Malicious webpage in svchost. How to reveal the virus disguised under the SVCHOST system process. Principle of operation of the process

It is not a secret for any of the Windows users that when you hang or braking a computer, you first need to look at the "Task Manager", in order to complete the processing processes in it. The task, let's say, for first-graders: it seems to be swimming and know what is there and how. However, looking once again in the notorious dispatcher, many users, to their surprise, almost first notice that for overload central processor It leads such a svchost.exe process, which, attention, is not displayed in one, but immediately in 4, or even more lines:

Well, think about what other reaction at this moment can be, except for panic from the thought that the virus settled on the beloved PC? It has never been on the memory that the system processes are duplicated in the Task Manager! However, before in horror, seek a solution, how to quickly remove svchost.exe from a computer, you need to deal with that, and whether it is actually virus or not.

Step No. 1: Receive Viruses

Perhaps it is worth noting that the svchost.exe process itself does not carry any threat to Windows, no matter how it seemed strange. In fact, it is designed to run the services built into the system, services and a variety of programs that use special DLL libraries in their work. However, based on the fact that such system services on the computer often happens quite a lot, the execution of them in one process can be very difficult. That is why svchost.exe is often often launched several times servicing separate services Windows.

It is clear that it doesn't make any sense to delete such processes, since it will simply be enough to restart the computer. In the same time full removal system File svchost.exe can lead to failures in windows work, the emergence of all sorts of mistakes and other problems with Windows. Therefore, by finding a whole fan of svchost.exe in the "Task Manager", it is not necessary to spur with him at once: everything can be much easier.

However, it is also not worth relaxing in this case. The fact is that under svchost.exe, viruses are truly often masked, bringing with them very unpleasant gifts in the form:

  • arbitrary computer output from sleep mode;
  • appearance system error when running applications, opening a drive or reading disk;
  • automatic reboot Windows;
  • unprepared computer shutdown;
  • pC braking due to the download of the CPU by more than 90%;
  • spontaneous opening of applications, etc.

The question arises, but what, in this case, determine where the virus, and where is the normal system process svchost.exe? The answer is simple - look closely to him.

So, the first call to the fact that svchost.exe is a virus, there will be the execution of this process on behalf of the user (in normal it is started on behalf of Local Service, System (system) or Network Service). In order to determine this, it is enough on the keyboard to simultaneously press Ctrl + Shift + ESC, thereby calling the "Task Manager", then select the Processes tab and, in the end, to look at the data specified in the User column for the process svchost.exe:

I note that for the same purpose, if you wish, you can also use a special Process Explorer program, which displays full information about all the processes performed on the computer, including Svchost.exe:

At the same time, determine if there is a threat from svchost.exe, the location of such a file can help. Remember: Normally, it is stored only in one of the 4 folders located on the hard disk, namely in the directory:

  • Windows \\ Prefetch.
  • Windows \\ servicepackfiles \\ i386
  • Windows \\ System32.
  • Windows \\ Winsxs.

Accordingly, if svchost.exe is in some other place, for example, separately in the Windows folder, be sure: you are the most real virus. At the same time, it really can actually help "Task Manager" again. In this case, after it is launched, you will need to click. right-click On line with the name of the svchost.exe process, select the "Properties" item in the opened menu, and then pay attention to the "Location" field:

In addition, the program name itself can be a hint. So, any deviations from writing svchost.exe in the name of the image can be safely regarded as a hidden viral threat. Therefore, if you see in the "Task Manager" processes like svhost.exe, svehost.exe, svxhost.exe, svchos1.exe, svchest.exe, svch0st.exe and other values \u200b\u200bwith erroneous writing, you can safely delete them: these are viruses.

Step number 2: Remove viruses in svchost.exe

It must be said that because of numerous varieties of svchost.exe viruses universal Fashion Their removal from the computer simply does not exist. In particular, a complete verification can help in solving such a problem Windows installed on PC antivirus program. The main thing in this case is before it starts not to forget:

  • disconnect local network and the Internet;
  • complete Suspicious processes svchost.exe in the Task Manager;
  • clear autoload from svchost.exe files. In this case, it is required first to press ÿ + R on the keyboard, to lean the MSConfig task to the appeared utility to "execute", click OK, and then after selecting the "Auto-loading" tab in the window that opens, check the presence of svchost.exe in it:

At the same time, so that the effect of the computer has not been temporary, it is mandatory to take care of the installation and update in Windows Powerful Antivirus and Firewall. Only so you can be sure that the problem with the malicious Trojan file svchost.exe will not return back to the system.

