Virus (Trojan) installed with Windows 10 Update - Svchost.exe which used CPU was a Coin Miner

M

MartyL7

Summary:

  • Windows Update slowed down my pc
  • with Windows 10 Update, a virus got installed
  • Task Manager disabled by virus/trojan
  • Svchost.exe taking up CPU (~80%)
  • Svchost.exe was a virus (Bitcoin Miner)
  • the virus/trojan was downloaded with the Windows Update probably thanks to delivery optimization


Notes:


  • I also use NAS from Synology
  • I use 4 Windows 10 computers at home (all had turned on Windows Delivery Optimization, all with an active admin account):
    - my desktop PC - referred in the article (Windows 10, used only in private network) - had the virus, was updated
    - my laptop (Windows 10, used only in private network and public networks) - checked, no virus, was not updated
    - parents desktop PC (Windows 10, used only in private network) - checked, no virus, was not updated
    - parents laptop (Windows 10, used only in private network and public networks) - not active for a week (I don't have access to it)
  • I haven't downloaded anything from unreliable sources for half a year (it wasn't any installation file)



Long story long:
I've been playing FIFA the whole month. This Thursday I turned off PC and a Windows 10 Update (KB4532693)

downloaded. The next day when I turned PC back on one more update got downloaded and installed - Security Update for Windows 10 Version 1903 for x64-based Systems (KB4524244).



After the update, PC felt slow but I wanted to play FIFA (yes, again :D). It was unplayable - it was laggy. I don't have the newest PC but Fifa (and other games) never lagged. So, I wanted to see what's wrong and looked in the Task Manager. An error appeared - Task Manager has been disabled by your administrator". That was strange because I have the only account on this PC and that is an admin account.



I tried troubleshooting recommended on Microsoft Forum:



Go to: "User Configuration" -> "Administrative Templates" -> "System" -> "Ctrl+Alt+Del Options" - Verify that "Remove Task Manager" option set to "Disable" or "Not Configured" (from "Not Configured" I set it to "Disable" and the task manager was working again!)



Here I found an unnamed task taking up ~80% of CPU. In this task properties, I found that it was called "Svchost.exe." On forums, I've read that it sometimes happens after/before the Windows Update - the Svchost.exe using too much CPU because of some updates running in the background. I went to sleep, hoping that tomorrow will be released some "patch that would fix this."



An update was released. Once again I had to troubleshoot the Task Manager but the mysterious Svchost.exe was still taking up CPU. I killed the task with the expectation that some of my Windows functions will crash. But nothing happened. I also found the location of this Svchost.exe task. It was in Windows Temp Files in a hidden folder called "nfyc577A.tmp". I deleted the nfyc577A.tmp and restarted the PC. It was back there. Again taking up CPU.



At this moment I started thinking that this Svchost.exe might not be a connected to Windows programs at all... And what are the only two apps eating up the whole CPU? Anything from Adobe and Coin mining programs. I downloaded Malwarebytes antivirus. And guess what? I was right! What appeared to be Svchost.exe was a BitcoinMiner. I used the recommended settings of Malwarebytes and deleted it. I will attach the Malwarebytes report later.

But... how the hell the virus got into my PC. The last time I downloaded something from relatively "unreliable" sources was a half a year ago and I had Windows updated several times since then. Oh, I had the delivery optimization turned on.



My friend later helped me analyze this report.

From the Malwarebytes log (full report here - link to google drive folder with txt file, no need to download) we learned that:

Process: 1

RiskWare.BitCoinMiner,


- the virus/trojan had admin right
- was hiding in temp folders
- was mining
- altered settings of Firewall
- disabled the TaskManager


We assume that:
- the virus/trojan was downloaded with the Windows Update thanks to delivery optimization
- updated contained a VBE Script which has downloaded and installed the virus



Final notes:

I hope that this post will help anyone with the same problem I had, and I hope it will help secure the Windows 10. I really don't know how the virus got on my PC, or if it came from another PC via the home network - we can only assume. Also, note that I'm not a software engineer

Continue reading...
 

Similar threads

Back
Top Bottom