Need help verifying these findings

I was replying on a phone

System errors:
=============
Error: (06/26/2020 05:12:54 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The nordvpn-service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Date: 2020-06-26 11:18:28.706
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume11\Program Files\ESET\ESET Security\eamsi.dll because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Samuria said:

I was replying on a phone

System errors:
=============
Error: (06/26/2020 05:12:54 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The nordvpn-service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Date: 2020-06-26 11:18:28.706
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume11\Program Files\ESET\ESET Security\eamsi.dll because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Hey. The nord vpn crashing is nothing. It does not happen all the time, that must been because i had blue-screen because of another issue, like overclocking not being stable etc. My vpn works perfectly. And also that ESET error, i have researched it a lot now and the ESET team says this "This error seems to be by design of ELAM and how protected services work. It has no effect of functionality whatsoever. We'll try to find a workaround that should completely or substantially reduce these errors." So there is no problem with it. It's a known "Bug".

So please if anyone can answer my question about those findings on these files in my pc that i have no answer for yet. Thank you

Virus/Hack 1: Automated Malware Analysis Executive Report for taskhostw.exe - Generated by Joe Sandbox

Virus/Hack 2: Automated Malware Analysis Executive Report for SecurityHealthSystray.exe - Generated by Joe Sandbox

The sandbox is referring to a timestamp it believes is suspicious. Timestamps for compiled executables are found in the PE (portable executable) header. This timestamp can then be used to determine the time the executable was compiled ie from source code into a fully functioning .exe.
Anti-debugging refers to methods malware uses to evade certain malware analysis techniques. Ultimately the aim is to prevent the malware from being reverse engineered and for the secrets of the malware to be discovered.

So what the report is saying is the software you are using assumes a file has the wrong 'label' and that it's trying to make it difficult to understand whats going on under the bonnet. And these assumptions are fairly watery because these behaviors are common and not necessarily indicative of malware. Modified timestamps don't necessarily mean you're dealing with malware. In Linux for example you can use commands to modify timestamps like creation, modified, last accessed information. Is this indicative of malware? No. Annoying perhaps if you're a tutor at college and your students are trying to make it look like they've done their homework. That being said what is the timestamp? Is it way off into the future? If so then you might be looking at something malicious as no serious dev worth their job would timestamp an executable decades into the future.

Lots of software developers try and make it hard for people to reverse engineer their products (anti-debugging being one example) and Microsoft is a good example of a company that has tried for years to stop people doing stuff with their software they don't want them doing. People reverse engineer their stuff all the time which is why pirated Windows software has it's own black market and has done for decades. All sorts of tactics and techniques have been brought into effect over the years in many different realms of the digital world to protect the rights of the creators. Anti-debugging just basically attempts to stop someone from prying into the bowels of whatever is running. Debugging a script for example allows you to see a script running just like it would appear in a text editor. What you see when you run it though is different as you see the result of what is contained within the script ie the result of commands being run, conditional statements, arguments passed etc. With debugging you can lift the lid and see the internals of the script as they are running. Obviously what is being assumed is far more complex but you get the point.

All that being said you could be looking at malware. To be honest the analysis you got back from the software you are using is fairly poor but I'm guessing it's a free/basic subscription? That will be why. With more information you could get more from the analysis even if it's just minor information.

supermammalego said:

The sandbox is referring to a timestamp it believes is suspicious. Timestamps for compiled executables are found in the PE (portable executable) header. This timestamp can then be used to determine the time the executable was compiled ie from source code into a fully functioning .exe.
Anti-debugging refers to methods malware uses to evade certain malware analysis techniques. Ultimately the aim is to prevent the malware from being reverse engineered and for the secrets of the malware to be discovered.

So what the report is saying is the software you are using assumes a file has the wrong 'label' and that it's trying to make it difficult to understand whats going on under the bonnet. And these assumptions are fairly watery because these behaviors are common and not necessarily indicative of malware. Modified timestamps don't necessarily mean you're dealing with malware. In Linux for example you can use commands to modify timestamps like creation, modified, last accessed information. Is this indicative of malware? No. Annoying perhaps if you're a tutor at college and your students are trying to make it look like they've done their homework. That being said what is the timestamp? Is it way off into the future? If so then you might be looking at something malicious as no serious dev worth their job would timestamp an executable decades into the future.

