Possible malware disguised as svchost.exe

zAsdf0

Commendable
Nov 22, 2016
4
0
1,510
So I recently came across high usage on memory and CPU for a svchost.exe. I also noticed my PC becoming a lot slower, though I have no idea how to remove it. I'm fairly certain that I have malware on my PC, though everything seemed fine until this thing popped up. No programs I have used in the past have been deemed useful.

I have tried ending the process, but before I can do anything it's up and running again.

(details about the program in task manager.)
http://imgur.com/a/OwOXD

BadActor

Estimable
Herald
I would say it is malware masquerading as a system process. The description is in Russian, which is highly suspect. If you're running Windows 7, try downloading and running ComboFix. It's very effective on tough malware. If running another Windows, run MalwareBytes, SuperAntiSpyware, and one or two online virus scanners.

https://www.bleepingcomputer.com/download/combofix/

https://www.malwarebytes.com/mwb-download/

http://www.superantispyware.com/download.html

http://housecall.trendmicro.com/
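One way to check whether a running svchost.exe is the genuine system binary, as an added example (not code from this thread or from any of the tools linked above): a real svchost.exe is loaded from System32 or SysWOW64, carries a valid Microsoft signature, and is started by services.exe; the script flags any instance that fails one of those checks.

```powershell
# Added example: triage every svchost.exe on the box.
# Expected: image in %SystemRoot%\System32 or SysWOW64, Microsoft-signed, parent services.exe.
$sys32 = Join-Path $env:SystemRoot 'System32\svchost.exe'
$wow64 = Join-Path $env:SystemRoot 'SysWOW64\svchost.exe'

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }   # PID -> process, for parent lookup

$procs | Where-Object { $_.Name -ieq 'svchost.exe' } | ForEach-Object {
    $path     = $_.ExecutablePath
    $parent   = $byPid[[int]$_.ParentProcessId]
    $findings = @()

    # Check 1: image path. Miners dropped in AppData/Temp fail here.
    if (-not $path) {
        $findings += 'path unreadable (run as Administrator)'
    } elseif ($path -ine $sys32 -and $path -ine $wow64) {
        $findings += "unexpected image path: $path"
    }

    # Check 2: parent process. Service hosts are spawned by services.exe, not explorer.exe.
    if ($parent -and $parent.Name -ine 'services.exe') {
        $findings += "unexpected parent: $($parent.Name) (PID $($parent.ProcessId))"
    }

    # Check 3: Authenticode/catalog signature must be valid and from Microsoft.
    if ($path -and (Test-Path $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "signature: $($sig.Status)"
        }
    }

    [pscustomobject]@{
        PID     = $_.ProcessId
        Path    = $path
        Parent  = if ($parent) { $parent.Name } else { '?' }
        Verdict = if ($findings) { 'SUSPECT: ' + ($findings -join '; ') } else { 'looks legitimate' }
    }
} | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt, otherwise ExecutablePath is blank for processes owned by other accounts and the path check cannot be made.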

zAsdf0

I used Malwarebytes doing a full scan, which didn't solve my issue, and a custom scan leading to the directory of the file location given by the task manager, which didn't solve my issue either.

Neither Malwarebytes nor Avast could pick it up as a 'threat', yet it constantly uses 50% of my (weak) CPU.

Though I did find an interesting discovery when running the program in sandbox mode from Avast: http://imgur.com/NwJ6t7E

So a CPU miner, but the next problem is: How do I remove it?

zAsdf0

Alright boys, I found a *temporary* solution. I had used various programs to see if something could pick it up as a threat, though I was unsuccessful. After the frustration of uninstalling these useless programs, I thought "Just block the server IP." In theory that should stop the data being sent to me, rendering the program useless. Success! The only way, I can think of, that the program will start working again is code implemented into the program to redirect to different servers; so far nothing has happened.

Unless I get a program that can quarantine any file I want, stop it from running and delete it, this is going to be my 'go-to solution'. (If anyone knows about such a program please notify me, that'd be great.)

Proof: http://imgur.com/a/9eSOW


zAsdf0

Will check it out, thanks!