After removing malware, unidentified processes using 50% CPU

Whitizo

Honorable
Sep 20, 2014
56
0
10,630
So I was stupid and got tricked by a fishy download button on a site which did a good job mimicking the installer long enough to fill my PC with junk. I quickly used RogueKiller and Malwarebytes, along with a Windows Defender scan, to clean it up.

My current issue is every time I launch my PC I have two unidentified processes using a lot of CPU power, causing games to lag and my PC to show dramatic slowdowns. I can close them and there's no issues until my next restart.

I used command prompt and process explorer running in administrator to find out what service or file it's linked to and it cannot find or doesn't seem to be linked to any service. Is it possible there's some malware left behind?


 
Solution
I am a natural paranoid and so would first assume a virus.
Right-click the errant instances you identify and choose file location.
Svchost.exe is located at “C:\windows\system32\svchost.exe”. Any file named “svchost.exe” located in another folder can be considered a malware/Trojan.
If you find the beast, best to delete it. But if it returns, find what runs it on a reboot.
Look in:
Task Manager Startup items
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Here are antivirus apps you might further consider to remove it:
https://windowsfish.com/how-to-remove-svchost-virus/
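The two checks in the answer above (where each running svchost.exe actually lives, and what the HKLM Run key starts) can be done in one pass from an elevated PowerShell prompt. This is an added example, not code from the thread; it goes slightly beyond the post by also accepting the 32-bit copy that 64-bit Windows keeps in SysWOW64 and by reporting each file's Authenticode status, so a copy that sits in a system folder but is not Microsoft-signed is still flagged.

```powershell
# Added example: flag svchost.exe instances outside the expected system paths
# (or without a valid signature) and list the Run-key autostart entries.
# Run elevated; otherwise .Path is empty for processes you cannot open.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')   # 32-bit copy on 64-bit Windows
)

Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path
    # Windows system binaries are catalog-signed, so Status should be 'Valid' on recent Windows.
    $status = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'unreadable' }
    [pscustomobject]@{
        PID        = $_.Id
        Path       = $path
        Signature  = $status
        # Path outside the system folders is the primary red flag; a non-valid
        # signature inside them deserves a second look as well.
        Suspicious = (-not ($expected -contains $path)) -or ($status -ne 'Valid')
    }
} | Format-Table -AutoSize

# Autostart entries the answer points at (machine-wide and per-user Run keys).
# Review anything here you do not recognise before deciding what to remove.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path $runKeys -ErrorAction SilentlyContinue | ForEach-Object {
    $_.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
} | Select-Object Name, Value | Format-Table -AutoSize
```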
 
Solution
Run msconfig and look at the startup task list.
Disable any that seem suspicious.
Use google to identify those you do not recognize.
Many in the list are not bad by themselves and can be disabled.
For instance, I would disable tasks that constantly monitor an app for new updates available.
 

richardvday

Honorable
Sep 23, 2017
185
30
10,740
svchost.exe is used to run drivers etc.; basically it runs .DLL files.
These are files containing libraries, so it IS code, but the file itself is not an executable.
I do not know this windowsfish place so I can not comment on what they have there.

Run a reputable anti-virus application; you could try Avira: https://www.avira.com/en/free-antivirus-windows
It is FREE (some popups in the notification area, not too much) and well-regarded software.
When the system itself is infected, sometimes you need more invasive measures: boot from a repair CD/DVD/USB stick with antivirus to scan and repair your system while the host system is not running. It can be difficult while the host system is running sometimes.

Avira rescue CD: https://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/655
Contains links for the CD image and a program to create the USB bootable flash drive.

You boot from it and follow the instructions.

If you don't like Avira you could try something else: https://www.techsupportall.com/best-bootable-antivirus-rescue-severely-infected-computer/
 

Whitizo

Honorable
Sep 20, 2014
56
0
10,630


Nothing in my startup folder. First thing I checked.
 

Whitizo

Honorable
Sep 20, 2014
56
0
10,630


No, it's very clear that it is some sort of virus trying to mimic svchost.
 

Whitizo

Honorable
Sep 20, 2014
56
0
10,630


I think you might have answered my prayers. It appears that this instance is in the SysWOW64 folder.
 

Whitizo

Honorable
Sep 20, 2014
56
0
10,630


Thank you for the help. I managed to find what was running on startup in the registry. After a restart the CPU hog wasn't loading up and the malicious svchost is no longer running.

After that I ran a series of programs until finally TDSSKiller found something in my SysWOW64 folder, and I removed it. Now the svchost.exe file is still within the SysWOW64 folder. Is this meant to be here, or should I use a tool to fully remove it? Is that safe? The legit svchost is within the /windows/system32 folder.

 

richardvday

Honorable
Sep 23, 2017
185
30
10,740


Which is why I gave you an antivirus link: you boot the CD and clean your system. But you got it, so good job.
 

Whitizo

Honorable
Sep 20, 2014
56
0
10,630


Yeah, sorry I didn't specify that I had already made attempts using antivirus programs and targeting the specific folder, and it wasn't finding anything. But another malware scanner eventually found it.