W32.Sober in conhost.exe?
- Thread starter ShaWn
- Start date
can you do a sfc /scannow???
or if you dont want to go thorough that process can you give us the MD5 hash
go here
http://www.whitsoftdev.com/md5/
download the unicode and open it point to the file itself and post the hash here..
or if you dont want to go thorough that process can you give us the MD5 hash
go here
http://www.whitsoftdev.com/md5/
download the unicode and open it point to the file itself and post the hash here..
My Computer
- Computer Manufacturer/Model Number
- Tx2500z Tablet Pc/Homemade Server
- OS
- Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
- CPU
- Turion X2 ultra (oh well came with laptop)/P4 @3.2 (yes P4)
- Motherboard
- IDK HP Motherboard / Intel DG965SS
- Memory
- OCZ Dual Channel 4GB kit/ 1gb Dual Channel
- Graphics Card(s)
- HD 3200 graphics /GMA x3100 (yay for intergrated!!)
- Sound Card
- Realtek HD Audio(mic working, well sort of)/Siig IC-70012
- Monitor(s) Displays
- built-in Hp 12" laptop screen/ Acer 19"
- Screen Resolution
- 1280x800 /1440x900
- Cooling
- All Air Cooled
- Mouse
- Logi MX Rev. /MS Wheel Optical 1.1A /Logitech Optical Mouse
- Internet Speed
- College baby but its still routed through vpn to 1536k...
- Other Info
- love my wacom pen and pressure sensitivity...
wished it worked in 7, SUSE for that matter though
i got this
05f88bf36b0cdd276cc0b6ad9554b397 md5 hash
whats yours???
05f88bf36b0cdd276cc0b6ad9554b397 md5 hash
whats yours???
My Computer
- Computer Manufacturer/Model Number
- Tx2500z Tablet Pc/Homemade Server
- OS
- Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
- CPU
- Turion X2 ultra (oh well came with laptop)/P4 @3.2 (yes P4)
- Motherboard
- IDK HP Motherboard / Intel DG965SS
- Memory
- OCZ Dual Channel 4GB kit/ 1gb Dual Channel
- Graphics Card(s)
- HD 3200 graphics /GMA x3100 (yay for intergrated!!)
- Sound Card
- Realtek HD Audio(mic working, well sort of)/Siig IC-70012
- Monitor(s) Displays
- built-in Hp 12" laptop screen/ Acer 19"
- Screen Resolution
- 1280x800 /1440x900
- Cooling
- All Air Cooled
- Mouse
- Logi MX Rev. /MS Wheel Optical 1.1A /Logitech Optical Mouse
- Internet Speed
- College baby but its still routed through vpn to 1536k...
- Other Info
- love my wacom pen and pressure sensitivity...
wished it worked in 7, SUSE for that matter though
It's same as I have, there are 2 options now:
1) Worm is in instalation files
2) SpyBot doing false alarm
My Computer
- OS
- Windows 7 build 7057
yes this is a false alarm...
have 6956 in vm...
clean install
there are no connections bypassing the firewall (got ms network monitor to check for that)
and frankly avast would have picked it up (on my real machine have 6956...)
have 6956 in vm...
clean install
there are no connections bypassing the firewall (got ms network monitor to check for that)
and frankly avast would have picked it up (on my real machine have 6956...)
My Computer
- Computer Manufacturer/Model Number
- Tx2500z Tablet Pc/Homemade Server
- OS
- Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
- CPU
- Turion X2 ultra (oh well came with laptop)/P4 @3.2 (yes P4)
- Motherboard
- IDK HP Motherboard / Intel DG965SS
- Memory
- OCZ Dual Channel 4GB kit/ 1gb Dual Channel
- Graphics Card(s)
- HD 3200 graphics /GMA x3100 (yay for intergrated!!)
- Sound Card
- Realtek HD Audio(mic working, well sort of)/Siig IC-70012
- Monitor(s) Displays
- built-in Hp 12" laptop screen/ Acer 19"
- Screen Resolution
- 1280x800 /1440x900
- Cooling
- All Air Cooled
- Mouse
- Logi MX Rev. /MS Wheel Optical 1.1A /Logitech Optical Mouse
- Internet Speed
- College baby but its still routed through vpn to 1536k...
