[SOLVED] Suspicious Task Manager

Memox

A few days ago I posted here on this section just to be sure about my PC being clean. You guys did a great work, and lately I've been monitoring my task manager just to be sure... The latter is in fact a little suspicious (it always was, but now more than ever because I'm actually researching the names of such background processes). Don't misunderstand, I don't see that much of a problem (aside a lot of said processes that perhaps are even useless), but I do know that some malicious programs can mimic the names of real Windows processes/services, and that's the real issue; I really don't know if they're the real deal or not and how I can spot them (for starters, I think there are way too many "svchost.exe"). A/V(es) and Anti-malwares didn't find anything (supposedly, if there really is a problem these wouldn't find it anyway, because when I was attacked I clearly remember that the malwares/trojans were uploaded on that website the exact same day I downloaded them nasty files, so A/V(es) etc. may not in fact be up-to-date yet towards an alleged, new threat) finally, I don't have that much of CPU peaks and that's true, but I do have memory peaks, starting from booting up until I turn off the machine (that means: always). Don't know if that's good or not though; My final point would be, do you see anything out-of-place on those pictures? (Sorry, these are not in English); Anything peculiar? Can I do something to further identify and/or fight this stuff? I've already unchecked tons of legitimate(?) albeit useless(?) stuff on msconfig, but I think 75+ processes are still way too many.
 

Sorry, Memox, although I can make out some of the words, the lettering in the services.png image is too small for me to read. As to process, I opened Task Manager on my Windows 10 laptop and with only 5 apps open, there are currently 62 Background processes and 99 Windows processes. So, no, 75+ processes is not too many.
 
You're right, sorry; how about now?
By the way we can exclude the numerosity matter then, that's already something. What about their names though? Allegedly they're all from Windows... Or maybe not; audiodg.exe for example should be pretty normal, but it doesn't have any description and some malicious programs do in fact mimic that exact name. Another one which does that too is the aforementioned svchost.exe, and I do see many instances of this one. Is there a way to find out manually if they're legitimate? If not, how do I get rid of them? Maybe I'm just reading too much into it, but one can never be too sure.
 

Hi, Memox.

Starting with audiodg.exe, as long as it is running in C:\Windows\System32, it is safe and doing what it is supposed to, which is to ensure that the content and plug-ins are not modified by another application. As to svchost.exe, again, the location is C:\Windows\System32 or C:\Windows\SysWOW64 (32-bit services running on a 64-bit machine). It is a system process that can host from one to many Windows services and is essential. If you were running Windows 10, you'd see even more instances of svchost.exe than in Windows 7.
 
Thanks for the elucidation, Corrine. I'm running on Windows 7; I did some research earlier but I didn't find anything about it (or maybe I just didn't search the right keywords): I still don't get how to see the location from which processes and services launch. That would be of course, very beneficial... Do you know something about it, Windows 7 wise?
 
The logs you had posted showed the files as digitally signed so, unless you are having issues and post fresh FRST logs, it rather seems you may be over-worrying a bit. :)
 
I think you're right, we did in fact see it just a few days ago; how do you identify if the processes/services are legitimate, though? Is there a way through the task manager to see where the application starts?
 
You could use the SysInternals Process Explorer. However, you need to be very careful and not make changes with the various SysInternals tools if you don't have a complete understanding about what the process is and what it does. Otherwise, you will have a very nice door stop rather than a working computer. Process Explorer - Windows Sysinternals | Microsoft Docs
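
A read-only way to list where each running process was started from, using only what ships with Windows 7 (PowerShell 2.0), given here as an added example that is not part of any forum post. The `$expected` table and the verdict wording are assumptions built from the folders named in this thread for svchost.exe and audiodg.exe.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on the system.
# Run from an elevated 64-bit PowerShell prompt; without elevation, protected
# processes return an empty ExecutablePath (the same processes that Process
# Explorer shows as [Access Denied]).

$sysRoot = $env:SystemRoot

# Assumption: expected folders taken from the locations stated in the thread.
$expected = @{
    'svchost.exe' = @("$sysRoot\System32", "$sysRoot\SysWOW64")
    'audiodg.exe' = @("$sysRoot\System32")
}

Get-WmiObject Win32_Process | ForEach-Object {
    $name = $_.Name.ToLower()
    $path = $_.ExecutablePath
    $sig  = 'n/a'

    if ($path) {
        # Checks the signature embedded in the file. Older PowerShell versions
        # do not consult Windows catalog signatures, so 'NotSigned' on a system
        # file means "check further", not "malicious".
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status
    }

    if (-not $path) {
        # 'System' and 'System Idle Process' never have an image path.
        $verdict = 'path not readable'
    }
    elseif ($expected.ContainsKey($name) -and
            ($expected[$name] -notcontains (Split-Path -Parent $path))) {
        # Same name as a Windows process, but started from another folder.
        $verdict = 'UNEXPECTED LOCATION'
    }
    else {
        $verdict = 'ok'
    }

    New-Object PSObject -Property @{
        Name      = $_.Name
        PID       = $_.ProcessId
        Path      = $path
        Signature = $sig
        Verdict   = $verdict
    }
} | Sort-Object Name | Select-Object Name, PID, Signature, Verdict, Path |
    Format-Table -AutoSize
```

A row marked `UNEXPECTED LOCATION` is the case discussed above: a process using a Windows process name while running from a folder other than the ones listed for it.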
 
Very interesting, thank you for mentioning this. It's weird you can't do something like this by default, but whatever, this Process Explorer is still made by Microsoft so it will certainly do the work; obviously I won't touch anything, I just want to make sure that all the Windows processes are started from system32 or other similar Windows folders, exactly as it should be...
For starters, I can see that pretty much every svchost.exe is from system32, and this is already something good, I think. Unfortunately, a few have the phrase [Access Denied] or [Error opening process] attached to them, so I really can't tell a whole lot about those ones, they aren't even signed... One of which is audiodg.exe; speaking of which, when I've examined this one by merely hovering the cursor to it to see the path, after a few seconds its bar went red and finally the whole thing disappeared. I don't know, perhaps I'm again reading too much into it.
 
Yes, I do believe that you are reading a bit too much into it. Granted, it is important to be cautious but it is just as important to get carried away. Still being on Windows 7, you're missing out on the improvements in Windows 10. With Windows 10 Task Manager, when you look at Service Host under Windows Processes, the items can be expanded and it shows more information:

[Screenshot attachment 44060]

But, taking it further, right-clicking on an item takes you to details where you can right-click again and select properties. This provides not only the file location but also the digital signature information.
 
That's indeed useful, I wish W7 had something like that by default... The problem is that Windows 10 is not so tempting to me anyway, for plenty of different reasons; I do know however that aside some things it's a really well made OS with enviable features and improvements... Still better than 8 and Vista, that's granted 😅 when the day of Windows 7 services and updates being discontinued will arrive, I'll do the leap. But for now, I would rather leave it as that.

Well, what else can I say... Going further on like this is just a big dead end, this Process Explorer indeed proved to be useful but in the end some things are hidden anyway; one thing is for certain, I'm being way too cautious about this and I knew it since the very beginning, but if I don't even have something solid to prove at this point, then we can only waste my and especially your time pointlessly, and that's obviously something I would rather avoid. You've taken care / tolerated me even too much! Thanks again.
 
You're welcome. I'm glad that I at least eased your mind. I do hope you realize that the end of support for Windows 7 is January 14, 2020.
 
I didn't know that... It's earlier than I thought! This will be problematic further on, almost traumatic because I love Windows 7 so much, it accompanied me for nearly a decade and I know damn well about its features and advantages... But I'm not here to rant about operating systems, so I would say this thread is solved too. As always, keep up the good work.
 
It will take a while to adjust to Windows 10 but I'm certain that you will and also certain that you'll appreciate the increased security features of the OS.
 
