
Multiple copies of svchost.exe listed as running in Task Manager


6 replies to this topic

#1 JayJax

JayJax

  • Members
  • 710 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lee's Summit Missouri
  • Local time:01:28 AM

Posted 19 December 2016 - 07:54 PM

In the course of checking Task Manager about something else I saw that I have 12 copies running of svchost.exe and I'm curious if it's supposed to be that way? Because it seems to be using a lot of memory.

If it's not supposed to be that way (I saw this a few days ago as well) how do I fix it? Should I be concerned?




 


#2 HrcaA3000

HrcaA3000

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:28 AM

Posted 23 December 2016 - 03:45 AM

Download and run a scan with Malwarebytes AntiMalware.

Svchost is a process for one service or many services.
So, it is normal to have many svchost.exe (because Windows has many services, so one svchost.exe is usually for one service or for multiple services), but just to make sure that there is no virus, run a scan with Malwarebytes AntiMalware.

Edited by HrcaA3000, 23 December 2016 - 03:48 AM.


#3 shadow_647

shadow_647

  • Banned
  • 1,430 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:28 PM

Posted 23 December 2016 - 06:41 AM

You could download this as well and check to see if all the code was verified (Verify Image Signatures) by Microsoft; nasty code often isn't.

 

https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx

 

 

Image Verification

A malware author who takes the trouble can easily add the name of a legitimate company, like Microsoft, to the Company field of an executable file. To provide assurance that their products are genuine, therefore, legitimate software vendors digitally sign most of the program files they publish. A digital signature can be used to verify that a file has been signed by the vendor using a private key and that the file has not been modified since being signed.

Process Explorer allows you to automatically verify the signature of a signed executable or DLL file. By default, verification is performed only on demand, and can be performed for individual files or for all running processes. In the Properties dialog for both processes and DLLs, the Image tab contains a Verify button that can be used to verify the digital signature for the associated file. Clicking the button causes Process Explorer to check the Certificate Revocation List (CRL) for the certificate to ensure that it is valid, and to check the cryptographic hash of the file to verify that it has not been tampered with since being signed.

To configure Process Explorer to automatically verify the signatures for all running processes and files, click the Options menu, and then click Verify Image Signatures.

The Verified Signer field, which displays next to the file icon in the Properties dialog and as a column that can be shown in the process list and DLL View, indicates the status of any signature check that has been performed. If Process Explorer is able to verify the signature, the field displays “(Verified)”, followed by the subject name from the certificate. (Note that the name on the signing certificate might not be the same as the name in the Company Name field. For example, most executable files that ship as part of Windows have “Microsoft Corporation” as the company name but are signed with a “Microsoft Windows” certificate.)

If signature verification has not been attempted, or if the selected file is not an executable file type, the field is blank or displays “(Not verified)” followed by the company name from the file’s version resource. “(Unable to verify)” followed by the company name indicates that the file is not signed or that a signature check has failed.

https://www.microsoft.com/security/sir/strategy/default.aspx?_escaped_fragment_=malwarecleaning_explorer#!malwarecleaning_explorer

 

This is good too, but it doesn't verify things the same way.

 

http://downloads.tomsguide.com/Task-Security-Manager,0301-1670.html
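
Added example (not part of any poster's message): the same checks discussed in posts #2 and #3, scripted with built-in Windows PowerShell cmdlets. For every running svchost.exe it lists the hosted services, the image path, the parent process, and the Authenticode status and signer. The variable names and the 'PathUnavailable' label are illustrative choices made for this example.

```powershell
# Added example: audit every running svchost.exe. Run from an elevated prompt,
# otherwise ExecutablePath can come back empty for some processes.

# svchost.exe legitimately lives only in these two folders.
$expected = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $env:SystemRoot "$_\svchost.exe" }

# Map each process ID (as a string key) to the services hosted in that process.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$report = foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $path   = $proc.ExecutablePath
    $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $parent = Get-Process -Id $proc.ParentProcessId -ErrorAction SilentlyContinue
    $hosted = $servicesByPid["$($proc.ProcessId)"]

    [pscustomobject]@{
        PID       = $proc.ProcessId
        Path      = $path
        PathOK    = ($expected -contains $path)      # case-insensitive match
        Parent    = $parent.ProcessName              # normally "services"
        Signature = if ($sig) { $sig.Status } else { 'PathUnavailable' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Services  = ($hosted.Name -join ', ')
    }
}

# Full listing: one row per svchost.exe instance.
$report | Sort-Object PID | Format-Table -AutoSize -Wrap

# Rows that deserve a closer look: wrong folder or a signature that is not Valid.
$report | Where-Object { -not $_.PathOK -or $_.Signature -ne 'Valid' } |
    Format-List
```

Many rows with `PathOK` true, a Microsoft signer and a non-empty `Services` column are the normal case described in post #2. On older Windows/PowerShell versions, catalog-signed system files can be reported as NotSigned, so confirm such a result with Process Explorer's Verify Image Signatures option before acting on it.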



#4 JayJax

JayJax
  • Topic Starter

  • Members
  • 710 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lee's Summit Missouri
  • Local time:01:28 AM

Posted 24 December 2016 - 01:13 AM

I

 


I did as you suggested and there was some sort of PUP files that were detected and deleted. But I'm confused as to what we are actually doing?



#5 JayJax

JayJax
  • Topic Starter

  • Members
  • 710 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lee's Summit Missouri
  • Local time:01:28 AM

Posted 24 December 2016 - 01:16 AM


I'm not sure what I'm supposed to do with these?



#6 shadow_647

shadow_647

  • Banned
  • 1,430 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:28 PM

Posted 24 December 2016 - 03:05 AM

You saying you can't do verification of processes in the tool?

Not really hard, just go top left "options/verify image signature" and we're done. You need an internet connection to do this and let it get past the firewall. Take a screenshot if you don't know what to do next and post it.

All your svchost.exe should check out.

And what don't you understand about how Security Task Manager works? Do you not see the red bars?



#7 JayJax

JayJax
  • Topic Starter

  • Members
  • 710 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lee's Summit Missouri
  • Local time:01:28 AM

Posted 24 December 2016 - 08:50 PM


I'm not sure how to do it





