How to find svchost.exe virus ?

Discussion in 'Computing and Networks' started by pujulde, Jun 28, 2014.

  1. pujulde

    Thread Starter Member

    Jul 24, 2013
    My anti-virus software(avast) show me that there is virus under the C:\Windows\system32\svchost.exe. I encounter with it first time and could not find and delete. I have download the Commodo software tool for testing but found nothing. There is killswitch mode to analyze all svchost.exe services and find out which of them is virus, but it did not help me. Could anyone point me out real way to find it, either it would be manually or with the assistance of software. Thanks in advance.
  2. sirch2

    Well-Known Member

    Jan 21, 2013
    svchost.exe is a utility that runs dll files, so it could be that the virus is not in svchost itself but in the dll it is running.
    pujulde likes this.
  3. Natakel

    Well-Known Member

    Oct 11, 2008
    Avast is pretty good at finding and removing virus threats. If you are worried the net-nasty might still be on your computer, you can try running a program like Malwarebytes. There is a free version for use on home computers.

    Odds are, Avast at least quarantined the virus, and it is no longer active on your system . . . and Avast may have actually caught it before it was active.
  4. Litch


    Jan 25, 2013
    C:\Windows\system32\svchost.exe is a core system file - delete that and windows will cease to operate, at all.

    Are you sure Avast pointed out that it was really the "C:\Windows\system32\svchost.exe" file, and not another file called svchost.exe elsewhere?

    Else, it may have meant that your svchost.exe is infected (the contents of the file has been changed by the virus) in which case you're in a really crappy situation, because if your AV cannot clean it then you'll have to restore the original file by other means (like plugging that hdd into another windows PC and copying the _correct_ version of that file over the top of the infected one).

    Good luck.
    pujulde likes this.
  5. electronis whiz

    Well-Known Member

    Jul 29, 2010
    Yes SVChost is a normal process in some cases i've seen on my old XP netbook. I would google it, some sites will give you some info on it. I saw one site that said it was both good and it is also a virus. Same name 2 different files, there was some way to distinguish them.
    +1 for malware bytes. if you want more info on the process that is running i'd recommend process explorer from sysinternals. has a good deal more info including vendor, etc. if you want to get into it deep and see what it's doing then get process monitor from sysinternals. (both free) or download the entire suite of for free, and extract them to your C drive. I put them in the root of C: so that i can find simply, and some are cmd based that need the directory set to run.
  6. DerStrom8

    Well-Known Member

    Feb 20, 2011
    Get MalwareBytes and Spybot. Run them as administrator and let them do their thing.

    svchost.exe is not the issue, most likely. It is probably the service it is running.
    djsfantasi likes this.
  7. Natakel

    Well-Known Member

    Oct 11, 2008
    Yes, it can be a valid system process . . . but depending on what is running on your computer you can have several instances of svchost running at the same time. Virus files can and do mimic valid system processes, often the svchost in particular. My point in the first post was that Avast caught virus activity in a particular instance of the svchost.exe, and at least quarantined it (which I think is the default setting). Odds are good that whatever virus or malware activity that was running on the machine no longer is. Running a program like Malwarebytes and maybe a full Avast system scan can verify the infection is not active. I'd imagine Avast killed it, though.
    Last edited: Jul 18, 2014
    pujulde likes this.
  8. studiot

    AAC Fanatic!

    Nov 9, 2007
    Depending upon your version of Avast, you can look at record files it creates and see what it did.