
svchost.exe in sysWOW64 being a bitcoin mining stuff HELP!!



So my dad did something to my computer and it got a virus or something, idk. Anyway, I installed Bitdefender and it deleted MOST of the infected files, but I think there is still an infected file on my computer. At first there was an infected .exe in my Pictures folder and in LocalAppData and LocalAppData\Temp, and I manually deleted them all, but there is one more problem: there was a svchost.exe in the SysWOW64 folder and I tried deleting it, but it needs permission, so I searched online and found out that if I delete it my computer will not boot. So what do I need to do to get this svchost thing out of my computer, not by deleting it, just stopping it, because it uses half of my CPU and there are TWO OF THEM.


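The question above is whether a svchost.exe under SysWOW64 is the miner or a normal Windows file. A 32-bit svchost.exe does legitimately live in C:\Windows\SysWOW64, and a healthy Windows install runs many svchost.exe instances, so the name and the count prove nothing on their own. The script below is an added example, not something posted in this thread or part of the tools Maurice recommends; it lists every running svchost.exe with its full path, parent process, command line, Microsoft signature status and CPU time, and flags any instance that fails the three checks a defender would make (known path, valid Microsoft signature, launched by services.exe). It only reports; it does not kill or delete anything. It assumes Windows 10/11 with PowerShell 5.1 or later and should be run from an elevated prompt so all processes are visible.

```powershell
# Added example (not from the thread): inventory every running svchost.exe and flag
# copies that are not in a legitimate location, not Microsoft-signed, or not started
# by services.exe. Legitimate 32-bit svchost.exe exists in SysWOW64, so path alone is
# not evidence of infection; the three checks together are what matter.

$legitPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

$procs = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"

$report = foreach ($p in $procs) {
    $path   = $p.ExecutablePath
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue

    # Authenticode check; Windows system binaries are catalog-signed, which this cmdlet honours.
    $sig = if ($path -and (Test-Path -LiteralPath $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $isMsSigned = [bool]($sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')

    $pathOk   = [bool]($path -and ($legitPaths -contains $path))
    # Real service hosts are launched by services.exe; a user-mode miner normally is not.
    $parentOk = [bool]($parent -and $parent.Name -eq 'services.exe')

    # Total processor seconds consumed so far, for spotting the instance eating the CPU.
    $cpu = (Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue).CPU

    [pscustomobject]@{
        PID         = $p.ProcessId
        Path        = $path
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'unknown' }
        CommandLine = $p.CommandLine
        MsSigned    = $isMsSigned
        CpuSeconds  = [math]::Round([double]$cpu, 1)
        Suspicious  = -not ($pathOk -and $isMsSigned -and $parentOk)
    }
}

# Suspicious instances sort to the top; every flagged line deserves a closer look,
# but treat the flag as a prompt for review, not as a verdict.
$report | Sort-Object Suspicious, CpuSeconds -Descending | Format-Table -AutoSize -Wrap
```

A legitimate instance shows the System32 or SysWOW64 path, a valid Microsoft signature, services.exe as its parent, and a command line of the form `svchost.exe -k <group>`. An instance whose path is under a user profile, whose parent is something other than services.exe, or whose signature is missing is the one to hand to the scanners the helper recommends rather than delete by hand, since the system copies in System32 and SysWOW64 are required for booting.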

Hello. My name is Maurice. I will guide you.

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

    Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.
    Show-Hidden-Folders-Files-Extensions
    https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

    Disable-Fast-Startup
    https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

I would like a report set for review. This is a report only. This is the first beginning step so I can see what is what on this particular machine.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply.

Please no more screen grabs unless I specifically ask for them. Know that I will be guiding you and we will be using known reliable security scanners to check the system. Please leave Task Manager alone. The scanners will find the potential malware. In addition, I will likely have, later on, a custom script to clean up any actual malware. Do not try to self-medicate on your own. Do not make changes on your own without checking with me first. Sincerely.

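The two linked guides walk through showing hidden files and extensions and turning off Fast Startup in the Windows GUI. As an added example that is not part of this thread or of the linked Malwarebytes guides, the script below applies the same two settings through the registry values that back them, then reads them back so you can confirm the change. It assumes Windows 10/11 and an elevated PowerShell prompt (the Fast Startup value lives under HKLM); if you prefer the GUI route, the guides above give identical results.

```powershell
# Added example (not from the thread): set the Explorer view options and disable
# Fast Startup via their backing registry values. Run as Administrator.
# Assumption: Windows 10/11, where these are the value names Explorer and Power use.

# Explorer view settings (per-user).
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorer -Name 'Hidden'          -Value 1 -Type DWord   # show hidden files and folders
Set-ItemProperty -Path $explorer -Name 'HideFileExt'     -Value 0 -Type DWord   # show file extensions
Set-ItemProperty -Path $explorer -Name 'ShowSuperHidden' -Value 1 -Type DWord   # show protected OS files

# Fast Startup (machine-wide): 0 disables it so every shutdown is a full shutdown.
$power = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
Set-ItemProperty -Path $power -Name 'HiberbootEnabled' -Value 0 -Type DWord

# Explorer reads its view settings at start; restart it so the change is visible now.
Stop-Process -Name explorer -Force
Start-Process explorer.exe

# Read back to verify: expect Hidden=1, HideFileExt=0, ShowSuperHidden=1, HiberbootEnabled=0.
Get-ItemProperty -Path $explorer -Name Hidden, HideFileExt, ShowSuperHidden
Get-ItemProperty -Path $power    -Name HiberbootEnabled
```

Showing extensions matters for the cleanup that follows: a file named `photo.jpg.exe` displays as `photo.jpg` while extensions are hidden, which is exactly how the infected .exe files described in the first post get overlooked.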

Humhh. What version of Windows is this? Is this machine not on Windows 10 or 11?? Let us get a generic diagnostic report. You can simply download & save a new copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Go to Downloads folder. RIGHT-click on FRST64 and select 

Run as Administrator

and tap ENTER. And reply YES to allow it to proceed.

  • When the tool opens click Yes to the disclaimer. And be very sure to TICK the box for Addition.txt.
  • Press the Scan button.


  • It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run from.
  • Have patience since the run may take something like 10 or so minutes (less depending on your hardware speed).
  • Close Notepad IF those show up in Notepad.
  • Just please Attach the 2 files FRST.txt + Addition.txt with your next reply.
  • ONLY attach the files. Do not "paste" the actual contents of the files or reports within the main body of any reply. Please.

Hello. Thanks for the FRST reports. 😀 It looks like you tried HitmanPro on your own. What else? Bitdefender?

Do not try any further "self medication". Don't try manual removals on your own. It appears that this machine does not have Malwarebytes, which is a great security & anti-malware tool.

Malwarebytes can detect and remove most malware with no further actions required for free.

Please download, install, update Malwarebytes
https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows

and do a Threat Scan with Malwarebytes https://support.malwarebytes.com/hc/en-us/articles/360038984773
and post back the log as shown below.
Then locate the Scan run report, export a copy, and attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

I look forward to having this scan report.

I would recommend getting a readout report as to update status of some key apps.

  • IF you use the EDGE browser, temporarily disable Microsoft SmartScreen to download the next software below.
  • Download SecurityCheck by glax24 from here

and save the tool on the desktop.

If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot, override that, and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Edited by Maurice Naggar
amended for 2nd report

Per the SecurityCheck program, there are many out-of-date & insecure programs, and also too many versions of Python.
If you are not a developer, if you have no idea why Python is on here, then uninstall all versions of Python.

Notepad++ (64-bit x64) v.8.4.4  Warning! Download Update

TeamViewer v.15.44.6  Warning! Download Update

Oracle VM VirtualBox 6.1.38 v.6.1.38  Warning! Download Update

Microsoft Visual Studio Code (User) v.1.82.0  Warning! Download Update

Python 3.7.9 (64-bit) v.3.7.9150.0  Warning! uninstall
Python 3.8.9 (32-bit) v.3.8.9150.0  Warning! uninstall
Python 3.11.3 (64-bit) v.3.11.3150.0 Warning! Download Update

Wireshark 4.0.5 64-bit v.4.0.5  Warning! Download Update

Google Drive v.1.0  Warning! Download Update

7-Zip 21.07 (x64) v.21.07  Warning! Download Update
Uninstall old version and install new one.

WinRAR 6.10 (64-bit) v.6.10.0     Warning! Download Update
WinRAR 6.00 (32-bit) v.6.00.0  Warning! uninstall

Discord v.1.0.9004  Warning! Download Update

uTorrent Web v.1.3.0  Warning! Ad-supported P2P-client.

Radmin Viewer 3.5.2 v.3.52.1.0000  Warning! RAT!.
  
Java 8 Update 341 (64-bit) v.8.0.3410.10  Warning! Download Update
Uninstall old version and install new one (jre-8u381-windows-x64.exe).

Java 8 Update 341 v.8.0.3410.10  Warning! Uninstall.

Java SE Development Kit 8 Update 191 v.8.0.1910.12  Warning! Uninstall

Audacity 3.1.3 v.3.1.3  Warning! Download Update

iTunes v.12.11.3.17  Warning! Download Update
Please use the Apple Software Update tool.

Adobe Creative Cloud v.5.9.0.372  Warning! Download Update  

Mozilla Firefox 56.0 (x86 en-US) v.56.0  Warning! Download Update

Restoro v.2.1.0.5  Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it.

Bonjour v.3.1.0.1  Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

Glary Utilities 5.211 v.5.211.0.240 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it. Computer experts no longer recommend this program.

SpyHunter 5 v.5.12.23.275  Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it.
IF you did not pay for a license, be very sure to uninstall this.

Ashampoo WinOptimizer 26 v.26.00.13  Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering. Computer experts no longer recommend this program.

LightCleaner version 2.9 v.2.9  Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it.

Further replies will follow.


Reply 2

IF you are done with HitmanPro, or if you do not have a paid license for HitmanPro, then Uninstall it. Having it active may interfere with cleanup procedures.

First some housekeeping, and then one scan. There will be more later after all this.
Start Malwarebytes. Click the Settings (gear) icon. Next, let us make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. Thanks. }

This will not affect any real-time protection of Malwarebytes for Windows 😃.

  • now Click the General tab.
  • Under Application updates, click the Check for updates button.

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes. Next, the Malwarebytes scan.

Next, click the small x on the Settings line to go to the main Malwarebytes window. Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<< 💢

 


Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.

 

Then click on Quarantine  button.


 


Then locate the Scan run report, export a copy, and attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


  • 2 weeks later...

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
