Thank you very much for your quick answers.
I have successfully recovered the file, following Ted's and Mr Grim's suggestion on doing a system restore.
Thank very much, once again!
Hello again krypnik.
I'm pleased to see you've found a solution that worked for you!
Later :) Ted
is this a false postive? i know its been while since this thread has had anything added to the topic, but i just got home and when my computer came back up from idling for about 3 hours i had about 20-25 conhost.exe's running the back ground. and then one by one they disappeared. im running build 7048 64-bit. just was unclear if it was or not.
im probably going to to a clean install within the next few days, so any kind of infection at this point will get erased then.
spook
If everybody is so sure this is a False Positive, tell me how you deleted it! It has it's own Administrator rights and Says can only be deleted or changed by "Trusted Installer"! As Administrator, I should be able to delete or change any file I wish!
It claims to be a Microsoft file. Why will Microsoft not come out and say it is?
I wonder how many computers are infected, and when will Conhost suddenly come alive! I do believe this is a Trojan!
Hi john d ross & welcome :)
The whole point is, is that MS don't want you to delete that file as it's needed by the system.
Even with admin privileges, you don't have access/control over a lot of files.
If you really did want to delete it, you'd make sure that you have ownership and full control permissions before doing so (NOT RECOMMENDED).
This might be of interest to you.
What is conhost.exe and Why Is It Running? :: the How-To Geek
conhost.exe (Sober Trojan)
thanks rsvr85
APPRECIATE YOUR QUICK REPLY. jUST WONDERED ARE THERE ANY OTHER FILES IN THE O.S, WHICH ARE UNDER THE CONTROL OF "' tRUSTED iNSTALLER"' AND WON'T ALLOW EVEN ADMINISTRATOR ACCESS? AND WHY DOES CONHOST.EXE CHANGE TO CMD.EXE AND BACK AGIN, BY ITSELF, AFTER I OPEN THE SYSTEM32 FILES.
REGARDS
A lot of the files in %windir% & %windir%\system32 are under the control of trusted installer. It's much safer that way
conhost doesn't have a GUI i believe and as such will probably just flash when you try and execute it in Explorer, much the same as ipconfig.exe does.
See the How-To-Geek link above for a full explanation of conhost.exe
One more concern.
My Virus protection provider asked me to Password Protect Archive and send to their investigators. The system will not allow me to Archive and send. Message says Access not allowed! I am not deleting, or changing the file, but access is denied!
Why is Microsoft not speaking about all these concerns?
What concerns?
As the file is system protected, it won't allow access by anything other that itself. Also this is possible to happen if the file is in use (which conhost.exe probably will be)
Please, unless you are 100% sure it's malicious, do not delete conhost.exe
Quote