Lots of software developers try and make it hard for people to reverse engineer their products (anti-debugging being one example) and Microsoft is a good example of a company that has tried for years to stop people doing stuff with their software they don't want them doing. People reverse engineer their stuff all the time which is why pirated Windows software has it's own black market and has done for decades. All sorts of tactics and techniques have been brought into effect over the years in many different realms of the digital world to protect the rights of the creators. Anti-debugging just basically attempts to stop someone from prying into the bowels of whatever is running. Debugging a script for example allows you to see a script running just like it would appear in a text editor. What you see when you run it though is different as you see the result of what is contained within the script ie the result of commands being run, conditional statements, arguments passed etc. With debugging you can lift the lid and see the internals of the script as they are running. Obviously what is being assumed is far more complex but you get the point.

All that being said you could be looking at malware. To be honest the analysis you got back from the software you are using is fairly poor but I'm guessing it's a free/basic subscription? That will be why. With more information you could get more from the analysis even if it's just minor information.

Thank you so much for your deep reply!
I have some pics for you to check out in hope you get more information out of it.

Taskhost certificate and timestamp: Imgur: The magic of the Internet

Security health info from my pc: Imgur: The magic of the Internet

Security health more info: Imgur: The magic of the Internet

The certificate of taskhost is valid to 2020-05-02 only. So its old? Does this mean anything? if so what do i do about it? Thank you in advance!

- - - Updated - - -

Hi again. I have some more stuff that might be related if it's true i'm comprimized.

I found some changes in Local Security Policy, what i mean is that i found some of these rules not having the default rules applied, but that "someone" put them there in addition to the default values. And as it says its a security risk applying users not in default. I have one example to show you. My question is also, is this related to what might be the findings found on my files taskhost and security health? That is if some hacker uses those files to access my PC hence the additional user/group adds in secpol for his advantage?

Here is one of them: Imgur: The magic of the Internet

Here is additional info of the same rule, as you can see the default is Administrators : Imgur: The magic of the Internet



Keep in mind i have not made these additional adds in these rules

Edit: OK so it seems as if it could be ok or a must to leave that rule as is, but at the same time could be someone exploiting it to do a denial-of-service-condition?

What do you think? Imgur: The magic of the Internet

Hoping you could answer these questions. Thank you for your patience and help.

The processes you mention are normally safe system processes. But then again if you've already been compromised the chances are the malware has migrated to a process with the highest priveleges and potentially dropped more files to help it maintain persistence. The sandbox report said there was no dropped files which means if anything malicious has happened it hasn't attempted to touch the disk in a way that gets the ball rolling and any potential attack up and ready. This might be something the sandbox software you used hasn't picked up. And when you think about it like this the fact that known executables are being flagged as suspicious could be an indication of malware compromising these otherwise safe and critical parts of the operating system. Naturally the executable in the screenshot (if genuine) is a part of Windows Security and so it's safe. But if it's been compromised it may be being used as a front for the activity of malware while appearing like a genuine part of the operating system. This is a pretty common tactic in malware using the high level of trust we have in the running of our own computers and software that runs them to do bad things. Genuine parts get 'taken hostage' to then do bad things and all the while it appears like the activity of these parts is completely normal. Because why shouldn't we trust Windows Security when we know our operating systems are not the bad guys? This is what the sandbox report is pretty much saying. Things that are usually good and safe are acting out of character for system processes.

Can you download Autoruns and ProcessXP? These are great diagnostic tools and are available on the official Microsoft website. Autoruns will be able to populate a pretty comprehensive list of what is starting up on your computer at login, startup etc and any files responsible for these actions. I'd be looking at both services and registry entries. ProcessXP is a way better task manager than the one that comes with Windows and it shows much more information in regards to what is running on your computer. ProcessXP is the professional solution to the average home user solution that comes in the default Task Manager on Windows.

https://docs.microsoft.com/en-us/sys...ocess-explorer
https://docs.microsoft.com/en-us/sys...loads/autoruns

Look for taskhostw.exe and then screenshot the results. You'll likely see a process tree there with other child processes running under the parent. Anything that is running under the parent process is what you want to be looking at as this is where you'll find out if anything has migrated to this process. The same can done for the other process you mentioned. Ideally you want to screenshot everything that is running so that I can see whether theres anything suspicious running. This approach is a little like the same way you'd come at viewing HijackThis logs or any sort of logs that pertain to identifying suspicious activity at the core of the operating of a system.

The certificate you mentioned is also troubling as I've looked at taskhostw.exe on my computer and it's certificate expires at the end of the year. Microsoft would never risk letting certificates expire as these are the root of verifying the authenticity of everything that runs which Microsoft has developed and released. If a certificate expires the validity of whatever is in question reduces to pretty much 0. If Google's certificiate expired for their domain no-one could vouch for the authenticity of their entire product line and well, that's goodbye to Google Search, Gmail, YouTube etc. No signed verification means no trust. It could be Google you are getting or it could be Moogle or Froogle, some shady black market competitors looking to exploit the loophole in Google's missing authenticity process. You wouldn't throw away billions of dollars just so you could try and get away with not renewing critical security features like certificates.

