How to Get Rid of the Svchost.EXE Virus

By Shoaib Khan

Scvhost.exe is a form of malware that impersonates a vital process of the Windows operating system known as Svchost.exe. Because the names are so similar (the 'c' comes before the 'v' in the malware's name, the reverse of the Windows process), computer users may overlook scvhost.exe as a normal process, not suspecting that it is actually a worm. What makes it easier for the worm to hide is that there are normally multiple entries for the real svchost.exe in the "Processes" tab of "Task Manager." Even if a user notices suspicious activity and checks the running processes, the worm may be overlooked amid several legitimate processes whose names differ by only two transposed letters.

Step 1

Check for the scvhost.exe malware. A good way to check whether the process is part of the operating system or malware is by looking at the path of the file. For the real svchost.exe, the path is usually "C:\windows\system32\svchost.exe." Any other path is usually indicative of an infection. Go to "Task Manager" by using the "Ctrl-Alt-Del" key combination, click on "Processes" and check the path for all svchost.exe entries.

Step 2

Turn on your computer in Safe Mode. Press the power switch and immediately start tapping the "F8" key as the computer boots. When presented with start-up options, scroll down to "Safe Mode" and hit "Enter."

Step 3

Load the command prompt screen. Wait for the operating system to load, then click on "Start" and then "Run." In the subsequent command box, type in "cmd" and press "Enter." You will see the command prompt window come up with a black background and a blinking cursor.

Step 4

Navigate to "C:\Windows\System32" in the command prompt. Type in "cd c:\windows\system32" and press "Enter." That is, "c-d-space-c-colon-backslash-windows-backslash-system32". Notice the space between "cd" and "c" in the text input. This will take you inside the folder.

Step 5

Disable individual file attributes. Type in "attrib -h -r -s scvhost.exe" and press "Enter." Next, type "attrib -h -r -s blastclnnn.exe" and press "Enter." Finally, type "attrib -h -r -s autorun.inf" and press "Enter." These commands will disable the hidden, system and read-only attributes of the three named files.

Step 6

Delete the infected files. With attributes changed, you can remove the specified files from the system by typing the instructions in the command prompt. To delete a file, type in "del InfectedFileName" and hit "Enter." For example, for the scvhost.exe file, type "del scvhost.exe" and press "Enter." Delete all three files in the same way.

Step 7

Remove registry entries. Type in "regedit" and press "Enter" to launch the "Registry Editor" tool. In the Registry Editor, use the left pane to navigate to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run." Use the right pane to select the value "c:\windows\system32\scvhost.exe" and delete it.

Step 8

Use the "Registry Editor" left pane to navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" then scroll down and delete the sub-keys labeled "RpcPatch" and "RpcTftpd."

Step 9

Close down the command prompt by typing "exit" and shut down the registry editor tool. Restart the computer. Open the task manager using the "Ctrl-Alt-Del" key combination and look for scvhost.exe. The process should not be in the list.
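Before deleting anything, the indicators from Steps 1, 5, 7 and 8 can be checked read-only from a PowerShell prompt. The script below is an added example, not from the original article: the file names, Run value and service sub-keys are the ones the article lists, and the SysWOW64 copy of svchost.exe is assumed to be a second legitimate location on 64-bit Windows.

```powershell
# Added example, not from the original article: read-only triage of the
# indicators named in Steps 1, 5, 7 and 8. Nothing is deleted; run from an
# elevated prompt so that ExecutablePath is populated for every process.
$sys32         = Join-Path $env:SystemRoot 'System32'
$expectedHosts = @("$sys32\svchost.exe", "$env:SystemRoot\SysWOW64\svchost.exe")  # SysWOW64: assumed legitimate on 64-bit Windows
$suspectFiles  = @('scvhost.exe', 'blastclnnn.exe', 'autorun.inf')    # Step 5
$runKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' # Step 7
$serviceKeys   = @('RpcPatch', 'RpcTftpd')                             # Step 8

function Get-HostProcessStatus {
    # Step 1: every process named svchost.exe or scvhost.exe, with its image path.
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match '^(svc|scv)host\.exe$' } |
        ForEach-Object {
            $status = 'SUSPICIOUS'
            if (-not $_.ExecutablePath) { $status = 'unknown path (run elevated)' }
            elseif ($_.Name -ieq 'svchost.exe' -and $expectedHosts -contains $_.ExecutablePath) { $status = 'expected' }
            [pscustomobject]@{ Pid = $_.ProcessId; Name = $_.Name; Path = $_.ExecutablePath; Status = $status }
        }
}
function Get-SuspectFileStatus {
    # Step 5: -Force makes Get-Item return hidden and system files as well.
    foreach ($name in $suspectFiles) {
        $full = Join-Path $sys32 $name
        $item = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            File       = $full
            Present    = [bool]$item
            Attributes = if ($item) { $item.Attributes.ToString() } else { '' }
        }
    }
}
function Get-SuspectRegistryEntries {
    # Step 7: any Run value pointing at scvhost.exe; Step 8: the two service sub-keys.
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -imatch 'scvhost\.exe' } |
            ForEach-Object { [pscustomobject]@{ Location = "$runKey\$($_.Name)"; Value = $_.Value } }
    }
    foreach ($svc in $serviceKeys) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (Test-Path -LiteralPath $key) { [pscustomobject]@{ Location = $key; Value = '(service key present)' } }
    }
}

Get-HostProcessStatus      | Format-Table -AutoSize
Get-SuspectFileStatus      | Format-Table -AutoSize
Get-SuspectRegistryEntries | Format-Table -AutoSize
```

A legitimate svchost.exe entry shows "expected"; any entry flagged "SUSPICIOUS", a present suspect file, or a listed registry location is what the removal steps above are meant to clear.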

Tips & Warnings

  • Always keep your computer protected using an up-to-date anti-virus program.
  • Back up your registry before making changes. This way, if the changes affect computer performance, you will still be able to roll back.