What are those doubled services with hex?

Bogo

Nov 24, 2014
https://imgur.com/a/8fkx1

I found it when I tried to check if there are any leftover services from deleted apps.
Does anyone know what those clones are and why they are running off svchost?

From what uncle Google told me, OneSyncSvc should run off APHostService.dll.
BTW, GMER loves false positives.

@EDIT: https://www.bleepingcomputer.com/forums/t/628386/gmer-detected-a-rootkit/ is the best of what I found - probably(?) not malware, but it's gone after a full format. WTF
 
Solution
I think it is the Windows app store and its automatic updates. You might go to
App Store -> Settings -> turn off automatic updates.

I think you might also be able to run an admin cmd.exe or PowerShell and stop this service via:
net.exe stop "user data access_session1"
You have to put the quotes around the service name because of the embedded spaces.
It will stop the service for the current boot only; good for testing to see if it is the problem.

GMER reporting this as a rootkit is most likely just a bogus flagging.
Well, I have 2 as well; I suspect it's normal.
This service synchronizes mail, contacts, calendar and various other user data. Mail and other applications dependent on this functionality will not work properly when this service is not running.

http://servicedefaults.com/10/onesyncsvc/

The second one may match your profile or something, as everyone's numbers are different.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OneSyncSvc, and there will be another OneSyncSvc_xxxxxx, which will be a random hex code, different on each server.

https://social.msdn.microsoft.com/Forums/Windows/en-US/1c4aa5e3-b16f-45b6-b689-14deffce6e8a/onesyncsvc278cba0-in-windows-server-2016?forum=servervirtualization
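Added example, not from any post in this thread: a PowerShell snippet (run from an admin prompt) that pairs each hex-suffixed service with its template under the Services key mentioned above, so a "clone" can be checked against its parent's ImagePath and ServiceDll instead of guessed at. The 0x40/0x80 Type bits are the per-user service markers Windows uses; the Parameters\ServiceDll location is the standard place svchost-hosted services keep their DLL.

```powershell
# Added example (not from the thread): list per-user service instances
# (name = template name + "_" + hex logon-session id) next to the DLL
# their template actually loads, so a doubled svchost entry can be
# compared with its parent rather than taken for a rootkit.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Per-user service templates carry bit 0x40 in Type; their per-session
# instances carry bit 0x80.
$UserService  = 0x40
$UserInstance = 0x80

$results = foreach ($key in Get-ChildItem $svcRoot) {
    # Instances look like OneSyncSvc_278cba0; anything else is skipped.
    if ($key.PSChildName -notmatch '^(?<base>.+)_(?<lsid>[0-9a-fA-F]+)$') { continue }
    $base         = $Matches.base
    $templatePath = Join-Path $svcRoot $base
    if (-not (Test-Path $templatePath)) { continue }   # no parent -> not a per-user clone

    $inst = Get-ItemProperty $key.PSPath
    $tmpl = Get-ItemProperty $templatePath
    # svchost-hosted services keep the real DLL in Parameters\ServiceDll.
    $dll = (Get-ItemProperty "$templatePath\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

    [pscustomobject]@{
        Instance          = $key.PSChildName
        Template          = $base
        TemplateIsUserSvc = [bool]($tmpl.Type -band $UserService)
        InstanceFlagged   = [bool]($inst.Type -band $UserInstance)
        ImagePath         = $tmpl.ImagePath
        ServiceDll        = $dll
        # An instance whose DLL is missing or not Microsoft-signed deserves a closer look.
        DllSigner         = if ($dll -and (Test-Path $dll)) {
                                (Get-AuthenticodeSignature $dll).SignerCertificate.Subject
                            } else { $null }
    }
}

$results | Format-Table -AutoSize
```

A legitimate clone shows both flag columns as True, a System32 ImagePath/ServiceDll, and a Microsoft signer; a hex-suffixed name with no template or an unsigned DLL is what would actually justify GMER's worry.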