Also try running an integrity check on system files.
Open Powershell w/ Admin priveleges and type in this command:

DISM.exe /Online /Cleanup-image /Restorehealth

What we are doing here is checking the integrity of your operating system installation. It will connect to Windows Update to then verify and if necessary download files which need repairing. This should in theory replace any corrupted/suspicious files that may have been replaced, such as the ones mentioned.

wow supermammalego, that was the best most honest reply I've got. Most while considered experts won't go so deep when i present the evidences. This is just something i know because I've tried it before but they won't go into details when i present them with what i found like you seen on joesandbox as an example and will just tell me nothing is wrong because FRST said so and wont comment on my additional findings. I've read about what you told me, that they can hide behind legit files I've read a lot of blogs about this that's why i need to deep dive into the findings when there is some and not rely fully on that 10 virus scanners won't detect possible well hidden virus. Because it seems like these "virus" i might have is doing just that, making it self undetectable.

Been deep diving and i found 1 more file that has the almost exact same warning, this file is rundll32.exe
Automated Malware Analysis Executive Report for filedata - Generated by Joe Sandbox

I used Dism a lot of times, but this findings still stands unfortunately. It doesn't seem to replace or fix them.

I took screenshots, but i did not find SecurityHealth in the list in processexplorer.

Here is pictures for Autoruns. Is it normal cmd has such old timestamp?

Autoruns 1: Imgur: The magic of the Internet

Autoruns 2: Imgur: The magic of the Internet

Autoruns 3: Imgur: The magic of the Internet

Autoruns 4: Imgur: The magic of the Internet

Autoruns 5: Imgur: The magic of the Internet

And here is screenshots of processexplorer of the files.

Rundll file info: Imgur: The magic of the Internet

Rundll 2: Imgur: The magic of the Internet

Rundll 3: Imgur: The magic of the Internet

Taskhost pid 3156: Imgur: The magic of the Internet (there are 2 taskhosts files running and have different info as you will see in the pictures).

Taskhost pid 3156 more info: https://imgur.com/a/ZmF4Jqa

The other Taskhost pid 8004: https://imgur.com/a/bpcese3

Taskhost pid 8004 more info: https://imgur.com/a/VlQxtNm

Both side by side with additional info: https://imgur.com/a/VlQxtNm

This one i accidentally screenshot because i thought securityhealth was this file by mistake when i read it, but i found it having very weird stuff going on with it if you can check it out quick. Whats up with all those groups? There are so many. Maybe its normal?

Pic 1: https://imgur.com/a/7f0F8np

Pic 2: https://imgur.com/a/ciaE2pM

More info: https://imgur.com/a/VlQxtNm

Information for s-1-15-3 but i don't understand so i let you see : https://imgur.com/a/jbChxP6

Lots of pictures, but i really appreciate the help! :)

I wouldn't say expert because to be an expert in understanding malware is the sort of path in life that most people will never traverse because simply put it's damn hard to understand. You're talking naturals who pick this sort of stuff up at a young age who by the age of 16 or maybe even younger had already developed a deeper understanding for how computers work. The guy at school who was the first to figure out a way to get past the content filtering, or the guy who hacked his teacher to get answers for homework, or something. By the time he's in his twenties he's working for companies (probably independent until offered the right salary) who are willing to pay heavy sums of money to protect their systems/networks. The sort of person who understands numerous programming languages, has several certifications and knows the lay of the land that 99% of the population will never even come close to understanding. So, expert? No. Not even close.

But I spent some time studying ethical hacking and this opened a lot of doors into how this stuff works. When you learn this stuff you're always learning lots of other different things as well. And when you learn how to break into things you also know how others do it too as there are no 'secrets' as such when it comes to hacking/malware. There are just different ways to do the same thing and while a threat is new it has a fresh and undetectable 'fingerprint' and so it can do what is already known really well, until of course, it is detected. But the playbook on hacking/malware/etc is vast and the people defending for threats know a lot about what threats are out there, it's just being able to detect them before they happen. And here we are with your issue.

