Solved

svghost.exe using 100% CPU usage

Posted on 2004-10-11
12
2,013 Views
Last Modified: 2013-12-04
On our WinXP and Win2000 workstations there is a file (spyware probably) that is draining CPU usage and jamming our internet connection. The file's name is svghost.exe.

I ran every spyware program known to man (with the latest updates) but with no success of it cleaning the workstation from this pest.

I have tried to manually clean the CPU by booting in safe mode and deleting the svghost file and removing all references to the file in the startup log and registry. But it keeps regenerating itself within 15 minutes of deleting it. I ahve turned off system restore as well.

I have contacted my Spyware vendors and inquired about this file to see if they knew it existed and received the usual "we'll look in to it" response.

Is there a way, via script or batch file, to kill this fill when and if it executes? Or is there a way to prevent it from being reinstalled after it is deleted?

Thanks
0
Comment
Question by:mleach
  • 5
  • 3
  • 2
  • +2
12 Comments
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 500 total points
ID: 12278937
Hi

Have you tried disconnecting a pc from the network, then trying your manual removal (keeping it disconnected from the network) and seeing if it comes back then? Just checking really to see if it is actually being propagated across the network which is distinctly possible. If this does work then I suggest you do this with each pc in turn  ie isolate from network, remove the pest, and not reconnect anything until all is clear.

Or - failing that (as there may be other hidden entries that are spawining this) have you tried  online virus scans on it (like Panda, Trend Housecall etc)? and which spyware removal tools have you tried?

Deb :))
0
 

Author Comment

by:mleach
ID: 12279049
Thanks.

I'll try to disconnect from the internet to see if it comes back.

I have tried Panda and Housecall with no success.

The Spyware removal tools I have tried are:

Ad-aware
PestPatrol
Seach & Destroy
Hi-jack this
CWShredder

I have also checked to see if there were programs installed under the Add/Remove Programs of the Control Panel with no success as well.

I'll advise if disconnecting from the internet helps.

0
 
LVL 1

Expert Comment

by:Grinler-
ID: 12279374
Can you email this file to grinler@yahoo.com and I will try to tell you what it is and how to uninstall it.

When you send it, please put a link to this message in the email
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 

Author Comment

by:mleach
ID: 12279543
I'll send it to you. Thanks.
0
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12280706
Please check the registry under the RUn key for any culprits and delte them from there it will stop running.
HKEY_LOCAL_MACHINE/software/microsoft/windows/currentversion/Run
HKEY_LOCAL _USER/software/microsoft/windows/currentversion/Run

Thats were any culprits lie..
If you can get on the internet then try a virus check @ http:\\housecall.trendmicro.com

0
 

Author Comment

by:mleach
ID: 12280864
Thanks but I've tried all of that (see above comments)
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12281287
Hi

I meant isolate a machine from the entire network full stop - not just the internet. Literally pull the patch lead out, attempt your manual removal and leave it to run for a while well beyond the time the problem recurs. I'm just trying to help establish if this is an issue specific to the machine in isolation or transmitted/propagated across the network. The only way to find out is to pull the network plug so to speak. Also what software exactly do you have installed on these machines?

Deb :))
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12281670
Ok - does this look familiar?
http://home.cyberdefender.com/risk/html/20041002005600svghost.exe.log.html
and
http://www.pcreview.co.uk/thread-4161.php

From the above link:
"""dude! I had 2 instances of svghost.exe running, it's some sort of backdoor prog... check your hidden files in windows directory. My file was named "kernell" and had 200 files of different names. but looking at the properties of them they all had the same info. and they were ALL applications (the same app)

I tried to delete the file then 5 minutes later it would come back. It did this EVERY time I tried to delete it. It was full of porn cracks, game cracks, etc etc (or so the file names implied).

Then I ran a search for apps on my puter and found 2 stray apps (with different names but the same app info) in the windows dir. one I could not delete (it says it was being run by windows) and the other I could.

so i then again... deleted the hidden file (with all the apps in it) the one stray app, ran the task manager, found the svghost, ended the task, then I could delete the app that I could previously not delete and emptied the recycle bin (done very quickly before it coud build the hidden file... agan). And that seemed to have gotten rid of it.

I have no idea what the app was trying to do, but my puter had been running funny till I got rid of all that crap.

Hope that helps
Diabolicboy""""

I think this sounds like a worm as mentioned in the first thread. Have you tried
1) Complete Isolation from network then
2) Restart in safe mode (disable system restore on windows xp first) then
3) Making sure all files and folders are not hidden using tools in folder options (unhide system files etc - reset all folders like current folder etc)
4) Rerun hijackthis, spyware tools, examine all running processes and services for validity etc
5) Delete all offending files referenced in registry - also look for rogue apps in all potential start-run keys and file folders
6) If this is successful repeat procedure on all pc's prior to reconnecting to network.
7) Ensure that all OS's are fully patched (with possible exception of XP SP2!)

Deb :))
0
 

Author Comment

by:mleach
ID: 12286692
I am going to try the Gaobot Removal tool from Norton to see if this helps.

Thanks
0
 
LVL 1

Expert Comment

by:Grinler-
ID: 12288016
It looks to be Backdoor.SDBot.Gen

http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=177


You may want to try this removal tool:

http://vil.nai.com/vil/stinger/
0
 

Author Comment

by:mleach
ID: 12338075
After using Trendmicro's Housecall it found 3 or 4 trojans and worms. After removing these our Symantec Enterprise Edition Anti-Virus found W32.Spybot.Worm the next day. The file associated with this worm was svghost.exe.

Thanks for the help.
0
 

Expert Comment

by:scoinzen
ID: 14600612
There are two main variant of the SVGHOST.EXE, RBOT worm and SPYBOT worm. You can download cleaning package from www.trandmicro.com/downloads/dcs.asp.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question