How to remove svchost using avz. Removing the svchost exe virus from a Windows system Svchost exe in the roaming folder is not removed
The problem with a freezing computer is probably familiar to everyone without exception. As a rule, this is blamed on viruses, poorly written programs, as well as simple overheating. From time to time, svchost.exe is the culprit. What kind of process is this, and why does this happen? Let's try to figure it out!
Virus or not?
Firstly, many people immediately succumb to panic. When they see svchost in the Task Manager, they immediately assume that an insidious virus has entered the computer. Installs immediately the latest antivirus(or better yet, two), after which the computer is checked several times. If the user was so zealous that he installed two or three security applications at once, then the system is guaranteed to crash.
We warn you right away: this is not a virus, so do not rush to delete svchost.exe! What is this process then?
General information about the application
This is the name of a very important component responsible for launching the system's dynamic libraries (DLLs). Accordingly, both Explorer (Explorer) of Windows itself and more than one thousand third party applications. This especially applies to games that actively use these libraries via DirectX.
It is located at this address: %SystemRoot%\System32. By reading registry entries at each boot, the application generates a list of services that should be started. It should be noted that several copies of svchost.exe can be running at the same time (you already know what kind of process this is). The important thing is that each process may well contain its own group of services. This was done for maximum comfort in monitoring the operation of the system, as well as to simplify debugging in case of any problems.
All groups that are currently part of this process can be found in the following registry sections:
- HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost;
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service.
All parameters that are available in these sections are visible as separate instances of svchost.exe (we have already explained what this is).
Each registry section that relates to them has a parameter of the form: REG_MULTI_SZ. It contains the names of all services available as part of a specific Svchost group. Each of them contains the name of one or more services, the description of which contains the ServiceDLL key.
This is what the svchost.exe file is.
How to check processes associated with Svchost?
To see all the services that are currently associated with this process, you need to do a few simple things.
- Click on “Start”, and then find the “Run” command in this menu.
- Enter there and then press ENTER.
- After that, copy and paste in the opened emulator command line the following expression: Tasklist /SVC. Use the ENTER key again.
- A list of all processes will be displayed in the form of a list. Attention! Be sure to enter the /SVC key parameter, since it displays the active services. To get extended information about a specific service, use the following command: Tasklist /FI "PID eq process_id" (including quotes).
If you have problems
It often happens that after entering commands, the computer displays something unintelligible, like: “The command cannot be recognized.” Don't rush to enter it again.
As a rule, this happens because you are working from under account, whose rights are simply insufficient to perform this kind of action. It doesn't matter whether you have an administrator account or not. To correct the situation, the command line emulator should be launched in a slightly different way.
To do this, click on the “Start” button, then enter CMD in the “Search” field. A list of found files will open on the right side of the menu. Right-click on the first of them (with the corresponding name), and then select “Run as administrator” in the context menu that appears.
So we have given you the basic information. Now let's look at those malicious programs that can masquerade as a harmless system application.
How to separate the wheat from the chaff?
Look carefully at the process name: it should be written as sVChost! There are some Trojans that masquerade as sVHost that are very common. If you see something like this in your “task manager”, then in this case it is indeed time to completely scan the system for the presence of malicious applications.
Especially “advanced” viruses and Trojans can still masterfully camouflage themselves by having exactly the same name as the real process. But even they can be distinguished with 100% probability by paying attention to the most characteristic signs. Let's look at them.
First of all, real system process never (!) runs as a regular user. Its start can be initiated by SYSTEM, LOCAL SERVICE, and NETWORK SERVICE. What is more important is that it does not start (!) when the system starts using startup tools. Accordingly, the list of programs that start simultaneously with the system should under no circumstances include svchost.exe. What is the process in this case?
If you see something like this, then there is only one reason - a virus.
Checking startup
Don't know how to do this? It's very simple! First, click on the “Start” button and left-click on the “Run” field. Then enter the MSConfig command there. A list of all applications launched at startup will open, which you need to review carefully.