I found something irregular in your sandbox screenshot. You're using an outdated version of Firefox? As well as an outdated Windows build as well? Maybe the timestamps are inaccurate because you're using a computer that hasn't been updated to the latest build? That would explain the outdated timestamps. Build 1803 was way back in 2018 if I'm not mistaken. What are you doing using Windows that is almost 2 years off the latest build? Moreover I hope you're not using an out-dated version of Firefox as well. I'm guessing you are. This is really bad practice and it's actually pretty dangerous in the context of now being open to the vulnerabilities of this particular version. This is why we update software. When we update it the source code of whatever we are using along with everything else that comes for the ride is updated too and this often includes security fixes ie serious security flaws in the code of the software we are updating. You are leaving yourself wide open.

Update to the latest build and then come back. If you still have issues then we know we're looking at something potentially suspicious. Until then it's likely sandbox reports are firing back as suspicious because there is a discrepency in time between your computer and the algorithms used for the sandbox software. It might not factor in outdated software. This could actually be something you could flag up with the developers of this software, if the issues do not arise when you update, as it's a feature that would need revising to accomodate for older builds.

Here someone tells us this about those several s-1-15-3-1024. This is a clean install of windows on a brand new ssd. I have only created 1 account ever since. Can this be an indication some hacker is creating temp users because he hacked my pc? Imgur: The magic of the Internet

- - - Updated - - -

supermammalego said:

I wouldn't say expert because to be an expert in understanding malware is the sort of path in life that most people will never traverse because simply put it's damn hard to understand. You're talking naturals who pick this sort of stuff up at a young age who by the age of 16 or maybe even younger had already developed a deeper understanding for how computers work. The guy at school who was the first to figure out a way to get past the content filtering, or the guy who hacked his teacher to get answers for homework, or something. By the time he's in his twenties he's working for companies (probably independent until offered the right salary) who are willing to pay heavy sums of money to protect their systems/networks. The sort of person who understands numerous programming languages, has several certifications and knows the lay of the land that 99% of the population will never even come close to understanding. So, expert? No. Not even close.

But I spent some time studying ethical hacking and this opened a lot of doors into how this stuff works. When you learn this stuff you're always learning lots of other different things as well. And when you learn how to break into things you also know how others do it too as there are no 'secrets' as such when it comes to hacking/malware. There are just different ways to do the same thing and while a threat is new it has a fresh and undetectable 'fingerprint' and so it can do what is already known really well, until of course, it is detected. But the playbook on hacking/malware/etc is vast and the people defending for threats know a lot about what threats are out there, it's just being able to detect them before they happen. And here we are with your issue.

I found something irregular in your sandbox screenshot. You're using an outdated version of Firefox? As well as an outdated Windows build as well? Maybe the timestamps are inaccurate because you're using a computer that hasn't been updated to the latest build? That would explain the outdated timestamps. Build 1803 was way back in 2018 if I'm not mistaken. What are you doing using Windows that is almost 2 years off the latest build? Moreover I hope you're not using an out-dated version of Firefox as well. I'm guessing you are. This is really bad practice and it's actually pretty dangerous in the context of now being open to the vulnerabilities of this particular version. This is why we update software. When we update it the source code of whatever we are using along with everything else that comes for the ride is updated too and this often includes security fixes ie serious security flaws in the code of the software we are updating. You are leaving yourself wide open.

Update to the latest build and then come back. If you still have issues then we know we're looking at something potentially suspicious. Until then it's likely sandbox reports are firing back as suspicious because there is a discrepency in time between your computer and the algorithms used for the sandbox software. It might not factor in outdated software. This could actually be something you could flag up with the developers of this software, if the issues do not arise when you update, as it's a feature that would need revising to accomodate for older builds.

No!! Really?!? How is that possible? This is really not good.. I installed windows fresh from iso from Microsoft own legit site, made a bootable usb and installed and installed updates all the time for it since. But just after the new release of windows came out i stopped auto updates just because i don't want that version before 1 month or more goes by just in case there is something negative with the update, as you know sometimes the updates can delete your user account or something bad like that, so i wanted to wait. But this is not long ago, its very recent, so my windows should not be as old as 2018, that don't make any sense at all, something is really wrong here. How come my firefox is not up to date when it says it is? So they even managed to fake my firefox updates... Here is a pic : Imgur: The magic of the Internet

Could a rootkit be installed on a HDD in a way that it hides itself and then when you install windows regardless if you have a new HDD, it takes over your legit fresh windows install that you downloaded and installed trough windows own site, and replaces the system files and more, with its own hacked/altered version? So you think you installed a new fresh uncompromised windows but little did i know the rootkit replaced the whole installation during installation and put its own files with it..

