Jump to content

Resolved possibly undetected malware miners monero or any coins

Recommended Posts


I just want to share a possibly new or undetected malware that resides in my windows 10, I really hate windows 10 because it has so many backdoors for malwares to use any methods for persistence inside the windows operating system, I wished I hadn't upgraded from my windows 8.1, First I detected possibly a malware from Task manager with 100% cpu usage and made my computer lagged, especially when I connected my laptop to an outlet. I use Process Explorer to see a conhost.exe to be called everytimes I rebooted my machine and look for the main process that called conhost.exe it happened to be wlanext.exe, devicecensus.exe and tiworker.exe (virustotal said its all clean, so strange) so many persistence programs used by the malware and I deleted all the programs right away and turned out it didn't harm my windows 10 operations, and I saw some services with strange ending such as OneSyncSvc_9036f2 and many more around 6 of them and I can not disabled them from services panel, so I deleted them all manually , I was using regedit.exe and right now my laptop is running smoothly with only 15% to 25% cpu usage.

If somebody can recognize what kind of malware is it please let me know, because I think the main script or powershell script is still running in the background but can't do any harm anymore (hopefully).

I hope this topic can help somebody else too

Link to post
Share on other sites

Hello goku888 and welcome to Malwarebytes,

Every file you`ve mentioned are legitimate Windows files, I`d be very carefull what you delete. When such files are suspected, VirusTotal is a good place to start. If VT gives the all clear then further intervention will always carry risks. Unless you are more than familiar with the Windows Registry, I would not recommend deleting any genuine file on a whim, or it just seems the right thing to do.

OneSyncSvc_9036f2 service synchronizes mail, contacts, calendar and various other user data. Mail and other applications dependent on this functionality will not work properly when this service is not running.

For ConHost read here: https://www.howtogeek.com/howto/4996/what-is-conhost.exe-and-why-is-it-running/
I`ve see many posts where the thread starter mentions High CPU that drops off when task manager is opened, I`ve not yet seen any positive answer only that it seems to be a W10 gliche. Running an AV scan is always the best place to start, or another indepth analysis scan recommended by a professional. If neither shows any obvious Malware or infection then a Clean Boot is worth trying... http://support.microsoft.com/kb/929135
Thank you,
Link to post
Share on other sites

Hi Kevin,

Thank you for your reply, yes it was my desperate measure that I have to delete all those file because I saw them from process explorer ( I don't have the screenshot right now) that conhost.exe was running under wlanext.exe (so I assumed it was somekind of powershell script was running when windows called wlanext.exe).

For the high cpu usage 100% it will last long until I shutdown the computer and when I do shutdown the computer it said this application is preventing shutdown (noname application probably a malware script or malware program was running in the background), but right now it never show up again.

Hopefully it won't give me any trouble when I deleted those files.

Thank you

Link to post
Share on other sites

Hiya goku888,

Wlanext.exe is part of Windows, it is a system process that can host several Windows services together. It is essential for the use of shared service processes, for instance where several services can share a process to reduce resource consumption. WLANExt.exe is located in the C:\Windows\System32 folder, anywhere else is suspicious.

Unfortunately that process can also show in other folders when an exploited version is used by malware writers, for instance coming bundled with other innocent looking free software...


Startup: C:\Users\another\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wlanext.lnk
ShortcutTarget: Wlanext.lnk -> C:\Program Files (x86)\I`m a free program\Wlanext.exe

It may also have a scheduled task to run the shortcut.....

Hope that helps you....


Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you



Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.