Ways to remove svchost.exe
Boot in safe mode
Sometimes you will not be able to delete a file even if you find it, in that case you should boot in safe mode and then try to delete it/ them.
Remove Processes from Task Manager
Press Ctrl+Shift+Esc to open Task Manager. See in the list of the processes for a processe/s named "svch0st.exe" select if found and press the End Process button, confirm and then close the Task Manager.
Optionally you can use Windows Defender to see the path of a currently running program/ process and its publisher, so as to differentiate malware processes from windows genuine processes.
Removing entry from windows startup
The system configuration can be started in xp and in vista by typing msconfig in the run box/ start menu search box. In xp by clicking on Start > run . The windows startup is reversible, therefore you can check / uncheck any entry from windows startup any number of times.
After the system configuration window is open, Click on the Startup tab, that will list all the programs that are scheduled to start with windows. Expand the middle column using your mouse pointer so that you can see the full path of the program. Locate and uncheck "svch0st.exe" Press Apply , Press Close/Ok , Select "Restart the computer" at the next prompt.
View Hidden Files
Before you could delete svch0st.exe and its associated files you need to search for them, and before doing that you need to enable to view hidden files and folders
Delete Files
These are the locations where svch0st.exe was found
%Windir%\svch0st.exe
Variation1) %System%\SVCH0ST.exe site contacted hacker1.50share.cn see report
Variation2) This variation disables Task Manager and registry tools see report
Variation3) This variation includes a keylogger and also can take over the computer. It adds these files
%Windir%\SP00LSV.EXE
%Windir%\SVCH0ST.EXE (notice there is 0-zero instead of O in both the names) see report (Variation4) This variation adds one more file
%Windir%\system\svch0st.exe (notice the folder location, it is not in system32 folder)
"%ProgramFiles%\Common Files\taskmmgr.exe" (notice the filename there is an extra 'm' in it)
You can find analysis reports of more variations of this virus on this link
There are several files created by this virus in the Temp folder. Instead of listing their names, I suggest you to run a temp files cleaner, like CCleaner, to remove them automatically.
%Windir% By default C:\Windows\ %System% is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (in Windows NT/2000), or C:\Windows\System32 (in Windows XP).
%Temp% is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (in Windows NT/2000/XP).
Run CCleaner
After deleting svch0st.exe and its associated files , as there will be leftover entries in the windows regitry. CCleaner is a free temp files/registry cleaner, that will automatically clean the registry as well as remove the temp files .
Edit Registry
If you are comfortable in using the regedit command. The registry keys are given in the reports in the "Delete Files" section.
Done !!
