Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

svghost.exe using 100% CPU usage

Posted on 2004-10-11
Last Modified: 2013-12-04
On our WinXP and Win2000 workstations there is a file (spyware probably) that is draining CPU usage and jamming our internet connection. The file's name is svghost.exe.

I ran every spyware program known to man (with the latest updates) but with no success of it cleaning the workstation from this pest.

I have tried to manually clean the CPU by booting in safe mode and deleting the svghost file and removing all references to the file in the startup log and registry. But it keeps regenerating itself within 15 minutes of deleting it. I ahve turned off system restore as well.

I have contacted my Spyware vendors and inquired about this file to see if they knew it existed and received the usual "we'll look in to it" response.

Is there a way, via script or batch file, to kill this fill when and if it executes? Or is there a way to prevent it from being reinstalled after it is deleted?

Question by:mleach
  • 5
  • 3
  • 2
  • +2
LVL 20

Accepted Solution

Debsyl99 earned 500 total points
ID: 12278937

Have you tried disconnecting a pc from the network, then trying your manual removal (keeping it disconnected from the network) and seeing if it comes back then? Just checking really to see if it is actually being propagated across the network which is distinctly possible. If this does work then I suggest you do this with each pc in turn  ie isolate from network, remove the pest, and not reconnect anything until all is clear.

Or - failing that (as there may be other hidden entries that are spawining this) have you tried  online virus scans on it (like Panda, Trend Housecall etc)? and which spyware removal tools have you tried?

Deb :))

Author Comment

ID: 12279049

I'll try to disconnect from the internet to see if it comes back.

I have tried Panda and Housecall with no success.

The Spyware removal tools I have tried are:

Seach & Destroy
Hi-jack this

I have also checked to see if there were programs installed under the Add/Remove Programs of the Control Panel with no success as well.

I'll advise if disconnecting from the internet helps.


Expert Comment

ID: 12279374
Can you email this file to grinler@yahoo.com and I will try to tell you what it is and how to uninstall it.

When you send it, please put a link to this message in the email
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.


Author Comment

ID: 12279543
I'll send it to you. Thanks.
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12280706
Please check the registry under the RUn key for any culprits and delte them from there it will stop running.
HKEY_LOCAL _USER/software/microsoft/windows/currentversion/Run

Thats were any culprits lie..
If you can get on the internet then try a virus check @ http:\\housecall.trendmicro.com


Author Comment

ID: 12280864
Thanks but I've tried all of that (see above comments)
LVL 20

Expert Comment

ID: 12281287

I meant isolate a machine from the entire network full stop - not just the internet. Literally pull the patch lead out, attempt your manual removal and leave it to run for a while well beyond the time the problem recurs. I'm just trying to help establish if this is an issue specific to the machine in isolation or transmitted/propagated across the network. The only way to find out is to pull the network plug so to speak. Also what software exactly do you have installed on these machines?

Deb :))
LVL 20

Expert Comment

ID: 12281670
Ok - does this look familiar?

From the above link:
"""dude! I had 2 instances of svghost.exe running, it's some sort of backdoor prog... check your hidden files in windows directory. My file was named "kernell" and had 200 files of different names. but looking at the properties of them they all had the same info. and they were ALL applications (the same app)

I tried to delete the file then 5 minutes later it would come back. It did this EVERY time I tried to delete it. It was full of porn cracks, game cracks, etc etc (or so the file names implied).

Then I ran a search for apps on my puter and found 2 stray apps (with different names but the same app info) in the windows dir. one I could not delete (it says it was being run by windows) and the other I could.

so i then again... deleted the hidden file (with all the apps in it) the one stray app, ran the task manager, found the svghost, ended the task, then I could delete the app that I could previously not delete and emptied the recycle bin (done very quickly before it coud build the hidden file... agan). And that seemed to have gotten rid of it.

I have no idea what the app was trying to do, but my puter had been running funny till I got rid of all that crap.

Hope that helps

I think this sounds like a worm as mentioned in the first thread. Have you tried
1) Complete Isolation from network then
2) Restart in safe mode (disable system restore on windows xp first) then
3) Making sure all files and folders are not hidden using tools in folder options (unhide system files etc - reset all folders like current folder etc)
4) Rerun hijackthis, spyware tools, examine all running processes and services for validity etc
5) Delete all offending files referenced in registry - also look for rogue apps in all potential start-run keys and file folders
6) If this is successful repeat procedure on all pc's prior to reconnecting to network.
7) Ensure that all OS's are fully patched (with possible exception of XP SP2!)

Deb :))

Author Comment

ID: 12286692
I am going to try the Gaobot Removal tool from Norton to see if this helps.


Expert Comment

ID: 12288016
It looks to be Backdoor.SDBot.Gen


You may want to try this removal tool:


Author Comment

ID: 12338075
After using Trendmicro's Housecall it found 3 or 4 trojans and worms. After removing these our Symantec Enterprise Edition Anti-Virus found W32.Spybot.Worm the next day. The file associated with this worm was svghost.exe.

Thanks for the help.

Expert Comment

ID: 14600612
There are two main variant of the SVGHOST.EXE, RBOT worm and SPYBOT worm. You can download cleaning package from www.trandmicro.com/downloads/dcs.asp.

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question