#21
It's probably nothing serious. The reports return very little. I'm guessing the VT scans also returned the same. It's very unlikely you've come across a new strain of malware (which has remained undetected) unless you have been a target of a sophisticated attack using malware that at current has been undetected in the wild. And an attacker wouldn't waste their new weapons on a target they had very little confidence in returning the outcome they were seeking. So it's likely if it was malware it would be detected as such. The activity suggested by the reports would indicate that if it is anything suspicious it's likely not dangerous malware but something that likely came bundled with software you installed. The behavior seems pretty generic to me. It could be that you are using a pirated version of Windows and therefore certain files are not matching their genuine counterparts and that Windows has been deliberately prevented from running checks that would replace them. This would render tools like DISM obsolete if the system has been patched in some way to prevent this. If you are using a genuine copy then I'm confused as to why this would be happening considering it's trivial but in the grand scheme of things potentially leaves your system open to being exploited due to these executables not being signed and therefore not forming the highest level of implied trust required for security standards to be adhered to.
Something has likely been patched. This is likely through user actions. This has resulted in a modified system configuration in some way reflecting the changes to Windows Security. Something may have been installed that while suspicious may not be malicious but which may have changed the system in some way. It is likely not malware in this instance.
What you can do. You could carry on as it's likely not a major issue. I would be checking firewall logs for any irregular activity. Tools like Glasswire are invaluable in this regard as they show real-time network activity. Programs you don't often use, or at all in fact, that are reporting high activity on the network are what you want to be looking for. Continued high activity while you are doing very little and only observing will also leave no doubt something is running in the background that perhaps you want to look at. Seeing as you are not using Windows Security as you have ESET you can actually disable Windows Security and this should then prevent any of its features from running. You can download standalone firewall solutions to replace the built-in firewall and so you can also disable this leaving little excuse for these features to be running after the fact.
There is a topic started by another member where I posted the registry entries to comprehensively disable Windows Security. If the executable still remains then this is when you may be looking at malware as it should then have been disabled and removed from its roles in all areas. At this point you could boot into safe mode and locate the executables in question and remove them manually. If they appear again after removing them and even while Windows Security has been disabled completely you could say with a high degree of confidence something is not right.
Another solution would be to do a fresh install on a completely wiped and sanitized drive and use a genuine Windows setup medium. No genuine setup medium would contain system files which are not consistent with signed counterparts that are available throughout many examples of other Windows installations. My installation for example has signed versions of these files.
It's likely nothing serious though.
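The two checks the post recommends, the signature status of the Windows Security binaries and which processes are actually talking on the network, as an added PowerShell example that is not part of the original post. It assumes Windows 10/11 with PowerShell 5.1 or later run from an elevated prompt; the audited directory list is an assumption and can be extended with whatever executables your reports flagged.

```powershell
# Added example, not code from the original post. Assumes Windows 10/11,
# PowerShell 5.1+, elevated prompt. $auditDirs is an assumption; extend it
# with the paths of the executables your scan reports named.

# 1. Authenticode check: list binaries whose signature is missing or broken.
#    A genuine Windows install should report 'Valid' for all of these.
function Get-UnsignedBinary {
    param([string[]]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status,
            @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
}

# 2. Network check (the Glasswire-style view without a third-party tool):
#    map established TCP connections to the owning process and verify that
#    process image's signature as well, so an unsigned chatty binary stands out.
function Get-ConnectedProcess {
    Get-NetTCPConnection -State Established |
        Group-Object -Property OwningProcess |
        ForEach-Object {
            $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
            $sig  = if ($proc -and $proc.Path) {
                        (Get-AuthenticodeSignature -FilePath $proc.Path).Status
                    } else { 'Unknown' }
            [pscustomobject]@{
                Pid         = [int]$_.Name
                Name        = $proc.ProcessName
                Path        = $proc.Path
                Connections = $_.Count
                Signature   = $sig
                Remotes     = ($_.Group.RemoteAddress | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Connections -Descending
}

# Directories to audit (assumed list; the built-in Defender folder is a standard path).
$auditDirs = @("$env:ProgramFiles\Windows Defender")

Write-Host "== Binaries without a valid Authenticode signature =="
Get-UnsignedBinary -Path $auditDirs | Format-Table -AutoSize

Write-Host "== Processes holding established TCP connections =="
Get-ConnectedProcess | Format-Table -AutoSize
```

Run it once while idle, as the post suggests, and again after normal use: a process you never launched that keeps connections open and shows anything other than 'Valid' in the Signature column is the one to look at first.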