Solved Regarding file conhost.exe in temp folder


Abhishek

PCHF Member
Sep 26, 2017
Recently I found out about a virus in my PC after I installed Malwarebytes in my PC, and my PC had been showing two threats in C:\Windows\debug\lsmose.exe and C:\Windows\temp\conhost.exe. Malwarebytes used to regenerate both files; I deleted lsmosw.exe manually and it didn't generate, but conhost.exe is generating again. Kindly suggest me a way to remove it and find out if there are any other viruses in my system. Btw I use Panda Free Antivirus with Malwarebytes.
 
Last edited by a moderator:
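The pattern reported in this post, a file carrying a Windows system binary's name (conhost.exe normally lives in C:\Windows\System32) but sitting in C:\Windows\temp, can be checked mechanically over a list of process or file paths. The following is an added example, not part of the original thread; the allow-list of expected directories, the function names and the sample paths are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption for this example: a small baseline of where a few well-known
# Windows binaries normally live. Extend it for your own environment.
EXPECTED_DIRS = {
    "conhost.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}
# The two directories in which the post reports detected executables.
SUSPECT_DIRS = {r"c:\windows\temp", r"c:\windows\debug"}


def classify(image_path):
    """Return the reasons a path looks suspicious (empty list if none)."""
    # Strip quoting, resolve "..", and compare case-insensitively.
    norm = ntpath.normpath(image_path.strip().strip('"')).lower()
    directory, name = ntpath.split(norm)
    reasons = []
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and directory not in expected:
        reasons.append("system binary name outside its expected directory")
    if name.endswith(".exe") and any(
        directory == d or directory.startswith(d + "\\") for d in SUSPECT_DIRS
    ):
        reasons.append("executable in a temp/debug directory")
    return reasons


def triage(paths):
    """Map each flagged path to its reasons, preserving input order."""
    flagged = {}
    for path in paths:
        reasons = classify(path)
        if reasons:
            flagged[path] = reasons
    return flagged


# Constructed sample: the two paths named in the post plus other entries.
SAMPLE = [
    r"C:\Windows\System32\conhost.exe",
    r"C:\Windows\temp\conhost.exe",
    r"C:\Windows\debug\lsmose.exe",
    r'"C:\WINDOWS\system32\svchost.exe"',
    r"C:\Windows\System32\..\Temp\svchost.exe",
]

if __name__ == "__main__":
    for path, why in triage(SAMPLE).items():
        print(path, "->", "; ".join(why))
```

A name-and-location check like this only narrows down what to look at; a flagged file still needs a signature or hash check before removal.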
Hey @Abhishek

Please download the FRST 32 bit or FRST 64bit version to suit your operating system. It is important FRST is downloaded to your desktop.

If you are unsure if your operating system is 32 or 64 Bit please go HERE.

Once downloaded right click the FRST desktop icon and select "Run as administrator" from the menu.



If you receive any security warnings, or the User Account Control warning opens at any time whilst using FRST you can safely allow FRST to proceed.
FRST will open with two dialogue boxes; accept the disclaimer.


Accept the default whitelist options,
If the additions.txt options box is not checked please select it.
Then select "Scan"



FRST will take a few minutes to scan your computer, and when finished will produce two log files on your desktop, FRST.txt and Addition.txt. They will display immediately on the desktop, but can be reopened later as a notepad file.



Please Copy and Paste the contents of these logs in your next post for review by our Security Team.
 
Thank you for the files.

I won't have a fix for you until later, so in the meantime, do the following for me please:

We will need a log from AdwCleaner for further information.

Please go HERE and download AdwCleaner to your Desktop. Once downloaded right click the new icon and select Run as Administrator from the context menu to open the program. It will open at the Dashboard tab and no further changes to the program are necessary at this stage.

Click the Scan Now button.



Allow AdwCleaner to start scanning and depending on the amount of data on your PC it may take some time. At the conclusion of the scan any content considered unnecessary will be displayed in the Scan Results box. Ensure all items are selected for removal and click "Clean & Repair"



After selecting "Clean & Repair" another dialogue box may appear asking to restart now or later. If so choose "Clean & Restart Now"


Once the PC has restarted if AdwCleaner does not restart then open it again and click "Log Files" tab on the left. All log files will be listed. If you have used the program previously you may have several logs to select from so double click the most recent "Clean" log and it will open a notepad file on your Desktop.

Please COPY and PASTE the contents of that file in your next post :)

We will need a log from Zemana, can you please download the free trial HERE. Save it to somewhere you can find, double click the downloaded file and start the installation. Accept the default install options and you can safely ignore any security warnings and allow Zemana to complete the install. Once completed click the new desktop icon to open the program. If Zemana opens and informs of any available updates allow it to do so. Next change Zemana's default from "Smart Scan" to Deep Scan as shown below.



Then click scan



When the scan is complete allow Zemana to Quarantine any infections found by clicking Next




Once the infections are quarantined a message box will indicate success, then click the logs icon as below.



Select the latest scan and choose Open Report from the upper menu, or simply double left click on the scan just run.



The log will open as a text file. Please Copy and Paste the contents of that file in your next post :)

I also see that you have multiple AVs installed. Please remove the following:

ESET
Avira
Panda
AVG
GridinSoft

You really only need Malwarebytes and Windows Defender. If you're looking for a really good realtime anti-malware solution, stick to Malwarebytes and Emsisoft.

After doing the following, please re-run FRST and post fresh logs in addition to any other logs I requested. :)
 
Thank you so much for your patience. The files asked by you are pasted and attached below; I expect a quick reply from your side. Thanks again.
AdwCleaner log
# -------------------------------
# Malwarebytes AdwCleaner 7.2.4.0
# -------------------------------
# Build: 09-25-2018
# Database: 2018-09-24.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 09-28-2018
# Duration: 00:00:15
# OS: Windows 7 Ultimate
# Cleaned: 13
# Failed: 0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted C:\Program Files (x86)\pandasecuritytb
Deleted C:\Users\SR\AppData\LocalLow\pandasecuritytb

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted HKCU\Software\csastats
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{6781912A-C64B-44DC-B5B3-F854AC52FBDA}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{46A47702-FF06-4551-934F-AEBD2F9112D1}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{BA8A06FF-6FA3-4D60-9952-FBA86B11D53A}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{81EB7EE5-A6E9-4DC1-83B6-8443CFE00A49}
Deleted HKCU\Software\PRODUCTSETUP
Deleted HKCU\Software\ProductSetup\Uninstall\0S1P1T1C1R1MtT0P1C1F2X1L1Q1P1QtT1S2UtT0Y1T1M1F1F
Deleted HKCU\Software\ProductSetup\Uninstall\0B2U2Z1P0F1P1G1R1P1V0A1Q1Q0O1G
Deleted HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

Deleted Ask
Deleted AOL

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [2581 octets] - [28/09/2018 20:58:46]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

Zemana AntiMalware 2.74.2.150 (Installed)

-------------------------------------------------------
Scan Result : Completed
Scan Date : 2018/9/28
Operating System : Windows 7 64-bit
Processor : 2X Intel(R) Core(TM)2 CPU 4300 @ 1.80GHz
BIOS Mode : Legacy
CUID : 12250136D2543C336AC47B
Scan Type : System Scan
Duration : 8m 32s
Scanned Objects : 27267
Detected Objects : 2
Excluded Objects : 0
Read Level : SCSI
Auto Upload : Enabled
Detect All Extensions : Disabled
Scan Documents : Disabled
Domain Info : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

panda_url_filteringc.dll
Status : Scanned
Object : %programw6432%\panda security url filtering\panda_url_filteringc.dll
MD5 : 8893FE26DCA52E3793170EDA7AA1C565
Publisher : Visicom Media Inc.
Size : 355824
Version : 2.0.1.8
Detection : Adware:Win32/VisicomToolbar!Ep
Cleaning Action : Report as safe
Related Objects :
File - %programw6432%\panda security url filtering\panda_url_filteringc.dll
DLL - 1336 - C:\Program Files\Panda Security URL Filtering\Panda_URL_Filteringb.exe

Panda_URL_Filteringb.exe
Status : Scanned
Object : %programw6432%\panda security url filtering\panda_url_filteringb.exe
MD5 : D4B7E17CD168972A16991123BE84E7EF
Publisher : Visicom Media Inc.
Size : 246256
Version : 2.0.1.8
Detection : Adware:Win32/VisicomToolbar!Ep
Cleaning Action : Quarantine
Related Objects :
File - %programw6432%\panda security url filtering\panda_url_filteringb.exe
Process - 1336 - C:\Program Files\Panda Security URL Filtering\Panda_URL_Filteringb.exe


Cleaning Result
-------------------------------------------------------
Cleaned : 0
Reported as safe : 2
Failed : 0
 

Attachments

  • Addition.txt (31 KB)
  • FRST.txt (20.9 KB)
I have a partial fix for you.

Download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply. Also post fresh FRST logs please :)
 

Attachments

  • fixlist.txt (6.5 KB)
System Restore is turned on but I can't make a restore point by myself and it doesn't make one on its own. There is some issue with it I forgot to address at the start of this thread (attached is the screenshot of the issue when I try to create a restore point). Those are just some traces of ESET left over; I just use Panda. Still, if you feel it's a problem I would remove Panda.
 

Attachments

  • system restore.jpg (87.5 KB)
I did some research. You have a cryptomining malware on your machine. This is going to require aggressive techniques to remove. Let's get started.

To start, please download RKill and ESET Online Scanner. You'll need both of these to start. Please keep RKill someplace easily accessible as we'll need it multiple times in our disinfection.

After doing so, please run RKill and let it finish. After that's done, go ahead and run ESET Online Scanner and do a full scan. Please post any logs it generates and await further instructions.

In my professional opinion, Panda is crap. I don't recommend it on my clients' PCs. I recommend Malwarebytes + Emsisoft. I use those personally and commercially.
 
Attached are the screenshots of RKill and ESET Online Scanner logs. I appreciate your effort in helping me make my system virus-free and safe.
The reason I kept Panda was that my system became too slow and I had premium McAfee; it couldn't detect any virus and no antivirus was able to run on my PC other than Panda. Sure, I am gonna delete Panda as instructed by you.
 

Attachments

  • Rkill.txt (1.8 KB)
  • log.txt (9 KB)
Awesome. ESET found some stuff. We're going to go ahead and start the next step.

Go ahead and reboot the computer. After doing so, re-run RKill. No need for a log this time.

After RKill completes, go ahead and do the following:

Download ResetBrowser to your desktop.

Now close all open browsers. All browsers MUST be closed during this operation!

Right click and Run as Administrator



Click on Reset Chrome-- Allow completion.
Click on Reset Firefox-- Allow completion.
Click on Reset Internet Explorer-- Allow completion.

We will need a log from AdwCleaner for further information.

Please go HERE and download AdwCleaner to your Desktop. Once downloaded right click the new icon and select Run as Administrator from the context menu to open the program. It will open at the Dashboard tab and no further changes to the program are necessary at this stage.

Click the Scan Now button.



Allow AdwCleaner to start scanning and depending on the amount of data on your PC it may take some time. At the conclusion of the scan any content considered unnecessary will be displayed in the Scan Results box. Ensure all items are selected for removal and click "Clean & Repair"



After selecting "Clean & Repair" another dialogue box may appear asking to restart now or later. If so choose "Clean & Restart Now"


Once the PC has restarted if AdwCleaner does not restart then open it again and click "Log Files" tab on the left. All log files will be listed. If you have used the program previously you may have several logs to select from so double click the most recent "Clean" log and it will open a notepad file on your Desktop.

Please COPY and PASTE the contents of that file in your next post :)

We need you to run Malwarebytes Anti-Malware (MBAM) to get a log. Please download the free version of Malwarebytes HERE

Save the file to somewhere you can easily find it. Double click the saved file to start the install, accept any security warnings that may appear and after the install click the new desktop icon to start the program. We need to modify a couple of things with Malwarebytes before we use it so please follow the steps below.

  • If the dashboard is not already displayed select it.

  • Then select Update to get the latest definition database.



  • Next we need to change a scanning option, select Settings on the main menu

  • Then Detection and Protection on the left.

  • Then select Scan for rootkits in the detection options, as well as the other two options already checked.



Now return to Dashboard on the main menu and select Scan Now at the bottom of the screen.



  • Allow Malwarebytes to scan your system. It may take some time depending on how much data is loaded onto your hard drive. When the scan is finished any threats will be listed for action. Ensure all threats are selected, and click Remove Selected.



A dialogue box may open and ask to restart the computer, if so select Yes



Once the computer restarts open Malwarebytes again and select History on the menu bar, Application logs, then click the scan just completed, then click Export, choose text file. Name the text file and select a location, preferably the desktop and close Malwarebytes.



Please copy and paste the contents of the text file in your next post :)

Download Security Check to your desktop.
Right click it and choose Run as Administrator.
When the program completes, the tool will automatically open a log file.
Please post that log here in your next post.

Reset Host File



  • Click here to download RstHosts v2.0
  • Save the file to your desktop.
  • Right Click and Run as Administrator.
  • Click on Restaurer, then click OK at the prompt.
  • This will restore the default host file.
  • Next Click on Creer Un Rapport.
  • This will open a logfile, post that in your next reply.


After doing all that, please re-run ESET, as well as fresh FRST logs. After doing all said, post all the required logs and reboot the computer. Don't worry, we're getting your computer clean :)
 
Below are the attached logs. The ESET scan would take some hours, so I would update it later, and also the FRST logs. I am so thankful to you for that :)
 

Attachments

  • malwarebytes.txt (1.2 KB)
  • AdwCleaner[C01].txt (1.6 KB)
  • SecurityCheck.txt (16.9 KB)
  • RstHosts.txt (653 bytes)