
Need A Tool To Identify conhost File Execution
4 replies to this topic

#1 bludgard

Posted 04 November 2014 - 04:18 PM

Is there a tool that can identify the files running by conhost?

I was infected and manually removed the garbage: I remember 1 (or two at times - short lived) of these running before but I know there wasn't three. And not running all the time.

I have an image backup but I would like to figure this out.

Thanks for any input, BP.

One

[Screenshot attached: the conhost.exe entries in Task Manager]

Edit: Got it. Using Process Explorer.

Well, thought I did: Still cannot find the files called on....


Edited by bludgard, 04 November 2014 - 04:41 PM.




#2 JohnC_21

Posted 04 November 2014 - 04:42 PM

The following programs may help. Edit: I see you are using Process Explorer. Good luck.

Process Explorer
Process Monitor
Process Hacker


Edited by JohnC_21, 04 November 2014 - 04:42 PM.


#3 bludgard

Posted 04 November 2014 - 05:54 PM

Hey, thanks.

According to ProcExploder, all conhost windows were pointing to a QuickTime-associated Java file that was left in the Java install directory after Java was uninstalled months ago. I deleted the orphaned directory and rebooted, and all he** broke loose... lol. CPU @ 100%, RAM steadily climbing and dll processes kept multiplying. Rebooted and the conhost entries stayed the same but now point to WindowsPowerShell.

Something was using IE, as after I deleted the Java directory and rebooted I got a window informing me that IE had quit working: did I want to close it or check for a fix or whatever...

Must still be infected.

Previously (after removing as much of the infection as I could) I ran Bitdefender, SAS and MBAM. They found some minor leftovers and found the system clean.

Oh, well. Back to bricking my machine....lol

Good day.

Thanks

 

Edit: The assoc attributed to these conhost entries are COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC


Edited by bludgard, 04 November 2014 - 05:57 PM.
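Post #1 asks for a tool that identifies what each conhost.exe is running, and post #3 reads that off Process Explorer. The script below is added here and is not from the thread or from any tool it names; it does the same lookup from PowerShell. On Windows 8 and later conhost.exe is started by the console application itself, so the parent of each conhost.exe is the program whose console it hosts; on Windows 7 the parent is csrss.exe and the script can only report that. It assumes PowerShell 3 or later and an elevated prompt, and the function name Get-ConhostClient is my own.

```powershell
# Added example, not code from the thread. For every conhost.exe, resolve the
# console application it hosts, then report that image's path, command line and
# Authenticode status. Assumes Windows 8+ (conhost's parent is the client) and
# PowerShell 3+ (Get-CimInstance); run elevated so every process path is readable.
function Get-ConhostClient {
    [CmdletBinding()]
    param()

    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($con in ($all | Where-Object { $_.Name -ieq 'conhost.exe' })) {
        $client     = $byPid[[int]$con.ParentProcessId]
        $clientName = '<exited>'
        $path       = $null
        $cmdLine    = $null
        $signer     = 'n/a'
        $status     = 'ParentGone'          # client already exited; conhost is orphaned
        if ($client) {
            $clientName = $client.Name
            $path       = $client.ExecutablePath
            $cmdLine    = $client.CommandLine
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            } elseif ($path) {
                $status = 'FileMissing'     # image deleted while the process keeps running
            } else {
                $status = 'NoPath'          # access denied or a protected process
            }
        }
        [pscustomobject]@{
            ConhostPid  = $con.ProcessId
            ClientPid   = $con.ParentProcessId
            ClientName  = $clientName
            ClientPath  = $path
            CommandLine = $cmdLine
            Signature   = $status
            Signer      = $signer
        }
    }
}

# Unsigned or missing client images, and anything launched from user-writable
# folders such as Temp, AppData or ProgramData, are the rows to look at first.
Get-ConhostClient |
    Sort-Object Signature |
    Format-Table ConhostPid, ClientPid, ClientName, Signature, ClientPath, CommandLine -AutoSize -Wrap
```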


#4 JohnC_21

Posted 04 November 2014 - 06:03 PM

That sounds like a seriously infected computer. Have you tried running Hitman Pro?


Edit: You might want to post the appropriate logs in the Malware Removal Forum. They are busy as usual so you may not get a response for a few days.


Edited by JohnC_21, 04 November 2014 - 06:06 PM.


#5 bludgard

Posted 04 November 2014 - 06:12 PM

Man, I am just playing around. I have an image backup, but I take pride in my ability to kill perfectly good working machines....lol

I may even get lucky enough to actually get this straight before reimage.

I will however run HP to see if it finds anything. Love testing AV/AM progs.

Thanks again.

One :guitar:


Edit: Thread was about a tool: Found it. In the meantime something ugly was discovered. Don't know how long it has been creeping around. I am the least paranoid about stuff like this; however, this is creepy. :lmao: This is my workhorse and I need to be able to trust it when I need to.

Backups are suspect at this point and will proceed with a clean slate when I get done playing.

Thanks for responding. I notice that Process Hacker is awfully similar to Process Explorer.


Edited by bludgard, 04 November 2014 - 08:28 PM.

