services.exe rootkit malware?

Zixith

Honorable
Oct 1, 2016
34
0
10,530
Does anyone know what services.exe CPU usage should look like in Task Manager, and also what the normal file size is for this program in the system32 folder?

I am getting around 10% CPU usage max (mostly around 5%ish), with the usage fluctuating up and down.

Any ideas?
 
Zixith



Would such a tool detect if it were a rootkit, I hear rootkits can be pretty nasty viruses since they can retrieve all passwords and bank details.
 

stdragon

Admirable
A hash is just a fingerprinting of the file. If any portion of the file is different than what Microsoft installs, then it's suspect. You cannot have it be a rootkit without modifying the file. If it's modified, it will show up with a different hash. The exact hash will be compared with a known list and identify the type of malware it is.

Just FYI, I suspect it's not a virus, rather a service that's stuck in a recursive scanning loop such as Windows Update. You can open up services.msc (search bar) and right-click over Windows Update. Choose "Stop". If CPU consumption goes away, you know that was the problem.
 
Solution

stdragon

For anyone else that suspects services.exe: if you're running Windows 10 version 1803, the SHA-256 hash is as follows below.

6af120d627e26274d001a01e5cb9b165318b14b9fa8f1c8c59bf069da1114618

If your hash matches, your services.exe file is clean.

Note: the services.exe file is subject to change based on Windows builds, versions, and any updates that have been applied.
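As an added example (not code from the thread), a PowerShell check that does what stdragon describes: it computes the SHA-256 of the file in System32 and compares it with the 1803 value quoted above, and, because that hash changes with every build and update, it also verifies the file's Microsoft Authenticode signature, which stays valid across builds. It assumes Windows PowerShell 5.1 or later; the known-good table is constructed from the single value in this post.

```powershell
# Added example: verify services.exe by hash and by Authenticode signature.
# Assumes Windows PowerShell 5.1+ (Get-FileHash, Get-AuthenticodeSignature).

$target = Join-Path $env:SystemRoot 'System32\services.exe'

# Known-good SHA-256 values keyed by Windows 10 ReleaseId. Only the value
# quoted in this thread (version 1803) is filled in; add others from a
# trusted source. The hash differs for every build and update, so a miss
# here is not by itself a sign of infection.
$knownGood = @{
    '1803' = '6af120d627e26274d001a01e5cb9b165318b14b9fa8f1c8c59bf069da1114618'
}

if (-not (Test-Path $target)) {
    Write-Host "Not found: $target"
    return
}

# 1. Hash check: only meaningful when a value for this exact build is known.
$hash  = (Get-FileHash -Path $target -Algorithm SHA256).Hash.ToLower()
$build = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
Write-Host "Build $build, SHA-256: $hash"
if ($knownGood.ContainsKey($build)) {
    if ($hash -eq $knownGood[$build]) { Write-Host 'Hash matches the known-good value.' }
    else { Write-Host 'Hash does NOT match the known-good value for this build.' }
} else {
    Write-Host 'No known-good hash recorded for this build; rely on the signature check.'
}

# 2. Signature check: Microsoft signs every release (services.exe is
#    catalog-signed; Get-AuthenticodeSignature consults the catalog).
$sig = Get-AuthenticodeSignature -FilePath $target
Write-Host "Signature status: $($sig.Status)"
Write-Host "Signer: $($sig.SignerCertificate.Subject)"
if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*') {
    Write-Host 'Authenticode signature is valid and issued to Microsoft.'
} else {
    Write-Host 'Signature missing or invalid: treat the file as suspect and submit it for analysis.'
}

# 3. Confirm the running services.exe is the copy in System32, not a
#    same-named file elsewhere (Path is empty when not elevated; that is skipped).
Get-Process -Name services -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -ne $target } |
    ForEach-Object { Write-Host "services.exe running from unexpected path: $($_.Path)" }
```

Run it from an elevated PowerShell so the process path in step 3 is readable; the hash printed is also the value to compare with a VirusTotal lookup.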
 

Zixith



I just realised that, because I've checked this with VirusTotal, couldn't I have compromised my details? I'm not entirely sure if services.exe contains any information about my device or anything personal.

 

stdragon



If your hash matches mine, we have the exact same file. No personal info would be contained in that file. If there was, the hash would be calculated differently.

 

Zixith



My hash is different, as you mentioned probably due to different builds etc.

 

Zixith


So.... since the hash is different, doesn't that mean that my services.exe file could contain different information to yours, like device identifiers and such?
 

stdragon



Possible, but extremely unlikely if VirusTotal confirmed your hash to be clean. There are only so many versions of services.exe compiled, with only one possible SHA-256 for each one.

Essentially, if VirusTotal said it wasn't infected by all the scan engine results, then I'm going to put a great deal of faith that your file is fine.

If yours was truly rooted, there's a good chance it would have been flagged as infected.

If you're still worried that you have an active infection, then go ahead and install a trial copy of Bitdefender Antivirus or run a free online scan with Trend Micro HouseCall.

 

Zixith



I'm using Malwarebytes, would that be ok to use instead of the others you have listed?
 