If there are many svchost.exe processes (or even one), then you will definitely have to think about how to remove it from your computer.
What to do if a “spy” is detected?
As we have already said, in this case it is most reasonable to scan the OS with a powerful antivirus program. But before that, it won’t hurt to perform a number of simple steps with which you can completely block the virus from any opportunity to harm you. In general, the svchost.exe virus has spread widely across the RuNet in recent years. As a rule, malware that specializes in stealing user personal data operates under the guise of a normal system process.
First, in the “File location” line, find the specific folder in which the virus file is located. Select it in the list with the left mouse button and click on the “Disable” button. Click “OK”, then go to the directory with the desired file and delete it. All. Can be scanned by antivirus.
The process is very CPU intensive. Why does this happen and what should I do?
So we are back to the beginning of our article. Do you remember that sometimes due to svchost.exe (what kind of process this is, we have already explained in detail) the computer begins to slow down and “hang”? Why is this happening? And how can you overcome this phenomenon without reinstalling the system?
The simplest way
There is a fairly simple and effective recommendation that helps in many cases. Open the “Task Manager”, look for the svchost process there, then right-click on it and select “Priority/Low”. It should be noted that this must be done with each process of the same name that is in the “Task Manager”.
We remind you once again: if you see the svchost.exe file (you already know what it is), under no circumstances rush to delete it, suspecting it is a virus!
Windows Update Service
Often on Windows XP the problem with almost 100% and svchost is caused by the fact that the update service does not work correctly. Some computer resources have found an explanation for this phenomenon.
The problem is that the update checking mechanism is incorrect. Considering the number of patches that have been released for this system, a small error in memory allocation has turned into a serious problem: the computer not only runs slowly, but you can easily search for “patches” for days, alternately freezing at the same time.
How to disable the problematic service?
To temporarily disable Windows Update, you should go to the “Control Panel”, find the “System and Security” item there. This is where the desired “Center” is located. Windows updates", in which we are interested in the item "Enabling and disabling automatic update" Check the box next to “Do not check for updates.” Click on OK and reboot the machine.
If after this everything is fine, and the processor is not in a “dead” state most of the time, then the culprit of all the problems was indeed the update service. In the event that the problem continues to occur even after this, we return Windows Update to its original state, after which we continue to look for the culprit of all the misfortunes.
Internet Browser
However, take your time. In many cases the culprit is Internet Explorer. Remember how at the very beginning of the article we discussed the importance of svchost for Explorer? But “Internet Browser” is important integral part file manager Windows family OS.
Problems with it very often begin when the IE version is very outdated. For example, Microsoft itself has not recommended using Windows XP since the sixth version for a very long time. Internet version Explorer.
Accordingly, in this case it is quite simple. Use the one mentioned above Windows service Update. Download and install everything latest updates for your operating system version, install new version I.E. It is possible that this measure will help you.
Games
Observe which applications the processor is overloaded after trying to launch. In addition, you should be wary of “svchost.exe application error” messages, which are an almost 100% indicator that some third-party application is to blame for the system’s inappropriate behavior.
Most often, this program is a game downloaded by its happy owner from some “left” site. Those who made modifications to program code, removing protection from it, rarely test their creation for full compatibility with certain systems, their DLLs, etc. So there is nothing to be surprised in this case.
"Bat"
In rare cases, owners of old versions of The Bat mail program encounter this problem, which for one reason or another many people continue to use. Try uninstalling the application. After this, install the latest version of the utility, and then look at the computer’s behavior again.
Drivers
Very often, when transferring a system to another disk after some serious errors in file system, and also after a virus attack, users are faced with an OS that is completely frozen due to svchost. exe. “How to remove this malicious process?” - think novice users.
Let us warn you once again: deleting this file will lead to dire consequences and complete system inoperability, so before taking extreme measures, it is better to read our next advice.
There is information that the svchost.exe process, the error of which spoils so many nerves for users, may not work correctly due to incorrectly installed or “crooked” drivers. Very often it turns out that the cause is programs for video cards and sound cards. The drivers for these are complex and unpredictable, so if possible, remove them and then install the latest (or most stable) versions.
