
Slowdown fixed post system recovery, but unknown processes


7 replies to this topic

#1 Obsidian Fox (Members, 4 posts)

Posted 14 July 2015 - 12:23 AM

Hello,

My main worry is checking out the multiple conhost/csrss and svchost at startup, after the event detailed below...

Recently, after installing TeamSpeak and not actually getting all the addons necessary to join people in an ARMA3 game, I noticed I was having slowdowns.

I did a Windows recovery to before the install and it seemed to fix the slowdowns, but I'm a little paranoid about both the TeamSpeak download and the ARMA3 addon downloads, given that I have a few conhost.exe at startup and several svchost. I'm not sure when they started being there. They are not there in safe mode when I scanned.

(I have to note that the recovery didn't fully complete because of some form of disk problem, but the installs seemed to be removed from the registry and I deleted the TeamSpeak files. Running "sfc /scannow" apparently fixed everything from its perspective.)

I run Malwarebytes (recently added Anti-Exploit), and have Kaspersky installed from my motherboard software package.

I have run Malwarebytes Anti-Rootkit.

Windows 7 x64 Home Ed.

Processes

http://i1028.photobucket.com/albums/y341/ObsidianDisc/Proc1_zpszotos3nd.jpg

All Users Processes 1 and 2

http://i1028.photobucket.com/albums/y341/ObsidianDisc/ProcAll1_zpskoindahf.jpg

http://i1028.photobucket.com/albums/y341/ObsidianDisc/ProcAll2_zpsc1ll8kdt.jpg

There are two csrss processes, one with 3 conhosts and one with only 1 conhost further down.

http://i1028.photobucket.com/albums/y341/ObsidianDisc/procexp1_zpsy7sind6n.jpg

http://i1028.photobucket.com/albums/y341/ObsidianDisc/procexp2_zps9jlni0lp.jpg

Any input, or which scans may be necessary, would be appreciated.

Thanks,

S



#2 flightsim297 (Members, 30 posts, Male, USA)

Posted 14 July 2015 - 01:21 AM

Although I am not allowed to assist you with malware removal tools, I have found out that:

AiChargerPlus - has something to do with ASUS. I think you have an ASUS laptop.

aaHMSvc - another ASUS thing.

The conhosts and the csrss processes I think are normal; just right-click, click Properties, and make sure it is signed by Microsoft and is in C:\Windows\System32.


Windows 10 Insider

Flight Sim Enthusiast

- Windows 95, 98, 2000, XP, 7, and 8.1 user

- Oh and I like helping people too!


#3 Obsidian Fox (Topic Starter, Members, 4 posts)

Posted 14 July 2015 - 11:14 AM

I have an ASUS motherboard. I know the ASUS software.
Even if the conhost base program is digitally signed, it can be running some aspect of other programs.
I know that one conhost started post-installation of the Malwarebytes Anti-Exploit.

I hit Verify in Process Explorer and all came up "(Verified)". There are no Digital Signatures tabs in the Windows Explorer properties though (I can't even remember if Windows 7 has those).

conhost is being called from %systemroot%/system32

My issue is tracking down the program using/activating it, especially if the user is NETWORK.
The path in Process Explorer has many programs that seem legit but doesn't point to one program but several core element directories, like for both NVIDIA and Microsoft in the same path.

Might be being paranoid, but I feel comfortable with that.
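Doing the check from #2 (is each conhost.exe / csrss.exe / svchost.exe the real file, from System32, signed by Microsoft) and the question from #3 (which program is actually behind each conhost) by hand in Process Explorer is slow, so here is an added example: my own PowerShell, not code from the thread or from any tool mentioned in it. It assumes Windows 7 or later with PowerShell 2.0 or later, run from an elevated prompt so that the image paths of SYSTEM processes are readable. The only facts it relies on are the expected parents on Windows 7 (csrss.exe for conhost.exe, services.exe for svchost.exe) and the PE header layout; the process names and the System32 path are those discussed in the thread.

```powershell
# Added example (not from the thread). Assumes Windows 7+ and PowerShell 2.0+;
# run from an elevated prompt so the image paths of SYSTEM processes are readable.

$namesOfInterest = 'conhost.exe', 'csrss.exe', 'svchost.exe'
$system32        = Join-Path $env:SystemRoot 'System32'

# Expected parents on Windows 7. csrss.exe's own parent (smss.exe) has normally
# exited by the time you look, which is itself expected.
$expectedParent = @{ 'conhost.exe' = 'csrss.exe'; 'svchost.exe' = 'services.exe' }

# Snapshot every process once and index by PID so parents can be resolved.
# (PIDs are reused, so a parent that has exited may map to an unrelated process.)
$all   = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

# Subsystem field of the PE optional header: 3 = IMAGE_SUBSYSTEM_WINDOWS_CUI,
# i.e. a console program. On Windows 7 every running console program has a
# conhost.exe serving it, spawned by csrss.exe rather than by the program.
function Get-PeSubsystem([string]$Path) {
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        $peOff = [BitConverter]::ToInt32($bytes, 0x3C)          # e_lfanew
        # "PE\0\0" (4) + COFF header (20), then Subsystem at optional-header offset 0x44
        return [BitConverter]::ToUInt16($bytes, $peOff + 4 + 20 + 0x44)
    } catch { return $null }
}

function Describe-Process($proc) {
    $path       = $proc.ExecutablePath
    $parent     = $byPid[[int]$proc.ParentProcessId]
    $parentName = '<parent exited>'
    if ($parent) { $parentName = $parent.Name }

    $status = 'unreadable'; $signer = ''
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    $expected = $expectedParent[$proc.Name]
    $parentOk = (-not $expected) -or ($parentName -eq $expected)

    New-Object PSObject -Property @{
        PID         = $proc.ProcessId
        Name        = $proc.Name
        Parent      = $parentName
        ParentPID   = $proc.ParentProcessId
        ParentOk    = $parentOk
        InSystem32  = [bool]($path -and ($path -like "$system32\*"))
        SigStatus   = $status
        Signer      = $signer
        Path        = $path
        CommandLine = $proc.CommandLine
    }
}

$report = $all |
    Where-Object { $namesOfInterest -contains $_.Name } |
    ForEach-Object { Describe-Process $_ } |
    Sort-Object Name, PID

$report | Select-Object PID, Name, Parent, ParentOk, InSystem32, SigStatus, Signer, Path |
    Format-Table -AutoSize -Wrap

# Anything listed here deserves a closer look: a "system" binary running from
# the wrong directory, or with a parent it should not have.
"`n== Suspicious (wrong directory or unexpected parent) =="
$report | Where-Object { -not $_.InSystem32 -or -not $_.ParentOk } | Format-List

# Console-subsystem programs currently running: on Windows 7 these are what the
# conhost.exe instances are serving, which is the question the parent column
# cannot answer.
"`n== Console-subsystem processes =="
$all | Where-Object { $_.Name -ne 'conhost.exe' -and $_.ExecutablePath -and
                      (Get-PeSubsystem $_.ExecutablePath) -eq 3 } |
    Select-Object ProcessId, Name, ExecutablePath | Format-Table -AutoSize
```

Two caveats. Get-AuthenticodeSignature only sees embedded signatures, and on Windows 7 most system binaries, conhost.exe included, are signed through catalog files under %SystemRoot%\System32\CatRoot rather than carrying an embedded signature; that is why Explorer shows no Digital Signatures tab for them and why this script can report NotSigned for a genuine file. Process Explorer's Verify and Sysinternals sigcheck do consult the catalogs, so their "(Verified)" is the authoritative answer. Second, conhost.exe's parent is csrss.exe by design on Windows 7 (from Windows 8 onward the console program itself is the parent), so the parent column cannot tell you which program opened the console; the console-subsystem list at the end is how to find that program.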

#4 flightsim297 (Members, 30 posts, Male, USA)

Posted 14 July 2015 - 11:29 PM

Click Start, then search for "conhost.exe". Right-click it and select Properties. Now make sure it looks like this:

http://i.imgur.com/i3xu8qg.png

Now, you are running Windows 7, so the version, date modified, and product version might be different. Just show me a screenshot of your conhost and I'll confirm it.

You don't need to "use" conhost.exe. It is just automatically used. But strangely you have conhost always open. I only have conhost run when cmd is open.

I'll try to get other people to look at this problem ASAP.




#5 flightsim297 (Members, 30 posts, Male, USA)

Posted 14 July 2015 - 11:34 PM

I just want to see right now what is starting up with your computer. When you restart, does conhost.exe automatically launch, or does it launch after you open a few programs?

Press Windows + R on your keyboard at the same time and type in msconfig.

If there is a UAC prompt, click Yes.

Click the Startup tab, make a screenshot of it and post it in your next reply.




#6 Obsidian Fox (Topic Starter, Members, 4 posts)

Posted 15 July 2015 - 10:19 AM

> Click Start, then search for "conhost.exe". Right-click it and select Properties. Now make sure it looks like this:
>
> http://i.imgur.com/i3xu8qg.png
>
> Now, you are running Windows 7, so the version, date modified, and product version might be different. Just show me a screenshot of your conhost and I'll confirm it.
>
> You don't need to "use" conhost.exe. It is just automatically used. But strangely you have conhost always open. I only have conhost run when cmd is open.
>
> I'll try to get other people to look at this problem ASAP.

It looks correct:

http://i1028.photobucket.com/albums/y341/ObsidianDisc/conhostprop_zpscfuhxfvh.jpg

Here are all the instances that show up in search:

http://i1028.photobucket.com/albums/y341/ObsidianDisc/conhostloc_zpsrtcmhide.jpg



#7 Obsidian Fox (Topic Starter, Members, 4 posts)

Posted 15 July 2015 - 10:20 AM

> I just want to see right now what is starting up with your computer. When you restart, does conhost.exe automatically launch, or does it launch after you open a few programs?
>
> Press Windows + R on your keyboard at the same time and type in msconfig.
>
> If there is a UAC prompt, click Yes.
>
> Click the Startup tab, make a screenshot of it and post it in your next reply.

They start automatically.

This is the set of startup programs:

http://i1028.photobucket.com/albums/y341/ObsidianDisc/msstartup_zps4lmbv8sk.jpg
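The msconfig Startup tab asked for in #5 and shown in #7 lists the entries but not whether the files behind them are present and signed. Here is an added example that produces that list with those two facts attached: my own PowerShell, not code from the thread or from any tool mentioned in it. It assumes Windows 7 or later with PowerShell 2.0 or later, and that the Win32_StartupCommand WMI class (Run/RunOnce keys for the machine and the current user, plus the Startup folders) is an adequate stand-in for what msconfig displays; the command-line parsing rule in Resolve-StartupImage is my own simplification and is labelled with its limitation.

```powershell
# Added example (not from the thread). Assumes Windows 7+ and PowerShell 2.0+.
# Win32_StartupCommand covers the Run/RunOnce keys (machine and per-user) and
# the Startup folders, roughly what msconfig's Startup tab lists; it does NOT
# cover services or scheduled tasks.

function Resolve-StartupImage([string]$Command) {
    # Extract the executable from a startup command line such as
    #   "C:\Program Files\Vendor\tool.exe" /minimized   or   %SystemRoot%\system32\hkcmd.exe
    # Limitation (my simplification): an unquoted path containing spaces is cut
    # at the first space, so such entries come back as "image not found".
    if ($Command -match '^\s*"([^"]+)"') { $exe = $matches[1] }
    else { $exe = ($Command.Trim() -split '\s+')[0] }
    if (-not $exe) { return $null }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe) { return (Resolve-Path -LiteralPath $exe).Path }
    # Bare names such as rundll32.exe resolve through PATH.
    $cmd = Get-Command $exe -ErrorAction SilentlyContinue
    if ($cmd -and $cmd.Path) { return $cmd.Path }
    return $null
}

function Get-StartupReport {
    Get-WmiObject Win32_StartupCommand | ForEach-Object {
        $image  = Resolve-StartupImage $_.Command
        $status = 'image not found'; $signer = ''
        if ($image) {
            $sig    = Get-AuthenticodeSignature -FilePath $image
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property @{
            Name      = $_.Name
            Location  = $_.Location   # e.g. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, or Startup
            User      = $_.User
            Command   = $_.Command
            Image     = $image
            SigStatus = $status
            Signer    = $signer
        }
    }
}

$entries = Get-StartupReport
$entries | Select-Object Name, Location, User, SigStatus, Signer, Image | Format-Table -AutoSize -Wrap

# Entries whose image is missing, unsigned or fails verification are the ones
# to research. Vendor utilities are often legitimately unsigned, and on
# Windows 7 catalog-signed Microsoft binaries show as NotSigned here, so this
# is a lead, not a verdict.
"`n== Not verified =="
$entries | Where-Object { $_.SigStatus -ne 'Valid' } | Format-List Name, Command, Image, SigStatus
```

Read the "Not verified" section together with the Location column: an entry under a per-user Run key or the Startup folder whose image lives outside Program Files or Windows, or whose image no longer exists, is worth looking up before anything else. For services and scheduled tasks, which this class does not enumerate, Sysinternals Autoruns gives the same kind of listing with signature verification built in.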



#8 flightsim297 (Members, 30 posts, Male, USA)

Posted 16 July 2015 - 12:07 AM

Now I can assist you.

We will be running some preliminary tests to see if your PC is infected or not.

1. Download MiniToolBox and save it to your desktop. Run it, and please checkmark the following options. Note: if you do use a proxy, be warned that this tool will reset your Firefox and Internet Explorer proxy settings.

  • Flush DNS
  • Report IE proxy settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List WinSock Entries
  • List last 10 Event Viewer logs
  • List installed programs
  • List Devices
  • List Users, Partitions, and Memory Size
  • List Minidump Files
  • List Restore Points

Hit Go and post the result of the file Result.txt. It should be on your desktop.

_______________________________________________________________

2. The next program we are going to run is called Security Check. Download and save the file to your desktop.

A command prompt window will appear when you open it.

This is NORMAL.

After this, a text document called checkup.txt will open automatically. Post that into your next reply.

________________________________________________________________

Thank you for your patience.

