multiple conhost.exe, cmd.*32 running in task manager

Status: Not open for further replies.

Skynet2020

Reputable
Apr 25, 2015
37
0
4,530
I have had this problem a while now. Whenever I load into my OS, maybe like 20 minutes later I see conhost.exe and cmd.*32 pop up. Then they keep multiplying into the hundreds until I restart my computer. They're not causing performance issues, but this can't be normal. I thought it might be malware, so I ran Malwarebytes Anti-Malware in safe mode and there it was: a malware file in my registry, but the damn thing reactivates!!! I don't know how to get rid of it. Norton and Malwarebytes Anti-Malware say everything is fine in normal boot. The name of the file is Disabled.Cryptsvc. Any help would be nice and I'm not very computer savvy.
 
Solution
Use http://www.bleepingcomputer.com/download/rkill/


Then run, in order, in Safe Mode with Networking, AFTER making sure all definitions are up to date:

Malwarebytes
Whatever virus scanning program you have installed in addition to Malwarebytes
Hitman Pro
TDSS Rootkit killer
Rogue Killer
Combofix


Clearly there is an infection. Try ALL of the suggestions at the following two links, paying particular attention to the second opinion and rootkit scanner utilities. Also, be sure to attack the infection in Safe mode and you might really want to use Malwarebytes Chameleon and combofix:


http://www.tomshardware.com/faq/id-2602295/protect-remove-virus-malware-infections-layman.html

http://www.tomshardware.com/forum/8263-63-simple-free-guide-removing-malware


I'd be sure to run one of the advanced rootkit scanners like hitman pro or tdss killer as well.
 

Skynet2020

Alright I have read both your links and am going to attempt this again in safe mode with networking as the second link states. This combofix might do the trick after.
 

Skynet2020

Still no fix after running Malwarebytes Anti-Malware + Combofix on safe boot. It's still finding the same malware over and over again. I have the logs if that helps for Combofix and Malwarebytes Anti-Malware.

This is the malware that keeps coming back over and over again. I'm not even sure if this is the reason why I get conhost.exe and cmd.*32 multiplying into the hundreds.
Registry Data: 1

Disabled.Cryptsvc, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\CRYPTSVC|Start, 4, Good: (2), Bad: (4),Replaced,[7aee84ecf19983b36946c63c7195fb05]
 

Skynet2020

I ran all those programs in order in safe mode. Malwarebytes Anti-Malware found that same malware from before once again, but none of the other programs found anything. I have the log files if needed. If it helps any, I see a conhost.exe running in Task Manager. I can't end the process and I can't open the file location. I noticed conhost.exe and cmd.*32 kind of work together, so this one conhost.exe might be my problem, but I don't know what Windows service or program is opening this, if any.

 
One instance of conhost.exe does not necessarily suggest a problem. Conhost is used for normal operation by Windows, but it's also easily hijacked by malicious software and used to execute multiple instances of itself with or without various payloads/consequences.

http://www.howtogeek.com/howto/4996/what-is-conhost.exe-and-why-is-it-running/



Here's some further information about conhost.exe infections:

http://www.bleepingcomputer.com/forums/t/407940/how-to-delete-conhostexe-virus/
 

Skynet2020

I read both and tried some fixes listed on the second link. It did not fix my problem. My conhost.exe has no description and neither does the csrss.exe. I have also noticed that there is an equal number of schtasks.exe for each conhost.exe and cmd.*32, if that helps. Now the strange thing is my computer beeps before these conhost.exe, cmd.*32 multiply. I had my head set on playing some and noticed this sound. It's one of the sounds Windows makes, like during an install of a new program when it asks for administrator privileges.


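The observations in the post above (one schtasks.exe per conhost.exe/cmd.*32 pair, a conhost.exe whose launcher is unknown, and the recurring Malwarebytes hit on the CryptSvc Start value) are exactly what a read-only triage pass can pin down before any cleaning tool is run. The script below is an added example, not something posted in the thread; it assumes Windows 8 or later (for Get-ScheduledTask) and an elevated PowerShell session, and it changes nothing on the system. Note that the "*32" suffix Task Manager shows is not part of the file name: it marks a 32-bit process on 64-bit Windows, so cmd.*32 is the SysWOW64 copy of cmd.exe, which is what a 32-bit program launches when it spawns a console.

```powershell
# Added example (not from the thread). Read-only triage for the symptoms described above.
# Assumes Windows 8 or later (Get-ScheduledTask ships with the ScheduledTasks module)
# and an elevated PowerShell session. Run it while the conhost.exe/cmd.exe pairs are present.

# 1. CryptSvc start type. Malwarebytes reported Start=4 (Disabled); the normal value is 2 (Automatic).
#    The log line in the thread already shows this; here it is read straight from the registry.
$cryptKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CryptSvc'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$start      = [int](Get-ItemProperty -Path $cryptKey -Name Start).Start
"CryptSvc Start = $start ($($startNames[$start]))"
if ($start -ne 2) {
    "  WARNING: expected 2 (Automatic). If this reverts after you fix it, something is re-disabling it."
}

# 2. Scheduled tasks whose action runs cmd.exe. One schtasks.exe per conhost/cmd pair suggests
#    a task (or a program driving schtasks.exe) is launching cmd.exe on a timer.
"`nScheduled tasks that launch cmd.exe:"
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Execute holds only the program; arguments are separate. Match bare 'cmd' or any path to cmd.exe.
        if ($action.Execute -match '(^|\\)cmd(\.exe)?$') {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Author    = $task.Author
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
} | Format-Table -AutoSize

# 3. Who is spawning the cmd.exe/conhost.exe pairs? Walk each one up to its parent.
#    On Windows 7 conhost.exe is always a child of csrss.exe, so the parent of cmd.exe is the useful one:
#    svchost.exe (the Task Scheduler service) points back to step 2; any other program points at itself.
#    ExecutablePath under C:\Windows\SysWOW64 confirms a 32-bit cmd.exe (the "cmd.*32" Task Manager shows).
"`nRunning cmd.exe / conhost.exe processes and their parents:"
Get-CimInstance Win32_Process -Filter "Name='cmd.exe' OR Name='conhost.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
    [pscustomobject]@{
        Name        = $_.Name
        ProcessId   = $_.ProcessId
        ParentId    = $_.ParentProcessId
        ParentName  = if ($parent) { $parent.Name } else { '(exited)' }
        ParentPath  = if ($parent) { $parent.ExecutablePath } else { '' }
        Path        = $_.ExecutablePath
        CommandLine = $_.CommandLine
    }
} | Sort-Object ParentId | Format-Table -AutoSize
```

Save it as a .ps1 file and run it from an elevated PowerShell window (if script execution is blocked, `powershell -ExecutionPolicy Bypass -File triage.ps1` runs it for that one invocation). The interesting output is the parent of each cmd.exe: a third-party program there, as the later posts in this thread found with System Mechanic, is a very different situation from a scheduled task or service that no installed program accounts for.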
 
Well, I'm not exactly sure what to tell you to do from here. Persistent infections aren't my strongest area, however, two things come to mind.

One, I'll see if one of the other members with more experience in this area might be willing to help out with this and two you might ask around over at another forum that's dedicated specifically to wiping out infections.

Spywarehammer forum: http://spywarehammer.com/simplemachinesforum/index.php/board,10.0.html
 
1. Turn off System Restore. Malware can hide there and regenerate on reboot.

2. Remove the drive, connect it externally to a known clean system and scan the drive with multiple malware and virus scanners (at least 3 of each). No single scanner is 100% accurate.

3. Repeat step 2 until ALL scans come back clean.

4. Reinstall the drive, unplug the ethernet cable, & boot the system. It should be clean at this point. If not then back up your files, wipe the drive, and reinstall Windows clean.


Step #2 above is very important. You can never be sure that you've found everything on an active system, but, when connecting the drive to another system, none of the files on that drive are active and therefore cannot potentially hide from scans.
 
I knew I missed a step. I forgot about connecting to a separate system or using it as a secondary drive on your primary system, in the event you might have another drive you can temporarily or as a backup, install windows on. Thanks for the advice.

I'd do as ex_bubblehead has indicated and see what shakes out. I always hesitate to advise anybody to have to do a clean install of Windows if it isn't necessary, but if for any reason the above method doesn't work or you can't find anything over at Spywarehammer, then it's probably the last option you have.
 

Skynet2020

Is it possible for this virus or malware to jump hard drives? It may sound dumb, but I have 3 internal hard drives, mostly for storage, and I run my OS off a single hard drive and have programs like Fraps write to one of my other drives. If this is possible then that is a big problem, because this malware/virus can just jump to another hard drive connected to my motherboard. As far as having another system to test it on, I do not :( I will turn off System Restore though and run through the program list you gave me, darkbreeze, and thank you both. And yeah, I really don't like the idea of a full format, but I will if this fails.
 
Nah, I think you misunderstood. The drive needs to be connected as a secondary drive to another system, or to your current system with a separate drive that is not infected and has Windows installed on it; otherwise the infection can just keep replicating as long as you're running the system off that drive. Otherwise, since the majority of your files are hopefully backed up on one of those other drives, reinstalling is the best option.
 

Skynet2020

I did misunderstand. It's okay, I believe what I did do worked somewhat ;) I disconnected my other 2 drives and turned off System Restore. It seems that worked for the most part. I still get the conhost.exe and the cmd.*32, but they're not multiplying :) I waited an hour and only four of each are opening, and I think these 4 conhost.exe and 4 cmd.*32 are somehow related to System Mechanic, because when I killed System Mechanic it killed all 4 of them :) I still do not believe it's normal that 20 minutes after loading Windows you get a beep beep and then 4 of them pop up in Task Manager. I am going to uninstall System Mechanic and I will let you guys know if it's the cause of just the four only, but as for the multiplying conhost.exe and cmd.*32 I do believe it's been killed for good :)
 

Skynet2020

It was System Mechanic causing the 4 conhost.exe and 4 cmd.*32 twenty minutes after Windows booted up. Now I don't know if the multiplying conhost.exe and cmd.*32 came from System Mechanic, but since that subscription is almost up, and even though I love the program, I will buy CCleaner instead. Thanks guys for your help :)

 