Windows 10: Windows 10 svchost virus

Discussion in 'AntiVirus, Firewalls and System Security' started by victor122, Jan 19, 2017.

  1. victor122 Win User

    Hi. I have recently started having CPU problems. Apparently, it's because of a trojan virus called svchost.exe. Anytime I use an internet browser (any) I get a message from my web protection that it's blocking the virus but my CPU still gets overloaded. I've tried every trojan remover I could find, they did not work. Malwarebytes identifies it as a web virus and blocks every few seconds. How can I remove this virus from my computer?


    Thanks in Advance

    :)
     
    victor122, Jan 19, 2017
    #1

  2. Windows 10 does not use this type of file? C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Why do I have this file appearing running on my Windows 10 system?

    The following also appear and it has crashed my system 2 times. Is it a virus?



    Your message is ready to be sent with the following file or link attachments: svcWINDOWS BLOCK THESE POTENTIAL UNSAFE ATTACHEMENTS: host, svchost, svchost, svchost, svchost, svchost, svchost, svchost.exe.mui, svchost.exe.mui, svchost.exe.mui, svchost.exe.mui,
     
    albertocarvajal, Jan 19, 2017
    #2
  3. Jsssssssss, Jan 19, 2017
    #3
  4. Samuria Win User

    Welcome to the forum. The file is a genuine Windows file when run from the Windows folder. Use Task Manager and find one that's not running from the Windows folder, kill it quick, then delete it. You need to have it ready in another window to delete before it restarts. It's often ransomware. Are your files OK, docs etc.?
     
    Samuria, Jan 19, 2017
    #4
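
The check described in post #4 (an svchost.exe that is not running from the Windows folder), as a PowerShell sketch. This is an added example, not part of the original thread; it assumes an elevated PowerShell session, and the signature and parent-process checks are extra heuristics beyond what the post itself says.

```powershell
# Added example: list every svchost.exe and flag instances that do not look
# like the genuine Windows service host. Run from an elevated PowerShell.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Map PID -> hosted service names, so each "-k <group>" instance can be explained.
$servicesByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    $servicesByPid[[int]$_.ProcessId] += @($_.Name)
}

# Genuine service hosts are started by services.exe.
$servicesExePid = (Get-CimInstance Win32_Process -Filter "Name='services.exe'").ProcessId

Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
    $reasons = @()
    if (-not $_.ExecutablePath) {
        $reasons += 'path unreadable (session not elevated?)'
    } else {
        # -notcontains compares case-insensitively, so C:\WINDOWS vs C:\Windows is fine.
        if ($expected -notcontains $_.ExecutablePath) { $reasons += 'unexpected path' }
        $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    }
    if ($_.ParentProcessId -ne $servicesExePid) { $reasons += 'parent is not services.exe' }

    [pscustomobject]@{
        PID         = $_.ProcessId
        Path        = $_.ExecutablePath
        CommandLine = $_.CommandLine
        Services    = ($servicesByPid[[int]$_.ProcessId] -join ', ')
        Flags       = ($reasons -join '; ')
    }
} | Sort-Object { $_.Flags -eq '' } | Format-List   # flagged instances first
```

An instance such as `C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup` from post #2 should come back with an empty Flags field and a list of the services it hosts.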
  5. victor122 Win User
    The thing is that it does operate from the windows folder. From system 32 to be exact.
     
    victor122, Jan 19, 2017
    #5
  6. dalchina New Member
    .. let's go back to that. Do you perhaps mean svchost.exe is using excessive CPU time?

    If so, please post an appropriate screenshot of your task manager. Thanks.
     
    dalchina, Jan 19, 2017
    #6
  7. victor122 Win User
    [IMG]

    [IMG]

    This is what I get while using any browser. The browser starts using more CPU when that message pops up (which happens every few seconds).
     
    victor122, Jan 19, 2017
    #7
  8. dalchina New Member

    Hi, someone may be able to recognise what's going on if they've seen that, so thanks for the screenshots.

    Meanwhile, you've clearly got quite a bit going on, so try a clean boot, then open a browser and see what happens.

    That's a German IP address - which whois says is for sale.

    Possible references here:
    Qadars Banking Malware Fake Flash Update | EFORENSICS
    Fake Flash update from phishing site delivers Qadars banking malware – BroadAnalysis

    Sounds like you need to scan your system with the appropriate tool, but I'm no expert on that.

    *** This looks possible - see 'Contacted Hosts' which lists yours.
    You could examine the parameters for update.exe as listed here.
    Free Automated Malware Analysis Service - powered by VxStream Sandbox

    Do you have a disk image you can use to restore your PC to a point before this started to occur? I doubt a system restore point would help here.
     
    dalchina, Jan 19, 2017
    #8
  9. victor122,

    Let's try opening the hosts file and see if there is something unusual there.

    Right-click the Windows Start and select: Command Prompt (Admin)

    At the Command Prompt, type the following commands, one at a time, and press ENTER after each:

    cd drivers
    cd etc
    dir


    The contents are shown, and below them, the following appears:
    C:\Windows\System32\drivers\etc>

    At the above, type: notepad hosts

    The Notepad text appears.

    Please copy the results, and provide in your reply.

    (Images are in reversed order!)
     
    cottonball, Jan 20, 2017
    #9
  10. victor122 Win User
    Here is what I got:
    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost
     
    victor122, Jan 20, 2017
    #10
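
The hosts-file inspection from posts #9 and #10, done without reading the file by eye. This is an added example, not part of the original thread; it assumes the default hosts location under %SystemRoot% and treats any host name other than `localhost` or the computer's own name as worth reviewing.

```powershell
# Added example: list the active (non-comment) entries of the Windows hosts file.
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$localNames = @('localhost', $env:COMPUTERNAME)

$file = Get-Item -LiteralPath $hostsPath
"hosts last modified: $($file.LastWriteTime)  read-only: $($file.IsReadOnly)"

$entries = foreach ($raw in Get-Content -LiteralPath $hostsPath) {
    # Everything after '#' is a comment; lines that end up empty are skipped.
    $line = ($raw -replace '#.*$', '').Trim()
    if (-not $line) { continue }

    # Format: <IP address> <host name> [more host names...]
    $fields = @($line -split '\s+')
    $ip = $fields[0]
    foreach ($name in ($fields | Select-Object -Skip 1)) {
        [pscustomobject]@{
            IP       = $ip
            HostName = $name
            # Anything that is not a name for this machine needs an explanation.
            Review   = $localNames -notcontains $name
        }
    }
}

if ($entries) {
    $entries | Sort-Object -Property Review -Descending | Format-Table -AutoSize
} else {
    'No active entries: every line is a comment or blank.'
}
```

For the file posted in #10, where every line starts with `#`, this prints the no-active-entries message.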
  11. victor122 Win User
    Maybe this is better

    [IMG]
     
    victor122, Jan 20, 2017
    #11
  12. dalchina New Member
    Whilst you could block that IP address in your hosts file as an expedient, it doesn't deal with the underlying issue. You have some program on your PC which is responsible for that.

    If you find update.exe is present and might be suspicious, you can upload it to Virustotal
    VirusTotal - Free Online Virus, Malware and URL Scanner
    and any positive results might point you to an AV provider that could help.
     
    dalchina, Jan 20, 2017
    #12
  13. victor122,

    The hosts file is OK.

    Let's do the following:

    Download Zemana AntiMalware:
    Zemana AntiMalware Download
    Save to the Desktop.

    Double-click on the file Zemana.AntiMalware.Setup.exe to install.

    When the program starts you are presented with a Setup screen, click: Next
    Follow the prompts to install.

    Once Zemana AntiMalware starts, click: Scan

    When finished, it displays a list of all the malware found. Click on Next to remove any malicious files from your computer.

    A reboot may be required to remove malware.

    When done, click the Graph icon (far upper right), highlight the applicable log file, and click: Open Report

    Please post the notepad text report for review.
     
    cottonball, Jan 20, 2017
    #13
  14. victor122 Win User
    That didn't help but thanks. The trojan seems to be operating from a different program/file now called tor. Happened after I blocked its IP.

    [IMG]
     
    victor122, Jan 21, 2017
    #14
  15. victor122,

    Please use the Farbar Recovery Scan Tool Download
    Save FRST to your Desktop.

    [Note: You need to run the version compatible with your system: 32 bit or 64 bit]


    Double-click FRST to run it.
    When the tool opens click Yes to the disclaimer.

    Next, press the Scan button.


    When done, the tool makes a log (FRST.txt) on the Desktop.
    The first time the tool is run, it makes another log: (Addition.txt).

    Please provide the results of both reports in your reply. (Attach if you can, if not, then post.)
     
    cottonball, Jan 21, 2017
    #15