Windows Defender
Owners Windows Vista/7 You should pay attention to the Windows Defender program, which is included in the standard data package operating systems. It serves to prevent entry into the system malware, but sometimes she herself behaves no better.
Problems arise if the installed third-party antivirus software for some reason it does not deactivate the “Defender”. This is especially true for all Eset Nod products, which have been extremely popular with many domestic users in the recent past.
To correct this situation, click on the “Start” button, go to “Control Panel”, and then find “Defender” in it. In its main window there is an item “Run scan when idle.” Uncheck it, click OK. In some cases this measure turns out to be useful.
We hope you found out what the svchost.exe program is. We talked in detail about its purpose, as well as methods for eliminating problems with it. Typically, the troubleshooting methods we provide work. All you need to do is strictly follow the instructions in the article.
In addition, it does not hurt to update the system on time.
Threat name
Executable file name:
Threat type:
Affected OS:
Trojan Svchost
hlhtxo.exe
Spyware/Trojan
Win32 (Windows XP, Windows Vista, Windows Seven, Windows 8)
Trojan Svchost infection method
Trojan Svchost copies its file(s) to yours hard drive. Typical file name hlhtxo.exe. Then it creates a startup key in the registry with the name Trojan Svchost and meaning hlhtxo.exe. You can also find it in the process list with the name hlhtxo.exe or Trojan Svchost.
If you have additional questions regarding Trojan Svchost, please fill out and we will contact you shortly.
Download the removal utility
Download this program and remove Trojan Svchost and hlhtxo.exe (download will start automatically):
* SpyHunter was developed by the American company EnigmaSoftware and is capable of removing Trojan Svchost in automatic mode. The program was tested on Windows XP, Windows Vista, Windows 7 and Windows 8.
Functions
The program is able to protect files and settings from malicious code.
The program can fix browser problems and protects browser settings.
Removal is guaranteed - if SpyHunter fails, free support is provided.
24/7 anti-virus support is included in the package.
Download the Trojan Svchost removal utility from the Russian company Security Stronghold
If you are not sure which files to delete, use our program Trojan Svchost removal utility.. Trojan Svchost removal tool will find and completely remove Trojan Svchost and all problems associated with the Trojan Svchost virus. A fast, easy-to-use Trojan Svchost removal tool will protect your computer from the Trojan Svchost threat that harms your computer and violates your privacy. Trojan Svchost removal tool scans your hard drives and registry and removes any manifestation of Trojan Svchost. Regular antivirus software is powerless against malicious programs such as Trojan Svchost. Download this simplified removal tool specifically designed to solve problems with Trojan Svchost and hlhtxo.exe (the download will start automatically):
Functions
Removes all files created by Trojan Svchost.
Removes all registry entries created by Trojan Svchost.
The program can fix browser problems.
Immunizes the system.
Removal is guaranteed - if the Utility fails, free support is provided.
24/7 antivirus support via GoToAssist is included in the package.
Our support team is ready to solve your problem with Trojan Svchost and remove Trojan Svchost right now!
Leave detailed description your problem with Trojan Svchost in the section. Our support team will contact you and provide you with step by step solution Trojan Svchost problems. Please describe your problem as accurately as possible. This will help us provide you with the most effective method Trojan Svchost removal.
How to remove Trojan Svchost manually
This problem can be resolved manually by removing registry keys and files associated with Trojan Svchost, removing it from the startup list and de-registering all associated DLL files. In addition, missing DLL files must be restored from the OS distribution if they were damaged Trojan Svchost.
To get rid of Trojan Svchost, you need:
1. Terminate the following processes and delete the corresponding files:
Warning: you need to delete only files whose checksums are in the list of malicious ones. Your system may have necessary files with the same names. We recommend using this to solve the problem safely.