I think i read somewhere that its possible, that the rootkit is encrypted in a hidden partition so nothing finds it or can access. Maybe cause its on some of my other non-OS HDD so when i use an newly bought HDD it still infects the pc? But just in case i installed windows with only my new SSD in it so that it would not corrupt my install with the rootkit from other HDD. But still maybe it's in my motherboard bios? I tried downgrading the bios and then re-flashing it from the internet through the bios, and it worked, so it seems weird if that would not remove any possible rootkit in it?

But at the same time maybe it got reinfected, maybe my usb got infected that i used to install windows with, even if i wiped the usb, that somehow it survived. This is really frustrating, because i have reinstalled windows so many times already and i did it fresh. So really don't believe that would help, cause it has not helped yet. Ive had this issue more than 8 months now all in all after reinstall after reinstall of windows. If its true somethings wrong then its something deep like some kind of rootkit in play, or what do you think?

Oh wait a minute! I got so shocked about what you said about my windows being so old, so i just had to check winver again and you can see i´m on 1909! How come you saw that i use older version? What if the hacker has changed the winver and somehow replaced it with an counterfeit one that shows a new version when i really have a 2018 version of windows update? Is that possible? Because you said you see i´m on 1803, maybe that's the real version and winver is showing a fake version that im on 1909? But i made updates since install and i got successful updates just before this new update (Windows 10 2004 update) that i skipped just for now, and this is like not long ago it came out at all. Is it 2 months now?

Picture: Imgur: The magic of the Internet

It could be analysis of the first upload of this particular file. You do find that websites like the one you are using revert back to prior reports instead of creating a new one each and every time the same file is analysed.

About the timestamps...
The Windows Security process is saying the year 1929 as a timestamp. The process above it is saying 1942. Wagnardsoft is showing as 1942.
Try disabling the Windows Security processes first in the same Task Scheduler section you made your screenshot. It's odd that the executables are not signed. Did you look at the logon section as well? Screenshot this section as this will show what is starting up on logon.

VIDC.RTV1 also seems like it has way outdated timestamps but I'm guessing this has something to do with MSI Afterburner and so can be expected as many parts of software may not be fresh and in fact have remained since versions way back before the current one. You are using an MSI machine, right? I'm thinking it may have something to do with your update to 2004. Malware analysis wouldn't return such a low analysis score for something that was doing malicious activity. All that was detected according to the sandbox report was the off timestamps.

Well i have just only now thrown those files into virustotal where i found the joesandbox findings. VIDC.RTV1 yeah its related to Afterburner. And my motherboard is ROG maximus hero ix from asus. "I'm thinking it may have something to do with your update to 2004" do you mean as if i updated to 2004? Because i have not done that yet, updating to 2004 i mean, because i wanted to wait a little before i do that. But before 2004 update came in around "28 may?" i had updates enabled that was successful.

Here is the logon section in Autoruns, is that what you meant? Imgur: The magic of the Internet

"Try disabling the Windows Security processes first in the same Task Scheduler section you made your screenshot"
Do you mean these ones? (marked in red) Imgur: The magic of the Internet

Or is it somewhere in Processexplorer you meant?

I appreciate your help, thank you again.

- - - Updated - - -

I just found this edits when i did a scan with ccleaner, never seen it before. Can this be some kind of indication of something fishy going on?

Pic: Imgur: The magic of the Internet

I have disabled internet explorer 11 in "Turn windows futures on or off" Maybe that has something to do with it? But i never seen those reg edits before when i scanned with ccleaner after i disabled internet explorer 11 though.

- - - Updated - - -

I found even more. As you seen on Autoruns the CMD has a very old timestamp from 1914-12-28. So i threw it into virustotal and got joesandbox warning me again, this one is even a little worse i think. The weird thing is that joesandbox shows the file as being Utilman.exe Automated Malware Analysis Executive Report for Utilman.exe - Generated by Joe Sandbox

So the cmd we see in autoruns is somehow related to Utilman.exe or the cmd we see is Utilman.exe hiding as cmd.

"Bypassing the Windows logon comes in handy if our clients have forgotten their logon password, their user profiles were corrupted or malware was interfering with the system before login.

This works because the user can trigger Utilman by pressing Windows Key + U before Windows logon. This will load up the Utilman.exe executable which resides in the Windows\System32 directory. If you swap the Utilman.exe file with something else like cmd.exe, you have access to the command prompt running SYSTEM privileges. SYSTEM is an account with the highest possible privileges on Windows which similar to the root account on Unix systems."

As you can see it´s referring to the exact same file but telling us that it really is Utilman not cmd. Or am i wrong?

Picture: Imgur: The magic of the Internet

Pic 2: Imgur: The magic of the Internet