Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

svghost.exe using 100% CPU usage

Posted on 2004-10-11
12
Medium Priority
?
2,064 Views
Last Modified: 2013-12-04
On our WinXP and Win2000 workstations there is a file (spyware probably) that is draining CPU usage and jamming our internet connection. The file's name is svghost.exe.

I ran every spyware program known to man (with the latest updates) but with no success of it cleaning the workstation from this pest.

I have tried to manually clean the CPU by booting in safe mode and deleting the svghost file and removing all references to the file in the startup log and registry. But it keeps regenerating itself within 15 minutes of deleting it. I ahve turned off system restore as well.

I have contacted my Spyware vendors and inquired about this file to see if they knew it existed and received the usual "we'll look in to it" response.

Is there a way, via script or batch file, to kill this fill when and if it executes? Or is there a way to prevent it from being reinstalled after it is deleted?

Thanks
0
Comment
Question by:mleach
  • 5
  • 3
  • 2
  • +2
12 Comments
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 1500 total points
ID: 12278937
Hi

Have you tried disconnecting a pc from the network, then trying your manual removal (keeping it disconnected from the network) and seeing if it comes back then? Just checking really to see if it is actually being propagated across the network which is distinctly possible. If this does work then I suggest you do this with each pc in turn  ie isolate from network, remove the pest, and not reconnect anything until all is clear.

Or - failing that (as there may be other hidden entries that are spawining this) have you tried  online virus scans on it (like Panda, Trend Housecall etc)? and which spyware removal tools have you tried?

Deb :))
0
 

Author Comment

by:mleach
ID: 12279049
Thanks.

I'll try to disconnect from the internet to see if it comes back.

I have tried Panda and Housecall with no success.

The Spyware removal tools I have tried are:

Ad-aware
PestPatrol
Seach & Destroy
Hi-jack this
CWShredder

I have also checked to see if there were programs installed under the Add/Remove Programs of the Control Panel with no success as well.

I'll advise if disconnecting from the internet helps.

0
 
LVL 1

Expert Comment

by:Grinler-
ID: 12279374
Can you email this file to grinler@yahoo.com and I will try to tell you what it is and how to uninstall it.

When you send it, please put a link to this message in the email
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:mleach
ID: 12279543
I'll send it to you. Thanks.
0
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12280706
Please check the registry under the RUn key for any culprits and delte them from there it will stop running.
HKEY_LOCAL_MACHINE/software/microsoft/windows/currentversion/Run
HKEY_LOCAL _USER/software/microsoft/windows/currentversion/Run

Thats were any culprits lie..
If you can get on the internet then try a virus check @ http:\\housecall.trendmicro.com

0
 

Author Comment

by:mleach
ID: 12280864
Thanks but I've tried all of that (see above comments)
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12281287
Hi

I meant isolate a machine from the entire network full stop - not just the internet. Literally pull the patch lead out, attempt your manual removal and leave it to run for a while well beyond the time the problem recurs. I'm just trying to help establish if this is an issue specific to the machine in isolation or transmitted/propagated across the network. The only way to find out is to pull the network plug so to speak. Also what software exactly do you have installed on these machines?

Deb :))
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12281670
Ok - does this look familiar?
http://home.cyberdefender.com/risk/html/20041002005600svghost.exe.log.html
and
http://www.pcreview.co.uk/thread-4161.php

From the above link:
"""dude! I had 2 instances of svghost.exe running, it's some sort of backdoor prog... check your hidden files in windows directory. My file was named "kernell" and had 200 files of different names. but looking at the properties of them they all had the same info. and they were ALL applications (the same app)

I tried to delete the file then 5 minutes later it would come back. It did this EVERY time I tried to delete it. It was full of porn cracks, game cracks, etc etc (or so the file names implied).

Then I ran a search for apps on my puter and found 2 stray apps (with different names but the same app info) in the windows dir. one I could not delete (it says it was being run by windows) and the other I could.

so i then again... deleted the hidden file (with all the apps in it) the one stray app, ran the task manager, found the svghost, ended the task, then I could delete the app that I could previously not delete and emptied the recycle bin (done very quickly before it coud build the hidden file... agan). And that seemed to have gotten rid of it.

I have no idea what the app was trying to do, but my puter had been running funny till I got rid of all that crap.

Hope that helps
Diabolicboy""""

I think this sounds like a worm as mentioned in the first thread. Have you tried
1) Complete Isolation from network then
2) Restart in safe mode (disable system restore on windows xp first) then
3) Making sure all files and folders are not hidden using tools in folder options (unhide system files etc - reset all folders like current folder etc)
4) Rerun hijackthis, spyware tools, examine all running processes and services for validity etc
5) Delete all offending files referenced in registry - also look for rogue apps in all potential start-run keys and file folders
6) If this is successful repeat procedure on all pc's prior to reconnecting to network.
7) Ensure that all OS's are fully patched (with possible exception of XP SP2!)

Deb :))
0
 

Author Comment

by:mleach
ID: 12286692
I am going to try the Gaobot Removal tool from Norton to see if this helps.

Thanks
0
 
LVL 1

Expert Comment

by:Grinler-
ID: 12288016
It looks to be Backdoor.SDBot.Gen

http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=177


You may want to try this removal tool:

http://vil.nai.com/vil/stinger/
0
 

Author Comment

by:mleach
ID: 12338075
After using Trendmicro's Housecall it found 3 or 4 trojans and worms. After removing these our Symantec Enterprise Edition Anti-Virus found W32.Spybot.Worm the next day. The file associated with this worm was svghost.exe.

Thanks for the help.
0
 

Expert Comment

by:scoinzen
ID: 14600612
There are two main variant of the SVGHOST.EXE, RBOT worm and SPYBOT worm. You can download cleaning package from www.trandmicro.com/downloads/dcs.asp.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question