
Svchost.exe outside system32, but virus scanners say it's clean


I noticed my laptop fans were loud when it shouldn't be heavily loaded. I checked Task Manager and there was an svchost at 25% CPU (a full core). I checked its location, which wasn't system32 but user\AppData\Roaming\Microsoft\Windows\svchost.exe. Also the file size is 619kB, not 27kB like in system32. I checked online and people are saying Windows doesn't have any svchost outside system32, it must be malware. But both Malwarebytes and Spybot say it's clean when I scan it. Though Malwarebytes found a registry entry called something like PUP.iminient that I removed. I still have the svchost file though. Is it just harmless without the registry entries? Can I find out what it does?


  • Root Admin

There must be a reason the file is there. Not sure we'll be able to tell you exactly what process put it there but we can help you to remove it and ensure the system is clean.

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.

Thanks


Amazingly, good old Notepad might have solved the mystery. Near the end of the large program body is this:

DeregisterEventSource ・ReportEventW  }RegisterEventSourceW  ADVAPI32.dll  6 WSAIoctl  WS2_32.dll  ・HeapAlloc 1TerminateProcess  BUnhandledExceptionFilter  SetUnhandledExceptionFilter IsDebuggerPresent ・RtlVirtualUnwind  ・RtlLookupFunctionEntry  ・RtlCaptureContext OGetSystemTimeAsFileTime HeapFree  HeapReAlloc ~WideCharToMultiByte ・GetConsoleCP  ・GetConsoleMode  pGetCommandLineA TRaiseException  ・RtlPcToFileHeader ・RtlUnwindEx EncodePointer DecodePointer ?FlsGetValue @FlsSetValue >FlsFree ・SetLastError  =FlsAlloc  HeapSize  \GetCPInfo SGetACP  GetOEMCP  IsValidCodePage ・GetModuleFileNameA  HeapSetInformation  ・HeapCreate  LCMapStringA  LCMapStringW  ・SetHandleCount  9GetStartupInfoA DeleteCriticalSection  SetStdHandle  #GetProcessHeap  ・WriteConsoleA ・GetConsoleOutputCP  ・WriteConsoleW KFreeEnvironmentStringsA GetEnvironmentStrings LFreeEnvironmentStringsW GetEnvironmentStringsW  GetCurrentProcessId ・LoadLibraryA  InitializeCriticalSectionAndSpinCount kGetTimeZoneInformation  =GetStringTypeA  @GetStringTypeW  ・GetLocaleInfoA  R CompareStringA  U CompareStringW  SetEnvironmentVariableA                 ⅷQ    bz       Xz \z `z sz   jhPrimeminer.exe OPENSSL_Applink  


Apparently it was mining primecoins... not sure if I should be relieved, could also have been doing naughtier things?
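The two checks used in this thread, the "is this svchost.exe where Windows keeps it?" test and the Notepad-style look for readable strings, as a small added Python triage script (not code from the thread or from Malwarebytes). The expected directories and the marker list are assumptions; the sample bytes are constructed to contain the strings the poster found.

```python
import re
from pathlib import PureWindowsPath

# Assumed: directories from which the genuine Windows service host runs.
EXPECTED_SVCHOST_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

# Assumed marker list, taken from the strings the poster found in the file.
SUSPICIOUS_MARKERS = ("primeminer", "openssl_applink")


def svchost_path_is_expected(path: str) -> bool:
    """True only when a file named svchost.exe sits in a directory Windows itself uses."""
    p = PureWindowsPath(path)
    if p.name.lower() != "svchost.exe":
        return False
    parent = str(p.parent).lower()
    return any(parent == d.lower() for d in EXPECTED_SVCHOST_DIRS)


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """What Notepad showed by accident: runs of printable ASCII of min_len+ characters."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def find_markers(data: bytes) -> list[str]:
    """Return the extracted strings that contain one of the assumed marker substrings."""
    return [s for s in extract_strings(data)
            if any(marker in s.lower() for marker in SUSPICIOUS_MARKERS)]


# Constructed sample: non-printable padding around strings quoted in the thread.
SAMPLE = (b"\x00\x01MZ\x90\x00"
          + b"DeregisterEventSource\x00ReportEventW\x00ADVAPI32.dll\x00"
          + b"\x7f\x00WSAIoctl\x00WS2_32.dll\x00" + b"\xff\xfe" * 8
          + b"jhPrimeminer.exe\x00OPENSSL_Applink\x00")

if __name__ == "__main__":
    for path in (r"C:\Windows\System32\svchost.exe",
                 r"C:\Users\me\AppData\Roaming\Microsoft\Windows\svchost.exe"):
        verdict = "expected" if svchost_path_is_expected(path) else "UNEXPECTED location"
        print(f"{path}: {verdict}")
    print("marker strings:", find_markers(SAMPLE))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `find_markers`; a hit on the marker list is a reason to hand the file to an analyst, not proof by itself.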
