Help, Svchost keeps getting detect as virus at every restart

Rohith_Kumar_Sp

I don't know what to do. I quarantine it, but after a restart, when I scan, it's still there; I get the same files that were quarantined at the last restart flagged again as threats. I can't delete the file, and after a few minutes it starts using exactly 50% of my CPU, and my CPU is heating to a constant 60°C. How do I get rid of this?

Edit: I stopped the process and deleted the file, but when I restart, the file creates itself again, and it has no purpose. While all the other svchost entries show as "Host Process for Windows", this one shows as "svchost" in the description.

Out of ideas here.

(three screenshots attached)


AMD 5000 Series Ryzen 7 5800X| MSI MAG X570 Tomahawk WiFi | G.SKILL Trident Z RGB 32GB (2 * 16GB) DDR4 3200MHz CL16-18-18-38 | Asus GeForce GTX 3080Ti STRIX | SAMSUNG 980 PRO 500GB PCIe NVMe Gen4 SSD M.2 + Samsung 970 EVO Plus 1TB PCIe NVMe M.2 (2280) Gen3 | Cooler Master V850 Gold V2 Modular | Corsair iCUE H115i RGB Pro XT | Cooler Master Box MB511 | ASUS TUF Gaming VG259Q Gaming Monitor 144Hz, 1ms, IPS, G-Sync | Logitech G 304 Lightspeed | Logitech G213 Gaming Keyboard |

PCPartPicker 


@GoodBytes may help.

  ﷲ   Muslim Member  ﷲ

KennyS and ScreaM are my role models in CSGO.

CPU: i3-4130 Motherboard: Gigabyte H81M-S2PH RAM: 8GB Kingston hyperx fury HDD: WD caviar black 1TB GPU: MSI 750TI twin frozr II Case: Aerocool Xpredator X3 PSU: Corsair RM650


Use safe mode to try and delete everything related to the file, and even do registry edits to get rid of it. Then run the scan again and reboot. See if that will fix it.


Use safe mode to try and delete everything related to the file, and even do registry edits to get rid of it. Then run the scan again and reboot. See if that will fix it.

It creates the file at restart even if I delete it.


In Task Manager, can you show the column "Command Line"? This will help determine where the svchost is. Now, you already found the location of svchost, which is under the Windows Temp directory, which isn't right (meaning it is malware), but I bet you have another program that re-creates that fake svchost.exe if it detects it has been deleted. Looking at the path, you can have an easier time identifying it.


In Task Manager, can you show the column "Command Line"? This will help determine where the svchost is. Now, you already found the location of svchost, which is under the Windows Temp directory, which isn't right (meaning it is malware), but I bet you have another program that re-creates that fake svchost.exe if it detects it has been deleted. Looking at the path, you can have an easier time identifying it.

How do you do that?

@GoodBytes


It creates the file at restart even if I delete it.

*sighs* Mention the member you quote.

@Rohith_Kumar_Sp


@GoodBytes 

I restarted, and here's what I found. It creates it every time, some .com; don't know how the fck it got injected. Using malware and McAfee does nothing, as it deletes it, only for it to be created again at restart.

@cesrai View>Set Columns>Command Line  

(screenshot attached)


@Rohith_Kumar_Sp @GoodBytes

Doesn't show up for me; I'm on Windows 10 Technical Preview.


Delete any installed apps/programs, do a virus scan with Comodo Free and Malwarebytes, then reboot and do a scan again.

EOC folding stats - Folding stats - My web folding page stats

Summer Glau quote: "The future is worth fighting for." (Serenity)

My linux setup: CPU: I7 2600K @4.5Ghz, MM: Corsair 16GB vengeance @1600Mhz, GPU: 2 Way Radeon his iceq x2 7970, MB: Asus sabertooth Z77, PSU: Corsair 750 plus Gold modular


My gaming setup: CPU: I7 3770K @4.7Ghz, MM: Corsair 32GB vengeance @1600Mhz, GPU: 2 Way Gigabyte RX580 8GB, MB: Asus sabertooth Z77, PSU: Corsair 860i Platinum modular


@Rohith_Kumar_Sp @GoodBytes

Doesn't show up for me; I'm on Windows 10 Technical Preview.

In your case, right-click on the columns and click on "Select Columns". A panel will show up; select Command Line.

Delete any installed apps/programs, do a virus scan with Comodo Free and Malwarebytes, then reboot and do a scan again.

That won't do anything, as you have a program generating the exe every time it detects it is not running. That is why we are trying to find it.

In your case, right-click on the columns and click on "Select Columns". A panel will show up; select Command Line.

That won't do anything, as you have a program generating the exe every time it detects it is not running. That is why we are trying to find it.

*sighs* Mention the person you're quoting; quote notification doesn't work. Anyway, thanks for the tip.

@GoodBytes


I restarted, and here's what I found. It creates it every time, some .com; don't know how the fck it got injected. Using malware and McAfee does nothing, as it deletes it, only for it to be created again at restart.

Right, and that is fine. It is probably bitcoin-mining on your system, hence why the CPU is spiking. Else I would say it is a keylogger and that is the domain it is sending the info back to. Usually these malwares are bought on the black market for distribution.

Scroll through Task Manager and see if you have any exe that should not be where it is, or a program that you never installed.

Also, open Task Scheduler and check through each folder in the panel for anything suspicious. This is probably where it starts.

Also check your startup programs.

Also, is UAC enabled?

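The manual checks GoodBytes asks for above (an svchost.exe whose command line shows it running outside System32, a Task Scheduler action that launches something from Windows\Temp, and startup entries that point into a temp or profile folder) can be done in one pass from PowerShell. This is an added example, not code from the thread; it assumes Windows 8 or later (for Get-ScheduledTask) and an elevated prompt, and the helper name Test-SuspectPath and the list of suspect folders are my own choices.

```powershell
# Added triage script; not code from the thread. Assumes Windows 8+ (Get-ScheduledTask)
# and an elevated PowerShell prompt so ExecutablePath/CommandLine of every process is readable.
$sys32 = Join-Path $env:SystemRoot 'System32'
$wow64 = Join-Path $env:SystemRoot 'SysWOW64'

# Folders a dropper or miner commonly writes to (constructed list; extend as needed).
$suspectRoots = @(
    (Join-Path $env:SystemRoot 'Temp'),
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData
) | Where-Object { $_ }   # drop any variable that is not set in this session

# Hypothetical helper: expand %VAR% references, strip quotes, and test whether the
# command starts inside one of the suspect folders.
function Test-SuspectPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $path = [Environment]::ExpandEnvironmentVariables($Command).Trim().Trim('"')
    foreach ($root in $suspectRoots) {
        if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

Write-Host '== svchost.exe instances not running from System32 / SysWOW64 =='
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object {
        $p = $_.ExecutablePath
        # A genuine svchost.exe is only ever loaded from these two directories
        $p -and -not ($p.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase) -or
                      $p.StartsWith($wow64, [StringComparison]::OrdinalIgnoreCase))
    } |
    ForEach-Object {
        # The parent is whatever spawned the impostor; often the re-creating program GoodBytes suspects
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $parentDesc = if ($parent) { "$($parent.Name) (PID $($parent.ProcessId)) $($parent.ExecutablePath)" } else { 'already exited' }
        [pscustomobject]@{
            Pid         = $_.ProcessId
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
            Parent      = $parentDesc
        }
    } | Format-List

Write-Host '== Scheduled tasks whose action runs from a temp/profile folder =='
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only exec actions carry Execute; other action types leave it empty and are skipped
        if (Test-SuspectPath $action.Execute) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $action.Execute
                Arguments = $action.Arguments
                State     = $task.State
            }
        }
    }
} | Format-Table -AutoSize

Write-Host '== Run/RunOnce entries (Suspect = True when the command lives in a temp/profile folder) =='
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSChildName/... members
        [pscustomobject]@{
            Key     = $key
            Name    = $prop.Name
            Command = $prop.Value
            Suspect = Test-SuspectPath ([string]$prop.Value)
        }
    }
}
$entries | Format-Table -AutoSize
```

The first section is the scripted form of the Command Line column: it lists only svchost.exe processes whose image is outside the two legitimate directories, and prints the parent so the program that re-creates the file has somewhere to be found. The Task Scheduler and Run-key sections walk every task folder and both the 64-bit and 32-bit Run keys, which is what the later posts ask the OP to inspect by hand; an entry is flagged on its path alone, so a legitimate program that happens to live in AppData will also show up and needs a second look rather than deletion.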

*sighs* Mention the person your quoting, quote notification doesn't work, anyway thanks for the tip.


@GoodBytes

I don't know; I check my e-mail and I see 19 e-mails, as I subscribe to all threads I participate in automatically, plus the pokes I get with "@" tags. :)

So it seems to be working for me.

So yeah, you don't need to poke me every time. I was already summoned to this thread. :D


Right, and that is fine. It is probably bitcoin-mining on your system, hence why the CPU is spiking. Else I would say it is a keylogger and that is the domain it is sending the info back to. Usually these malwares are bought on the black market for distribution.

Scroll through Task Manager and see if you have any exe that should not be where it is, or a program that you never installed.

Also, open Task Scheduler and check through each folder in the panel for anything suspicious. This is probably where it starts.

Also check your startup programs.

Also, is UAC enabled?

@GoodBytes

No, I hate UAC popping up; I've disabled it. I have to check all the folders in that Task Scheduler? Damn. My startup is clear according to msconfig or the TuneUp startup utility.

Edit: I checked all the tasks, man. Everything seems to be in order, or I don't know what I should be looking for in it; first time using Task Scheduler.


No, I hate UAC popping up; I've disabled it. I have to check all the folders in that Task Scheduler? Damn. My startup is clear according to msconfig or the TuneUp startup utility.

Well, if you had UAC enabled, then you would most likely not have this problem. UAC should be enabled, and it should not be annoying, as you should not be doing system-level changes continuously. To access C:\Windows\Temp you need admin rights. So right now, the program takes advantage of the fact that not only does it have true admin, but it can do what it wants.

If you had UAC enabled, then running that document, image, or whatever you opened to get infected would need to request admin privileges, where you hit No. And assuming you allowed it by mistake, then once it is deleted in C:\Windows\Temp by your anti-malware, the other program that is running cannot recreate it, as it doesn't have the rights to this location. Sure, it could pick a different location (but usually most malware is not well programmed and thought out) or ask you for admin rights every time you start the computer (which you can eventually hit No to). The only bypass is that the infection changes the permissions of the C:\Windows\Temp folder to all-user access, which you can correct, or uses Task Scheduler. It is not foolproof, but it makes making malware and viruses a whole lot more of a pain in the ass.

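A way to verify the two things the post above relies on: that UAC is actually enforcing prompts for administrators, and that C:\Windows\Temp has not been opened up to every user. This is an added example, not code from the thread; it reads the documented EnableLUA and ConsentPromptBehaviorAdmin policy values and the folder's ACL, and the variable and label names are mine.

```powershell
# Added check; not code from the thread. Run from an elevated PowerShell prompt.
# Reads the UAC policy values and the ACL on %SystemRoot%\Temp that the post refers to.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

# EnableLUA = 1 turns UAC on. ConsentPromptBehaviorAdmin = 0 means "elevate without prompting",
# which leaves an admin account effectively unprotected even when EnableLUA is 1.
$uacEnabled = ($policy.EnableLUA -eq 1)
$adminBehavior = if ($null -ne $policy.ConsentPromptBehaviorAdmin) { [int]$policy.ConsentPromptBehaviorAdmin } else { 5 }
$promptNames = @{
    0 = 'elevate silently (no protection)'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (default)'
}
Write-Host ('UAC (EnableLUA):            {0}' -f $(if ($uacEnabled) { 'ON' } else { 'OFF - re-enable it' }))
Write-Host ('Admin elevation behaviour:  {0} = {1}' -f $adminBehavior, $promptNames[$adminBehavior])
if ($uacEnabled -and $adminBehavior -eq 0) {
    Write-Host 'WARNING: UAC is on but admins elevate silently; malware run by an admin still gets full rights.'
}

# The default ACL on %SystemRoot%\Temp gives standard users only create/traverse rights here.
# A Modify or Full Control grant to Everyone / Users / Authenticated Users is the
# "all user access" change the post describes and should be reverted.
$tempDir = Join-Path $env:SystemRoot 'Temp'
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify
$broadGroups = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
$broadAces = (Get-Acl -Path $tempDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match $broadGroups -and
    (($_.FileSystemRights -band $modify) -eq $modify)
}
if ($broadAces) {
    Write-Host "WARNING: $tempDir grants Modify or better to a broad group:"
    $broadAces | Select-Object IdentityReference, FileSystemRights, InheritanceFlags | Format-Table -AutoSize
} else {
    Write-Host "$tempDir ACL: no Modify/Full Control grants to Everyone, Users or Authenticated Users."
}
```

Both values live under the same policy key that the UAC slider in Control Panel writes to, so the script reports the real setting rather than what the slider shows. The ACL test checks the Modify bits rather than looking for Full Control alone, because a grant of Modify is already enough to recreate and overwrite files in the folder.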

Well, if you had UAC enabled, then you would most likely not have this problem. UAC should be enabled, and it should not be annoying, as you should not be doing system-level changes continuously. To access C:\Windows\Temp you need admin rights. So right now, the program takes advantage of the fact that not only does it have true admin, but it can do what it wants.

If you had UAC enabled, then running that document, image, or whatever you opened to get infected would need to request admin privileges, where you hit No. And assuming you allowed it by mistake, then once it is deleted in C:\Windows\Temp by your anti-malware, the other program that is running cannot recreate it, as it doesn't have the rights to this location. Sure, it could pick a different location (but usually most malware is not well programmed and thought out) or ask you for admin rights every time you start the computer (which you can eventually hit No to). The only bypass is that the infection changes the permissions of the C:\Windows\Temp folder to all-user access, which you can correct, or uses Task Scheduler. It is not foolproof, but it makes making malware and viruses a whole lot more of a pain in the ass.

@GoodBytes, so I should delete that file somehow and enable UAC?


It is common for malware to inject itself into legitimate processes nowadays; it helps to prevent detection, and explorer.exe is the most commonly used, but svchost can be used too. Seeing as it is a trojan, you more than likely have a RAT of some kind. Cleaning them is not easy, but I do know of another forum that has a special area dedicated to this with professionals on hand to help. If you want the link, PM me, mate.

Now, as for what I can tell you: download Wireshark here https://www.wireshark.org/ and install it. Then run a scan on your interface (Ethernet or wireless; whatever you use) and let it run for at least an hour (shut ALL applications down, especially FTP clients and email clients/services). When this is done and you have left it a minimum of an hour, stop the scan and in the search bar up top type 'FTP' and see if anything comes up; do the same for SMTP, POP3, IMAP, MAPI and SFTP. If anything comes up with these searches, screenshot them and post them here.

If you are wondering, what we are doing here is scanning your network interface for any email or FTP activity. RATs and botnets almost always have some form of keylogger, and in order to send logs to the attacker they are often sent via email or FTP. This is why we are scanning for these protocols: if you have no apps open and there is activity, there is a chance that you are being logged by something.

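The same capture-and-search procedure can be scripted with tshark, the command-line tool that installs alongside Wireshark, which makes the hour-long idle capture and the protocol searches repeatable. This is an added example, not part of the post above; the install path, the interface index and the output file name are placeholders to adjust, and the display filters 'ftp', 'ftp-data', 'smtp', 'pop', 'imap' and 'ssh' are Wireshark's own protocol names (SFTP is carried inside SSH, so 'ssh' is what reveals it; MAPI is not covered here).

```powershell
# Added example; not part of the original post. Assumes Wireshark is installed in its default
# folder (tshark.exe ships with it) and an elevated prompt so packet capture is allowed.
$tshark = 'C:\Program Files\Wireshark\tshark.exe'
$pcap   = Join-Path $env:USERPROFILE 'Desktop\idle-capture.pcapng'

# List adapters and pick the index of the one in use; 1 below is a placeholder.
& $tshark -D
$ifaceIndex = 1

# 1. Capture for one hour (3600 s) with every application closed, as the post instructs.
& $tshark -i $ifaceIndex -a duration:3600 -w $pcap

# 2. Re-read the capture with the post's protocol checks expressed as display filters.
#    'ftp-data' is FTP's transfer channel; SFTP runs inside SSH, so 'ssh' is what shows it.
$filters = [ordered]@{
    'FTP'      = 'ftp || ftp-data'
    'SMTP'     = 'smtp'
    'POP3'     = 'pop'
    'IMAP'     = 'imap'
    'SSH/SFTP' = 'ssh'
}
foreach ($name in $filters.Keys) {
    # One line per matching packet: timestamp, source, destination, destination port
    $hits = @(& $tshark -r $pcap -Y $filters[$name] -T fields -e frame.time -e ip.src -e ip.dst -e tcp.dstport)
    '{0,-9} {1,6} packets' -f $name, $hits.Count
    # Show the first few matches so the remote host is visible; on an idle machine any hit deserves a look
    $hits | Select-Object -First 5
}
```

The counts are the quick answer to "did anything come up"; the sample lines give the destination address, which is what you would want in the screenshot. The filters match on Wireshark's protocol dissection, not on port numbers alone, so a miner or RAT talking to an unusual port over a protocol Wireshark cannot classify will not appear in these five rows, and a separate look at the Statistics > Conversations view (or `-z conv,tcp` in tshark) for unexpected remote hosts complements the protocol search.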

@GoodBytes , so i should delete that file somehow and Enable UAC?

Enable UAC first (if it's not broken), and try to remove it again.

As I said, most malware is badly done, so the effort in hiding things isn't great. Can you post me a picture of the main location of the Task Scheduler? They usually just put them there.

Also, using CCleaner, look at the startup programs; can you give me a screenshot of the list? (They show the file path, which is what I am interested in.)


Just looked at your screenie and you have been infected with a Bitcoin/Litecoin miner. Your machine is acting as a slave for the attacker by mining cryptocurrency to generate them money; it is almost inevitable you also have a RAT, as most people who infect with crypto miners use RATs to manage and control their bots.


@Sicarius @GoodBytes so I enabled UAC and restarted after deleting that file; no new file was created in Temp, and there's no svchost process running in Task Manager. Wut? Does this mean it's not running, or just not showing up in my Task Manager?

(two screenshots attached)


@Sicarius @GoodBytes so I enabled UAC and restarted after deleting that file; no new file was created in Temp, and there's no svchost process running in Task Manager. Wut? Does this mean it's not running, or just not showing up in my Task Manager?

Everything looks good there. I do suggest you do as I said before, though. I am 100% sure you have been infected with a miner, however; they're not too easy to remove, but it can be done. The issue you then have is you always run the risk of never knowing if you fully removed all the malware, as crypters can hide most malware nowadays. If this were me, I'd do a complete re-install of Windows, but that may not be an option for you. Do as I said above and after that we can look at some other options.


And there you go :D

See how UAC is not a waste, and helps you be more protected?

Now your problem is not solved, as you have that program that tries to run the malware every time you startup your system. It just fails to do so.

If it doesn't show in the Task Manager, then it's not running*. Why a "*"? Because there are infections that, if you don't have a UEFI system with an OS that fully supports UEFI (Windows 8 and above) with Secure Boot, can change the boot system and boot the virus first, gaining supervisor mode of the CPU (you can only have one), and then start Windows. Under this mode, the virus has full access to your memory, your security software and Windows. It can change/ignore CPU instructions from your anti-virus to make it act like everything is fine and no virus exists, and it is completely hidden from Windows, as it is not a program that Windows runs. Very scary. The good news is that today this is extremely rare, and not widely distributed, due to the high complexity of developing such an infection. But action is taken now so that you don't have a black market selling one that was made, as by the time it becomes an issue, everyone should be on UEFI-based systems, hopefully. Only companies with very slow upgrade cycles are at risk, but too bad for them; they are probably still on Windows XP.

Anyway, in your case, based on the screenshots, I don't get why you have 4 Google Updaters. I would remove all of them. And in addition to these 4, you have a 5th one at startup.

I am sure one of them is legit for your Chrome, but it is easy for malware with admin rights to just replace the Google Updater exe with its malware. I mean, it is the easiest way to hide it. A great number of people have Chrome, the most popular web browser in the world. Perfect hiding spot.

Also, I don't see how Nvidia ShadowPlay is Microsoft related? Suspicious?

And you have other things I don't know. I don't get why you have so many things.

This is what I have:

(screenshot of my startup list attached)

Where the first item is my own software, and second is IM.

But as Sicarius mentioned, I would completely re-install Windows. I do this for any infection I get. The main reason is that only the virus infection can be removed by the anti-virus; system files that were modified by the virus or malware remain changed. The security software can't fix them. So any damage done to the system is done.


The OP has PM'ed me for the link to the forum I was talking about. They are very good in there and probably have a much higher chance of removing it than we do (may be wrong about you; not trying to be presumptuous :D). Anyway, OP, let us know how things go!


Where the first item is my own software, and second is IM.

But as Sicarius mentioned, I would completely re-install Windows. I do this for any infection I get. The main reason is that only the virus infection can be removed by the anti-virus; system files that were modified by the virus or malware remain changed. The security software can't fix them. So any damage done to the system is done.

@GoodBytes

Wait,

I need my McAfee, Realtek, USB3Mon (3rd-party USB 3.0 driver), WD drivers, APC UPS monitor, Killer Network Manager since it's my MSI network controller driver, fast boot and quick charge for obvious reasons, and as soon as you enable capture desktop in ShadowPlay it connects to Microsoft, I think (the screen goes black and comes back). I can't seem to remove any; how do you have only 2?


@GoodBytes 

I restarted, and here's what I found. It creates it every time, some .com; don't know how the fck it got injected. Using malware and McAfee does nothing, as it deletes it, only for it to be created again at restart.

@cesrai View>Set Columns>Command Line  

That "svchost" is obviously a mini bitcoin miner. That's actually kinda funny, to be honest. Never seen that before.