Did you happen if you enter the task manager of your operating system, detect multiple copies of the same file called svchost.exe? What is this file and is it capable of harmful to your computer? Can I have to delete it? About this and about many other issues related to this file, we will talk in this article.

Definition

Svchost.exe is the common name of the main process for services that run from dynamic libraries in the Windows OS line. Each service that refers to the svchost.exe file starts on personal Computer your copy of this file. Thus, several dozen copies can be displayed in the task manager at once. Such a system is invented in order to save as much free space in the device's memory.

Is this file safe?

The svchost.exe file itself is an important component of the operating system and a threat of a threat in itself. However, often malicious code, picked up on the network, is masked for this file. The calculation is made that the file with this name will be harder to detect and you will restily delete it by counting the system.

Where is this file?

Recognize whether a virus is a particular process with the name SVCHOST, just enough. First of all, it is necessary to know where the present may be located, safe file. svchost.exe:

  • C: \\ Windows \\ System32
  • C: \\ Windows \\ servicepackfiles \\ i386
  • C: \\ Windows \\ Prefetch
  • C: \\ Windows \\ Winsxs \\ Any folder in this section.

If you found the svchost file on any other way, know - you are dealing with a virus. Exceptions are only antiviral and some other programs that also create the folders of the same name, but the threats for your computer are not presented.

How to see which services are running using svchost?

Consider this issue on the example of Windows 7.

  1. Hold the Ctrl + Alt + Del key simultaneously and select "Run Task Manager".
  2. Click the Processes tab and select "Display All Users Processes".
  3. In the list that opens, you can see how many copies of the file running on your computer in this moment And on behalf of which user. It is necessary to know that the svchost.exe system file can be run only on behalf of Local Service, System, Network Service or System. If the file is called by the name of the local machine, you are dealing with the virus.
  4. To see which service launched a specific copy of the file, click on this copy from the list of the right mouse button and select "Go to Services" or select a copy from the list with the left mouse button and open the neighboring tab "Services".
  5. To find out what is one or another service and what functions it performs on a computer, click on the "Service ..." button in the lower right corner of the window that opened.

How to remove a virus masking for svchost?

If you have suspicion that your computer is infected with a virus that is masked for the svchost file, the best solution will download a program specifically designed to delete files from a computer of this type. An example of such a program can serve as Security Task Manager or AVZ anti-virus utility. After removing suspicious files, you will need to overload the computer and conduct a complete check of the system to viruses. Only after that you can be completely sure that you got rid of the virus, and this file is no longer threatening the security of the computer.

Svchost.exe is the name of the system process, which is masked whole line viruses. As a result of this malicious software, the Internet connection can be lost or serious system failure. Therefore, it is important to know how to remove the SVCHOST EXE before the computer will stop working.

Detection

Detect the svchost.exe virus on the computer is quite difficult. The problem is that SVCHOST is a systemic windows moduleWith which services are launched. Disabling these services can lead to errors and incorrect work Systems.

The various viruses only assign this name to themselves, hiding among truly useful processes in the Task Manager.

Attention! The fact of the presence of the SVCHOST.EXE process in the "Task Manager" does not speak about the infection of the computer with a virus! Such processes must be launched, since the system cannot correctly work correctly!

But as among the existing processes, identify the malicious, if they have the same name for everyone? You must refer to the "Username" field, where it is indicated who is the initiator of the process startup.

System modules are launched on behalf of "System", "Local Service" or "NetWork Service". If you see that the svchost.exe process is started on behalf of the user, know - before you the virus acting under the cover.

Removal

Unfortunately, a virus masking for a system module can be completely removed only in two ways: a complete reinstalling system or registry cleaner.

Programs that allow you to remove the URL MAL virus, it will not help here. It will not cope with the task of this kind and spyhunter - utility using which you can remove ADS by OFFERSWIZARD.

It makes no sense to reinstall separately: this is an extreme measure when other methods are already triggering and declared invalid.

It is better to immediately move to the registry cleaner, but first you can try to install a more powerful anti-virus package or use your Dr.Web Cureit utility that helps remove Trovi COM and cope with other similar viral applications.

Excellent, if you can do both - check the system using an antivirus with updated signatures, and then run Dr.Web Cureit and scan it with it hDD Repeated

Do not forget to check the Windows Startup List.

