

1273 processes- hundreds of cmd.exe and conhost.exe bloating memory


18 replies to this topic

#1 dogjoy

dogjoy

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:02:45 AM

Posted 29 June 2017 - 10:46 PM

I have used multiple malware and combofix 50+ steps and still have not eliminated the problem.  Advise how to post hijackthis.log for advice.

 

at a loss


Edited by britechguy, 29 June 2017 - 11:18 PM.
Moved to "Am I Infected?" since this is clearly an issue with an infection of some kind.



 


#2 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:45 PM

Posted 30 June 2017 - 12:09 AM

HijackThis is no longer supported.

 

First, download and run Sysinternals' Process Explorer.

 

https://technet.microsoft.com/en-us/sysinternals/bb896653

Enable the VirusTotal check in Process Explorer by clicking on Options > VirusTotal.com > Check VirusTotal.com

 

If VirusTotal flags any entries, click on the VirusTotal link to see what was identified.


Edited by jwoods301, 30 June 2017 - 12:12 AM.


#3 dogjoy


Posted 30 June 2017 - 03:30 PM

Ok, got to it.  System was bloated to over 2170 processes.  VT would not run.  I rebooted and started with 75 process and VT does now run.  It is not clear how VT works or its use.  I don't see a way to add a screen shot, yet of VT

 

col Virus total format lists all of them at 0/XX.  Assume this is good?


Edited by dogjoy, 30 June 2017 - 04:10 PM.


#4 jwoods301


Posted 30 June 2017 - 03:35 PM

See the VirusTotal FAQ -

 

https://www.virustotal.com/en/faq/

 

Did it flag any processes?

 

You can use the built-in Windows Snipping Tool to get a screenshot and save it.

 

You'll need to post the screenshot on a site like Dropbox, Imgur, etc, and post a link to it in the thread.


Edited by jwoods301, 30 June 2017 - 03:39 PM.


#5 dogjoy


Posted 30 June 2017 - 04:50 PM

  https://www.dropbox.com/s/sl24vrvt9iui5ve/170630%20VT-.JPG?dl=0

 

No flags 



#6 jwoods301


Posted 30 June 2017 - 05:02 PM

"I rebooted and started with 75 process..."

 

You may want to take a look at how much stuff is loading on startup.

 

Download and run the Sysinternals free tool Autoruns...

 

https://technet.microsoft.com/en-us/sysinternals/bb963902

 

 

Keep using Process Explorer to monitor the situation...

 

If you see a bunch of cmd.exe and conhost.exe processes running, double click on a few and select the Image tab.

 

See what the Parent is. You might see something like "crss.exe (508)".

 

So you find that process, double click on that, and see what it's doing.

 

The Threads tab is helpful in getting more detailed information.


Edited by jwoods301, 30 June 2017 - 05:09 PM.


#7 dogjoy


Posted 30 June 2017 - 10:41 PM

As it grows see images.  Seem related to my Crashplan?

 

 https://www.dropbox.com/s/wqxopr20fd93u07/170630%20Process%20Explr_1.JPG?dl=0 

 

https://www.dropbox.com/s/16wh89oz3yb729o/170630%20Process%20Explr_2.JPG?dl=0

 

https://www.dropbox.com/s/wwasm0d2pi1cofy/170630%20Process%20Explr_3.JPG?dl=0

 

https://www.dropbox.com/s/cjpi28sqbjx6tm7/170630%20Process%20Explr_4.JPG?dl=0

 

https://www.dropbox.com/s/hmpncz21mh85xgy/170630%20Process%20Explr_5.JPG?dl=0



#8 jwoods301


Posted 30 June 2017 - 11:44 PM

Turn CrashPlan off, reboot, and watch it for a while and see if it stops...

 

Known conflicts with CrashPlan...

 

https://support.crashplan.com/Troubleshooting/Known_Conflicts_With_The_Code42_CrashPlan_Application


Edited by jwoods301, 01 July 2017 - 12:17 AM.


#9 dogjoy


Posted 01 July 2017 - 08:58 PM

So far stable process at 73 after 11hrs, not conhosts or cmds. Will now open MSOutlook and see if Process counts is still around 70s in the morning. I plan to uninstall and install crashplan. The troubleshooting article did not seem to identify any of the antivirus I use, MS Security Essentials, as a potential issue. The only other monitor I use is CCleaner.

 

will monitor and see what happens next.



#10 dogjoy


Posted 03 July 2017 - 08:08 AM

cmd.exe and conhost.exe are up again.  Processes at 170.

 

Using Process Explorer (PE), conhost.exe has crss.exe(508) as the parent. Cannot locate PID 508 looking down the PE PID list.

 

The parent for cmd.exe is <Non-existent Process>(5276), number ( ) differs but find: 

 

CURRENT DIRECTORY  C:\Users\David2\AppData\Local\Programs\CrashPlan\bin\

COMMAND LINE C:\Windows\system32\cmd.exe  /K restart.bat  

PATH  C:\Windows\System32\cmd.exe

 

Nothing in the crashplan FAQ is useful

 

 Processes at 190 as I write this update 
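
The parent and command-line check walked through in posts #6 and #10, done for every cmd.exe and conhost.exe at once instead of double-clicking each one in Process Explorer. This is an added example, not part of the original posts; it uses only the built-in CIM cmdlets and assumes PowerShell 3.0 or later, run elevated so command lines of other users' processes are readable.

```powershell
# Added example: one snapshot of the process table, then a summary of the
# cmd.exe / conhost.exe instances by parent and command line.
$procs = Get-CimInstance -ClassName Win32_Process

# Index every running process by PID so parents can be looked up.
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

$targets = $procs | Where-Object { $_.Name -in 'cmd.exe', 'conhost.exe' }

$report = foreach ($p in $targets) {
    $parent = $byPid[[uint32]$p.ParentProcessId]

    # Windows reuses PIDs. A "parent" that started after the child is a
    # different process that inherited the number, so treat it as exited.
    if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }

    [pscustomobject]@{
        Name        = $p.Name
        PID         = $p.ProcessId
        ParentPID   = $p.ParentProcessId
        Parent      = if ($parent) { $parent.Name } else { '<exited>' }
        Started     = $p.CreationDate
        CommandLine = $p.CommandLine   # empty if access was denied
    }
}

"Total processes: {0}, cmd/conhost: {1}" -f $procs.Count, @($report).Count

# Which parent / command line combination accounts for the pile-up?
$report |
    Group-Object -Property Name, Parent, CommandLine |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name |
    Format-Table -AutoSize -Wrap

# How fast are new cmd.exe instances appearing? Count launches per hour.
$report |
    Where-Object { $_.Name -eq 'cmd.exe' -and $_.Started } |
    Group-Object -Property { $_.Started.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object -Property Name |
    Select-Object -Property @{ n = 'Hour'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

A single dominant group such as `cmd.exe, <exited>, C:\Windows\system32\cmd.exe /K restart.bat` points at whatever launches that batch file; `/K` tells cmd.exe to stay open after the command finishes, so each launch leaves a console process behind.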



#11 jwoods301


Posted 03 July 2017 - 01:48 PM

Have you uninstalled and re-installed CrashPlan?



#12 dogjoy


Posted 03 July 2017 - 05:14 PM

Yes, downloaded current version 4.8.3  and installed.  I also have CCleaner exclude the crashplan folders.  

 

For the last 8hr, I placed crashplan on 'pause'.  Increase in process has held at 206, cmd/conhost not increasing.  Re-ran virus total and only Autoruns show red. Attached images.

 

https://www.dropbox.com/s/ldl78io9gkwdumc/Capture-Crashplan%20-%20_%203%20.JPG?dl=0

 

https://www.dropbox.com/s/00p5aokb20cna9b/Capture-Crashplan%20-%20_4.JPG?dl=0

 

https://www.dropbox.com/s/wfwc4ccbryc0k6u/Capture-Crashplan%20-%20_5.JPG?dl=0



#13 jwoods301


Posted 03 July 2017 - 05:20 PM

So when you "unpause" the new version of CrashPlan, do the cmd/conhost processes increase as before?

 

If so, I would report it to CrashPlan.



#14 dogjoy


Posted 03 July 2017 - 05:47 PM

I'll unpause and let it run.  No issue with the WinTrojan agent?



#15 jwoods301


Posted 03 July 2017 - 06:58 PM

"I'll unpause and let it run.  No issue with the WinTrojan agent?"

 

If you're talking about Autoruns...it's a false positive.





