This may be two problems or one. I use a Windows 7 32-bit box isolated from my professional (computer consultant) net as a sandbox for playing on the web. Over the past couple of weeks, I've noticed my CPU (both cores) maxing out for significant periods of time. Some low-level investigation shows that scores of conhosts (invisible on the desktop) have been created and are each running unending PINGs. My first thought is that the machine has been enlisted as part of a botnet to deliver DDoS requests. I have been unable so far to determine who's launching all of the instances of conhost.exe (I've used What's Running, TUT, SysInternals proc tools, and others). I can wait out the storm, laboriously kill all of the programs, or reboot, and everything is fine for a while; then, in a day or two, it starts again.
I am running Microsoft Security Essentials and the internal firewall on this and a hardware firewall in a router between my computer and the cable modem. BTW, everything on the machine is kept up-to-date on a daily basis.
I have tried all of the recommended virus and rootkit scans that are typically listed here (usually assisted by rkill) and have gotten clean runs every time, with one exception. AVAST's aswMBR.exe (btw, all of my rootkit scanner exes are renamed to avoid any rootkit detecting one starting up - a good practice) shows me a line indicating that c:\windows\system32\user32.dll is "suspicious." Interestingly, aswCleaner shows nothing wrong.
I also have user32.dll.bak in the same directory and another copy in the c:\windows\winsxs\yada-yada\...\ subdirectory. The winsxs version and the .bak version show the same MD5 checksum, f1dd3acaee5e6b4bbc69bc6df75cef66, while the active version shows the same size, date, and time, but checksums to 7bd7f45ff37fa0669cd32ca0ef46e22c. I considered the chance that the live version is part of a Windows update, but that doesn't explain the same creation time and size, so I've replaced it for now with the one from ...\winsxs\... this morning. I haven't seen the conhost/PING problem today, but it is intermittent and (methinks) is only fired up by an external site passing it a URL and telling it to blitz it. I've also renamed PING.EXE to GNIP.EXE so I can still run it but the rogue conhosts can't find it (the b*st*rd simply substituted TRACERT.EXE instead, so I renamed that, too), but that still leaves the problem of 25 or 30 conhost.exe's eating cycles.
I have gone bull-goose-loony with MS support and forums just trying to get them to tell me what are the legitimate MD5 checksums for user32.dll, or even if 7bd7f45ff37fa0669cd32ca0ef46e22c is legit. All I get in return is an avalanche of advice on different virus and rootkit checkers to try - all of which I have on my collection of security thumb drives and have already tried.
I've also monitored i/o with firewall logs, packet sniffers, and such, but can't seem to spot any random external candidate.
Any suggestions on finding out whether the MD5 is bogus and, also, how I can isolate which process is instantiating all of the conhosts? Programs like TUT sometimes show the conhosts in the tree under a copy of csrss.exe and sometimes at the same level.
Edited by Beartooth, 26 May 2013 - 08:24 PM.
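An added example (not from the poster) of the two checks the post asks about: comparing the live user32.dll against the .bak and winsxs copies, and walking from the pinger processes up to whatever launched them. It assumes Windows 7 with the stock PowerShell 2.0 (hence .NET MD5 rather than Get-FileHash), the paths named in the post, and a renamed ping copy called gnip.exe; the winsxs copy is found by search rather than a guessed path, and sfc needs an elevated prompt.

```powershell
# Added example, not code from the original post. Assumes Windows 7 / PowerShell 2.0.
function Get-Md5 {
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString("x2") }) -join ""
    } finally { $stream.Close() }
}

# 1. Hash the live user32.dll and every other copy on the box (.bak from the post,
#    plus whatever the component store holds) and flag the ones that differ.
$live   = "$env:SystemRoot\System32\user32.dll"
$copies = @("$live.bak") + (Get-ChildItem "$env:SystemRoot\winsxs" -Recurse -Filter user32.dll `
              -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })
$liveHash = Get-Md5 $live
"live     $liveHash  $live"
foreach ($c in $copies) {
    if (Test-Path $c) {
        $h    = Get-Md5 $c
        $flag = if ($h -eq $liveHash) { "match  " } else { "DIFFERS" }
        "$flag  $h  $c"
    }
}
# A hash comparison alone cannot say which copy is legitimate. System DLLs are
# catalog-signed, so Get-AuthenticodeSignature reports them as NotSigned; sfc checks
# the file against the protected component store instead (run elevated).
sfc "/verifyfile=$live"

# 2. Find the launcher. On Windows 7 conhost.exe is always spawned by csrss.exe, so its
#    parent says nothing useful; list ping/tracert (and the renamed copy) with their
#    parents and command lines, which is where the real launcher shows up.
$names = "ping.exe", "gnip.exe", "tracert.exe", "conhost.exe"   # gnip.exe: rename from the post
$procs = Get-WmiObject Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
$procs | Where-Object { $names -contains $_.Name.ToLower() } | ForEach-Object {
    $parent = $byId[[int]$_.ParentProcessId]
    $pname  = if ($parent) { "$($parent.Name) [$($parent.ProcessId)]" } else { "<parent exited>" }
    "{0,-12} pid {1,-6} parent {2,-26} cmd: {3}" -f $_.Name, $_.ProcessId, $pname, $_.CommandLine
}
```

Run the second part while the storm is in progress; a parent shown as exited means the launcher is a short-lived process, and Sysinternals Process Monitor with a filter on Process Create events will catch it the next time it fires.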