Cdghsy

eirebhoy · 29-01-2005 11:18pm #1

I pressed ctrl-alt-dlt today and found a process called cdghsy.exe running and taking up over 20mb of memory. I'd never seen it before so ended it and restarted my computer and it hasn't been in processes since (edit: just restarted and it is now). I googled and no results came up for it. Only a few minutes ago I went to startups in msconfig and it was listed as a startup from my SYSTEM32 folder. I went and looked in that folder and there's a load of xml files starting with cdghsy (eg. cdghsyk1.xml) aswell as the .exe file. Does anyone have a clue what this could be as I can't find it google?

Cheers.

edit - another startup item is wxahkt.exe in my windows folder.

snappieT · 29-01-2005 11:32pm

That is Odd. Not a single reference to either processes in any search engine. That means it hasn't even ever been discused on any (indexed) boards.

Clueless. Will be checking back to this post often to see how it spans out.

Are you sure you've spelled them right?

maxheadroom · 30-01-2005 12:02am

snapscan1212p wrote:

That is Odd. Not a single reference to either processes in any search engine. That means it hasn't even ever been discused on any (indexed) boards.

Clueless. Will be checking back to this post often to see how it spans out.

Are you sure you've spelled them right?

Have you run an AV scan recently? Some viruses use random process names. If not, download stinger and run it.

eirebhoy · 30-01-2005 12:04am

snapscan1212p wrote:

Are you sure you've spelled them right?

http://members.boards.ie/eirebhoy/cdghsy.jpg

NotMe · 30-01-2005 12:22am

Yeah sounds like a randomly name virus. Have you done all the checks?

eirebhoy · 30-01-2005 12:49am

I've done a scan with Stinger (from the link maxheadroom provided), that found an IRC/Flood.bi trojan but nothing more. I got a message from Norton that there is a trojan in the Windows folder called msnbc.com but that can't be deleted. I'll do a few more scans.

NotMe · 30-01-2005 1:48am

Try this aswell: http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en

smorton · 30-01-2005 4:12am

it could be spyware. some spyware generates a random filename which is why it doesn't show up in google. i'd assume some viruses would do the same. the trick is to start in safe mode so the exe doesn't automatically start and then delete it. Probably problem solved

maxheadroom · 30-01-2005 10:49am

smorton wrote:

it could be spyware. some spyware generates a random filename which is why it doesn't show up in google. i'd assume some viruses would do the same. the trick is to start in safe mode so the exe doesn't automatically start and then delete it. Probably problem solved

Actually, this sounds a bit like a coolwebsearch variant. Try CWShredder and see what it finds. Have you noticed any problems with IE, extra popup windows for example?

eirebhoy · 30-01-2005 11:58am

Yeah, I only use IE when I have to (hotmail, etc.) and when I was using it last week I got a good few popups and still get them from dealhelper. I posted a log file on another site but still got no reply:
http://www.spywarewarrior.com/viewtopic.php?t=9788

I've tried every anti-Spyware program under the sun without any luck.

Ciaran500 · 30-01-2005 12:02pm

Did you look for the offiicial uninstaller from dealhelper? There normally is one.

EDIT: http://sarc.com/avcenter/venc/data/pf/adware.dealhelper.html

eirebhoy · 30-01-2005 1:43pm

Ciaran500 wrote:

Did you look for the offiicial uninstaller from dealhelper? There normally is one.

EDIT: http://sarc.com/avcenter/venc/data/pf/adware.dealhelper.html

I did everything that says in the link. When I did the full scan with Norton it got rid of that msnbc.com thing I mentioned earlier but nothing else. None of the registry keys were found and I deleted dealhelper from add/remove last week.

I've just noticed that wxahkt.exe is gone from the Windows folder and no loger in Startups. I've attached the icon for the other file.

Cdghsy

Comments