svchost.exe running under username in Process Explorer


Smidge
Member
Posts: 2
OS: Windows 11
Hi -

I am on a Windows 11 version 22H2 machine and venturing into new territory here so forgive me if I am a bit clumsy with delivery. The overall concern is that I have malware on my machine that isn't being detected by any scans. Post is full of questions. Thank you in advance for your patience and support.

In Process Explorer svchost.exe is running 7 processes with my computer as the username instead of either SYSTEM, LOCAL SERVICE or NETWORK SERVICE. I read a lot of information today that stated this is most often a sign of malware, although not always. I did some more research and came across additional info stating that if svchost.exe is running from Windows\System32 then it is valid, but then saw malware can disguise itself to go into this folder.

Confusingly, at least to me, all instances of svchost.exe running under my username are from C:\Windows\System32\svchost.exe.
All 7 processes have this as the image: [attachment 48348]

The command lines for each:

C:\WINDOWS\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s webthreatdefusersvc
C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\WINDOWS\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService
C:\WINDOWS\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup
C:\WINDOWS\system32\svchost.exe -k LocalService -p -s CaptureService

With any of these processes if I right-click and kill them they repopulate within 15 seconds. Uncertain if that is suggestive of malware.

Scans I ran today and all were clear:

Bitdefender
Malwarebytes
Windows Security
rkill.exe
tdsskiller.exe

Although Bitdefender did send me this notification:

Feature: Online Threat Prevention
chrome.exe attempted to establish a connection relying on an unmatching security certificate to cs.ffbtas.com. We blocked the connection to keep your data safe since the used certificate was issued for a different web address than the targeted one.

There isn't any odd behavior with my system either. Everything seems to be fine.

Taking all of this into consideration, should I be concerned about the svchost.exe processes running under my username? Is it likely malware that the scans are missing? If so what do I do? What other indicators in Process Explorer or elsewhere might indicate malware? This is a new topic to me and I generally haven't been as diligent as I should about protecting my system and am now concerned about malware sneaking past all scanners.

Also regarding this command line C:\WINDOWS\system32\svchost.exe -k LocalService -p -s CaptureService => I read this online today about capture services (Important: Some malware camouflages itself as CaptureService.exe, particularly when located in the C:\Windows or C:\Windows\System32 folder. Therefore, you should check the CaptureService.exe process on your PC to see if it is a threat.) Where would I further explore the captureservice.exe process and what would I look for?

Thanks -
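An added example, not part of the original post or of Process Explorer, that does the check the post is asking for from a PowerShell prompt. It walks every svchost.exe instance and reports the account it runs as, the services it hosts, the parent process, the on-disk image and its Authenticode signature, then flags the combinations that actually matter: an image other than %SystemRoot%\System32\svchost.exe, a signature that is not valid or not Microsoft's, a parent other than services.exe, or an svchost that hosts no registered service at all. The names in the posted command lines (CDPUserSvc, WpnUserService, cbdhsvc, UdkUserSvc, NPSMSvc, CaptureService, webthreatdefusersvc) are Windows per-user service templates; the service control manager creates one instance per signed-in user, named with a per-logon suffix (for example CDPUserSvc_xxxxx), and runs it under that user's account, which is why those svchost instances show a username rather than SYSTEM, LOCAL SERVICE or NETWORK SERVICE. The `_[0-9a-f]{4,}$` pattern used to recognise that suffix is an assumption of this script, not a documented format. Run it from an elevated PowerShell (5.1 or later) so that command lines and owners of processes belonging to other accounts are readable; nothing here modifies the system.

```powershell
# Added example (not from the original post): audit every svchost.exe instance.
# Output: one row per svchost with owner, hosted services, signature status and
# a Flags column that is empty when nothing is out of the ordinary.

$system32Svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Map PID -> the services the SCM reports as running inside that PID
$running = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }
$servicesByPid = $running | Group-Object -Property ProcessId -AsHashTable -AsString

$report = foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    # Account the process runs as (needs elevation to resolve for other users' processes)
    $ownerInfo = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    $owner = if ($ownerInfo.ReturnValue -eq 0) { "$($ownerInfo.Domain)\$($ownerInfo.User)" } else { '<unknown>' }

    # Services hosted in this PID
    $hosted = @()
    $key = [string]$proc.ProcessId
    if ($servicesByPid -and $servicesByPid.ContainsKey($key)) {
        $hosted = @($servicesByPid[$key] | ForEach-Object { $_.Name })
    }
    # Per-user service instances carry a per-logon suffix, e.g. CDPUserSvc_1a2b3 (assumed pattern).
    # A user-context svchost that hosts only such services is the expected design, not an anomaly.
    $perUser = @($hosted | Where-Object { $_ -match '_[0-9a-f]{4,}$' })

    # Legitimate svchost.exe is always started by services.exe
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

    # Signature of the on-disk image (Windows binaries are catalog-signed; this cmdlet handles that)
    $sig = $null
    if ($proc.ExecutablePath) { $sig = Get-AuthenticodeSignature -FilePath $proc.ExecutablePath }
    $sigStatus = if ($sig) { [string]$sig.Status } else { 'n/a' }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    $flags = @()
    if (-not $proc.ExecutablePath -or $proc.ExecutablePath -ne $system32Svchost) { $flags += 'image-not-system32' }
    if ($sigStatus -ne 'Valid')                                          { $flags += 'signature-not-valid' }
    if ($signer -notmatch 'O=Microsoft Corporation')                     { $flags += 'signer-not-microsoft' }
    if (-not $parent -or $parent.Name -ne 'services.exe')                { $flags += 'parent-not-services.exe' }
    if ($hosted.Count -eq 0)                                             { $flags += 'hosts-no-service' }

    [pscustomobject]@{
        PID         = $proc.ProcessId
        Owner       = $owner
        Services    = ($hosted -join ', ')
        PerUserSvcs = $perUser.Count
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '<gone>' }
        Path        = $proc.ExecutablePath
        SigStatus   = $sigStatus
        Signer      = $signer
        Flags       = ($flags -join ' ')
        CommandLine = $proc.CommandLine
    }
}

# Overview, then full detail for anything flagged
$report | Sort-Object Owner, PID | Format-Table PID, Owner, Services, SigStatus, Flags -AutoSize
$report | Where-Object { $_.Flags } | Format-List
```

On a healthy system every row owned by a normal user account should hold only suffixed per-user services, a valid Microsoft signature, services.exe as parent and an empty Flags column; a row that fails any of those checks is the one to pull apart further. The script also answers the CaptureService question: the posted command line `-s CaptureService` means the service is hosted inside svchost.exe, so the image to verify is the svchost.exe path and signature the script prints, not a separate CaptureService.exe. Killing a running service process and watching the SCM start it again is normal service recovery behaviour and on its own distinguishes nothing; the provenance of the image and the identity of what it hosts are what the check above establishes.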
In this video, I will show you how to use Process Explorer to identify a malware infection.
