Solved

svghost.exe using 100% CPU usage

Posted on 2004-10-11
12
1,959 Views
Last Modified: 2013-12-04
On our WinXP and Win2000 workstations there is a file (spyware probably) that is draining CPU usage and jamming our internet connection. The file's name is svghost.exe.

I ran every spyware program known to man (with the latest updates) but with no success of it cleaning the workstation from this pest.

I have tried to manually clean the CPU by booting in safe mode and deleting the svghost file and removing all references to the file in the startup log and registry. But it keeps regenerating itself within 15 minutes of deleting it. I ahve turned off system restore as well.

I have contacted my Spyware vendors and inquired about this file to see if they knew it existed and received the usual "we'll look in to it" response.

Is there a way, via script or batch file, to kill this fill when and if it executes? Or is there a way to prevent it from being reinstalled after it is deleted?

Thanks
0
Comment
Question by:mleach
  • 5
  • 3
  • 2
  • +2
12 Comments
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 500 total points
ID: 12278937
Hi

Have you tried disconnecting a pc from the network, then trying your manual removal (keeping it disconnected from the network) and seeing if it comes back then? Just checking really to see if it is actually being propagated across the network which is distinctly possible. If this does work then I suggest you do this with each pc in turn  ie isolate from network, remove the pest, and not reconnect anything until all is clear.

Or - failing that (as there may be other hidden entries that are spawining this) have you tried  online virus scans on it (like Panda, Trend Housecall etc)? and which spyware removal tools have you tried?

Deb :))
0
 

Author Comment

by:mleach
ID: 12279049
Thanks.

I'll try to disconnect from the internet to see if it comes back.

I have tried Panda and Housecall with no success.

The Spyware removal tools I have tried are:

Ad-aware
PestPatrol
Seach & Destroy
Hi-jack this
CWShredder

I have also checked to see if there were programs installed under the Add/Remove Programs of the Control Panel with no success as well.

I'll advise if disconnecting from the internet helps.

0
 
LVL 1

Expert Comment

by:Grinler-
ID: 12279374
Can you email this file to grinler@yahoo.com and I will try to tell you what it is and how to uninstall it.

When you send it, please put a link to this message in the email
0
 

Author Comment

by:mleach
ID: 12279543
I'll send it to you. Thanks.
0
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12280706
Please check the registry under the RUn key for any culprits and delte them from there it will stop running.
HKEY_LOCAL_MACHINE/software/microsoft/windows/currentversion/Run
HKEY_LOCAL _USER/software/microsoft/windows/currentversion/Run

Thats were any culprits lie..
If you can get on the internet then try a virus check @ http:\\housecall.trendmicro.com

0
 

Author Comment

by:mleach
ID: 12280864
Thanks but I've tried all of that (see above comments)
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 20

Expert Comment

by:Debsyl99
ID: 12281287
Hi

I meant isolate a machine from the entire network full stop - not just the internet. Literally pull the patch lead out, attempt your manual removal and leave it to run for a while well beyond the time the problem recurs. I'm just trying to help establish if this is an issue specific to the machine in isolation or transmitted/propagated across the network. The only way to find out is to pull the network plug so to speak. Also what software exactly do you have installed on these machines?

Deb :))
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12281670
Ok - does this look familiar?
http://home.cyberdefender.com/risk/html/20041002005600svghost.exe.log.html
and
http://www.pcreview.co.uk/thread-4161.php

From the above link:
"""dude! I had 2 instances of svghost.exe running, it's some sort of backdoor prog... check your hidden files in windows directory. My file was named "kernell" and had 200 files of different names. but looking at the properties of them they all had the same info. and they were ALL applications (the same app)

I tried to delete the file then 5 minutes later it would come back. It did this EVERY time I tried to delete it. It was full of porn cracks, game cracks, etc etc (or so the file names implied).

Then I ran a search for apps on my puter and found 2 stray apps (with different names but the same app info) in the windows dir. one I could not delete (it says it was being run by windows) and the other I could.

so i then again... deleted the hidden file (with all the apps in it) the one stray app, ran the task manager, found the svghost, ended the task, then I could delete the app that I could previously not delete and emptied the recycle bin (done very quickly before it coud build the hidden file... agan). And that seemed to have gotten rid of it.

I have no idea what the app was trying to do, but my puter had been running funny till I got rid of all that crap.

Hope that helps
Diabolicboy""""

I think this sounds like a worm as mentioned in the first thread. Have you tried
1) Complete Isolation from network then
2) Restart in safe mode (disable system restore on windows xp first) then
3) Making sure all files and folders are not hidden using tools in folder options (unhide system files etc - reset all folders like current folder etc)
4) Rerun hijackthis, spyware tools, examine all running processes and services for validity etc
5) Delete all offending files referenced in registry - also look for rogue apps in all potential start-run keys and file folders
6) If this is successful repeat procedure on all pc's prior to reconnecting to network.
7) Ensure that all OS's are fully patched (with possible exception of XP SP2!)

Deb :))
0
 

Author Comment

by:mleach
ID: 12286692
I am going to try the Gaobot Removal tool from Norton to see if this helps.

Thanks
0
 
LVL 1

Expert Comment

by:Grinler-
ID: 12288016
It looks to be Backdoor.SDBot.Gen

http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=177


You may want to try this removal tool:

http://vil.nai.com/vil/stinger/
0
 

Author Comment

by:mleach
ID: 12338075
After using Trendmicro's Housecall it found 3 or 4 trojans and worms. After removing these our Symantec Enterprise Edition Anti-Virus found W32.Spybot.Worm the next day. The file associated with this worm was svghost.exe.

Thanks for the help.
0
 

Expert Comment

by:scoinzen
ID: 14600612
There are two main variant of the SVGHOST.EXE, RBOT worm and SPYBOT worm. You can download cleaning package from www.trandmicro.com/downloads/dcs.asp.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now