MartyL7
Summary:
- Windows Update slowed down my PC
- with a Windows 10 update, a virus got installed
- Task Manager disabled by the virus/trojan
- Svchost.exe taking up CPU (~80%)
- Svchost.exe was a virus (Bitcoin miner)
- the virus/trojan was probably downloaded with the Windows Update thanks to delivery optimization
Notes:
- I also use a NAS from Synology
- I use 4 Windows 10 computers at home (all had Windows Delivery Optimization turned on, all with an active admin account):
  - my desktop PC - referred to in the article (Windows 10, used only in the private network) - had the virus, was updated
  - my laptop (Windows 10, used in the private network and public networks) - checked, no virus, was not updated
  - parents' desktop PC (Windows 10, used only in the private network) - checked, no virus, was not updated
  - parents' laptop (Windows 10, used in the private network and public networks) - not active for a week (I don't have access to it)
- I haven't downloaded anything from unreliable sources for half a year (it wasn't any installation file)
Long story long: I've been playing FIFA the whole month. This Thursday I turned off the PC and a Windows 10 update (KB4532693) downloaded. The next day when I turned the PC back on one more update got downloaded and installed - Security Update for Windows 10 Version 1903 for x64-based Systems (KB4524244).
After the update, the PC felt slow but I wanted to play FIFA (yes, again). It was unplayable - it was laggy. I don't have the newest PC but FIFA (and other games) never lagged. So, I wanted to see what was wrong and looked in the Task Manager. An error appeared - "Task Manager has been disabled by your administrator". That was strange because I have the only account on this PC and it is an admin account.
I tried the troubleshooting recommended on the Microsoft Forum:
Go to "User Configuration" -> "Administrative Templates" -> "System" -> "Ctrl+Alt+Del Options" and verify that the "Remove Task Manager" option is set to "Disable" or "Not Configured" (I changed it from "Not Configured" to "Disable" and the Task Manager was working again!)
Here I found an unnamed task taking up ~80% of the CPU. In this task's properties, I found that it was called "Svchost.exe". On forums, I've read that it sometimes happens after/before a Windows Update - Svchost.exe using too much CPU because of some updates running in the background. I went to sleep, hoping that tomorrow some "patch that would fix this" would be released.
An update was released. Once again I had to troubleshoot the Task Manager, but the mysterious Svchost.exe was still taking up CPU. I killed the task, expecting that some of my Windows functions would crash. But nothing happened. I also found the location of this Svchost.exe task. It was in the Windows Temp files in a hidden folder called "nfyc577A.tmp". I deleted nfyc577A.tmp and restarted the PC. It was back there, again taking up CPU.
At this moment I started thinking that this Svchost.exe might not be connected to Windows programs at all... And what are the only two kinds of apps eating up the whole CPU? Anything from Adobe and coin mining programs. I downloaded the Malwarebytes antivirus. And guess what? I was right! What appeared to be Svchost.exe was a BitcoinMiner. I used the recommended settings of Malwarebytes and deleted it. I will attach the Malwarebytes report later.
But... how the hell did the virus get into my PC? The last time I downloaded something from relatively "unreliable" sources was half a year ago and I have updated Windows several times since then. Oh, I had delivery optimization turned on.
My friend later helped me analyze this report.
From the Malwarebytes log (full report here - link to Google Drive folder with a txt file, no need to download) we learned that:
Process: 1
RiskWare.BitCoinMiner,
- the virus/trojan had admin rights
- was hiding in temp folders
- was mining
- altered the settings of the Firewall
- disabled the Task Manager
We assume that:
- the virus/trojan was downloaded with the Windows Update thanks to delivery optimization
- the update contained a VBE script which downloaded and installed the virus
Final notes:
I hope that this post will help anyone with the same problem I had, and I hope it will help secure Windows 10. I really don't know how the virus got on my PC, or if it came from another PC via the home network - we can only assume. Also, note that I'm not a software engineer.
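The three symptoms in the post (Task Manager disabled by policy, an "Svchost.exe" running from a .tmp folder under Windows\Temp, and a process burning most of the CPU) can all be checked from an elevated PowerShell prompt. The script below is an added triage example written for this page; it is not code from the original post or from Malwarebytes. It assumes only built-in cmdlets and the standard policy registry path that the "Remove Task Manager" group policy writes (`DisableTaskMgr` under `...\Policies\System`); the folder name `nfyc577A.tmp` from the post is treated as one instance of the general pattern "executable inside a .tmp directory", not as a fixed indicator.

```powershell
# Added triage example (not from the original post). Run as Administrator so that
# ExecutablePath is readable for SYSTEM processes.

# 1. Is Task Manager disabled by policy? The GPO "Remove Task Manager" sets
#    DisableTaskMgr = 1 under the per-user Policies\System key; a machine-wide
#    value under HKLM is checked as well.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    $value = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($value -and $value.DisableTaskMgr -eq 1) {
        Write-Warning "DisableTaskMgr = 1 under $key (Task Manager is disabled by policy)"
    }
}

# 2. Every legitimate svchost.exe is started from %SystemRoot%\System32 by
#    services.exe. Flag any svchost.exe whose image path is elsewhere or whose
#    parent is not services.exe, and show its accumulated CPU time.
$system32 = Join-Path $env:SystemRoot 'System32'
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc   = $_
    $path   = $proc.ExecutablePath
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    $badPath   = (-not $path) -or
                 (-not $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase))
    $badParent = ($null -eq $parent) -or ($parent.Name -ne 'services.exe')
    [pscustomobject]@{
        PID        = $proc.ProcessId
        Path       = $path
        Parent     = $parent.Name
        # Kernel/user times are in 100 ns units; convert to seconds.
        CPUSeconds = [math]::Round(($proc.KernelModeTime + $proc.UserModeTime) / 1e7, 1)
        Suspicious = $badPath -or $badParent
    }
} | Sort-Object -Property Suspicious, CPUSeconds -Descending | Format-Table -AutoSize

# 3. Hidden .tmp directories under the Windows and user temp folders that contain
#    executables or VBE/VBS scripts. -Force includes hidden items, which is how
#    the folder in the post was hidden.
$tempRoots = @((Join-Path $env:SystemRoot 'Temp'), $env:TEMP)
foreach ($root in $tempRoots) {
    Get-ChildItem -Path $root -Directory -Force -Filter '*.tmp' -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-ChildItem -Path $_.FullName -Recurse -Force -Include '*.exe', '*.vbe', '*.vbs' -ErrorAction SilentlyContinue
        } |
        Select-Object FullName, Length, LastWriteTime
}
```

Rows marked `Suspicious = True` in step 2 are the ones to hand to an AV scan or to Malwarebytes, as the post did; a genuine `svchost.exe` always reports `Path` under `C:\Windows\System32` and `Parent` of `services.exe`. Step 1 is the registry view of the same setting the post repaired through the group policy editor, so if the value flips back to 1 after a reboot, something on the machine is re-applying it.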