- Other Info
- love my wacom pen and pressure sensitivity...
wished it worked in 7, SUSE for that matter though
Hello Shawn,
Yes, I can confirm the same thing.
Shawn
Yes, I can confirm the same thing.
Shawn
My Computer
- Computer type
- PC/Desktop
- Computer Manufacturer/Model Number
- Self built custom
- OS
- 64-bit Windows 11 Pro for Workstations
- CPU
- Intel i7-8700K OC'd to 5 GHz
- Motherboard
- ASUS ROG Maximus XI Formula Z390
- Memory
- 64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
- Graphics Card(s)
- ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
- Sound Card
- Integrated
- Monitor(s) Displays
- 2 x Samsung Odyssey G7 27"
- Screen Resolution
- 2560x1440
- Hard Drives
- 1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
- PSU
- Seasonic Prime Titanium 850W
- Case
- Thermaltake Core P3
- Cooling
- Corsair Hydro H115i
- Keyboard
- Logitech wireless K800
- Mouse
- Logitech MX Master 4
- Internet Speed
- 2 Gb/s Download and 100 Mb/s Upload
- Antivirus
- Malwarebyte Anti-Malware Premium
- Browser
- Google Chrome
- Other Info
- Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
you can also check in processxp
its strings
if you know how...
here is conhost.exe strings...
i see nothing out of the ordinary in the strings....
edit: two shawns
...lol
its strings
if you know how...
here is conhost.exe strings...
i see nothing out of the ordinary in the strings....
edit: two shawns
...lolMy Computer
- Computer Manufacturer/Model Number
- Tx2500z Tablet Pc/Homemade Server
- OS
- Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
- CPU
- Turion X2 ultra (oh well came with laptop)/P4 @3.2 (yes P4)
- Motherboard
- IDK HP Motherboard / Intel DG965SS
- Memory
- OCZ Dual Channel 4GB kit/ 1gb Dual Channel
- Graphics Card(s)
- HD 3200 graphics /GMA x3100 (yay for intergrated!!)
- Sound Card
- Realtek HD Audio(mic working, well sort of)/Siig IC-70012
- Monitor(s) Displays
- built-in Hp 12" laptop screen/ Acer 19"
- Screen Resolution
- 1280x800 /1440x900
- Cooling
- All Air Cooled
- Mouse
- Logi MX Rev. /MS Wheel Optical 1.1A /Logitech Optical Mouse
- Internet Speed
- College baby but its still routed through vpn to 1536k...
- Other Info
- love my wacom pen and pressure sensitivity...
wished it worked in 7, SUSE for that matter though
I agree, but I just do not feel comfortable with it considering the source of the OS.
My Computer
- Computer type
- PC/Desktop
- Computer Manufacturer/Model Number
- Self built custom
- OS
- 64-bit Windows 11 Pro for Workstations
- CPU
- Intel i7-8700K OC'd to 5 GHz
- Motherboard
- ASUS ROG Maximus XI Formula Z390
- Memory
- 64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
- Graphics Card(s)
- ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
- Sound Card
- Integrated
- Monitor(s) Displays
- 2 x Samsung Odyssey G7 27"
- Screen Resolution
- 2560x1440
- Hard Drives
- 1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
- PSU
- Seasonic Prime Titanium 850W
- Case
- Thermaltake Core P3
- Cooling
- Corsair Hydro H115i
- Keyboard
- Logitech wireless K800
- Mouse
- Logitech MX Master 4
- Internet Speed
- 2 Gb/s Download and 100 Mb/s Upload
- Antivirus
- Malwarebyte Anti-Malware Premium
- Browser
- Google Chrome
- Other Info
- Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
this file was running when i was playing GTA IV.
but then after a few runs, it's gone.
but then after a few runs, it's gone.
