Malware Conhost.exe
Good afternoon,

Malwarebytes identifies a threat, Trojan.Agent.BTMGen, located at Windows/Temp/Conhost.exe.

It sends the file to quarantine and asks to restart the computer to delete the file.

After the restart, the file reappears...

Can you help me delete this file permanently?


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file:
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.
Click "Attach this file".
Click the "Add reply" button.
===

Please post the logs for my review.

Wait for further instructions.

Hi,

Remove the following programs via the Control Panel > Programs > Programs and Features.

CCleaner (HKLM\...\CCleaner) (Version: 5.45 - Piriform)
Version 5.45 is compromised. Delete it and get the previous version.
https://www.bleepingcomputer.com/news/software/ccleaner-v545-pulled-due-to-anger-over-usage-data-collection/
===

Java 8 Update 151 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F32180151F0}) (Version: 8.0.1510.12 - Oracle Corporation)
Just delete this OLD version.
===

Yahoo Search Set (HKLM\...\Yahoo! SearchSet) (Version:  - Yahoo Inc.)
Adware.
===

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please let me know if the problem persists.

Attachment: fixlist.txt


Root Admin:

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks


Hi,

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.


There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.

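As an added example (not part of nasdaq's instructions, and not code from TDSSKiller or aswMBR), the PowerShell below reads the live master boot record of the first disk, checks the 0x55AA boot signature, lists the four partition entries, hashes the boot code, and compares the live sector with the MBR.dat that aswMBR leaves on the desktop. It assumes that MBR.dat is the raw 512-byte boot sector of the same disk and that the prompt is elevated; the function names are mine.

```powershell
# Added example, not from the thread. Requires an elevated (Administrator) PowerShell.
# Assumption: aswMBR's MBR.dat is the raw 512-byte boot sector of PhysicalDrive0.

function Get-MbrSector {
    param([string]$Device = '\\.\PhysicalDrive0')
    # The OS keeps the disk open, so the handle must allow shared read/write.
    $stream = New-Object System.IO.FileStream -ArgumentList $Device, 'Open', 'Read', 'ReadWrite'
    try {
        $buf = New-Object byte[] 512
        $n = $stream.Read($buf, 0, 512)
        if ($n -ne 512) { throw "Short read from ${Device}: $n bytes" }
        return ,$buf            # leading comma keeps the byte[] from being unrolled
    } finally {
        $stream.Dispose()
    }
}

function Parse-Mbr {
    param([byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw "Expected a 512-byte sector, got $($Sector.Length)" }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $partitions = foreach ($i in 0..3) {
        $off = 446 + 16 * $i    # the partition table starts at byte 446, 16 bytes per entry
        [pscustomobject]@{
            Entry    = $i
            Active   = ($Sector[$off] -eq 0x80)
            Type     = ('0x{0:X2}' -f $Sector[$off + 4])   # 0xEE means a GPT protective MBR
            StartLBA = [System.BitConverter]::ToUInt32($Sector, $off + 8)
            Sectors  = [System.BitConverter]::ToUInt32($Sector, $off + 12)
        }
    }
    [pscustomobject]@{
        # bytes 510-511 are 55 AA; read little-endian that is 0xAA55
        SignatureOk    = ([System.BitConverter]::ToUInt16($Sector, 510) -eq 0xAA55)
        # bytes 0-439 are the boot code; 440-445 hold the disk signature and padding
        BootCodeSHA256 = ([System.BitConverter]::ToString($sha.ComputeHash($Sector, 0, 440)) -replace '-', '')
        SectorSHA256   = ([System.BitConverter]::ToString($sha.ComputeHash($Sector)) -replace '-', '')
        Partitions     = $partitions
    }
}

$live = Parse-Mbr (Get-MbrSector)
'Live MBR: signature ok = {0}; boot code SHA-256 = {1}' -f $live.SignatureOk, $live.BootCodeSHA256
$live.Partitions | Format-Table -AutoSize

# Compare with the sector aswMBR saved, if it is on the desktop.
$dat = Join-Path ([Environment]::GetFolderPath('Desktop')) 'MBR.dat'
if (Test-Path -LiteralPath $dat) {
    $saved = Parse-Mbr ([System.IO.File]::ReadAllBytes($dat))
    if ($saved.SectorSHA256 -eq $live.SectorSHA256) {
        'MBR.dat matches the live sector: nothing rewrote the MBR since the aswMBR scan.'
    } else {
        'MBR.dat differs from the live sector: compare the boot-code hashes and partition tables of both.'
    }
}
```

A matching hash only shows that the sector did not change between the two reads; to judge whether the boot code is the standard Windows one, compare the boot-code hash with one taken from a known-clean machine of the same Windows version, or rely on what TDSSKiller and aswMBR report. A kernel-mode bootkit that hooks disk I/O can hand a clean copy of the sector to a user-mode read like this one, which is why the thread uses tools that read the disk below the filter stack.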

Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.

Start
CreateRestorePoint:
CloseProcesses:
(TODO: <???>) C:\Windows\Temp\conhost.exe
() C:\Windows\Help\lsmosee.exe
HKU\S-1-5-21-99009950-3056784836-314409812-1000\...\MountPoints2: I - I:\AutoRun.exe
HKU\S-1-5-21-99009950-3056784836-314409812-1000\...\MountPoints2: {0b6ec889-ecf5-11e5-9c4c-60a44cdedf45} - I:\AutoRun.exe
HKU\S-1-5-21-99009950-3056784836-314409812-1000\...\MountPoints2: {0b6ec893-ecf5-11e5-9c4c-60a44cdedf45} - I:\AutoRun.exe
HKU\S-1-5-21-99009950-3056784836-314409812-1000\...\MountPoints2: {21242d6c-2c2f-11e8-8fb8-60a44cdedf45} - I:\AutoRun.exe
HKU\S-1-5-21-99009950-3056784836-314409812-1000\...\MountPoints2: {4503059d-2779-11e8-b9be-60a44cdedf45} - I:\AutoRun.exe
HKU\S-1-5-18\...\Run: [] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
S2 Windows Audio Control; C:\Program Files\Common Files\conime.exe -s [X]
AlternateDataStreams: C:\Program Files\GbPlugin:IncompleteStartProcessProtection.cnt [8]
AlternateDataStreams: C:\Windows\system32\drivers:GbpKmAp.lst [212]
AlternateDataStreams: C:\Windows\system32\Drivers\wsddfac.sys:X5ZN8aGXs4 [2174]
C:\Windows\Temp\conhost.exe
C:\Windows\Help\lsmosee.exe
File: C:\Program Files\mozilla firefox\defaults\pref\autoconf_warsaw.js
Reboot:
End


Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

Attachment: fixlist.txt

Edited by nasdaq
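A file that comes back after quarantine is being re-dropped by something that still runs, which is what the fixlist above targets. As an added example (not part of nasdaq's fixlist and not FRST code), the PowerShell below re-checks those same persistence points after the fix so the result can be confirmed: the dropped files, the service whose binary is conime.exe, the per-user MountPoints2 AutoRun commands, and the alternate data streams. The paths, service name and registry locations come from the fixlist; the function names are mine, and it assumes an elevated prompt. One fact worth keeping in mind: the legitimate conhost.exe lives in C:\Windows\System32 and is Microsoft-signed, so a copy in C:\Windows\Temp shares only the name.

```powershell
# Added example, not from the thread. Paths and names are taken from the fixlist above.
# Run from an elevated PowerShell so service keys and other users' hives are readable.

$SuspectFiles = @(
    'C:\Windows\Temp\conhost.exe',               # the detected file; the real one is in System32
    'C:\Windows\Help\lsmosee.exe',
    'C:\Program Files\Common Files\conime.exe',  # binary behind the "Windows Audio Control" service
    'C:\Program Files\mozilla firefox\defaults\pref\autoconf_warsaw.js'
)
$SuspectStreams = @(
    'C:\Program Files\GbPlugin',
    'C:\Windows\system32\drivers',
    'C:\Windows\system32\Drivers\wsddfac.sys'
)

function Get-FileEvidence {
    # Presence, size, creation time, SHA-256 and Authenticode status of each path.
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{ Path = $p; Present = $false }
            continue
        }
        $item = Get-Item -LiteralPath $p
        [pscustomobject]@{
            Path      = $p
            Present   = $true
            SizeBytes = $item.Length
            Created   = $item.CreationTime
            SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            Signature = (Get-AuthenticodeSignature -LiteralPath $p).Status   # NotSigned for a dropped file
        }
    }
}

function Find-ServiceByImage {
    # Walk the service keys directly so ImagePath is shown exactly as stored.
    param([string]$ImageLike)
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($v.ImagePath -and ($v.ImagePath -like $ImageLike)) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $v.ImagePath; Start = $v.Start }
        }
    }
}

function Get-MountPointAutoruns {
    # MountPoints2 is per user and records the AutoRun command of each removable drive seen.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $mp = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
            if (Test-Path -LiteralPath $mp) {
                Get-ChildItem -LiteralPath $mp -Recurse -ErrorAction SilentlyContinue |
                    Where-Object { $_.PSChildName -eq 'command' } |
                    ForEach-Object {
                        $cmd = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).'(default)'
                        if ($cmd) { [pscustomobject]@{ User = $sid; Key = $_.Name; Command = $cmd } }
                    }
            }
        }
}

function Get-AlternateStreams {
    # Lists every named stream other than the default :$DATA stream.
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (Test-Path -LiteralPath $p) {
            Get-Item -LiteralPath $p -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object { [pscustomobject]@{ Path = $p; Stream = $_.Stream; Length = $_.Length } }
        }
    }
}

Get-FileEvidence $SuspectFiles        | Format-Table -AutoSize
Find-ServiceByImage '*conime.exe*'    | Format-Table -AutoSize
Get-MountPointAutoruns                | Format-Table -AutoSize
Get-AlternateStreams $SuspectStreams  | Format-Table -AutoSize
```

After a successful fix, every suspect file should report Present = False, no service should point at conime.exe, and the MountPoints2 listing should contain no I:\AutoRun.exe command. If conhost.exe is present again, its creation time narrows down when it was re-dropped, and the service and AutoRun listings show whether one of the entries from the fixlist survived or was recreated.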

This topic is now closed to further replies.