Press Win + R, enter the "msconfig" command and go to the "Auto-loading" tab. Check that there is no SVCHOST EXE in the list of configuration items. When a virus is detected, remove the checkbox from it, and then delete from the list.

If the specified actions did not help, go to the registry cleaner.

Work with registry

Open system registry Using the "Regedit" command. Here you will have to change and delete a number of records, so be patient.

Go for consistently HKEY_LOCAL MACHINE → Software → Microsoft → WINDOWS → CURRETVERSION → RUN. Find the "PowerManager" \u003d "% windir% svchost.exe" key and delete it.

Now you need to delete other records related to the virus. Go to HKLM → Software → Microsoft → Windows NT → CurrentVersion → Winlogon. Find the "userinit" key and check its value. Give it to the form "C: \\ Windows \\ System32 \\ userinit.exe". To do this, click on the key right-click and select "Change".

Use the search feature (Ctrl + F) and find other records with the value of "SVCHOST". Remove them all.

As you see, with registered records We'll have to suffer a little. Therefore, if it is possible - reinstall the system or try to roll back its former state using the control point of the recovery.

If you read this article, you probably have already paid attention to the system process named "Svchost.exe". And usually it is not alone, and the company makes it a few more of the same processes:

In a normal situation, the speed of the computer from the execution of this process does not suffer, and ordinary users do not pay attention to it. The situation is quite different when the process begins to "devour" from half to 100% of the computer resources. And not episodically, but constantly. A radical solution of the problem in this case sometimes becomes or roll back the system by the time it worked fine. These ways are not only unnecessary, but also do not always help, so today we will tell you about more simple solutions Problems when the svchost.exe process loads the computer processor "on complete".

What is svchost.exe

Let's start with the theory. Svchost.exe. - Systemic windows processwho is responsible for launching various services on a computer (for example, Print service or Windows Firewall ). Using it, several services can be launched on the computer simultaneously, which allows you to reduce computer resource consumption by these services. In addition, the process itself can be launched in several copies. That is why the "Task Manager" always launched more than one Svchost.exe process.

So because of what svchost.exe can create high load on the processor and computer memory? On the network you can find the opinion that the svchost.exe process is initiated by the virus or is at all the virus. This is not true. Strictly speaking, some viruses and trojans can masking Under it, creating an additional load on the computer resources, but they are quite easy to calculate and neutralize.

How to remove a virus disguised as the svchost.exe process

Run the Task Manager (using the key combination Control + ATL + Delete or from the menu Start\u003e Programs\u003e Standard\u003e Service) And open the Processes tab. In the first column you will see the names of the processes, and in the second - the indication, from whose name it was launched. So, pay attention to the fact that svchost.exe can only be launched on behalf of the Local Service, System (or "system") users, as well as Network SERVICE.

If you notice that the process is running on behalf of your user (for example, on behalf of the user), then before you - the virus. Since the real svchost.exe can only be launched by system services, it cannot be in the "autoload" of the current windows User.. Therefore, we will try to find a virus disguised as the Svchost.exe system. You can get into autoload in two ways: through party program, for example, or standard means Windows.

In order to get into autoload without installation additional programsOpen Start and in the program search string (in Windows XP - in Start\u003e Perform) Write msconfig, then click OK. The system configuration window appears. Click the tab and carefully view the list of programs running when booting the system. If you find the process in this list svchost.exe.You can not doubt his viral origin.

Present svchost.exe. Can be launched only From the folder C: \\ Windows \\ System32where "C" is a disk on which Windows is installed. (In 64-bit operating system The 32-bit version of svchost.exe is located in the C: \\ Windows \\ SYSWOW64 folder, and the theoretically process can also be launched from it. However, by default, all system processes, including svchost.exe, in 64-bit windows run from C: \\ Windows \\ System32.) In the screenshot above it is seen, the file is located in the Windows folder, and also called "svhost.exe", and not "SV c.host.exe ", which directly talks about his viral origin.

The list of the most favorite folders for masking the virus looks like this:

C: \\ Windows \\svchost.exe.
C: \\ Windows \\ Config \\svchost.exe.
C: \\ Windows \\ Drivers \\svchost.exe.
C: \\ Windows \\ System \\svchost.exe.
C: \\ Windows \\ Sistem \\svchost.exe.
C: \\ Windows \\ Windows \\svchost.exe.
C: \\ Users \\ Your username \\svchost.exe.

