I have a server that's infected with malware (conhost.exe).
I've completed the steps from the forum posts listed below.
https://forums.malwarebytes.com/topic/235964-malware-conhostexe/?page=2
https://www.bleepingcomputer.com/virus-removal/remove-console-window-host-conhost.exe-monero-miner#rkill
The Malwarebytes app seems to keep it from starting up again, but I can't seem to keep it from being created in the c:\windows\temp directory after reboot.
Below are my registry exports.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
When you right-click on the process in the first picture, the conhost.exe process is being run from the c:\windows\temp directory. After I install the Malwarebytes application, that conhost.exe process doesn't show up as running again.
The last step is to stop the conhost.exe file from being created in the c:\windows\temp directory after a reboot.
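The Run and RunOnce exports pasted above contain no values, so whatever re-creates the file after a reboot is most likely registered somewhere else. The script below is an added example (it is not from the original post or from the linked removal guides) that enumerates the other common Windows persistence locations from an elevated PowerShell prompt and flags anything that references the Windows Temp directory or a conhost.exe that is not the one in System32. The drop path and the match pattern are assumptions for illustration; adjust them to the path actually seen on the server.

```powershell
# Added example, not from the original post. Run as Administrator.
# Flags persistence entries that reference %windir%\Temp (assumed drop location)
# or a conhost.exe that is not the legitimate %windir%\System32\conhost.exe.
$TempDir      = Join-Path $env:windir 'Temp'
$Pattern      = [regex]::Escape($TempDir)                # assumed: matches C:\Windows\Temp
$LegitConhost = Join-Path $env:windir 'System32\conhost.exe'

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Detail = $Detail })
}

# 1. Running conhost.exe processes whose image path is not the real binary
Get-Process -Name conhost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -ne $LegitConhost } |
    ForEach-Object { Add-Finding 'Process' $_.Id $_.Path }

# 2. Run / RunOnce keys, including the WOW6432Node view that exports often miss
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $RunKeys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $Props) { continue }
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }             # skip provider metadata
        if ("$($P.Value)" -match $Pattern) { Add-Finding 'RunKey' "$Key\$($P.Name)" $P.Value }
    }
}

# 3. Scheduled tasks whose action runs something out of Temp
Get-ScheduledTask | ForEach-Object {
    $Task = $_
    foreach ($A in $Task.Actions) {
        $Cmd = "$($A.Execute) $($A.Arguments)"
        if ($Cmd -match $Pattern) { Add-Finding 'ScheduledTask' "$($Task.TaskPath)$($Task.TaskName)" $Cmd }
    }
}

# 4. Services whose binary path points into Temp
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $Pattern } |
    ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

# 5. WMI permanent event subscriptions: survive reboot and are rarely inspected.
#    Consumers are matched on the pattern; every binding is listed for manual review.
$Ns = 'root\subscription'
Get-CimInstance -Namespace $Ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Where-Object { $_.CommandLineTemplate -match $Pattern } |
    ForEach-Object { Add-Finding 'WMIConsumer' $_.Name $_.CommandLineTemplate }
Get-CimInstance -Namespace $Ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMIBinding' "$($_.Filter)" "$($_.Consumer)" }

# 6. Startup folders (all users and the current user)
$StartupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($D in $StartupDirs) {
    Get-ChildItem -Path $D -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName }
}

# 7. The dropped file itself, if present: signature status and hash for lookup
$Dropped = Join-Path $TempDir 'conhost.exe'                # assumed drop path
if (Test-Path $Dropped) {
    $Sig  = Get-AuthenticodeSignature -FilePath $Dropped
    $Hash = (Get-FileHash -Algorithm SHA256 -Path $Dropped).Hash
    Add-Finding 'DroppedFile' $Dropped "Signature=$($Sig.Status) SHA256=$Hash"
}

$Findings | Format-Table -AutoSize
```

A legitimate conhost.exe is always signed by Microsoft and lives in System32, so any copy in Temp, or any task, service or WMI consumer pointing there, is the re-dropper to remove. WMI subscriptions and scheduled tasks are the two locations a Run-key export never shows, which is why they are worth checking before concluding the machine is clean.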