malicious? "Host process for windows tasks" in notification area icons

Keyes


When I view my notification area icons, I see an entry for "host process for windows tasks". I believe it is related to either rundll32 or task host, both of which are in their legitimate folders.

Is there any reason why this would be here? It is set to show only notifications. What notifications would taskhost make?
 

My Computer My Computer

Computer type
PC/Desktop
OS
Windows 7 Home Premium 64 bit

I understand taskhost is a legitimate file, but what causes it to appear in the notification area icons? Currently I don't see an icon, but I see it under the customise button in the image I posted.
 

So does anyone have any idea? I really need help with this.
 

Reset notification area?

So does anyone have any idea? I really need help with this.

It will probably disappear if you reset the notification area. It's probably an old item if you don't see the active icon in your system tray.

What I usually do is kill Explorer using task manager then File > New Task > Run

type ie4uinit.exe -ClearIconCache and press enter.

File > New Task > Run

type explorer.exe then press enter

Exit Task Manager

Right click a blank part of your Desktop and choose "Refresh"

That rebuilds the icon cache (it's the best and most reliable method for me)

Following that I proceed to run the batch file in Brink's tutorial to reset the notification area:

http://www.sevenforums.com/tutorials/13102-notification-area-icons-reset.html

Then after the reboot re-customise by right clicking Start > Properties > Taskbar > "Notification Area > Customize"

In theory you won't see "Host process for windows tasks" in the list.

Edit: Reading your post on another forum it would appear that you reset the notification area already. Are you saying that it still shows up? And if so have you plugged in any external devices?
 

My Computer My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
ASUS
OS
Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
CPU
AMD C-60 APU with Radeon(tm) HD Graphics
Motherboard
ASUSTeK COMPUTER INC. X501U
Memory
4.00 GB
Graphics Card(s)
AMD Radeon HD 6290 Graphics
Sound Card
(1) AMD High Definition Audio Device (2) Realtek High Defi
Screen Resolution
1366 x 768 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
Hitachi HTS545050A7E380 SATA Disk Device
Antivirus
Comodo CIS & FW, SecureAplus App Whitelisting, Threatfire
Browser
Cyberfox 64bit, Opera 64bit, Airfox
Other Info
Spy-The-Spy, HitmanPro.Alert, Norton Connect Safe, MJRegWatcher, BitDefender TrafficLight, Voodoo Shield, Zemana AntiMalware
Yes, I deleted two registry keys.


HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify


IconStreams and PastIconsStream, and reset explorer via task manager.


It's gone, but I want to find the origin. I did a system restore so I could get it back to investigate. Is it malicious? I don't see why host process for windows tasks would be there. I have my headphones, keyboard, mouse and installed a new GPU a few weeks ago.
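
An added example, not part of the thread: before the IconStreams value under TrayNotify is deleted, its records can be listed to see which executables registered notification area entries. The parser assumes the Windows 7 layout from public reverse-engineering notes (20-byte header, 1640-byte records, path stored as ROT13-encoded UTF-16LE in the first 528 bytes); that layout, the function names and the sample blob are assumptions, not details from the posts.

```python
import codecs

TRAYNOTIFY = (r"Software\Classes\Local Settings\Software\Microsoft"
              r"\Windows\CurrentVersion\TrayNotify")
# Assumed Windows 7 layout (not stated in the thread; verify on your own data).
HEADER_LEN, RECORD_LEN, PATH_LEN = 20, 1640, 528

def tray_paths(blob):
    """List the executable path stored in each IconStreams record."""
    paths = []
    # A trailing partial record is skipped rather than misread.
    for off in range(HEADER_LEN, len(blob) - RECORD_LEN + 1, RECORD_LEN):
        text = blob[off:off + PATH_LEN].decode("utf-16-le", errors="replace")
        # The path is NUL-padded and ROT13-obfuscated (letters only).
        paths.append(codecs.decode(text.split("\x00", 1)[0], "rot_13"))
    return paths

def read_iconstreams():
    """Read the live value for the current user (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, TRAYNOTIFY) as key:
        return winreg.QueryValueEx(key, "IconStreams")[0]

def make_record(path):
    """Build one constructed record so the parser can be exercised offline."""
    raw = codecs.encode(path, "rot_13").encode("utf-16-le")
    return raw.ljust(RECORD_LEN, b"\x00")

# Constructed sample blob: header, two records and a truncated tail.
SAMPLE = (bytes(HEADER_LEN)
          + make_record(r"C:\Windows\System32\taskhost.exe")
          + make_record(r"C:\Program Files\Example\tray.exe")
          + b"\x00" * 100)

if __name__ == "__main__":
    for p in tray_paths(SAMPLE):
        print(p)
```

On a live system, `tray_paths(read_iconstreams())` gives the list to compare against the entry shown in the Customize dialog.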
 

taskhost.exe

Well this is a tough one. Apparently it can relate to plugging external drives into USB 3 ports - at least according to a little research but yes it can also be malware related. The best information that I can find suggests searching your windows partition for "taskhost.exe"

It should show up in "C:\Windows\System32\taskhost.exe" - that's normal.

If it shows up in:

%Windir% - copy and paste into explorer address bar. If it shows up here then it's suspect.

As for tracking down possible malware I'm pretty confident with my own machine but not so confident providing advice to others. Personally I'd keep an eye on connections and look for anything dodgy.

This utility does that:

CrowdInspect

If you choose "Run as Admin" when running the executable then toggle "Show full path" and "Live/ History" and see if anything suspicious shows up. If it does - ask about it in the System Security section.

Alternatively you can leave this running overnight:

ThreatCheck

There's more info on both utilities here and they can both pick up suspicious activity that your AV might miss. Note: suspicious does not always mean malicious.

http://www.sevenforums.com/software/348608-threatcheck-released.html

Note: If using ThreatCheck - use a disposable email address if you wish to avoid marketing emails from the company. They don't flood you with emails but you can expect one or two!

If anything suspicious shows up - again the advice is to post it in the System Security section.
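
An added example, not part of the thread: the location check from the post above, applied to a list of full paths such as the output of `dir /s /b taskhost.exe`. It treats System32 and the WinSxS component store as expected and everything else, including %Windir% itself, as suspect; the default `C:\Windows` root, the function names and the sample listing are assumptions made for the example.

```python
import ntpath

WINDIR = r"C:\Windows"  # assumption: default %WinDir%; adjust for your system

def classify(path, windir=WINDIR):
    """Return 'expected', 'suspect' or 'other' for one full path."""
    # normpath collapses ".." and "/" so a path cannot merely look right;
    # normcase lowercases, because Windows paths are case-insensitive.
    norm = ntpath.normcase(ntpath.normpath(path.strip().strip('"')))
    root = ntpath.normcase(ntpath.normpath(windir))
    folder, name = ntpath.split(norm)
    if name != "taskhost.exe":
        return "other"
    if folder == ntpath.join(root, "system32"):
        return "expected"
    # WinSxS (the component store) holds each copy in its own subfolder.
    if ntpath.dirname(folder) == ntpath.join(root, "winsxs"):
        return "expected"
    # Everything else, including %WinDir% itself, needs a closer look.
    return "suspect"

def triage(listing):
    """Classify every non-empty line of a `dir /s /b taskhost.exe` listing."""
    return {line.strip(): classify(line)
            for line in listing.splitlines() if line.strip()}

# Constructed sample listing (not from the thread).
SAMPLE = r"""
C:\Windows\System32\taskhost.exe
C:\Windows\winsxs\amd64_constructed-example-folder\taskhost.exe
C:\Windows\taskhost.exe
C:/WINDOWS/system32/../taskhost.exe
C:\Users\me\AppData\Roaming\Windows\System32\taskhost.exe
"""

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{verdict:9} {path}")
```

A copy in an expected folder is not proof that the file is genuine; it only narrows down which files still need a signature or hash check.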
 
Well actually I have been connecting and reconnecting various devices into my USB 3.0 ports lately, and only began to use them in the last week. I keep my system secure, in fact I rarely use an internet browser other than YouTube, and when it comes to downloading, I usually just get Sysinternals tools, like Autoruns and TCPView. I don't see anything lately that I have done that would cause a malicious action, but it seems odd.


I can give a go at messing around with usb 3.0 ports and see if it makes the icon active. Also, a full mbam scan is clean.
 

I have 4 taskhost.exe files.

1 in system32, and 3 in winsxs, which I believe are all legit. As I said, mbam detects no bad network activity and the scans are clean.
 

Taskhost.exe

I have 4 taskhost.exe files.

1 in system32, and 3 in winsxs, which I believe are all legit. As I said, mbam detects no bad network activity and the scans are clean.

That's how it should be. Nothing to worry about then. About the only other thing I might be able to suggest is to run ProcessExplorer. (Right click the executable) and choose "Run as administrator"

See the tutorial here:

http://www.sevenforums.com/tutorial...er-virustotal-check-all-processes-50-avs.html

Once you've got it set up to scan processes with VirusTotal take a look at the processes running as .dll's under taskhost.exe

Change View to "Show Lower Pane" and change "Lower Pane View" to "Show DLL's"

Highlight taskhost.exe in the list of running processes and check the VirusTotal scores for the listed DLL's.

If the icon reappears any time soon post again and there's another tool that can check all executables that were run or created during the last 30 days.

Will try some methods soon, just rerunning mbam and did a process explorer dll and handle search for taskhost.


I see one entry under system, as a process.
One under csrss.exe as a process, 10 as threads.
1 taskhost process under services.exe
1 process under lsass.exe
1 process under svchost
20 or so threads of taskhost.exe as itself.
 

Process Explorer

What you want to see is a list of DLL's shown in the lower pane being scanned by VirusTotal when you highlight taskhost.exe. It's just as well to check the rest of the running processes.

I have a very vague memory that I might have seen your problem notification area entry on my own machine once before after Windows installed updates. I'm not 100% sure though!
 

I did have a new .net framework update. Was it a recent one, or many updates ago this memory comes from?


Just tried out VirusTotal, and just one program had 1/57 - iusb3mon.exe. It's a signed file, and seems to be labelled as a generic w32 hfs.adware 2048 by Bkav. Must be a false positive. (Running intel chip, file has existed for years.)


I'm not sure if I understand how to get VirusTotal to scan .dlls though.
 

False Positive

I did have a new .net framework update. Was it a recent one, or many updates ago this memory comes from?


Just tried out VirusTotal, and just one program had 1/57 - iusb3mon.exe. It's a signed file, and seems to be labelled as a generic w32 hfs.adware 2048 by Bkav. Must be a false positive. (Running intel chip, file has existed for years.)


I'm not sure if I understand how to get VirusTotal to scan .dlls though.

1/57 detection sure does look like a false positive.

If you click the "View" tab in the Process Explorer toolbar then select "Show Lower Pane" then under the "View" tab the next entry is "Lower Pane View" - set that to "Show DLL's" then highlight taskhost.exe in the process list.

It probably won't show any detections but it's best to check.

Re: Windows updates. It was ages ago that's why my memory isn't clear. I just thought that I'd mention it!

The other thing is that I have a habit of regularly resetting notification area icons and clearing icon cache anyway!
 

Currently have the .dll lower pane tab set, it also shows .exes and .mui, .db, .nls, etc, but mainly .dlls. Only file with a detection is the iusbmon, which is a false positive. Spent 10-15 mins or so looking at each process, and all related dlls and files above were clean.

How does it sound?
 

No detections?

Currently have the .dll lower pane tab set, it also shows .exes and .mui, .db, .nls, etc, but mainly .dlls. Only file with a detection is the iusbmon, which is a false positive. Spent 10-15 mins or so looking at each process, and all related dlls and files above were clean.

How does it sound?

It sounds okay to me. Just post again if that notification area entry ever reappears. As far as malware and stuff goes - it's only a big problem if it's sending your data to a server somewhere or asking you for money to fix something. If there's no malicious ip address connections detected and no dodgy running processes then I wouldn't worry about it!
 

Thanks. I'm going to reset the icons now (it's still there since I did a restore to get it back to investigate).


Is the method of deleting the IconStreams and PastIconsStream the recommended way? I apologise for any misspellings, using an android.
 

I've seen it come up again, and I believe it is related to the pop up that comes up when Windows detects "slow performance" and tries to switch aero. I recently saw that pop up, and it also shares the same yellow exclamation mark, which now appears in the notification bar.
 
