
How I analyzed svchost high CPU utilization problem

Mar 15, 2026

Problem

My machine was attacked by a trojan that manifested itself as a service in the netsvcs svchost process. This process can be identified using Process Explorer as 'svchost -k netsvcs'. The symptoms I had indicating my machine had been infected were: 1. Using Ethereal I could see non-stop HTTP traffic…


Mitigate svchost High CPU Utilization Due to Trojan Infection

High Risk

svchost.exe is a generic host for services implemented as DLLs. A service registered into the shared 'netsvcs' group has its ServiceDll loaded into that svchost instance alongside legitimate Windows services, so a trojan that installs itself this way runs inside a trusted-looking process. The malicious code then drives CPU utilization up while it works, for example by generating continuous outbound HTTP traffic.


  1. Identify the Malicious Service

    Use Process Explorer to find the svchost.exe instance consuming the CPU: its tooltip and Services tab show the command line ('svchost -k netsvcs') and the services it hosts. Note the PID. tasklist gives the same information from the command line; /SVC lists the services hosted by each instance, which is what ties the CPU use to a service name.

    cmd
    REM PIDs of every svchost.exe instance
    tasklist /FI "IMAGENAME eq svchost.exe" /FO LIST
    REM the same instances with the services each one hosts
    tasklist /SVC /FI "IMAGENAME eq svchost.exe"
  2. Terminate the Malicious Process

    Once identified, terminate the process by PID to stop the malicious activity immediately. Be aware that every legitimate service sharing that svchost instance (netsvcs hosts many) is killed with it, and the Service Control Manager may restart the host; treat this as a stopgap, and stop and disable the individual malicious service once you know its name.

    cmd
    taskkill /PID <PID> /F
  3. Scan for Malware

    Run a full system scan with a reputable, up-to-date antivirus or anti-malware tool to detect and remove the remaining trojan components. The built-in Microsoft Defender command-line scanner is shown here; other vendors' scanners take different arguments.

    cmd
    REM -ScanType 2 is a full scan
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
  4. Check Startup Services

    Inspect the installed services and scheduled tasks so the trojan cannot re-establish itself on reboot, and disable any entry you do not recognise. Listing automatic-start services and enabled scheduled tasks is the starting point; compare the service names against those hosted by the svchost instance found in step 1.

    powershell
    # services that start automatically at boot
    Get-Service | Where-Object { $_.StartType -eq 'Automatic' }
    # scheduled tasks that are not disabled
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }
  5. Monitor Network Traffic

    Use a network monitoring tool such as Wireshark (the successor to Ethereal) to watch outgoing traffic and confirm the beaconing has stopped. On the host itself, netstat maps each established connection to the PID that owns it, so any remaining traffic can be tied back to a process.

    cmd
    netstat -ano -p tcp | findstr ESTABLISHED
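The five steps above can be run as one triage pass. The script below is an added example, not code from the original fix or its author: for every svchost.exe instance it prints the -k service group, the CPU time consumed, the services it hosts, the ServiceDll each service loads together with that DLL's Authenticode status, and the established TCP connections the process owns. It assumes Windows 8.1 / Server 2012 R2 or later (for Get-NetTCPConnection) and an elevated PowerShell 5.1 or newer session on the affected machine.

```powershell
# Added example, not part of the original fix: triage every svchost.exe instance.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell 5.1+ session.

$procs    = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
$services = Get-CimInstance Win32_Service
$conns    = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

foreach ($p in $procs) {
    # The service group is passed on the command line as "svchost.exe -k <group>"
    $group = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(unknown)' }

    # Kernel + user CPU time is reported in 100 ns units; convert to seconds
    $cpuSec = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)
    "PID {0,-6} group={1,-22} cpu={2}s" -f $p.ProcessId, $group, $cpuSec

    foreach ($s in ($services | Where-Object { $_.ProcessId -eq $p.ProcessId })) {
        # An svchost-hosted service declares its code in Parameters\ServiceDll.
        # A trojan registered this way shows up here, typically with a DLL
        # outside %SystemRoot%\System32 and without a valid signature.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        $sig = 'n/a'
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            $sig = (Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue).Status
        }
        "    svc {0,-26} start={1,-9} dll={2} sig={3}" -f $s.Name, $s.StartMode, $dll, $sig
    }

    # Established connections owned by this PID: the beaconing the page describes
    # shows up here as repeated connections to the same remote address
    foreach ($c in ($conns | Where-Object { $_.OwningProcess -eq $p.ProcessId })) {
        "    tcp {0}:{1} -> {2}:{3}" -f $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort
    }
}
```

Legitimate netsvcs services load Microsoft-signed DLLs from %SystemRoot%\System32; a service whose DLL sits under ProgramData, a Temp directory or a user profile, or whose signature status is anything other than Valid, is the one to pull off the machine for analysis. With the service name in hand, Stop-Service followed by Set-Service -StartupType Disabled removes it from the host without killing the legitimate services that share the svchost instance. On Windows 10 (version 1703 and later) with more than 3.5 GB of RAM, services are split into separate svchost instances, so the single 'svchost -k netsvcs' process the page describes may appear as several; the script handles that case because it iterates over every instance.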

Validation

Confirm that CPU utilization has returned to normal, that no svchost instance hosts a service you cannot account for, and that outbound traffic has stabilised with no connections to unknown hosts.
