Need help verifying these findings


  1. Posts : 103
    Windows 10 Pro x64
       #1

    Need help verifying these findings


    Hi there. I get a Taskhostw.exe unknown error when I log into my PC.

    And this is what I found in VirusTotal and HitmanPro. There seems to be something fishy with Taskhostw.exe and SecurityHealthSystray.exe.

    Here are pictures of the findings.
    Pic1 Hitman found this: Imgur: The magic of the Internet

    Pic2: Imgur: The magic of the Internet

    I can choose ignore or replace file in Hitman for the file SecurityHealthSystray.exe. But replace won't work; it does nothing, no report whatsoever. It just says it's searching for a replacement file, but nothing happens. Here is info from VirusTotal; clicking "Show signature information" gives more info, but I'm not an expert, so I don't know what it means. But I know by what it is telling me that it's something to "maybe" worry about.

    SecurityHealthSystray.exe Automated Malware Analysis Executive Report for SecurityHealthSystray.exe - Generated by Joe Sandbox

    Taskhostw.exe Automated Malware Analysis Executive Report for taskhostw.exe - Generated by Joe Sandbox

    My Windows version is 1909 18363.836, Windows 10 Pro x64.

    Thank you guys!
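    One way to check for yourself what the "signature information" tab is reporting, rather than relying on a sandbox verdict: confirm that the two flagged files are the Microsoft-signed binaries shipped with Windows, record their SHA-256 so it can be compared with the VirusTotal report, and flag any same-named process running from somewhere other than System32 (which is the real indicator of a masquerading file). This is an added example script, not something posted in the thread or part of HitmanPro or VirusTotal; it assumes the standard Windows 10 locations under System32.

```powershell
# Added example (not from the thread): verify the two files HitmanPro/VirusTotal
# flagged against their expected Microsoft-signed originals in System32, and
# look for same-named processes running from an unexpected path.
# Paths assume a default Windows 10 install; adjust if yours differs.
$names = 'SecurityHealthSystray.exe', 'taskhostw.exe'

foreach ($name in $names) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }

    # Get-AuthenticodeSignature also honours catalog signatures on Windows 8+,
    # which is how most inbox system binaries are signed.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $ver  = (Get-Item $path).VersionInfo

    [pscustomobject]@{
        File      = $path
        SigStatus = $sig.Status                       # expect 'Valid'
        Signer    = $sig.SignerCertificate.Subject    # expect a Microsoft subject
        Company   = $ver.CompanyName
        Version   = $ver.FileVersion
        SHA256    = $hash                             # compare with the VirusTotal report
    }

    # A process with this name loaded from anywhere other than System32 is what to investigate.
    $procName = [IO.Path]::GetFileNameWithoutExtension($name)
    Get-Process -Name $procName -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -ne $path } |
        ForEach-Object {
            Write-Warning ("{0} (PID {1}) is running from an unexpected path: {2}" -f $_.Name, $_.Id, $_.Path)
        }
}
```

    Run it from an elevated PowerShell. If the signature status is Valid, the signer is Microsoft and the SHA-256 matches the VirusTotal report for the genuine file, the file itself is what Windows ships; a sandbox report on a stock system binary describes what that binary normally does (scheduling tasks, showing the Security Center tray icon), not an infection. If you want Windows to do the comparison for you, `sfc /verifyonly` checks every protected system file against the component store without changing anything.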


  2. Posts : 6,916
    windows 10
       #2

    Welcome to the forum. The best option would be to remove Hitman, then scan your PC with another AV, possibly with a cloud-based system so it's not compromised by anything on the PC.

    Download the correct bit version of this: Download Farbar Recovery Scan Tool, then post both reports so we can see what's going on.


  3. Posts : 103
    Windows 10 Pro x64
    Thread Starter
       #3

    Thanks for the reply! I have already scanned with Malwarebytes and Panda Cloud. Hitman uploads files through the cloud, as I saw; it said it was uploading files to the cloud. I also scanned with Zemana. But only Hitman found that SecurityHealthSystray.exe file to be suspicious. What do you think about the Joe Sandbox cloud findings about the 2 files?

    I have disabled Group Policy for security reasons; my PC is not connected to anyone, and I made all my efforts to disable all remote access stuff and shares. But I don't know if that's the reason the FRST log warns about Group Policy; maybe it's not because I disabled it?
    Attached the FRSTx64 scans :)
    Attached Files


  4. Posts : 103
    Windows 10 Pro x64
    Thread Starter
       #4

    Hi again. I got a firewall block from ESET. It said that Steam.exe tried using port 5000 and the remote address was 127.0.0.1.

    Steam doesn't use that port, as I have googled the ports used by Steam, and I never got that kind of block before; it blocked it over 8000 times in just seconds! I googled "Steam port 5000" and I get nothing! Nothing whatsoever about that port and Steam. Please look at what they say about that port; it rings all kinds of warning bells:

    Port 5000 (tcp/udp) :: SpeedGuide

    This does not look good at all. I already disabled the UPnP service in services.msc a long time ago. It seems like someone or something in my PC uses the steam.exe file as a backdoor to get in with that port 5000, and also maybe by 127.0.0.1?
    I would be really grateful if you guys would help me find out what this is, so I can fight back at a possible RAT/backdoor or well-hidden malware/virus.

    Glad to be a part of this site! Thanks in advance! <3


  5. Posts : 1,604
    Win 10 home 20H2 19042.1110
       #5


  6. Posts : 6,916
    windows 10
       #6

    Looking at the scans, the system is a mess. You have lots of VPN and security software; a lot of these conflict with each other, and EST and VPN are showing errors, making them useless. You have 1,000s of entries in the hosts file and firewall rules, which can slow the PC to a crawl and cause more problems than they solve. Setting the DNS to 1.1.1.2 and 1.0.0.2 will block malware and problems with no load.
    Port 127.0.0.1 is a local port. What people don't understand is that anything running locally can open ports, and any port can be used for anything.
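    The point made in #6, that 127.0.0.1 is the machine talking to itself and any local program can open a port, can be checked directly instead of guessed at from the firewall log in #4. The added script below (mine, not from the thread or from ESET) maps loopback TCP activity on a given port to the process on each end, so an alert like "steam.exe -> 127.0.0.1:5000" resolves to whatever is actually listening on 5000 on this PC. Port 5000 is taken from the thread; the port number and the `Get-ProcessInfo` helper name are the only assumptions.

```powershell
# Added example (not from the thread): identify the processes on both ends of
# loopback TCP traffic on a port. Run from an elevated PowerShell on Windows 10.
param([int]$Port = 5000)

function Get-ProcessInfo([int]$ProcessId) {
    # Describe a process by name, PID, image path and whether the image is signed.
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $p) { return "PID $ProcessId (exited)" }
    $sig = if ($p.Path) { (Get-AuthenticodeSignature -FilePath $p.Path).Status } else { 'n/a' }
    return "{0} (PID {1}) {2} [signature: {3}]" -f $p.Name, $p.Id, $p.Path, $sig
}

# 1. Who is listening on the port, on any local address?
$listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
if (-not $listeners) {
    "Nothing is listening on TCP $Port right now; repeated blocked attempts to it would simply be refused."
} else {
    foreach ($l in $listeners) {
        "LISTEN {0}:{1}  owner: {2}" -f $l.LocalAddress, $l.LocalPort, (Get-ProcessInfo $l.OwningProcess)
    }
}

# 2. Any established or half-open connections that touch that port over loopback?
$loopback = '127.0.0.1', '::1'
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.LocalPort -eq $Port -or $_.RemotePort -eq $Port) -and
        ($_.LocalAddress -in $loopback -or $_.RemoteAddress -in $loopback)
    } |
    ForEach-Object {
        "{0} {1}:{2} -> {3}:{4}  owner: {5}" -f $_.State, $_.LocalAddress, $_.LocalPort,
            $_.RemoteAddress, $_.RemotePort, (Get-ProcessInfo $_.OwningProcess)
    }
```

    Save it as a .ps1 and run it while the blocks are happening (a firewall log entry for a connection that has since closed will not appear in the second list). The listener is the part that matters: a loopback connection from steam.exe to 127.0.0.1:5000 can only succeed if some process on the same machine has bound port 5000, and the listener's image path and signature status tell you whether that is a normal local service or something worth pulling into the FRST logs. For UDP, `Get-NetUDPEndpoint -LocalPort $Port` gives the equivalent owning-process view, and `netstat -abno` shows the same mapping without PowerShell.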


  7. Posts : 103
    Windows 10 Pro x64
    Thread Starter
       #7

    Hey, thanks for the help. But I have already seen that, and none of those programs find it; only HitmanPro finds SecurityHealthSystray.exe to be suspicious. And those analyses you saw on Joe Sandbox Cloud.

    - - - Updated - - -

    Samuria said:
    Looking at the scans, the system is a mess. You have lots of VPN and security software; a lot of these conflict with each other, and EST and VPN are showing errors, making them useless. You have 1,000s of entries in the hosts file and firewall rules, which can slow the PC to a crawl and cause more problems than they solve. Setting the DNS to 1.1.1.2 and 1.0.0.2 will block malware and problems with no load.
    Port 127.0.0.1 is a local port. What people don't understand is that anything running locally can open ports, and any port can be used for anything.
    Thank you for the reply Samuria, but I have completely disabled Windows Firewall because ESET alone has control. So those blocks are not even in use. And I only have 1 antivirus active, and that is ESET. What do you mean by EST? "conflict with each other and EST and VPN" I also only have 1 VPN; why do you say many VPNs? I have no issue with hosts blocks making my internet or PC slower; it's very fast. Is it not good to block sites with the hosts file?

    You have no idea why steam.exe tried connecting to me ("incoming connection") on port 5000 when that port is not even used by Steam? I think it was a DDoS attack, because it tried over 8 thousand times in just a couple of seconds; was that because they tried breaking my ESET firewall by DDoSing it?

    Thank you for any reply

    - - - Updated - - -

    Forgot to say that I already use custom DNS, and I have no DNS leak; I have run tests of whether my VPN works, and it does, and it does not leak. So I have no problems there.

    Cheers


  8. Posts : 6,916
    windows 10
       #8

    The DNS is new; it blocks malware and bad sites, making the hosts file not needed. If you look at the Addition file, EST is corrupted, as is NordVPN. The problem with hosts and blocking bad sites via firewall is that it's static and can change daily; the DNS is dynamic, so it's bang up to date.


  9. Posts : 103
    Windows 10 Pro x64
    Thread Starter
       #9

    Samuria said:
    The DNS is new; it blocks malware and bad sites, making the hosts file not needed. If you look at the Addition file, EST is corrupted, as is NordVPN. The problem with hosts and blocking bad sites via firewall is that it's static and can change daily; the DNS is dynamic, so it's bang up to date.
    Hello again Samuria. Can you please tell me what EST is? Or what it means, so I can see what I can do about it. I did not find anything named "EST" in the Addition log; is EST short for something? What does it stand for?

    Thank you


  10. Posts : 1,867
    Windows 10 Pro 2004 20H1
       #10

    Eset