From the description, it sounds like the antivirus is identifying the active portion of the malware running within QEMU’s virtualization and blocking/quarantining, but given that it is returning, this indicates that the persistence method has not been removed. Identifying its persistence mechanism may not be straightforward and I think this thread is the wrong place to attempt it. I have therefore contacted the OP directly to offer my assistance through a more suitable medium.
From: Qemu-discuss <firstname.lastname@example.org> On Behalf Of gunnar.wagner
Sent: 12 September 2020 09:19
Subject: Re: uninstalling
Now that that is clarified ... can we suggest any solution?
@Narcis Garcia ... can you tell us more about the operating system your computer is running on? That may help us to suggest a possible solution.
On 12.09.20 06:09, Christopher William Snowhill wrote:
It sounds as if the user has installed a trojan Monero miner, either through not updating their machine as is recommended, or from installing pirated audio production software from BitTorrent trackers or shady web sites, which have been bundling such miner virtual machines for at least two years now. They boot a Linux virtual machine that gobbles up at least an entire CPU core mining for an anonymous pool, and therefore probably isn't traceable. It used to be that the variant, LoudMiner, used QEMU with hvf on macOS, and VirtualBox on Windows, but now it seems variants are branching out to using QEMU with Intel HAXM on Windows machines.
On Fri, Sep 11, 2020, at 2:09 AM, Narcis Garcia via wrote:
How is "Host services 64.exe" related to Qemu?
On 10/9/20 at 20:51, Liz C wrote:
> I’ve never installed your app but I have it in my computer (I don’t
> know why). My antivirus says that Host services 64.exe is a trojan
> virus. I uninstalled it many times and deleted everything but it keeps
> showing after a few days. How can I delete it forever? I don’t have
> anything against you but I don’t want this app.