2. Delete the following folders:
3. Delete the following registry keys and/or values:
Warning: If registry key values are specified, you should delete only the specified values and leave the keys themselves intact. We recommend using this to solve the problem safely.
4. Reset browser settings
Trojan Svchost can sometimes affect your browser settings, such as changing search and home page. We recommend that you use the free "Reset Browsers" feature in "Tools" in the program to reset all browsers at once. Please note that before this you need to delete all files, folders and registry keys belonging to Trojan Svchost. To reset browser settings manually, use these instructions:
For Internet Explorer
If you are using Windows XP, click Start, And Open. Enter the following in the field Open without quotes and press Enter: "inetcpl.cpl".
If you are using Windows 7 or Windows Vista, click Start. Enter the following in the field Search without quotes and press Enter: "inetcpl.cpl".
Select a tab Additionally
Under Reset settings Internet browser Explorer, click Reset. And click Reset again in the window that opens.
Select checkbox Delete personal settings to delete history, restore search and home page.
After Internet Explorer has completed the reset, click Close in the dialog box.
Warning: Reset browser settings V Tools
For Google Chrome
Find the folder Google installations Chrome at: C:\Users\"username"\AppData\Local\Google\Chrome\Application\User Data.
In a folder User Data, find the file Default and rename it to DefaultBackup.
Launch Google Chrome and it will be created new file Default.
Google Chrome settings reset
Warning: In case this doesn't work, use the free option. Reset browser settings V Tools in the Spyhunter Remediation Tool program.
For Mozilla Firefox
Open Firefox
From the menu, select Help > Problem Solving Information.
Click the button Reset Firefox.
After Firefox finishes, it will show a window and create a folder on your desktop. Click Complete.
Warning: This way you will lose your passwords! We recommend using the free option Reset browser settings V Tools in the Spyhunter Remediation Tool program.
Computer users want their machines to work as quickly as possible and not slow down. In search of “brakes,” they turn to the task manager to detect resource-intensive processes and unload them from memory. Often svchost.exe is visible in the list of processes. This program runs in multiple copies, and RAM consumes a lot.
The natural question is: is it a virus or other malicious software if it overloads the computer like this? And another question: is it possible to delete svchost.exe and do without it. Usually the answer is negative to both questions: it is not a virus and it is almost impossible to do without it. But first things first...
svchost.exe is a system process in Windows starting from version 2000. This is the main process that helps dynamic library services run. If you delete the svchost.exe file, the computer will work... only several times slower than usual. The situation is not so paradoxical: although system service It takes up a lot of RAM; without it, the ROM load would only be higher. The CPU load will also be high.
svchost.exe virus
But still, sometimes it is necessary to delete svchost.exe. More precisely, not himself, but viruses and Trojan horses masquerading as this application. It is easy to distinguish them: although the original system process also creates many copies, the malware is located in any directory except the system one.
It is also useful to know that you can see such a program in the task manager if you pay attention to running it as a user. In some cases, viruses use a genuine system service to cause damage.
There is no need to raise an alarm and worry about the fact that svchost.exe runs in ten copies. There are many dynamic services in the system; one process may not be enough for all of them. Then several copies are turned on at once, each with its own identifier. But we must also look at its origin carefully.
The real process runs from the folders: ServicePackFiles\i386, system32, Prefetch, winsxs\ (all inside C:\WINDOWS). If you notice that svchost.exe was launched from somewhere else, then this is a bad sign (as is the situation with a name that differs “just a little” from the original).
In such cases, run a full antivirus scan until you get rid of the malware.
Operating room work Windows systems– a complex process that is only possible with the proper functioning of all software components. MacOS is no less complex, but in it users do not have the ability to monitor system processes. On Windows see all executable files you can in the “Task Manager”, and inexperienced users some of them can be scary. A prime example of a file that is causing concern is svchost.exe. Quite often in Windows, svchost.exe loads memory or CPU, and there is a feeling that it is a virus. Is this really true? Let's figure it out.
Svchost.exe: what is this process, what functions does it have and why is it needed?
