However, virus writers could not miss such a convenient opportunity, and there was a virus with the same name, in connection with which an inexperienced user is difficult to identify it in task Manager and even to detect its presence in the system. An alarming symptom of the presence of this virus in the system may be only the error message associated with svchost.exe that tells the user that "the memory could not be read". In this case, you should immediately take steps to remove svchost:

1. Open registry editor (type regedit in the Run window or command prompt), locate the key [HKLMSoftwareMicrosoftWindowsCurrentversionrunservices] "PowerManager"="%WinDir%svchost.exe" and then delete it.

2. Open the module management Windows services (start — control Panel — administrative tools — Services), find the PowerManager service and stop it (click the service name, right-click and select "Stop" from the context menu, or position the cursor on the name of the service and click "Stop" on the left side of the window).

3. Open task Manager and end the process of Trojan programs.

4. Delete the files:



  • %System%svchostc.exe

  • %System%svchosts.exe

  • %WinDir%svchost.exe

  • %WINDIR%svchost.com

  • %Windir%SYSHOST.DLL

  • %WinDir%msrt32.dll

  • %WinDir% \ sysini.ini

  • %WinDir%msin32.dll

  • %WinDir%nostar.ini

  • %Temp%c1.txt

  • %Temp%c2.txt

  • %Temp%c3.txt

  • %WINDIR%svchost.com

  • %Windir%SYSHOST.DLL

  • %WinDir%msrt32.dll

  • Be careful: the "real" svchost located in the folder %WINDIR%system32. It must not be removed.


5. To permanently delete svchost, you need to remove auto run Trojan programs from the registry. Start registry editor, locate the key [HKLMSoftwareMicrosoftWindowsCurrentversionrun] "svchost" = "%WinDir%svchost.exe" and then delete it.

6. Find the key [HKCRexefileshellopencommand]. Change the value from %WINDIR%svchost.com "%1" %* to "%1" %*

7. Find the key [HKLMSoftwareMicrosoftWindows NTCurrentVersionWinLogon] and change the value of "Userinit"="%System%userinit.exe,,%Windir%svchost.exe%" "Userinit"="%System%userinit.exe,"

8. Find the key [HKLMSoftwareMicrosoftWindowsCurrentversionrun] and remove the options "Systems" = "%WinDir%svchost.exe" and "Online Service"="%WinDir%svchost.exe"