A Windows XP help forum. PCbanter


"97% of CPU used"



 
 
  #16  
Old January 27th 17, 03:44 AM posted to alt.comp.os.windows-10
Peter Jason

On Fri, 27 Jan 2017 14:03:48 +1100, Monty wrote:

> On Fri, 27 Jan 2017 11:50:22 +1100, Peter Jason wrote:
>
>> On Thu, 26 Jan 2017 18:37:24 -0500, "Jonathan N. Little"
>> wrote:
>>
>>> Peter Jason wrote:
>>>> C:\AppCache\x86\svchost.exe -a cryptonight
>>>
>>> Whoa! "C:\AppCache\x86\svchost.exe"? That's not where svchost.exe should
>>> be. You're infected.
>>
>> Would a System Restore fix it?
>
> Do you have a method for comparing the 'infected' file in your current
> system against a collection of backups to see when "svchost.exe" might
> have changed in size and hash value?
>
> I use AOMEI Backupper for my backups. This program includes a utility
> which can mount an image to a virtual partition for subsequent
> browsing with a file manager.
>
> The image file that I am viewing right now is a backup of Windows 10
> and is dated 2016-12-14. The virtual partition is listed in my file
> manager as drive K:\.
>
> Looking at this backup with Agent Ransack for files named
> "svchost.exe" (without quotes) I see four instances dated 2016-07-16
> and one dated 2016-03-10. These compare with the files installed on
> my PC as of today, comparing file size and hash value.
>
> Checking three other backups all showed the same results for
> "svchost.exe". So I know that svchost.exe hasn't changed in the past
> six weeks (and I would guess not since I last installed Windows 10).
>
> Are you able to initiate a similar scheme to check your PC?

Thanks, but I have already done the system restore (from a week ago),
and so far this has fixed it. However, if it reappears I'll do your
check.

Paul showed how to arrange things to do a System Restore every
startup, so I had about 10 to choose from.
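Monty's check above (find every svchost.exe on the live system, compare each one by size and hash against the copies in a mounted backup image, and notice any copy sitting somewhere svchost.exe does not belong) can be scripted. The following is an added example, not code from this thread, from AOMEI Backupper or from Agent Ransack. It uses SHA-256, builds two small constructed directory trees standing in for C:\ and the mounted K:\ image, and assumes Windows\System32, Windows\SysWOW64 and Windows\WinSxS as the directories a genuine svchost.exe lives in. To run it for real, pass the two volume roots to inventory() instead of the demo trees.

```python
"""Compare every svchost.exe on a live volume against the copies in a mounted
backup image, by size and SHA-256, and flag copies living outside the
directories Windows normally keeps it in."""
import hashlib
import os
import tempfile

# Volume-relative directories where a genuine svchost.exe lives. Assumption for
# this example; WinSxS component folders are matched by prefix.
EXPECTED_DIRS = ("Windows/System32", "Windows/SysWOW64", "Windows/WinSxS")
TARGET_NAME = "svchost.exe"


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root, name=TARGET_NAME):
    """Map each file called `name` under `root` (volume-relative, '/' separated)
    to (size_bytes, sha256_hex)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() != name:
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = (os.path.getsize(full), sha256_of(full))
    return found


def unexpected_locations(inv, expected=EXPECTED_DIRS):
    """Relative paths whose directory is not one of the expected locations."""
    prefixes = tuple(d + "/" for d in expected)
    return sorted(p for p in inv if not p.startswith(prefixes))


def compare(live, backup):
    """Classify each live copy against the backup snapshot: same size and hash
    is 'unchanged', same path with different bytes is 'changed', a path the
    backup never had is 'new', and backup copies gone from live are 'missing'."""
    report = {"unchanged": [], "changed": [], "new": [], "missing": []}
    for rel, (size, digest) in live.items():
        if rel not in backup:
            report["new"].append(rel)
        elif backup[rel] == (size, digest):
            report["unchanged"].append(rel)
        else:
            report["changed"].append(rel)
    report["missing"] = list(set(backup) - set(live))
    for key in report:
        report[key].sort()
    return report


def build_demo_trees():
    """Constructed sample: a 'backup' volume (the mounted K:\\ image) and a 'live'
    volume (C:\\). Both hold the genuine copies; live also has the stray
    AppCache\\x86 copy from the thread. Nothing here is a real binary."""
    base = tempfile.mkdtemp(prefix="svchost-demo-")
    genuine = b"MZ" + b"\x00" * 64 + b"genuine svchost image (constructed)"
    stray = b"MZ" + b"\x00" * 64 + b"something that is not svchost (constructed)"
    layout = {
        "backup": {"Windows/System32/svchost.exe": genuine,
                   "Windows/SysWOW64/svchost.exe": genuine},
        "live": {"Windows/System32/svchost.exe": genuine,
                 "Windows/SysWOW64/svchost.exe": genuine,
                 "AppCache/x86/svchost.exe": stray},
    }
    for vol, files in layout.items():
        for rel, data in files.items():
            path = os.path.join(base, vol, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
    return os.path.join(base, "live"), os.path.join(base, "backup")


def run_demo():
    live_root, backup_root = build_demo_trees()
    live, backup = inventory(live_root), inventory(backup_root)
    return compare(live, backup), unexpected_locations(live)


if __name__ == "__main__":
    report, stray = run_demo()
    for kind, paths in report.items():
        print(f"{kind:9s} {paths}")
    print("outside expected dirs:", stray)
```

Against real volumes inventory() walks the whole tree, so expect it to take a while. A copy reported as "new", or listed as outside the expected directories like the C:\AppCache\x86 one in this thread, is the thing to look at; a "changed" copy inside System32 is normal after a Windows update, so check the backup date against the update history before worrying about it.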
  #17  
Old January 27th 17, 06:06 AM posted to alt.comp.os.windows-10
Paul[_32_]

Peter Jason wrote:

> Thanks, but I have already done the system restore (from a week ago),
> and so far this has fixed it. However, if it reappears I'll do your
> check.
>
> Paul showed how to arrange things to do a System Restore every
> startup, so I had about 10 to choose from.

Real malware infects all System Restore points, with
virtually 100% certainty. The malware people have certain
minimal requirements for malware - attacking System Restore
is so common that a helper at BleepingComputer has you
dump (delete) those immediately. They don't wait around
to see whether it might have infected SR.

Since using a Restore point fixed it, my guess would
be it was an "add-on" for some other program. Like, some
developer decided, to pay for his MP3 listing program,
he would run a Coin Miner on your computer, that sort of
idea.

And I don't know if AV scanners will flag things that
just happened to have some sort of Coin Miner code in
them. A Coin Miner you were expecting, you would not
want it flagged. One installed and detected by heuristic
means (it did something to bypass security), you would
want that flagged. So I don't consider AV scanners to
be necessarily good enough for this. For example, AV scanners
don't flag all adware, and you use an adware program
for that (and since the staff working on adware are
pretty limited in number, it's hard for them to stay
up to date on the stuff).

In any case, it wouldn't hurt to scan your computer anyway.
Just for curiosity's sake. If you know what did it, you
won't be installing that a second time.

And as for coverage, AV scanners can peek inside maybe
20-30 different kinds of compression or archives. What
they don't do is "crack" the password on a
password-protected archive. If you receive a password-protected
archive in an email, this is a dead giveaway someone
wants to give you malware, as it means an AV will have
trouble protecting you. When I run scans here, I have some
harmless stuff which is password protected, and the scanning
log will note the stuff that didn't actually get scanned.
If you're accepting content from other people, the presence
of a password on the archive isn't "to protect the content",
it's to improve the odds you will be infected if you open it.
The password has two potential purposes.

Paul
  #18  
Old January 27th 17, 11:21 PM posted to alt.comp.os.windows-10
Peter Jason

On Fri, 27 Jan 2017 01:06:52 -0500, Paul
wrote:

> [Paul's reply #17, quoted in full, snipped; see above]


Thanks, it's still gone, but more time will tell.
I always do an MS "full scan" overnight. Is there a better AV scanner?
  #19  
Old January 28th 17, 02:09 PM posted to alt.comp.os.windows-10
Paul[_32_]

Peter Jason wrote:
> On Fri, 27 Jan 2017 01:06:52 -0500, Paul
> wrote:
>
>> [Paul's reply #17, quoted in full, snipped; see above]
>
> Thanks, it's still gone, but more time will tell.
> I always do an MS "full scan" overnight. Is there a better AV scanner?


Well, sites like AV-Comparatives might have been mentioned in
the past.

One problem with those sites is mapping the name of the product
in a graph to something you can buy. That's a real limitation.

AV products can combine heuristic ("software is hooking a system
resource") or signature based methods. Some AV products are
signature only. Heuristic products attempt to detect "new threats",
before a signature can be issued for them. Once a signature is
available, then it becomes an "old threat".

The AV products also compensate for security patches. They can
cover a certain exposure until a patch is issued. That's if the
AV perhaps receives algorithmic changes on a regular basis.

So when you're shopping, you consider:

1) The threat surface. "How bad am I at picking up malware".
All that the AV can do is "harden" the machine. No protection
is perfect.
2) Use AV-Comparatives to spot the ones that use more than
one method.
3) Combine non-AV products with AV products to handle
other kinds of nuisance issues. An occasional adware
scan with one product, combined with AV scanning.
4) While there are still rootkits out there, from a frequency
perspective they're not as popular as regular malwares
(say the stuff that uses an Adobe Flash exploit). The malware
writers use whatever makes them money. Your crypto-currency
thing was an attempt to mint money using the CPU.

Maybe the Microsoft product would be fine if you were
a practitioner of safe hex, you never opened email attachments
without some kind of ceremony and so on.

However, if you receive 200 emails a day, you have to assume
sooner or later you're going to slip up. Be in a hurry, open
the wrong .txt.scr.exe attachment. And that's when that more-expensive
multi-pronged AV pays off.

Bad AV products will attempt to wow you with pointless
features. Like maybe they offer "cloud storage" as well as AV.
This is a form of "tick box marketing". An attempt to take
your eye off the ball. What you're looking for is products
that concentrate on doing a good job on the threat. Not
stuff that just has "pretty icons". And an AV-Comparatives
report can help you spot the ones that put the energy
into technical issues. It takes a couple hundred staff
to properly work on new threats and issue good updates
during the day. Analysis doesn't take ten minutes. Some
"nation state" malwares take months of research, the usage
of special tools and so on. And that costs money. And the
staff with that skill level, the good ones, aren't all
that common.

Product quality varies with time. A product that was "close
to bulletproof" four years ago may have slipped. This is why
you don't stay married to one AV product forever. You have to
look at the reports to spot trends.

Paul
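Two points from Paul's replies can be shown in one small piece of code: a scanner that combines signature (exact hash) checks with heuristics, as #19 describes, and one that, when it looks inside an archive, reports the members it cannot open because they are password-protected instead of quietly passing them, as #17 describes. This is an added example, not code from this thread or from any AV product. The "miner" bytes, the signature entry, the extension lists, the entropy threshold and every sample file are constructed for the demo, and the encrypted flag on the zip member is set by hand to simulate a password-protected entry (the bytes are not really encrypted). It goes a little beyond the thread by also flagging the .txt.scr.exe-style double extension Paul mentions and high-entropy (packed-looking) executables.

```python
"""Toy file scanner: exact-hash signatures plus two cheap heuristics, applied
to loose files and to the members of zip archives. Members the scanner cannot
open (encrypted flag set) are reported as not scanned, never as clean."""
import hashlib
import io
import math
import zipfile
from collections import Counter

# Constructed stand-in for the miner binary discussed in the thread.
MINER = b"MZ" + b"\x00" * 30 + b"demo miner (constructed) -a cryptonight"

# Signature database: exact SHA-256 -> detection name. Constructed.
SIGNATURES = {hashlib.sha256(MINER).hexdigest(): "Demo.CoinMiner"}

DOC_EXT = {"txt", "pdf", "doc", "docx", "jpg", "png"}
EXEC_EXT = {"exe", "scr", "com", "bat", "cmd", "js", "vbs"}
ENTROPY_THRESHOLD = 7.0   # bits per byte; packed or encrypted data sits near 8
FLAG_ENCRYPTED = 0x1      # general-purpose flag bit 0 in the zip headers


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def double_extension(name):
    """True for names like invoice.txt.scr.exe: a document-looking extension
    sitting in front of an executable one."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return (len(parts) >= 3 and parts[-1] in EXEC_EXT
            and any(p in DOC_EXT for p in parts[1:-1]))


def classify(name, data):
    """Verdicts for one object: signature hit first, then heuristics."""
    verdicts = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURES:
        verdicts.append("signature:" + SIGNATURES[digest])
    if double_extension(name):
        verdicts.append("heuristic:double-extension")
    if data[:2] == b"MZ" and shannon_entropy(data) > ENTROPY_THRESHOLD:
        verdicts.append("heuristic:packed-pe")
    return verdicts


def scan(name, data, results=None):
    """Scan one object; zip archives are opened and each member scanned in
    turn. results maps object name -> (status, verdicts)."""
    if results is None:
        results = {}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for zi in zf.infolist():
                member = f"{name}/{zi.filename}"
                if zi.flag_bits & FLAG_ENCRYPTED:
                    # No password, so no look inside: log it rather than
                    # letting the archive through as if it were clean.
                    results[member] = ("not-scanned",
                                       ["encrypted member, password required"])
                else:
                    scan(member, zf.read(zi), results)
    else:
        results[name] = ("scanned", classify(name, data))
    return results


def scan_all(samples):
    results = {}
    for name, data in samples.items():
        scan(name, data, results)
    return results


def build_samples():
    """Constructed inputs; nothing here is a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"plain text, scannable")
        zf.writestr("payload.exe", MINER)
        # Set the encrypted flag on payload.exe in the central directory so a
        # reader treats it as password-protected. The bytes are not actually
        # encrypted; this only simulates the password-protected archive case.
        zf.getinfo("payload.exe").flag_bits |= FLAG_ENCRYPTED
    return {
        "miner.exe": MINER,
        "invoice.txt.scr.exe": b"MZ" + b"\x00" * 100 + b"nothing much here",
        "packed.exe": b"MZ" + bytes(range(256)) * 8,
        "notes.txt": b"shopping list",
        "attachment.zip": buf.getvalue(),
    }


if __name__ == "__main__":
    for obj, (status, verdicts) in scan_all(build_samples()).items():
        print(f"{status:11s} {obj}: {verdicts or 'clean'}")
```

The "not-scanned" line is the one worth reading in a real scan log: as Paul says, a scanner that lists what it could not open tells you more than a clean report that skipped the password-protected member without comment.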
 



