Jump to content

Aquif

Members
  • Posts

    1
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Dear All,Am using windows XP service pack 3. Am having problems with a files named conhost.exe located at C:\WINDOWS\Temp. On googling around about it i came to know that conhost.exe is a system file only in Windows 7 and has no place in Windows XP. Also it being system file it cannot run from Windows Temp folder. Also conhost.exe modifies windows registry so that everytime a antivirus or malware removal tool has been used, it starts itself so that the antivirus will show error and shuts down. I had this problem with my Bitdefender which would shut down everytime it tried to scan conhost.exe. So i decided to use Malwarebytes. Lucky enough for me it detected and removed conhost.exe.But after a few minutes it restarted probably since the registry has been modified. Now i wanted to get rid of it since people claim that conhost.exe helps in downloading other spywares and can be very critical for the system. Moreover it eats up the processor so much so that, my Dell Inspiron shuts down due to overheating of Hard Disk. Please if someone can help me with this. It will be really helpful. Pls note i already tried running Malware bytes in Safe Mode with no result. I am running Windows XP sp3 too and had the same problem a while ago but I didn't have the typical symptoms that usually seem to go with it (browser redirection, additional infections). This is probably because some functional parts of the virus were missing (or that it has been designed for Windows 7?). I did experience some annoying problems however: -conhost.exe process using 99% of cpu -outgoing connections to 83.133.127.85, where it possibly downloads malicious data -conhost.exe "bitcoin miner" signed by Ufasoft keeps popping up in C:\Windows\TEMP Now I did some research and learned that conhost is designed to be a keylogger so at worst it could steal your important personal data; i.e passwords and banking details. I checked Wireshark and it did show connections to some strange addresses and having analyzed the data I came to a conclusion that the data it captures is first base64 encoded and then sent to a remote server in Russia, but probably never actively processed. I did not find any references to any of my recent inputs such as usernames or visited websites (maybe another encoding scheme is taking place as well) but I somehow have the feeling that conhost is not an active threat on Windows XP machines when it's behaving like this. Removing conhost.exe is a bit tricky, because simply deleting it from C:\Windows\TEMP doesn't work and if the process is running while some anti-virus software is trying to remove its components they will fail to do so. For me conhost.exe found its way to run even in safe mode so I guess it infects some really important system files (at least DCOM, WMI and RPC as stopping those services caused the conhost.exe process fail to run). The file conhost.exe is generated by the infected process, which takes data from specific registry key values and creates the file in TEMP folder. I ran Malwarebytes and it found the virus parts, including the registry keys it uses but I also checked regedit manually and found some additional odd looking values and removed them (I'm sorry I don't remember which keywords I used :/ ). Malwarebytes seemed to have been able to remove the threat completely but it wasn't the end of it quite yet. For another week the conhost.exe process kept spawning while scanning with Malwarebytes didn't yield any good results, so I used Linux instead (dual-boot). Then suddenly one day it stopped. I believe that some active parts of it were left in system restore after the removal which allowed it to keep spawning and when time passed Windows ditched them. Haven't seen it since and Wireshark doesn't log anything suspicious. I hope it's gone, because I'd hate to reinstall Windows again as I just had to do it a month ago or so. My advice is, run Malwarebytes a couple of times in safe mode, look for strange registry keys by searching with different keywords and keep stopping the conhost.exe in task manager. Also clear temp and prefetch folders and perhaps run CCleaner to keep your system clean. If the problem persists and is not gone in few weeks you should probably reinstall Windows; you don't want to take chances. You could also try ComboFix or other powerful malicious software removal tools to see if they can locate something additional related to conhost. I have found many removal guides for conhost that spawns in C:\Windows\System32 (trying to mimic the legit Windows 7 process) but this one is somehow a different, perhaps an evolved form of it. I got tired of reverse engineering it myself, but if I get the same problem later on and still don't find any help with Google I might look into it again with some deeper dedication Hope this helps in any way!
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.