Windows 10: Virus Trojan installed with Windows 10 Update - Svchost.exe which used CPU was a Coin Miner

Discussion in 'AntiVirus, Firewalls and System Security' started by MartyL7, Feb 15, 2020.

  1. MartyL7 Win User

    Virus Trojan installed with Windows 10 Update - Svchost.exe which used CPU was a Coin Miner


    Summary:

    • Windows Update slowed down my pc
    • with Windows 10 Update, a virus got installed
    • Task Manager disabled by virus/trojan
    • Svchost.exe taking up CPU ~80%
    • Svchost.exe was a virus Bitcoin Miner
    • the virus/trojan was downloaded with the Windows Update probably thanks to delivery optimization


    Notes:


    • I also use NAS from Synology
    • I use 4 Windows 10 computers at home all had turned on Windows Delivery Optimization, all with an active admin account:
      - my desktop PC - referred in the article Windows 10, used only in private network - had the virus, was updated
      - my laptop Windows 10, used only in private network and public networks - checked, no virus, was not updated
      - parents desktop PC Windows 10, used only in private network - checked, no virus, was not updated
      - parents laptop Windows 10, used only in private network and public networks - not active for a week, I don't have access to it
    • I haven't downloaded anything from unreliable sources for half a year, and it wasn't any installation file



    Long story long: I've been playing FIFA the whole month. This Thursday I turned off PC and a Windows 10 Update KB4532693 downloaded. The next day when I turned PC back on one more update got downloaded and installed - Security Update for Windows 10 Version 1903 for x64-based Systems KB4524244.



    After the update, PC felt slow but I wanted to play FIFA (yes, again :D). It was unplayable - it was laggy. I don't have the newest PC but FIFA and other games never lagged. So, I wanted to see what's wrong and looked in the Task Manager. An error appeared - "Task Manager has been disabled by your administrator". That was strange because I have the only account on this PC and that is an admin account.



    I tried troubleshooting recommended on Microsoft Forum:



    Go to: "User Configuration" -> "Administrative Templates" -> "System" -> "Ctrl+Alt+Del Options" - Verify that the "Remove Task Manager" option is set to "Disable" or "Not Configured". From "Not Configured" I set it to "Disable" and the Task Manager was working again!



    Here I found an unnamed task taking up ~80% of CPU. In this task's properties, I found that it was called "Svchost.exe." On forums, I've read that it sometimes happens after/before the Windows Update - the Svchost.exe using too much CPU because of some updates running in the background. I went to sleep, hoping that some "patch that would fix this" would be released tomorrow.



    An update was released. Once again I had to troubleshoot the Task Manager but the mysterious Svchost.exe was still taking up CPU. I killed the task with the expectation that some of my Windows functions will crash. But nothing happened. I also found the location of this Svchost.exe task. It was in Windows Temp Files in a hidden folder called "nfyc577A.tmp". I deleted the nfyc577A.tmp and restarted the PC. It was back there. Again taking up CPU.



    At this moment I started thinking that this Svchost.exe might not be connected to Windows programs at all... And what are the only two apps eating up the whole CPU? Anything from Adobe and Coin mining programs. I downloaded Malwarebytes antivirus. And guess what? I was right! What appeared to be Svchost.exe was a BitcoinMiner. I used the recommended settings of Malwarebytes and deleted it. I will attach the Malwarebytes report later.

    But... how the hell did the virus get into my PC? The last time I downloaded something from relatively "unreliable" sources was half a year ago and I had Windows updated several times since then. Oh, I had the delivery optimization turned on.



    My friend later helped me analyze this report.

    From the Malwarebytes log (full report here - link to Google Drive folder with txt file, no need to download) we learned that:

    Process: 1

    RiskWare.BitCoinMiner,


    - the virus/trojan had admin rights
    - was hiding in temp folders
    - was mining
    - altered settings of Firewall
    - disabled the TaskManager


    We assume that:
    - the virus/trojan was downloaded with the Windows Update thanks to delivery optimization
    - the update contained a VBE script which downloaded and installed the virus



    Final notes:

    I hope that this post will help anyone with the same problem I had, and I hope it will help secure Windows 10. I really don't know how the virus got on my PC, or if it came from another PC via the home network - we can only assume. Also, note that I'm not a software engineer :)
     
    MartyL7, Feb 15, 2020
    #1
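
Added example, not part of the original posts: a read-only PowerShell check for the two symptoms described in post #1, a process named svchost.exe running from outside the Windows system directories and the "Remove Task Manager" policy being set. It assumes the policy is stored as the DisableTaskMgr registry value (which is what that Group Policy setting writes) and should be run from an elevated prompt so process paths are visible.

```powershell
# Read-only triage: reports findings, changes nothing.

# A genuine svchost.exe image lives only in these two directories.
$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# 1. svchost.exe processes whose image sits anywhere else (e.g. a Temp folder).
$suspects = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object {
        # ExecutablePath is empty when the caller lacks rights to query the process.
        $_.ExecutablePath -and
        ($expectedDirs -notcontains (Split-Path -Path $_.ExecutablePath -Parent))
    }

foreach ($p in $suspects) {
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [pscustomobject]@{
        ProcessId  = $p.ProcessId
        Path       = $p.ExecutablePath
        ParentName = $parent.Name          # genuine svchost.exe is started by services.exe
        Signature  = (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
        SHA256     = (Get-FileHash -Path $p.ExecutablePath -Algorithm SHA256).Hash
    }
}
if (-not $suspects) { 'No svchost.exe found outside System32/SysWOW64.' }

# 2. "Remove Task Manager" policy: DisableTaskMgr = 1 blocks Task Manager.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    $item = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        "$key : DisableTaskMgr not set"
    } else {
        "$key : DisableTaskMgr = $($item.DisableTaskMgr)"
    }
}
```

The SHA256 value is what a VirusTotal lookup, as suggested in post #3, would take; a DisableTaskMgr value nobody on the machine configured is itself worth recording before it is reset.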

  2. Security Intelligence Update for Windows Defender Antivirus KB2267602 and Trojan JS Coin Miner

    This update has not installed and I have been trying for 2 weeks. I also have issues with Trojan JS Coin Miner which seems only to attack when I try to open certain apps. Does anyone know if these are related? Windows Defender and Windows Security haven't got rid of it. Should I uninstall and install these 2 apps?
     
    VivianSmith1, Feb 15, 2020
    #2
  3. Le Boule Win User
    Svchost virus?

    Did your antivirus provider identify the malware? If so, did you seek their advice?

    You may want to send a copy of the file to VirusTotal for analysis. VirusTotal

    Recommend you scan with the Emsisoft Emergency Kit (a free program): How to find and clean malware infections with Emsisoft Emergency Kit | Emsisoft | Security Blog

    If necessary boot into Safe Mode/Safe Mode with Networking to download and run the scanner or use another computer, put the EEK file on a flash drive and insert the flash drive in the infected computer...you can run the scanner from the flash drive. Other scanners (some of which may be run in Safe Mode or from a flash drive) that may help with this issue are listed in List of Malware Removal Tools


    OR

    IF this is what you are seeing, suggest you follow ALL of the steps (until the issue is resolved) in this free removal guide How To Remove SvcHost.exe Malware (Virus Removal Guide)

    But if you have this malware issue sometimes it will be necessary to reset your computer or do a clean install of the OS.

    https://support.microsoft.com/en-us/help/12415/windows-10-recovery-options

    Clean Install Windows 10

    Regards…

    http://blog.emsisoft.com/2015/01/27/top-10-ways-pups-sneak-onto-your-computer-and-how-to-avoid-them/
     
    Le Boule, Feb 15, 2020
    #3
  4. Virus Trojan installed with Windows 10 Update - Svchost.exe which used CPU was a Coin Miner

    Monero XMR CPU miner

    It's a trojan which you're having there.

    The removal guide (Remove the CPU.exe Monero Miner) I linked explains in detail about this
    trojan. The removal guide consists of various/multiple steps.

    Please try to concentrate and read the self-help guide and follow it step-by-step.

    In case, that you don't feel comfortable doing all that alone, I - again - suggest to ask for free expert help at

    https://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/


    or

    you can ask for perhaps not so free Microsoft help here: http://answerdesk.microsoftstore.com

    or

    you might want to do a clean install which is described in this wiki:
    https://answers.microsoft.com/en-us/windows/wiki/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587
     
    Jsssssssss, Feb 15, 2020
    #4