There is a basis for the widespread belief that svchost.exe is a virus, but in reality, most often, this process does not pose any threat. If you understand the functional responsibilities assigned to this file, it is necessary to connect dynamic DLLs for programs and services that cannot work without them. Each program uses its own svchost file, which can be located in different folders of the Windows operating system. 
Most often, the svchost.exe file can be found at the following addresses:
- C:\WINDOWS\system32
- C:\WINDOWS\Prefetch
- C:\WINDOWS\winsxs\ amd64_microsoft-window
- C:\WINDOWS\ServicePackFiles\i386
If the svchost.exe file is located in other folders, this is a reason to sound the alarm, but it is far from an indication that it is a virus. This rule also applies in the opposite direction; if svchost.exe is even located in one of the above folders, it may well turn out to be virus software.
It is very easy to determine in which folder the currently active svchost.exe processes are located. To do this, follow these steps:
In the Windows 8 and Windows 10 operating systems, you can view the list of services that use the svchost.exe process through the Task Manager. This is easy to do - you need to right-click on the suspicious process and select “Go to services”. It is worth noting that the names of many services are unlikely to tell the average computer user anything.
The svchost.exe process may not be a virus, and if it loads the system, then 2 scenarios should be considered here:
- The computer is infected with a virus that sends spam, mines cryptocurrency for its creators, or transfers other data to attackers;
- Due to inattention, the user does not notice that the malicious process is only hiding under the guise of the svchost.exe system library, but in fact it is not one.
If your computer is infected with a virus, and because of this the svchost.exe process loads Windows 10 or an earlier version of the operating system, then you should check your computer popular antiviruses. Be sure to install a Firewall, which will ensure your computer's network security.
In the second case, you should recognize the malicious file svchost.exe, which is not such, and then delete it.
How to distinguish svchost.exe virus from a system file
If the svchost.exe process is using up memory or CPU, then you should verify the authenticity of the file it refers to. To do this, carefully check the name of the executing process. Below we present several tricks of attackers who replace the svchost.exe process with another one, but similar in name. The following schemes are most often used to disguise the virus:
Listed above are only the most common options for masking the virus, but there may be others. Make sure that the process is called svchost.exe and that all letters are written in Latin letters.
If you find a process that masquerades as svchost.exe, but is not one, you should delete it. This is quite easy to do if you use the AVZ program.
How to remove svchost.exe using AVZ program
The well-known anti-virus utility AVZ is capable of detecting and removing unwanted programs, including viruses. It is distributed free of charge and has many useful functions. The advantage of the AVZ program is that it does not need to be installed on the system drive. AVZ can be launched from a flash drive, external hard drive or directly from the downloaded archive.
To remove the svchost.exe file using the AVZ utility, you must perform the following steps:
begin SearchRootkit(true, true); SetAVZGuardStatus(True); QuarantineFile("path to virus ",""); DeleteFile("path to virus"); BC_ImportAll; ExecuteSysClean; ExecuteWizard("TSW",2,3,true); BC_Activate; RebootWindows(true); end. Instead of the words “Path to the virus” highlighted in red, you must specify the location of the svchost virus process. Above, we have already described how to determine where the virus file is located, which is masquerading as svchost.exe. Copy the path to it (or write it manually) and paste it instead of the words highlighted in red. Attention: Quotes cannot be removed from the script - only letters highlighted in red.
After successfully removing the file that pretended to be svchost.exe, we strongly recommend that you scan your computer for viruses. There is a high probability that one of the programs generates new files that automatically run in processes and pretend to be svchost.exe.
Date of publication: 07/20/2010Article updated 12/09/2011
Symptoms:
Your computer suddenly began to freeze and slow down the system. At the same time, you have an antivirus with the latest antivirus databases. Click Ctrl+Alt+Delete and click on the tab Processes. You will see a list of all processes that are currently running; at the same time, you will see that one of the processes is consuming a lot of computer resources (although you are not currently using any programs). Here you will see a certain process svchost(there will be several processes with the same name, but you need exactly the one that loads the system at 100%).
