malicious? "Host process for windows tasks" in notification area icons

Keyes said:

I have 4 taskhost.exe files.

1 in system32, and 3 in winsxs, which I believe are all legit. As I said, mbam detects no bad network activity and the scans are clean.

That's how it should be. Nothing to worry about then. About the only other thing I might be able to suggest is to run ProcessExplorer. (Right click the executable) and choose "Run as adminstrator"

See the tutorial here:

Process Explorer + VirusTotal (to check all processes with 50+ AV's)

Once you've got it set up to scan processes with VirusTotal take a look at the processes running as .dll's under taskhost.exe

Change View to "Show Lower Pane" and change "Lower Pane View" to "Show DLL's"

Highlight taskhost.exe in the list of running processes and check the VirusTotal scores for the listed DLL's.

If the icon reappears any time soon post again and there's another tool that can check all executables that were run or created during the last 30 days.

What you want to see is a list of DLL's shown in the lower pane being scanned by VirusTotal when you highlight taskhost.exe. It's just as well to check the rest of the running processes.

I have a very vague memory that I might have seen your problem notification area entry on my own machine once before after Windows installed updates. I'm not 100% sure though!

Keyes said:

I did have a new .net framework update. Was it a recent one, or many updates ago this memory comes from?


Just tried out virustotal, and just one program had 1/57 - iusb3mon.exe. its a signed file, and seems to be labled as a generic w32 hfs.adware 2048 by Bkav. Must be a false positive. (Running intel chip, file has existed for years.)


Im not sure if I understand how to get virsutotal to scan .dlls though.

1/57 detection sure does look like a false positive.

If you click the "View" tab in the Process Explorer toolbar then select "Show Lower Pane" then under the "View" tab the next entry is "Lower Pane View" - set that to "Show DLL's" then highlight taskhost.exe in te process list.

It probably won't show any detections but it's best to check.

Re: Windows updates. It was ages ago that's why my memory isn't clear. I just thought that I'd mention it!

The other thing is that I have a habit of regularly reseting notification area icons and clearing icon cache anyway!

Keyes said:

Currently have the .dll lower pane tab set, it also shows .exes and .mui, .db, .nls, etc, but mainly .dlls. Only file with a detection is the iusbmon, which is a false poaitiv3. Spent 10-15 mins or looking at each process, and all related dlls and files above were clean.

How does it sound?

It sounds okay to me. Just post again if that notification area entry ever reappears. As far as malware and stuff goes - it's only a big problem if it's sending your data to a server somewhere or asking you for money to fix something. If there's no malicious ip address connections detected and no dodgy running processes then I wouldn't worry about it!

I always use the batch file that can be downloaded from Brink's tutorial:

Notification Area Icons - Reset

I'm not sure what the best method is but the batch file works.