The virus process file can not only be in one of the above folders (and not in standard folderwhere there is a real svchost.exe), but also called differently:

svhost.exe.
svch0st.exe.
svchost32.exe
svchosts.exe.
sYSHOST.EXE.
svchosl.exe.
svchos1.exe.

So, you found a svchost.exe virus in autoload. The first thing to do is to turn off its autorun, removing the donkey opposite it in the "Startup element" column. Now you need to complete its process through the "Task Manager" (Right Mouse Button on Process\u003e Complete the process) And delete the file itself. The full path to the file, as in the screenshot above, is always indicated in the "Command" column. It is possible that the process file will not delete itself, - in this case, try to reboot the computer and repeat the operation, or use the program to remove similar, "unsalted" unlocker files.

After that, it will not be superfluous to conduct an anti-virus test of the computer. If the antivirus has not yet been installed on your computer, we recommend you to familiarize yourself with our article.

There are no viruses in the system, but svchost.exe still "ship" computer?

Did you find and detect all viruses in the system or made sure that there are no viruses on the computer, and svchost.exe still interferes with work? Try to find out which program or service uses this process. It's easy to do with a simple free program Process Explorer. Very often the SVCHOST.EXE process uses the service Windows Update. Automatically installing updates to a computer:

In this case, you can either wait when all Windows updates will be downloaded and installed or temporarily disable the automatic Windows Update. This can be done through Control Panel In chapter System and Security\u003e Windows Update CenterOpening Settings Parameters (in side menu windows) and selecting in the drop-down list item Do not check availability:

If shutdown automatic update It did not help, then you can also check all other Windows services. Stop or disable any windows service It is possible through the "service" snap. Get into it easily: click Start\u003e Click on A computer right-click in the open menu select Management\u003e Go to Services and Applications\u003e Services. Selecting the desired service, click on it right mouse button and select Stop. If the load on the computer created it, then after stopping the service, the svchost.exe process will stop downloading your computer 100%.

System file SVCHOST often becomes a target for hacker attacks. Moreover, the viruses will mask their malware under his program "appearance". One of the most vivid representatives of the viruses of the "Lia-Svchost" category - Win32.hllp.neshta (Dr.Web classification).

This "impostor" copies itself to the Windows directory, infects files with the extension "EXE" and takes system resources (rAM, Internet traffic). However, it is capable of other nastiness. Infection cases are known when viral SVCHOST loads a computer RAM by 98-100%, disables the Internet channel, disrupts the functioning of the local network.

SVSHOST files are kind and evil, or who is who

All complexity of neutralization of this type of viruses is that there is a risk of damaging / deleting a trusted Windows file with an identical name. And without it, the OS will not work, it will have to reinstall. Therefore, before proceeding with the cleaning procedure, you will get acquainted with the special signs of the trusted file and the "stranger".

True process

Manager system functionsthat run from dynamic libraries (.dll): checks and loads them. Listens network ports, transmits data on them. In fact, it is service windows Application. Located in the directory with: → Windows → System 32. The versions of the XP / 7/8 versions in 76% of cases have a size of 20, 992 bytes. But there are other options. More information with them can be found on the recognized resource filecheck.ru/process/svchost.exe.html (link - "Another 29 options").

It has the following digital signatures (in the task manager "Users" column):

  • System;
  • LOCAL SERVICE;
  • NETWORK SERVICE.

Hacker fake

May be in the following directories:

  • C: \\ Windows
  • C: \\ My Documents
  • C: \\ Program Files
  • C: \\ Windows \\ System32 \\ Drivers
  • C: \\ Program Files \\ COMMON Files
  • C: \\ Program Files
  • C: \\ My Documents

In addition to alternative directory, hackers, almost identical, similar to the system, names, names are used as a masking of the virus.

For example:

  • svch0st (digit "zero" instead of the Litera "O");
  • sVRHOST (instead of "C" letter "R");
  • sVHOST (no "C").

Versions of the "free interpretation" name countless. Therefore, it is necessary to exercise increased attention when analyzing the existing processes.

Attention! The virus can have another extension (different from EXE). For example, "COM" (Neshta virus).

So, knowing the enemy (virus!) In the face, you can safely begin to destroy it.

Method number 1: Cleaning Comodo Cleaning Essentials utility

Cleaning Essentials - anti-virus scanner. Used as an alternative software By cleaning the system. It includes two utilities for detecting and monitoring Windows objects (files and registry keys).

