Conhost.exe Virus - Need help removing

Hello,

After running something I definitely should not have run, I found myself with conhost.exe infiltrating my task manager. Using Windows Process Manager to see some of the things it was doing I saw constant activity of things like this:

High Resolution Date & Time:    8/26/2016 3:17:45.0649988 PM
Event Class:    Process
Operation:    Process Start
Result:    SUCCESS
Path:    
TID:    121704
Duration:    0.0000000
Parent PID:    81752
Command line:    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Current directory:    C:\Windows
Environment:    
    ALLUSERSPROFILE=C:\ProgramData
    APPDATA=C:\Users\HomeDipo\AppData\Roaming
    CommonProgramFiles=C:\Program Files\Common Files
    CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
    CommonProgramW6432=C:\Program Files\Common Files
    COMPUTERNAME=DESKTOP-1E54JDC
    ComSpec=C:\Windows\system32\cmd.exe
    HOMEDRIVE=C:
    HOMEPATH=\Users\HomeDipo
    LOCALAPPDATA=C:\Users\HomeDipo\AppData\Local
    LOGONSERVER=\\MicrosoftAccount
    NUMBER_OF_PROCESSORS=8
    OS=Windows_NT
    Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\AMD\ATI.ACE\Core-Static;C:\Program Files (x86)\Skype\Phone\
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE=AMD64
    PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 94 Stepping 3, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=5e03
    ProgramData=C:\ProgramData
    ProgramFiles=C:\Program Files
    ProgramFiles(x86)=C:\Program Files (x86)
    ProgramW6432=C:\Program Files
    PSModulePath=%ProgramFiles%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files\Intel\
    PUBLIC=C:\Users\Public
    SystemDrive=C:
    SystemRoot=C:\Windows
    TEMP=C:\Users\HomeDipo\AppData\Local\Temp
    TMP=C:\Users\HomeDipo\AppData\Local\Temp
    USERDOMAIN=DESKTOP-1E54JDC
    USERDOMAIN_ROAMINGPROFILE=DESKTOP-1E54JDC
    USERNAME=HomeDipo
    USERPROFILE=C:\Users\HomeDipo
    windir=C:\Windows

I have attached an image with much more on its activities.

My predicament is removing it. I believe this virus has messed with registry files and I have not yet restarted my pc as that would only further disperse the virus. I've spent hours trying to figure this out but to no avail. I just can't stand the idea of this virus doing whatever it wants in the background.

I have also been led to believe the virus uses a false csrss.exe as it is also running constantly in the background and Task Manager shows 2 services but both services are from SYSTEM. To my knowledge it is not normal for more than one service to be open by a single user.

Replies

Re: Conhost.exe Virus - Need help removing

Have you scanned your system to see if there is any malware? Restart your computer into Safe Mode with Networking and run a full system scan with your Norton product.

If that finds nothing, and you still feel your system is infected, I would suggest you sign up at one of the free Malware Removal sites below. Do not try to do anything on your own as it could make things harder for the Malware Removal expert at that site to help you. Choose one and stay there until your system is clean.

http://www.bleepingcomputer.com/
http://www.geekstogo.com/forum/
http://www.cybertechhelp.com/forums/
http://forums.whatthetech.com/
http://qmalwareremoval.freeforums.net/

Things happen. Export/Backup your Norton Password Manager data.

Re: Conhost.exe Virus - Need help removing

Norton Full Scan doesn't show anything, but based on the image of my task manager can I really believe that it is normal? From just google searching conhost.exe virus it seems people have had troubles with it themselves, but I just am not sure if mine is a virus since Norton found nothing.


Re: Conhost.exe Virus - Need help removing

Hi HomeDipo:

If you really want to be sure, check out the file properties for the conhost.exe executable, and you'll see that the description says Console Window Host.

If you look at the details of the process from within Process Explorer (Download it from MS site), you’ll notice that the ComSpec is set to cmd.exe, a clear indication that it’s hosting the command prompt.


So now you know what the conhost.exe process does, and why you should never attempt to delete it.

Sources:

PUP Hunter PRO: Just TRYING to save the world (U) from cyber threats, A single blog post, at a time, and ONCE & FOR ALL. (A fan of Nadia_Kovacs)

Re: Conhost.exe Virus - Need help removing

I would never delete conhost.exe. That would be a fool's errand. I believe something is appearing as conhost.exe and is using it to further spread itself. I also know that conhost.exe should never be running from multiple sources from the same user account. It typically will run from SYSTEM and one instance of a user account, not 4 from one account. Besides that, I have found new security groups on my pc with access to sensitive files that even I, an administrator, could not open the folders. When checking who owns these folders, I found several "Unknown Account" with SIDs not matching any of the accounts on my pc. Essentially, a backdoor for remote accounts which had full access to read/write/execute sensitive files. Now should I not be worried?
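The "Unknown Account" entries described above can be enumerated instead of clicking through folder properties one by one. This is an added example, not code from the thread or from Norton; it walks a folder tree with Get-Acl and reports every owner or access entry whose identity is a raw SID that Windows could not resolve to a name. The $Root value is an assumption, and the script needs an elevated prompt to read ACLs on folders the current user cannot open.

```powershell
# Added example, not from the thread: list folders under a root whose owner or
# ACL entries refer to a SID that no longer resolves to an account name
# (Explorer shows these as "Account Unknown"). Run from an elevated prompt.
# $Root is an assumption; point it at the folders you want to audit.
$Root = 'C:\Users'

function Get-UnresolvedSidEntry {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    # Owner is a string; an unresolvable owner comes back as the raw S-1-... SID.
    if ($acl.Owner -match '^S-1-\d+(-\d+)+$') {
        [pscustomobject]@{
            Path = $Path; Role = 'Owner'; Sid = $acl.Owner; Rights = 'n/a'; Type = 'n/a'
        }
    }
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference
        # A resolvable identity prints as DOMAIN\name; an unresolvable one keeps
        # its S-1-... string, which is what we match on here.
        if ($id.Value -match '^S-1-\d+(-\d+)+$') {
            [pscustomobject]@{
                Path   = $Path
                Role   = 'ACE'
                Sid    = $id.Value
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType   # Allow or Deny
            }
        }
    }
}

# Include the root itself, then every subfolder (hidden ones too, hence -Force).
$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
$findings = foreach ($d in $dirs) { Get-UnresolvedSidEntry -Path $d.FullName }
$findings | Sort-Object Sid, Path | Format-Table -AutoSize -Wrap
```

An unresolved SID is most often a deleted local account, an account from a previous Windows installation, or a domain the machine is no longer joined to, so compare each reported SID against the machine's current accounts (for example `Get-LocalUser | Select-Object Name, SID`) before treating it as an intruder's backdoor.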


Re: Conhost.exe Virus - Need help removing

I repeat my suggestion to go to one of the free Malware removal sites. Even if nothing is found, it will give you peace of mind that your system is safe.

Things happen. Export/Backup your Norton Password Manager data.

Re: Conhost.exe Virus - Need help removing

If you see conhost.exe and it's associated with csrss.exe, it should be fine. Also, do a Properties on conhost.exe. If it's legit, it will have a Microsoft digital signature on it. If not, it's not valid. The conhost comes up for a bunch of stuff, especially control windows, whether you see them or not. If you have Apple iTunes installed or made some changes to it, this can cause numerous conhosts to come out in the background, as well as Visual Studio programs. It can be listed as a 'System' file running, OR a 'User' running process.

DELL XPS 8900 / I7-6700 / 64bit / 16GB RAM Win7 Pro - Norton Security
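The checks suggested in the replies above (image path, Console Window Host description, Microsoft digital signature, parent process) can be run over every conhost.exe instance at once. This is an added example, not code from the thread or from Norton; it assumes an elevated PowerShell prompt so that the image path of SYSTEM-owned instances is readable, and it only reports, it does not kill or delete anything.

```powershell
# Added example, not from the thread: audit every running conhost.exe by
# checking its image path, Authenticode signature, owner and parent process.
# Several instances under one account are normal (one per console window);
# what matters is whether each one is the signed binary from System32.
$expectedPath = Join-Path $env:SystemRoot 'System32\conhost.exe'
$procs = Get-CimInstance Win32_Process -Filter "Name = 'conhost.exe'"

$report = foreach ($p in $procs) {
    # Parent PIDs can be reused after the parent exits, so treat this as a hint.
    # On Windows 7 the parent is csrss.exe; on Windows 8 and later it is usually
    # the console application itself (cmd.exe, powershell.exe, ...).
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $path   = $p.ExecutablePath
    $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $flags  = @()

    if (-not $path) {
        $flags += 'no path (run elevated?)'
    } elseif ($path -ne $expectedPath) {          # -ne is case-insensitive
        $flags += "unexpected path: $path"
    }
    if ($sig -and $sig.Status -ne 'Valid') {
        $flags += "signature $($sig.Status)"
    }
    if ($sig -and $sig.SignerCertificate -and
        $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $flags += 'signer is not Microsoft'
    }
    if ($path -and (Get-Item -LiteralPath $path).VersionInfo.FileDescription -ne 'Console Window Host') {
        $flags += 'description is not Console Window Host'
    }

    [pscustomobject]@{
        Pid         = $p.ProcessId
        Owner       = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { 'n/a' }
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'exited/unknown' }
        CommandLine = $p.CommandLine
        Flags       = if ($flags) { $flags -join '; ' } else { 'ok' }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Any row whose Flags column is not `ok` is worth handing to one of the malware removal forums listed earlier in the thread, together with the full output; rows that read `ok` under several user accounts are the normal case the last reply describes.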
