Windows 7 Forums



Windows 7: W32.Sober in conhost.exe?

16 Dec 2008   #11
darkassain

Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
 
 

You see, if you remove the conhost.exe
you essentially can't run command prompts...

I will do a network log on an idle machine running 6956 and another 6801 and see...
btw I have MS network monitor if you want to try it too [so far so good with this app]

I will check with you guys later about this and compare notes....


17 Dec 2008   #12
ShaWn

Windows 7 build 7057
 
 

I read somewhere that conhost.exe is hosting cmd's window. It's something like an emulator.
17 Dec 2008   #13
MegaFixer

Microsoft Windows 6.1 (Build 6801)
 
 

Win32:Sober-A is an email worm written in Visual Basic and packed with a modified version of the UPX packer. The infected message could contain one of many different subject lines in either English or German.

Some of the messages pretend to be an update from an anti-virus company.

Win32:Sober-A contains its own SMTP routine for sending the e-mails. The recipient addresses are harvested from different files on the local machine. The worm installs itself into the system directory on the infected machine under the name SIMILARE.EXE. Two other copies of the worm are stored on the local disk as well. This worm has a special mechanism which is responsible for keeping the worm active in memory: it has two processes running, and when one of them is terminated, the other one will restart it very quickly.

Win32:Sober-A adds a filename to the following registry entry so that the worm runs when you log on to your computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

It also creates the following file in the Windows system folder:
Macromed\Help\Media.dll

This file contains e-mail addresses collected from the system.

17 Dec 2008   #14
davehc
Microsoft MVP

Vista and now 7 in 32 and 64 bit.
 
 

That is the extract from the Avast definitions. I use Avast on 7 and Vista and it did not detect it. A more thorough check also showed nix so I don't think it is a natural occurrence from all the current downloads.
17 Dec 2008   #15
Brink

64-bit Windows 10 Pro
 
 

I did not get any notice from Avast about it either, only with Spybot S&D.
17 Dec 2008   #16
darkassain

Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
 
 

I think there is a very good chance that it's a false positive, as I believe the worm would be requesting access to the net, which (even if it was DNS packets) MS monitor would see....
I have not seen anything different in the conhost from other builds apart from the fact that now it will close when I close cmd....

link: http://www.neowin.net/forum/index.ph...entry590257792


neowin....

edit: posted scan, no AV has reported the Sober worm...

http://www.virustotal.com/analisis/5...e67dc20ef2d348
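
The host-side counterpart to the network check above, as an added example that is not part of the thread: it looks for the Sober-A indicators quoted in post #13 (SIMILARE.EXE, Macromed\Help\Media.dll, a Run-key value) and confirms that running conhost.exe instances load from System32. Also checking SysWOW64 and the Wow6432Node Run key is an assumption made here for 64-bit systems, and the function name is hypothetical.

```powershell
# Added example: host triage for the "Sober in conhost.exe" alert.
# Indicator names come from the Avast description quoted in post #13.
function Test-SoberIndicators {
    # System32 always; SysWOW64 only where it exists (assumption for 64-bit hosts).
    $sysDirs = @('System32', 'SysWOW64') |
        ForEach-Object { Join-Path $env:SystemRoot $_ } |
        Where-Object { Test-Path $_ }
    $findings = @()

    # 1. Dropped worm copy and the harvested-address file in the system directory.
    foreach ($dir in $sysDirs) {
        foreach ($rel in 'SIMILARE.EXE', 'Macromed\Help\Media.dll') {
            $p = Join-Path $dir $rel
            if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
        }
    }

    # 2. Run-key values that would launch the dropped copy at logon.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if ($value -match 'SIMILARE\.EXE') {
                $findings += "Run value '$name' in $key -> $value"
            }
        }
    }

    # 3. Every running conhost.exe should be the copy in System32.
    #    Path can be empty without elevation; such processes are skipped.
    $expected = Join-Path $env:SystemRoot 'System32\conhost.exe'
    foreach ($proc in Get-Process -Name conhost -ErrorAction SilentlyContinue) {
        if ($proc.Path -and $proc.Path -ne $expected) {
            $findings += "conhost.exe (PID $($proc.Id)) runs from $($proc.Path)"
        }
    }
    return $findings
}

$result = Test-SoberIndicators
if ($result) { $result }
else { 'No Sober-A indicators found; the alert is consistent with a false positive.' }
```

Run it from an elevated 64-bit PowerShell prompt so that process paths are readable and System32 is not redirected.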
25 Dec 2008   #17
alon210

W7
 
 

Spybot reports conhost as an infection on my computer too...
25 Dec 2008   #18
Bare Foot Kid
Microsoft MVP

W 7 64-bit Ultimate
 
 

Hello alon210, welcome to Se7en Forums!

As I'm sure you're aware, it is generally believed that it is a false detection.

Later Ted
26 Dec 2008   #19
alon210

W7
 
 

Thanks for your reply BFK (I think I can say BFK^^)
26 Dec 2008   #20
Bare Foot Kid
Microsoft MVP

W 7 64-bit Ultimate
 
 

Hello again!

Yes; that's fine. You can call me anything you like; just don't call me late for meals.

Later Ted