Where to download and how to install?

1. Open in the browser Comodo.com (the official site of the manufacturer).

Tip! Distribution utility is better downloaded on a "healthy" computer (if there is such an opportunity), and then run from a USB flash drive or CD.

2. on main page Mouse over the SMALL & Medium Business section. In the submenu that opens, select Comodo Cleaning Essentials.

3. In the boot unit, in the drop-down menu, select the discharge of your OS (32 or 64 BIT).

Tip! The bitmap can be found through the system menu: Open the "Start" → Enter the "System Information" in the string → Click on the utility with the same name in the "Programs" list → View "Type" string.

4. Click the "Freamed" button. Wait for the download to complete.

5. Unpack the downloaded archive: Right-click on the file → "Extract everything ...".

6. Open the unpacked folder and click 2 times the left button on the CCE file.

How to set up and clean the OS?

1. Select Custom Scan mode (selective scan).

2. Wait a little while the utility updates its signature databases.

3. In the scan settings window, check the box in front of the S. disk as well as check all additional elements ("Memory", "Critical Areas ..", etc.).

4. Click "Scan".

5. Upon completion of the inspection, allow an antivirus to remove the found virus-impostor and other dangerous objects.

Note. In addition to Comodo Cleaning Essentials, other similar antivirus utilities can be used to treat PCs. For example, Dr. Web Cureit!.

Auxiliary utilities

The Cleaning Essentials package package includes two auxiliary tools designed to monitor the real-time system and detecting malware manually. They can be used if the virus fails to be neutralized during the automatic check.

The application for quick and convenient work with registry keys, files, services and services. Autorun Analyzer determines the location of the selected object, if necessary, can delete or copy it.

For automatic search Svchost.exe files in the "File" section, select "Find" and set the file name. Analyze the processes found, guided by the properties described above (see "Hacker Fake"). If necessary, remove suspicious objects through the context menu of the utility.

Monitor running processes, network connections, physical memory and the load on the CPU. To "catch" a fake SVCHOST using Killswitch, follow these steps:

  1. On the System tab, open the Processes section.
  2. Analyze all SVCHOST activated processes:
    • right click on the file;
    • select "Properties";
    • look at its current directory. If it is different from C: \\ Windows \\ System32 \\, most likely that the object being studied is a virus.

In case of detection of malware:

  1. Additional view in its field Count "Evaluation" (Safe - Safe) and Signature.
  2. If these properties also do not correspond to the characteristics of a trusted system file, activate the context menu (click right-click). And then successively run the "Suspend" and "Delete" functions.
  3. Continue checking, perhaps the virus has created and launched its copies. From them, too, necessarily need to get rid of!

Method number 2: Using system functions

Checking startup

  1. Click "Start".
  2. Dial in the MSCONFIG search line and press "ENTER".
  3. In the "System Configuration" window, go to the "Autavar" tab.
  4. Browse the commands (Column "Command"), triggering elements when launch WindowsAnd their location (directories, registry keys in the "Location" column):
    • All directives containing SVCHOST disable (remove the click of the checkbox near the recording). This is a 100% virus. The system process with the same name is never written in autoload.
    • Open the Galfire Directory (indicated in the "Location") and delete it. To neutralize the key in the registry, use the regular editor REGEDIT: "Win + R" → Regedit → Enter.

Analysis of active processes

  1. Press "Ctrl + Alt + Del".
  2. Click on the Processes tab.
  3. Check the properties of all active SVCHOST (name, extension, size, location). When analyzing, focus on the fileCheck.ru service and the characteristics shown in this article.

Right with the name of the image. In the menu, select "Properties".

In case of virus detection:

  • in the properties of the object, find out its location (copy or remember);
  • click "Complete Process";
  • go to the Galfire Directory and delete it using a standard function (click right-click → Delete).

If it is difficult to determine: trusted or virus?

Sometimes it is definitely difficult to say whether Svchost is a real or fake. In such a situation, it is recommended to conduct additional detection on the free online scanner "Virustotal". This service for checking the object for viruses uses 50-55 antiviruses.

  1. Open in the browser Virustotal.com.
  2. Click "Select File".
  3. IN windows Explorer Open the process directory you want to check, select it with a click, and then click Open.
  4. To start scanning, click "Check!". The file will boot from PC to the service and automatically start scanning.
  5. Check out the results of the inspection. If most antiviruses detect an object as a virus, it must be deleted.