services.exe rootkit malware?

Status
Not open for further replies.

Zixith

Commendable
Oct 1, 2016
13
0
1,560
Does anyone know what services.exe CPU usage should look like in Task Manager, and also what the normal file size is for this program in the system32 folder?

I am getting around 10% CPU usage max (mostly around 5%ish), with the usage fluctuating up and down.

Any ideas?
 


Zixith



Would such a tool detect if it were a rootkit? I hear rootkits can be pretty nasty viruses since they can retrieve all passwords and bank details.
 

stdragon

Proper
Apr 5, 2018
94
0
160
A hash is just a fingerprint of the file. If any portion of the file is different than what Microsoft installs, then it's suspect. You cannot have it be a rootkit without modifying the file. If it's modified, it will show up with a different hash. The exact hash will be compared with a known list and identify the type of malware it is.

Just FYI, I suspect it's not a virus, rather a service that's stuck in a recursive scanning loop such as Windows Updates. You can open up services.msc (search bar) and right-click over Windows Update. Choose "stop". If CPU consumption goes away, you know that was the problem.
 
Solution

stdragon

For anyone else that suspects services.exe: if you're running Windows 10 version 1803, the SHA-256 hash is as follows:

6af120d627e26274d001a01e5cb9b165318b14b9fa8f1c8c59bf069da1114618

If your hash matches, your services.exe file is clean.

Note: the services.exe file is subject to change based on Windows builds, versions, and any updates that have been applied.
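
The check described in the post above, as an added example that is not part of the original thread. It computes the SHA-256 of services.exe, compares it with a local list that holds only the Windows 10 1803 value quoted above, and, going beyond what the thread covers, also reads the file's Authenticode signature, which does not depend on the build. It assumes Windows PowerShell 5.1 or later; the variable names and the list layout are illustrative.

```powershell
# Added example, not from the thread. Run in a PowerShell window on the
# machine being checked.
$Path = Join-Path $env:SystemRoot 'System32\services.exe'

# Known-good list. The only entry is the hash quoted in this thread for
# Windows 10 version 1803; other builds and update levels will not match.
$KnownGood = @{
    'Windows 10 1803 (value quoted in this thread)' =
        '6af120d627e26274d001a01e5cb9b165318b14b9fa8f1c8c59bf069da1114618'
}

# Get-FileHash returns upper-case hex; -eq on strings is case-insensitive.
$hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
$match = $KnownGood.GetEnumerator() | Where-Object { $_.Value -eq $hash }

# Build-independent check: signature status and signer of the file.
# SignerCertificate is $null for an unsigned file, so the test is $false.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
$signedByMicrosoft = ($sig.Status -eq 'Valid') -and
    ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

[pscustomobject]@{
    Path              = $Path
    SizeBytes         = (Get-Item -LiteralPath $Path).Length
    SHA256            = $hash.ToLower()
    KnownBuild        = if ($match) { $match.Key } else { 'not in local list' }
    SignatureStatus   = $sig.Status
    Signer            = $sig.SignerCertificate.Subject
    SignedByMicrosoft = $signedByMicrosoft
    IsOSBinary        = $sig.IsOSBinary
} | Format-List
```

A hash that is not in the local list only means the build differs from 1803 or the list is incomplete; the signature fields are the ones to read in that case.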
 

Zixith



I just realised: because I've checked this with VirusTotal, couldn't I have compromised my details, since I'm not entirely sure if services.exe contains any information about my device or anything personal?

 

stdragon



If your hash matches mine, we have the exact same file. No personal info would be contained in that file. If there was, the hash would be calculated differently.

 

Zixith



My hash is different, as you mentioned probably due to different builds etc.

 

Zixith


So... since the hash is different, doesn't that mean that my services.exe file could contain different information to yours, like device identifiers and such?
 

stdragon



Possible, but extremely unlikely if VirusTotal confirmed your hash to be clean. There are only so many versions of services.exe compiled, with only one possible SHA-256 for each one.

Essentially, if VirusTotal said it wasn't infected by all the scan engine results, then I'm going to put a great deal of faith that your file is fine.

If yours was truly rooted, there's a good chance it would have been flagged as infected.

If you're still worried that you have an active infection, then go ahead and install a trial copy of BitDefender Antivirus or run a free online scan with Trend Micro HouseCall.

 

Zixith



I'm using Malwarebytes, would that be ok to use instead of the others you have listed?
 

stdragon

Malwarebytes is ok. Personally, I prefer BitDefender AntiVirus for all my computers due to its high detection, URL filtering of phishing and hosted malware, and multi-threaded speed for file scanning.
 