svchost using all possible CPU it can, and unable to search anti-malware soft.


#1 AkiraJkr



Posted 06 August 2018 - 08:17 PM

I've been having this problem since past yesterday, when someone used my PC and ended up installing some kinda phone rescue for iOS thing, and when I got to use it again, I saw a bunch of malware installed, which included a downloader and something on my toolbar, which I had removed on my own since there was nothing blocking me from doing so.

The other day, I noticed my CPU usage was extremely high for no reason at all times, and when I checked, it was a svchost doing that, which confused me a lot. I opened it in Process Explorer to find out only one thread was causing all that CPU usage, even when I am not even touching my computer that just started. https://i.imgur.com/jtZ6rII.png
Noticing that, I attempted to start Malwarebytes, which ends in failure, as it opens for a split second and is instantly closed. Then I repeated the same with adwcleaner...JRT...all of them are blocked in the same way....except rkill, which is unable to stop the blocking.
I moved to safe mode, which doesn't have that extremely high CPU usage, and I was able to start everything normally. I could scan with Malwarebytes, use adwcleaner, and they always, no matter how many times I try, keep finding threats.
I am currently at a loss as to what to do and considering reinstalling Windows completely due to this, as my computer is extremely laggy, has programs I frequently use blocked, does not permit me to search for them on the internet and causes problems to unrelated things like Better Discord.

Below I'll leave a list of the logs generated.

Rkill: https://pastebin.com/fCkGKgAQ

JRT: https://pastebin.com/d2XmP1zd

FRST.txt: https://pastebin.com/Bxs97CUZ
Addition.txt: https://pastebin.com/qB03y1Xs



#2 nasdaq


  • Malware Response Team

Posted 07 August 2018 - 07:26 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

Windows Defender is disabled. You should make sure that it's now enabled.
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Yahoo! Powered (HKLM\...\{A91E41DE-F99E-905E-481E-E0DE989E335E}) (Version: - ) <==== ATENÇÃO

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


HKU\S-1-5-21-3837961420-2562891052-3601350365-1000\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
HKU\S-1-5-21-3837961420-2562891052-3601350365-1000\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\fran\AppData\Local\Ugzmedia\czstiskf.dll ATENÇÃO
S2 SetupARService; "C:\Program Files\Realtek\Audio\SetupAfterRebootService.exe" [X]
S2 ZmI4YjI2NmZlOTg3ZTZh; C:\Program Files\ZmI4YjI2NmZlOTg3ZTZh\NTdmYzRhMW.exe [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

HKU\S-1-5-21-3837961420-2562891052-3601350365-1000\...\ChromeHTML: ->  <==== ATENÇÃO
CustomCLSID: HKU\S-1-5-21-3837961420-2562891052-3601350365-1000_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InprocServer32 -> C:\Users\fran\AppData\Local\Ugzmedia\czstiskf.dll => Nenhum Arquivo
ContextMenuHandlers1: [JsZipShlExt] -> {5C551008-A347-4DB3-AF48-014076FD2B46} =>  -> Nenhum Arquivo
ContextMenuHandlers1: [JZContextMenuExt] -> {5C551008-A347-4DB3-AF48-014076FD2B46} =>  -> Nenhum Arquivo
ContextMenuHandlers2: [JsZipShlExt] -> {5C551008-A347-4DB3-AF48-014076FD2B46} =>  -> Nenhum Arquivo
ContextMenuHandlers4: [JsZipShlExt] -> {5C551008-A347-4DB3-AF48-014076FD2B46} =>  -> Nenhum Arquivo
FolderExtensions: [ShellFolder for CD Burning] -> {fbeb8a05-beee-4442-804e-409d6c4515e9} => C:\Users\fran\AppData\Local\Ugzmedia\czstiskf.dll -> Nenhum Arquivo
Task: {72EDE7F3-C4C9-4704-A5FF-7AF788546917} - System32\Tasks\{BE3F49DE-8EDC-8B04-32AF-F3E336153703} => C:\Program Files\Common Files\otywqnE.exe [1601-01-03] (Microsoft Corporation)
Task: {9BAF29AB-1D7E-47C4-BFA9-1CF1E2829A28} - System32\Tasks\{3E8E2CB0-0E56-9CC0-5439-004F55370099} => C:\Users\fran\AppData\Roaming\BecoTWugo.exe <==== ATENÇÃO
Task: {9C7CB417-A0E6-4DED-AB84-132E5088849D} - System32\Tasks\{1D0D40FE-667C-18AF-36B9-F4D51EDC666A} => C:\Windows\system32\zYFXe.exe [1601-01-03] (Microsoft Corporation)
Task: {BEF4B9F6-7797-45ED-9488-FA65FFD9525E} - System32\Tasks\{F1AA7BC7-434B-5518-13E7-DBE4F994206E} => C:\Users\fran\AppData\Local\wATegEbaiHvJ.exe
AlternateDataStreams: C:\ProgramData:NT [40]
AlternateDataStreams: C:\ProgramData:NT2 [432]
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x86.sys [84370]
AlternateDataStreams: C:\Users\All Users:NT [40]
AlternateDataStreams: C:\Users\All Users:NT2 [432]
AlternateDataStreams: C:\Users\Todos os Usuários:NT [40]
AlternateDataStreams: C:\Users\Todos os Usuários:NT2 [432]
AlternateDataStreams: C:\ProgramData\Application Data:NT [40]
AlternateDataStreams: C:\ProgramData\Application Data:NT2 [432]
AlternateDataStreams: C:\ProgramData\Dados de aplicativos:NT [40]
AlternateDataStreams: C:\ProgramData\Dados de aplicativos:NT2 [432]
AlternateDataStreams: C:\Users\fran\Dados de aplicativos:NT [40]
AlternateDataStreams: C:\Users\fran\Dados de aplicativos:NT2 [432]
AlternateDataStreams: C:\Users\fran\AppData\Roaming:NT [40]
AlternateDataStreams: C:\Users\fran\AppData\Roaming:NT2 [432]
AlternateDataStreams: C:\Users\Todos os Usuários\Application Data:NT [40]
AlternateDataStreams: C:\Users\Todos os Usuários\Application Data:NT2 [432]
AlternateDataStreams: C:\Users\Todos os Usuários\Dados de aplicativos:NT [40]
AlternateDataStreams: C:\Users\Todos os Usuários\Dados de aplicativos:NT2 [432]

C:\Program Files\Common Files\otywqnE.exe


Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please run Malwarebytes and delete all the entries found.

Let me know what problem persists.

Please post the log in this topic.
Do not use a 3rd party site.

Edited by nasdaq, 07 August 2018 - 07:28 AM.
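
An added example, not part of the original reply and not FRST's own code: a short Python script that reads lines in the format of the fixlist above and notes, for each Task and AlternateDataStreams entry, the traits visible in that list. The regexes, the function name `triage` and the heuristics are assumptions based only on the lines shown in this thread.

```python
import re

# Lines copied from the fixlist quoted in the post above (no new data).
SAMPLE = r"""
Task: {72EDE7F3-C4C9-4704-A5FF-7AF788546917} - System32\Tasks\{BE3F49DE-8EDC-8B04-32AF-F3E336153703} => C:\Program Files\Common Files\otywqnE.exe [1601-01-03] (Microsoft Corporation)
Task: {BEF4B9F6-7797-45ED-9488-FA65FFD9525E} - System32\Tasks\{F1AA7BC7-434B-5518-13E7-DBE4F994206E} => C:\Users\fran\AppData\Local\wATegEbaiHvJ.exe
AlternateDataStreams: C:\ProgramData:NT2 [432]
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x86.sys [84370]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# Assumed line formats, inferred from the entries shown in this thread.
TASK_RE = re.compile(
    r"^Task: " + GUID + r" - (?P<name>\S+) => (?P<path>[A-Za-z]:\\.+?\.exe)(?P<rest>.*)$")
ADS_RE = re.compile(
    r"^AlternateDataStreams: (?P<host>[A-Za-z]:\\.*?):(?P<stream>[^:\[\]]+) \[(?P<size>\d+)\]$")
EXEC_EXT = (".sys", ".exe", ".dll")


def triage(text):
    """Return (kind, target, reasons) per Task / ADS line; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = TASK_RE.match(line)
        if m:
            reasons = []
            if re.search(GUID + r"$", m["name"]):
                reasons.append("task named with a bare GUID")
            if "\\appdata\\" in m["path"].lower():
                reasons.append("target in user-writable AppData")
            if "[1601-" in m["rest"]:  # 1601-01-01 is the Windows FILETIME epoch
                reasons.append("bracketed date in 1601")
            findings.append(("task", m["path"], reasons))
            continue
        m = ADS_RE.match(line)
        if m:
            reasons = []
            if m["stream"].lower().endswith(EXEC_EXT):
                reasons.append("stream named like an executable or driver")
            findings.append(("ads", m["host"] + ":" + m["stream"], reasons))
    return findings


if __name__ == "__main__":
    for kind, target, reasons in triage(SAMPLE):
        print(kind, target, "; ".join(reasons) or "no heuristic matched")
```

An entry with no matched heuristic is not thereby clean; the script only surfaces traits for a human reviewer to weigh.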
