It would help if you would provide the following information:
• Which ransomware it was you tried to remove. In other words.. the name.
• Your operating system
• A copy of your most recent MBAM log. (After running Rkill)
Since System Restore wasn't designed as a "malware" removal tool, let's make sure the "offending process" is no longer running. I'm omitting how to run the tools under certain sets of circumstances, due to the fact you haven't reported any. If you encounter a problem running Rkill, let us know.
After downloading the 3 updated Rkill links, reboot into Safe Mode with Networking and run Rkill as indicated below.
You only need to launch one of the file versions, in order for Rkill to work. (Right-click and "Run as Administrator" if using Vista or Win7) If you have no success running Rkill.exe, try the next. When Rkill runs you will see a command prompt window similar to this. When one DOES work (immediately) run a scan with Malwarebytes' Anti-Malware. Do NOT reboot after running Rkill.
Rkill's purpose is to terminate offending / malicious processes. You will find further instructions and download links at the RKill Download Center. Also see, "RKill - What it does and What it Doesn't - A brief introduction to the program "
See if either of these two scanners have anything additional to report:
ESET's Online Scanner - Their FAQ and Help sections should answer any questions you might have. (Temporarily disable your A/V prior to running the scan)
Kaspersky's TDSSKiller - Instructions are listed below. (Additional instructions can be found here)
You may also find Process Explorer to be of help.
Best of luck..
It started with a ransomware program that I got rid of using "system restore", only the malware left something behind that keeps using the CPU and slowing *everything* down. A Malwarebytes scan removes two files, both called svchost.exe, that it says are malware. Run the scan again after a reboot and the offending files are back. My understanding is that svchost.exe is a legit file (used by windows in the registry) that the malware maskerades as. I assume some program is reloading both svchost.exe files. *If* this really is what is causing my problems is there a way to find the "reloader" or some other means of fixing this.....other then reformatting the drive and reloading windows?