My Computer
- OS
- Windows 7 Build 7057 x64/7068 x86
- CPU
- AMD Athlon X2 64 4200+ @ 2.6GHz
- Motherboard
- Gigabyte GA-M55SLI-S4
- Memory
- 4*1GB Kingston DDR2-667
- Graphics Card(s)
- Point of View 8800GT 512MB DDR3
- Sound Card
- Integrated Realtek ALC850
- Monitor(s) Displays
- ViewSonic VA712
- PSU
- CoolerMaster 430W PSU
Thanks for the info Shawn,
Was thinking of replacing my 6801 x86 with 6956 but think I'll wait till the public beta 
Was thinking of replacing my 6801 x86 with 6956 but think I'll wait till the public beta
My Computers
System One System Two
-
- Computer type
- PC/Desktop
- Computer Manufacturer/Model Number
- ChillBlast - Custom to my design
- OS
- Windows 11 Pro x64 [Latest Release and Release Preview]
- CPU
- Ryzen 9 5950X, 3.8 - 5.2 MHz
- Motherboard
- Asus Prime X570-Pro
- Memory
- 64GB [2 x 32GB] DDR4 3200MHz
- Graphics Card(s)
- 4GB NVIDIA GEFORCE GTX 1650 Ti
- Sound Card
- On-board SPDIF to 5.1 System + HDMI [5.1 system]
- Monitor(s) Displays
- 32" UHD 32 Bit HDR Monitor + 43" UHD 4K 32Bit HDR TV
- Screen Resolution
- 2 x 3840 x 2160 @60Hz
- Hard Drives
- 1TB M2 SSD OS, 500GB Fast Access SSD, 2 x 8TB Data + Various Externals from 1TB to 4TB, 10TB NAS
- PSU
- NZXT C750 80 PLUS Gold 750W Modular PSU
- Case
- Workstation Case [Matt Black]
- Cooling
- NZXT Kraken X63 280mm CPU Cooler +2x Quiet Case fans
- Keyboard
- Logitech Wireless MX Keys & K400 + others
- Mouse
- Logitech Wireless MX Master 3S
- Internet Speed
- 920 MB Down 50 MB Up
- Antivirus
- BitDefender Total Security Pro
- Browser
- Chrome (always run latest Non-Beta)
- Other Info
- Also run ...
Laptop - Quad 8GB - Windows 10 Pro x64
Nexus 7 Android tablet x2
Samsung 10.2" tablet
Blackview TAB 8 4G Android Tablet c/w Keyboard
Wacom Intuos Pro Medium Pen Pad
Wacom Intuos Pro Small Pen Pad
Wacom Expresskeys Remote
Loopdeck+ Graphics Controller
Shuttle Pro v2 Control
-
- Computer type
- Laptop
- System Manufacturer/Model Number
- Dell XPS 17 10750H
- OS
- Windows 11 Pro x64 Latest RP
- CPU
- Intel I7 10750H 5.0GHz
- Motherboard
- Dell XPS
- Memory
- 32GB [2x16GB] DDR4 2933 MHz
- Graphics Card(s)
- nVidia GTX1650Ti 4 GB GDDR6
- Sound Card
- Stock [Realtek] 4 Speaker
- Monitor(s) Displays
- 17" IPS UHD+ Infinity Edge Touchscreen
- Screen Resolution
- 3840 x 2400
- Hard Drives
- 2TB M2 NVMe, 4TB External + various 500GB & 1TB External NVMe (also have access to spinner HDD from
- PSU
- Stock
- Case
- Stock XPS Aluminium & Carbon Fibre
- Cooling
- Stock - Active Fan Control
- Keyboard
- Backlit + Various Logitech
- Mouse
- Stock Track Pad + Logitech MX Trackball
- Internet Speed
- 72 MB Down 18MB Up
- Browser
- Chrome
- Other Info
- Also run ...
Laptop - Quad 8GB - Windows 10 Pro x64
Nexus 7 Android tablet x2
10.2" tablet
Sony Z3 Android Smartphone
Wacom Intuos Pro Medium Pen Pad
Wacom Intuos Pro Small Pen Pad
Wacom Expresskeys Remote
Loopdeck+ Graphics Controller
Shuttle Pro v2 Control Pad
10TB NAS
you see if you remove the conhost.exe
you essentially cant run command prompts...
i will do a network log on a idle machine running 6956 and another 6801 and see...
btw i have MS network monitor if you want to try it too [so far so good with this app]
i will check with you guys latter about this and compare notes....
you essentially cant run command prompts...
i will do a network log on a idle machine running 6956 and another 6801 and see...
btw i have MS network monitor if you want to try it too [so far so good with this app]
i will check with you guys latter about this and compare notes....
