Solved

svghost.exe using 100% CPU usage

Posted on 2004-10-11
Last Modified: 2013-12-04
On our WinXP and Win2000 workstations there is a file (spyware probably) that is draining CPU usage and jamming our internet connection. The file's name is svghost.exe.

I ran every spyware program known to man (with the latest updates) but with no success of it cleaning the workstation from this pest.

I have tried to manually clean the CPU by booting in safe mode and deleting the svghost file and removing all references to the file in the startup log and registry. But it keeps regenerating itself within 15 minutes of deleting it. I have turned off system restore as well.

I have contacted my Spyware vendors and inquired about this file to see if they knew it existed and received the usual "we'll look in to it" response.

Is there a way, via script or batch file, to kill this file when and if it executes? Or is there a way to prevent it from being reinstalled after it is deleted?

Thanks
Question by:mleach
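The question asks for a script that kills the file whenever it executes. Killing it is the easy part; what a practitioner actually wants from such a loop is the identity of whatever keeps launching it, because that parent is the thing that has to be removed. The following is an added example, not code from this thread or from any of the vendors mentioned in it. It assumes PowerShell 3 or later running elevated on the affected workstation (XP and 2000 workstations in 2004 would not have had it; the same idea can be done with a batch loop over tasklist /v and taskkill, minus the parent PID), and the process name, interval and log path are parameters, not values from the thread.

```powershell
<#
  Added example: watch for a named process, record which process launched it,
  then kill it. Run elevated on the machine after it has been unplugged from the
  network; Ctrl+C stops the loop. Defaults are assumptions, not from the thread.
#>
param(
    [string] $Name            = 'svghost.exe',                 # process image name from the question
    [int]    $IntervalSeconds = 2,                             # polling interval
    [string] $Log             = "$env:TEMP\respawn-watch.log"  # where sightings are appended
)

$seen = @{}   # PIDs already logged and killed, so each launch is recorded once
while ($true) {
    # WQL filter on the image name; Win32_Process exposes ParentProcessId, which
    # Get-Process does not.
    $procs = Get-CimInstance Win32_Process -Filter "Name = '$Name'"
    foreach ($p in $procs) {
        if ($seen.ContainsKey($p.ProcessId)) { continue }
        $seen[$p.ProcessId] = $true

        # Look the parent up immediately: PIDs are reused, so a late lookup can
        # name an unrelated process.
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $line = '{0:s} pid={1} exe="{2}" cmd="{3}" parent_pid={4} parent_exe="{5}"' -f `
            (Get-Date), $p.ProcessId, $p.ExecutablePath, $p.CommandLine,
            $p.ParentProcessId, $parent.ExecutablePath
        Add-Content -Path $Log -Value $line
        Write-Host $line

        Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Read the log rather than the kill count. A parent of services.exe points at a service entry, explorer.exe at a user-context autostart (Run key or Startup folder), and a parent that is itself an unfamiliar binary is the second copy the pcreview poster quoted later in this thread describes: the one that "could not be deleted" because it was the running respawner. Killing the child every two seconds is a stopgap on an isolated machine, not a fix.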
12 Comments
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 1500 total points
ID: 12278937
Hi

Have you tried disconnecting a pc from the network, then trying your manual removal (keeping it disconnected from the network) and seeing if it comes back then? Just checking really to see if it is actually being propagated across the network which is distinctly possible. If this does work then I suggest you do this with each pc in turn  ie isolate from network, remove the pest, and not reconnect anything until all is clear.

Or - failing that (as there may be other hidden entries that are spawning this) - have you tried online virus scans on it (like Panda, Trend Housecall etc)? And which spyware removal tools have you tried?

Deb :))

Author Comment

by:mleach
ID: 12279049
Thanks.

I'll try to disconnect from the internet to see if it comes back.

I have tried Panda and Housecall with no success.

The Spyware removal tools I have tried are:

Ad-aware
PestPatrol
Search & Destroy
HijackThis
CWShredder

I have also checked to see if there were programs installed under the Add/Remove Programs of the Control Panel with no success as well.

I'll advise if disconnecting from the internet helps.

LVL 1

Expert Comment

by:Grinler-
ID: 12279374
Can you email this file to grinler@yahoo.com and I will try to tell you what it is and how to uninstall it.

When you send it, please put a link to this message in the email

Author Comment

by:mleach
ID: 12279543
I'll send it to you. Thanks.
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12280706
Please check the registry under the Run key for any culprits and delete them from there; it will stop running.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run

That's where any culprits lie.
If you can get on the internet then try a virus check @ http://housecall.trendmicro.com


Author Comment

by:mleach
ID: 12280864
Thanks but I've tried all of that (see above comments)
LVL 20

Expert Comment

by:Debsyl99
ID: 12281287
Hi

I meant isolate a machine from the entire network full stop - not just the internet. Literally pull the patch lead out, attempt your manual removal and leave it to run for a while well beyond the time the problem recurs. I'm just trying to help establish if this is an issue specific to the machine in isolation or transmitted/propagated across the network. The only way to find out is to pull the network plug so to speak. Also what software exactly do you have installed on these machines?

Deb :))
LVL 20

Expert Comment

by:Debsyl99
ID: 12281670
Ok - does this look familiar?
http://home.cyberdefender.com/risk/html/20041002005600svghost.exe.log.html
and
http://www.pcreview.co.uk/thread-4161.php

From the above link:
"dude! I had 2 instances of svghost.exe running, it's some sort of backdoor prog... check your hidden files in windows directory. My file was named "kernell" and had 200 files of different names. but looking at the properties of them they all had the same info. and they were ALL applications (the same app)

I tried to delete the file then 5 minutes later it would come back. It did this EVERY time I tried to delete it. It was full of porn cracks, game cracks, etc etc (or so the file names implied).

Then I ran a search for apps on my puter and found 2 stray apps (with different names but the same app info) in the windows dir. one I could not delete (it says it was being run by windows) and the other I could.

so i then again... deleted the hidden file (with all the apps in it) the one stray app, ran the task manager, found the svghost, ended the task, then I could delete the app that I could previously not delete and emptied the recycle bin (done very quickly before it could build the hidden file... again). And that seemed to have gotten rid of it.

I have no idea what the app was trying to do, but my puter had been running funny till I got rid of all that crap.

Hope that helps
Diabolicboy"

I think this sounds like a worm as mentioned in the first thread. Have you tried
1) Complete Isolation from network then
2) Restart in safe mode (disable system restore on windows xp first) then
3) Making sure all files and folders are not hidden using tools in folder options (unhide system files etc - reset all folders like current folder etc)
4) Rerun hijackthis, spyware tools, examine all running processes and services for validity etc
5) Delete all offending files referenced in registry - also look for rogue apps in all potential start-run keys and file folders
6) If this is successful repeat procedure on all pc's prior to reconnecting to network.
7) Ensure that all OS's are fully patched (with possible exception of XP SP2!)

Deb :))
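Steps 3 to 5 of the procedure above, and the Run-key advice in the earlier comment, are the part of this thread that can be scripted so they are done the same way on every workstation before it is reconnected. The following is an added example, not code from this thread, from Experts Exchange, or from any of the tools it names. It covers one isolated machine: it stops running instances (step 4), finds every copy of the binary by name and by hash with hidden and system files included (step 3; the pcreview poster quoted above found some 200 differently named copies of the same application), and lists the Run, RunOnce, Winlogon, service and Startup-folder entries that reference it (step 5). It is report-only unless -Remove is given. It assumes PowerShell 5.1 (for Get-FileHash) running elevated, and a single system drive; XP and 2000 in 2004 had no PowerShell, where the same steps map to taskkill, dir /a /s and reg.exe in a batch file. The file name is the one from the question; everything else is a parameter.

```powershell
<#
  Added example, not from the original thread. Report-only by default; -Remove
  kills, deletes and unregisters what it finds. Run elevated on a machine that
  has already been unplugged from the network.
#>
param(
    [string] $Name   = 'svghost.exe',        # file name reported in the question
    [string] $Root   = "$env:SystemDrive\",  # assumption: one system drive ("C:" alone would mean the cwd)
    [switch] $Remove                         # without it, nothing on the machine is changed
)
$ErrorActionPreference = 'SilentlyContinue'  # access-denied noise during the drive walk is expected
$pattern = [regex]::Escape($Name)

# Step 4: running processes. Kill first, or the file stays locked (the pcreview
# poster could not delete the copy that was "being run by windows").
Get-Process | Where-Object { $_.Path -and [IO.Path]::GetFileName($_.Path) -ieq $Name } |
    ForEach-Object {
        Write-Host "process  pid=$($_.Id) $($_.Path)"
        if ($Remove) { Stop-Process -Id $_.Id -Force }
    }

# Step 3: one walk of the drive; -Force includes hidden and system files, which
# is the scripted equivalent of "unhide system files" in Folder Options.
$all    = Get-ChildItem -LiteralPath $Root -Recurse -Force -File
$byName = @($all | Where-Object { $_.Name -ieq $Name })

# Copies under other names: hash the first named copy and match the rest by
# content. File length is a cheap pre-filter so only candidates get hashed.
$clones = @()
if ($byName.Count -gt 0) {
    $ref    = $byName[0]
    $hash   = (Get-FileHash -Algorithm SHA256 -LiteralPath $ref.FullName).Hash
    $clones = @($all | Where-Object {
        $_.Length -eq $ref.Length -and $_.Name -ine $Name -and
        (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash -eq $hash
    })
}
foreach ($f in $byName + $clones) {
    Write-Host "file     $($f.FullName)  $($f.Length) bytes  modified $($f.LastWriteTime)"
    if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force }
}

# Step 5: autorun locations. Run/RunOnce values are removed with -Remove.
# Winlogon values and services are reported only: deleting Shell/Userinit or a
# service blindly breaks logon, so those need a human decision.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$reportOnlyKeys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
foreach ($key in $runKeys + $reportOnlyKeys) {
    $props = Get-ItemProperty -LiteralPath $key
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties; skip them.
        if ($p.Name -like 'PS*' -or "$($p.Value)" -notmatch $pattern) { continue }
        Write-Host "registry $key\$($p.Name) = $($p.Value)"
        if ($Remove -and ($runKeys -contains $key)) {
            Remove-ItemProperty -LiteralPath $key -Name $p.Name
        }
    }
}
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $pattern } | ForEach-Object {
    Write-Host "service  $($_.Name) ($($_.State)) $($_.PathName)  -> inspect, then sc.exe delete"
}
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -LiteralPath $dir -Force -File | Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            Write-Host "startup  $($_.FullName)"
            if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force }
        }
}
```

Run it once without -Remove and keep the output as the record for that machine, then run with -Remove, reboot, and run without -Remove again; a clean second report is the check that step 6 asks for before the patch lead goes back in. Matching by hash is what turns "delete the file" into "delete the program": a worm that drops itself under random names defeats a name search but not a content search.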

Author Comment

by:mleach
ID: 12286692
I am going to try the Gaobot Removal tool from Norton to see if this helps.

Thanks
LVL 1

Expert Comment

by:Grinler-
ID: 12288016
It looks to be Backdoor.SDBot.Gen

http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=177


You may want to try this removal tool:

http://vil.nai.com/vil/stinger/

Author Comment

by:mleach
ID: 12338075
After using Trendmicro's Housecall it found 3 or 4 trojans and worms. After removing these our Symantec Enterprise Edition Anti-Virus found W32.Spybot.Worm the next day. The file associated with this worm was svghost.exe.

Thanks for the help.

Expert Comment

by:scoinzen
ID: 14600612
There are two main variants of SVGHOST.EXE, the RBOT worm and the SPYBOT worm. You can download a cleaning package from www.trandmicro.com/downloads/dcs.asp.