Sysinternals forum thread, Windows Discussions > Malware

conhost.exe malware or legit?
MichaelDev (Newbie), posted 02 February 2011 at 5:53am:
Hey guys, I've been seeing conhost.exe recently running in the background, and it seems to pop up in Task Manager even after I kill it. I believe one of the conhost.exe instances (the bottom-most one) shown in my attached pic is related to AVGIDSMonitor.exe. But I'm worried about the conhost.exe that is listed at the top. I can't seem to get any properties of it to show, or kill it manually, as I get "access denied". Any help on whether I should let it be, or ways to kill it if it's malicious, would be helpful. If any other info is needed, please let me know.
Thanks
Michael

http://imageupload.org/?di=1129662575616
nullptr (Senior Member, Australia), posted 02 February 2011 at 7:49am:
edit:
  After looking at the pic it seems OK. Conhost.exe can be malware (cycbot +). The genuine conhost.exe is in the system32 directory.
wj32 (Senior Member, Australia), posted 02 February 2011 at 8:02am:
conhost.exe is normal.
PH, a free and open source process viewer.

MichaelDev (Newbie), posted 02 February 2011 at 8:54pm:
Cheers for the reply. I understand that conhost.exe is normally safe. But should there be 2 instances of csrss and conhost? I've included another pic with the properties of the topmost conhost.exe, which shows no path and no info (whereas the conhost at the very bottom shows the correct path and all info). Still safe to ignore? Just worried it might be doing something malicious.

http://imageupload.org/?di=3129667976013

ken2000 (Newbie), posted 01 August 2011 at 1:36pm:
uploads/39893/conhost.rar

I found a couple of conhost.exe in different subdirectories under c:\windows\winsxs
Attached the screenshot in the rar file.

Can I assume that it is safe?

nullptr (Senior Member, Australia), posted 01 August 2011 at 3:17pm:
> Can I assume that it is safe?

Most likely. The only malicious conhost.exe(s) I've seen are Win32 malware and don't run on x64.

Win7 x64 SP1 listing, with MD5:

C:\Windows\System32\conhost.exe    --a---- 338944 bytes    [05:35 13/07/2011]    [06:53 03/06/2011] 0781B335C421A785520037365897F1BF
C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7600.16385_none_d050b8f81bcacc5a\conhost.exe    --a---- 338432 bytes    [23:38 13/07/2009]    [01:39 14/07/2009] F64E8258351E501AA065AC499530367C
C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7600.16816_none_d09d72341b9113dd\conhost.exe    --a---- 338944 bytes    [05:36 13/07/2011]    [07:32 14/05/2011] 4E61A3EDD4F8B6B8278C54E15A5EEF34
C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7600.16823_none_d08fa16a1b9be3c9\conhost.exe    --a---- 338944 bytes    [05:35 13/07/2011]    [06:35 02/06/2011] DD2CE830345301D6817B9C4646E90D15
C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7600.20978_none_d0e8300b34dd8dfb\conhost.exe    --a---- 338944 bytes    [05:35 13/07/2011]    [06:50 03/06/2011] 410D122273D8B4B6282D2B555EF064F7
C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.17514_none_d281ccc018b94ff4\conhost.exe    --a---- 337920 bytes    [05:32 23/02/2011]    [13:24 20/11/2010] BD51024FB014064BC9FE8C715C18392F
C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.17617_none_d284cf8418b69920\conhost.exe    --a---- 338432 bytes    [05:36 13/07/2011]    [07:16 14/05/2011] 28B04ED2C7F75723B1B4FC490F8A20D4
C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.17625_none_d277ff0418c08263\conhost.exe    --a---- 338944 bytes    [05:35 13/07/2011]    [06:53 03/06/2011] 0781B335C421A785520037365897F1BF
C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.21728_none_d3049cad31db6e32\conhost.exe    --a---- 338432 bytes    [05:36 13/07/2011]    [07:09 14/05/2011] 5B738B95803CF1FD00CD8C5477DFBEAE
C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.21738_none_d2f9ccc131e38a23\conhost.exe    --a---- 338944 bytes    [05:35 13/07/2011]    [06:52 03/06/2011] 13A1C354D7DB71A4CD7DA8EB4C760DAE

ken2000 (Newbie), posted 02 August 2011 at 12:41am:
OK, thanks for the reply. :)

Cel01 (Newbie, United States), posted 02 February 2012 at 9:28am:
Windows 7 SP1 64 bit Home Premium

Within the past 48 hours I have gotten a few alerts from my Norton Internet Security about this file.

It has blocked it. Here is the info the program gives me about it blocking it. I am sure one of you out there understands it better than me.

Category: Norton Product Tamper Protection
Date & Time,Risk,Activity,Status,Recommended Action,Date,Actor,Actor PID,Target,Target PID,Action,Reaction
2012-02-02 1:17:24,Medium,Unauthorized access blocked (Access Process Data),Blocked,No Action Required,2012-02-02 1:17:24,C:\WINDOWS\SYSTEM32\CONHOST.EXE,4364,C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\cltlmh.exe,4532,Access Process Data,Unauthorized access blocked

MagicAndre1981 (Moderator Group, Germany), posted 02 February 2012 at 1:04pm:
Look at the file versions and check the MD5 hash of the file:

faa93cd63bcac60d74dbd7762402044f *C:\Windows\System32\conhost.exe
bd51024fb014064bc9fe8c715c18392f *C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.17514_none_d281ccc018b94ff4\conhost.exe
448bf22538f1dfcb3412ae2b1cf123a9 *C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.17641_none_d25e5e0418d454e9\conhost.exe
e6157d6f1ea0b2827326e817eb833380 *C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.21773_none_d2c98b9f32087b34\conhost.exe
7cd62a90d99f916564aa9d095f4299eb *C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.21824_none_d3009d6b31df05fd\conhost.exe
faa93cd63bcac60d74dbd7762402044f *C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.21831_none_d2f2cca131e9d5e9\conhost.exe

I have some hotfixes which install QFE versions, so you may not have all versions.

cel (Newbie), posted 04 February 2012 at 4:03pm:
I have no clue how to do the MD5 hash thing on files. Can you walk me through it? Thanks

W7 SP1 Home Premium
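
The checks the replies in this thread rely on (the genuine binary sits in System32, its MD5 matches a known build, and cel's question of how to hash a file at all), as an added PowerShell example. This is not code from the thread or from any of the posters. It starts from a constructed copy of the Norton tamper-protection record Cel01 posted, checks the actor path that record names, then lists every running conhost.exe with its parent process, path and MD5. Assumptions: it is run as Administrator on Windows 7 x64, Get-FileHash needs PowerShell 4 or later, and the known-good hash list is only the hashes quoted in this thread, so it is not complete.

```powershell
# Added example, not from the thread: verify conhost.exe by path, parent, MD5 and signature.
# Assumes an elevated PowerShell 4+ session on Windows 7 x64.

# Constructed copy of the Norton tamper-protection record posted above, joined into one CSV line.
$nortonCsv = @'
Date & Time,Risk,Activity,Status,Recommended Action,Date,Actor,Actor PID,Target,Target PID,Action,Reaction
2012-02-02 1:17:24,Medium,Unauthorized access blocked (Access Process Data),Blocked,No Action Required,2012-02-02 1:17:24,C:\WINDOWS\SYSTEM32\CONHOST.EXE,4364,C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\cltlmh.exe,4532,Access Process Data,Unauthorized access blocked
'@

# Known-good MD5s quoted in this thread (System32 copies from the two listings). Not complete:
# every hotfix/QFE build has its own hash, so extend this from a machine you trust.
$knownGoodMd5 = @(
    '0781B335C421A785520037365897F1BF',
    'BD51024FB014064BC9FE8C715C18392F',
    'FAA93CD63BCAC60D74DBD7762402044F'
)

function Test-ConhostPath {
    param([string]$Path)
    # Only the System32 copy should ever be running; the WinSxS copies are component-store
    # originals that Windows keeps for servicing, not binaries that get launched.
    $sys32 = Join-Path $env:SystemRoot 'System32\conhost.exe'
    return ($Path -ieq $sys32)
}

function Get-ConhostReport {
    param([string]$Path)
    $report = [ordered]@{ Path = $Path; InSystem32 = (Test-ConhostPath $Path) }
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        $md5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $report.MD5             = $md5
        $report.KnownGood       = ($knownGoodMd5 -contains $md5)   # -contains is case-insensitive
        $report.SignatureStatus = $sig.Status
        $report.Signer          = $sig.SignerCertificate.Subject
    } else {
        $report.MD5 = $null; $report.KnownGood = $false; $report.SignatureStatus = 'FileNotFound'
    }
    return [pscustomobject]$report
}

# 1. Parse the Norton record and check the actor it blocked.
$record = $nortonCsv | ConvertFrom-Csv
"Norton blocked actor $($record.Actor) (PID $($record.'Actor PID')) accessing $($record.Target)"
Get-ConhostReport -Path $record.Actor | Format-List

# 2. Check every running conhost.exe. WMI reports ExecutablePath even where Task Manager showed
#    no path, provided the session is elevated. On Windows 7 each conhost is started by csrss.exe,
#    so a different parent, a path outside System32 or an unknown hash is what deserves a look.
Get-WmiObject Win32_Process -Filter "Name='conhost.exe'" | ForEach-Object {
    $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
    $parentName = if ($parent) { $parent.Name } else { 'unknown' }
    $md5 = if ($_.ExecutablePath) { (Get-FileHash -LiteralPath $_.ExecutablePath -Algorithm MD5).Hash } else { $null }
    [pscustomobject]@{
        PID        = $_.ProcessId
        Parent     = $parentName
        Path       = $_.ExecutablePath
        InSystem32 = (Test-ConhostPath $_.ExecutablePath)
        MD5        = $md5
        KnownGood  = ($knownGoodMd5 -contains $md5)
    }
} | Format-Table -AutoSize
```

On a stock Windows 7 install PowerShell is 2.0, which lacks Get-FileHash; there `certutil -hashfile C:\Windows\System32\conhost.exe MD5` or Sysinternals `sigcheck -h C:\Windows\System32\conhost.exe` gives the same hash, and sigcheck also verifies the signature. The signature check in the script needs a caveat: Windows system binaries are usually catalog-signed rather than carrying an embedded Authenticode signature, so a SignatureStatus of NotSigned from Get-AuthenticodeSignature on an older Windows is not by itself suspicious, whereas sigcheck reporting the file as verified and hashing to a known build is the stronger answer.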