Solution:
1) First of all, try simply restarting your computer.
2) If after a reboot this process continues to load the system, then right-click on the process and, in the list that opens, select End process tree. Then restart your computer.
3) If the first two methods did not help you, then go to the folder Windows and find the folder there Prefetch(C:\WINDOWS\Prefetch). Delete this folder ( delete exactly the folder Prefetch; DO NOT accidentally delete the folder itself Windows!!!)
Next, follow the second point (i.e. delete the svchost process tree). Restart your computer.
How many processes should there be in total?svchost.exe in the "Processes" tab?
The number of processes with this name depends on how many services are running through svchost. Quantity may depend on Windows versions, properties of your computer, etc. Therefore, there can be from 4 processes (the absolute minimum) to infinity with the name “svchost.exe”. On my 4-core computer with Windows 7 (including the services being launched), there are 12 svchosts in the “Processes” tab.
How to determine which one is a virus?
You can see in the screenshot above that in the “User” column next to each svchost there is the name of the source that launched this very process. In normal form, next to the svchosts it will be written “system”, or “network service”, or “local service”. Viruses launch themselves as “user” (can be written “user” or “administrator”).
What is a process anyway?svchost.exe?
In simple terms, the svchost process is an accelerator for the launch and operation of services. svchosts are launched through the system process services.exe
What happens if I click on “End process tree” and accidentally end a system process?svchost, and not the virus itself?
Nothing bad will happen. The system will give you an error and restart your computer. After a reboot, everything will fall into place.
What viruses masquerade assvchost.exe?
According to Kaspersky Lab, the following viruses are disguised as svchost.exe: Virus.Win32.Hidrag.d, Trojan-Clicker.Win32.Delf.cn, Net-Worm.Win32.Welchia.a
According to unconfirmed reports, some versions of Trojan.Carberp also disguise themselves as svchost.exe
How do these viruses work?
These viruses, without your knowledge, access special servers, from where they either download something else dangerous, or send information to the server (namely your passwords, logs, etc.)
Processsvchost.exe loads the system, but in the “User” column it says “system". What is it?
Most likely, this means that some service is working hard. Wait a little and this process will stop loading the system. Or it won't stop... There are some viruses (for example: Conficker) that use real svchosts to corrupt your system. These are very dangerous viruses, and therefore you should check your computer with an antivirus (or better yet, several at once). For example, you can download DrWeb CureIt - it will find such viruses and remove them.
Why do you need to terminate the process tree and delete the folder?Prefetch?
If you terminate the process tree of your system-slowing svchost, the computer will reboot immediately. And at startup, when the virus tries to start again, the antivirus (which you must have installed) will immediately detect and remove it. Although there are many modifications. For example, the original source of such a virus may be located in the Prefetch folder. This folder is needed to speed up the operation of services. Removing it will not harm your computer.
Your advice didn't help me. Processsvchost.exe continues to load the system.
First of all, check your computer with an antivirus. Better yet, check your computer with several antiviruses.
I can also advise you to clean out the System Volume Information folder. This folder contains restore points for your computer. Viruses register themselves in this folder, since the system does not allow the antivirus to delete anything from this folder. But this is unlikely to be of use to you. I have not yet heard of such modifications of viruses that pretend to be svchost.exe and are located in the System Volume Information folder.
If you have any more questions, I will be happy to answer them.
Latest tips from the Computers & Internet section:
Council comments:
I deleted the Prefetch folder and everything was OK! thank you, XPi system
userOK, you're right svchost.exe is one of the main processes. But there is a certain type of virus that masquerades as it. After all, svchost is just a name. Besides, terminating the process tree does not harm anything. Windows is enough good system, and most of system files restores automatically.
what are you teaching children??????????svchost.exe in the family of operating systems Microsoft Windows(2000, XP, Vista, Seven) - the main process (English Host process) for services loaded from dynamic libraries. Using a single process to run multiple services can significantly reduce the cost of RAM and CPU time.
