Question taskhostw.exe - potential malware

Tom_T1993

Hi all,

I'm quite stumped by this and would love to hear some insight into what I'm seeing.

I have a desktop gaming PC, and recently I had a run-in with an exe supposedly hogging CPU performance. However, this is far from straightforward from what I'm seeing.

Ok, so occasionally I run perfmon, using perfmon /report to check everything is ok. Well, this morning I ran it and ran into a warning message saying taskhostw.exe is using a lot of CPU performance, ~89%.

Quick Google search confirms that it's not standard behaviour for the legitimate process, and the setting that would utilise it in Defender isn't even on.

Seems like it's a virus, can't see a reason why it wouldn't be.

But here's where it gets weird: CPU performance isn't being utilised, it's idling most of the time, temps are in the 30s, and it's not running at full speed. Task Manager shows no taskhostw.exe processes. There isn't a single process using more than 1% of its performance.

Malwarebytes full scan on all 3 installed disks finds nothing. Defender also finds nothing, and is switched on.

System performance is great, certainly doesn't seem like a process is utilising my CPU like perfmon states.

Anybody seen this before? Any advice? Don't particularly want someone using my device to crypto like what I've read, but I can't kill the process because Task Manager doesn't even show it.

When it reports in perfmon, it shows its PID changing each time, so I can't kill it using a cmd either.

I'll provide screenies and the like later. But I'm just interested to know if there's anyone out there that has had this issue before. I've installed nothing recently, so I'm quite stumped on how I've obtained any potential malware at all.

Components and info:

CPU: I7-7700k
MOBO: MSI Z270 Gaming m7 - Bios is flashed to most recent version, done well before this issue
OS: WIN10 64BIT - Up to date legit copy
Antivirus software used: Malwarebytes Free, up to date + Windows defender is on
Disks: Samsung 960 evo PCIe 1tb, Samsung 860 evo 1tb sata, Sandisk ultra II 1tb sata

Any help would be massively appreciated. Cheers.
 

Mandark

Read this link and run that task host command line to see what DLLs are loaded. This is used in Windows services that rely on DLLs and not executables.

https://www.file.net/process/taskhostw.exe.html

So execute that taskhost command on the command line, see what's loaded, and post back here.

You should back up all of your data and be prepared to do a clean install of Windows 10 if you're infected.
 

Tom_T1993

Hi,

Thanks for your reply, checked that after work. Nothing malicious, although it does list the PID of the true taskhostw.exe, which believe it or not, perfmon shows a different PID.

I'm reformatting, don't particularly feel comfortable knowing it's there.

Thanks for the help. Hopefully a fresh install will get rid of whatever the hell it was.
 

mdd1963

My own system shows a taskhostw.exe in a ProcessExplorer listing, PID 6850 (it can be suspended/resumed from within ProcessExplorer), and it shows as a subset of one of the numerous svchost.exe listings.... Path is/should be "C:\Windows\System32\"

My own showed no readable processor usage whatsoever, currently....
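
The checks discussed in this thread (image path, parent process, PID, loaded DLLs) can be collected in one pass with the PowerShell sketch below. It is an added example, not something posted by the thread participants; it takes a single snapshot, so a short-lived instance like the one perfmon reported may not be running when it executes, and the output property names are chosen here for illustration.

```powershell
# Added triage example (not from the thread). Run from an elevated PowerShell prompt.
# Expected location of the genuine binary, as stated in the thread.
$expected = Join-Path $env:SystemRoot 'System32\taskhostw.exe'

Get-CimInstance Win32_Process -Filter "Name = 'taskhostw.exe'" | ForEach-Object {
    $proc   = $_
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

    # Signature check only makes sense when the image path is readable.
    $sig = $null
    if ($proc.ExecutablePath) {
        $sig = Get-AuthenticodeSignature -FilePath $proc.ExecutablePath
    }

    # DLLs loaded from outside the Windows directory deserve a closer look.
    $outside = @()
    try {
        $outside = (Get-Process -Id $proc.ProcessId -ErrorAction Stop).Modules |
            Where-Object { $_.FileName -notlike "$env:SystemRoot\*" } |
            Select-Object -ExpandProperty FileName
    } catch {
        $outside = @('<modules not readable>')
    }

    [pscustomobject]@{
        ProcessId       = $proc.ProcessId
        ParentProcessId = $proc.ParentProcessId
        ParentName      = $parent.Name
        Path            = $proc.ExecutablePath
        PathAsExpected  = ($proc.ExecutablePath -eq $expected)
        Signature       = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Started         = $proc.CreationDate
        DllsOutsideWin  = $outside -join '; '
    }
} | Format-List
```

An instance whose path is not the System32 one, whose signature status is not `Valid`, or that has DLLs loaded from user-writable directories is the one to investigate further.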
 
