious domain which is owned by Erez Belinin. This malicious domain is controlled by two server and Researcher have found that if your computer is infected by this threat and during that period if you search anything then your search will be rerouted towards the It may look like a genuine search engine but when you search using it, then the result which it provide is full of advertisement. This nasty domain has already infected many computer around the world.

This browser hijacker first injects its executable codes in your system startup in order to run its malicious process without your consent. After that it replaces the default search engine with alwaysisobarcom. It also modify the new-tabs links and the homepage in to make your search redirect towards shopping site or some social media site. This browser hijacker will inject a number of advertisement and commercial promotion on those web-pages that you open in your browser. After that you will get lots of ads, pop-up, banners every time when visit any site. Not only this, it also degrades the browsers speed and slow down your system performance.

This nasty domain is distributed through shareware and freeware program. The developer of freeware hide the browser hijacker in their application so when you install those freeware the threat will also get installed without your consent. So it is strongly recommended to read all the term and condition before installing any program and go through the custom installation method. These type of threat also remains hidden in phishing website, so you should also avoid visiting those site which look suspicious or unknown. But, in order to get rid of all the issues you must have to remove alwaysisobarcom completely from your system.

After searching on Internet i found helpful to remove the threat.