My Computer
- Computer Manufacturer/Model Number
- Tx2500z Tablet Pc/Homemade Server
- OS
- Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
- CPU
- Turion X2 ultra (oh well came with laptop)/P4 @3.2 (yes P4)
- Motherboard
- IDK HP Motherboard / Intel DG965SS
- Memory
- OCZ Dual Channel 4GB kit/ 1gb Dual Channel
- Graphics Card(s)
- HD 3200 graphics /GMA x3100 (yay for intergrated!!)
- Sound Card
- Realtek HD Audio(mic working, well sort of)/Siig IC-70012
- Monitor(s) Displays
- built-in Hp 12" laptop screen/ Acer 19"
- Screen Resolution
- 1280x800 /1440x900
- Cooling
- All Air Cooled
- Mouse
- Logi MX Rev. /MS Wheel Optical 1.1A /Logitech Optical Mouse
- Internet Speed
- College baby but its still routed through vpn to 1536k...
- Other Info
- love my wacom pen and pressure sensitivity...
wished it worked in 7, SUSE for that matter though
Win32:Sober-A
is an email worm written in Visual Basic and packed with the modified version of UPX packer. The infected message could contain one of many different subject lines either in English or German language.
Some of the messages pretend to be the an update from an anti-virus company.
Win32:Sober-A contains its own SMTP routine for sending the e-mails. The recipient addresess are harvested from different files on the local machine. The worm installs itself into the system directory on the infected machine under the name SIMILARE.EXE. Two other copies of the worm are stored on the local disk as well. This worm has a special mechanism which is responsible for the keeping the worm active in the memory: it has two processes running and when one of them is terminated, the other one will restart it very quickly.
Win32:Sober-A adds a filename to the following registry entry so that the worm runs when you logon to your computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
It also creates the following file in the Windows system folder:
Macromed\Help\Media.dll
This file contains e-mail addresses collected from the system.
is an email worm written in Visual Basic and packed with the modified version of UPX packer. The infected message could contain one of many different subject lines either in English or German language.
Some of the messages pretend to be the an update from an anti-virus company.
Win32:Sober-A contains its own SMTP routine for sending the e-mails. The recipient addresess are harvested from different files on the local machine. The worm installs itself into the system directory on the infected machine under the name SIMILARE.EXE. Two other copies of the worm are stored on the local disk as well. This worm has a special mechanism which is responsible for the keeping the worm active in the memory: it has two processes running and when one of them is terminated, the other one will restart it very quickly.
Win32:Sober-A adds a filename to the following registry entry so that the worm runs when you logon to your computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
It also creates the following file in the Windows system folder:
Macromed\Help\Media.dll
This file contains e-mail addresses collected from the system.
My Computer
- OS
- Microsoft Windows 6.1 (Build 6801)
That is the extract from the Avast definitions. I use Avast on 7 and Vista and it did not detect it. A more thorough check also showed nix so I don't think it is a natural occurrence from all the current downloads.
My Computer
- Computer Manufacturer/Model Number
- Three desktops and one laptop with good specs..
- OS
- Vista and now 7 in 32 and 64 bit.
I did not get any notice from Avast about it either, only with Spybot S&D.
My Computer
- Computer type
- PC/Desktop
- Computer Manufacturer/Model Number
- Self built custom
- OS
- 64-bit Windows 11 Pro for Workstations
- CPU
- Intel i7-8700K OC'd to 5 GHz
- Motherboard
- ASUS ROG Maximus XI Formula Z390
- Memory
- 64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
- Graphics Card(s)
- ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
- Sound Card
- Integrated
- Monitor(s) Displays
- 2 x Samsung Odyssey G7 27"
- Screen Resolution
- 2560x1440
- Hard Drives
- 1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
- PSU
- Seasonic Prime Titanium 850W
- Case
- Thermaltake Core P3
- Cooling
- Corsair Hydro H115i
- Keyboard
- Logitech wireless K800
- Mouse
- Logitech MX Master 4
- Internet Speed
- 2 Gb/s Download and 100 Mb/s Upload
- Antivirus
- Malwarebyte Anti-Malware Premium
- Browser
- Google Chrome
- Other Info
- Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
i think its there is very good chance that its a false positve as believe the worm would be requesting access to the net wihich (even if it was dns packets) MS monitor would see those....
i have not seen anything different in the conhost from other builds apart from the fact that now it will close when i close cmd....
link: http://www.neowin.net/forum/index.php?showtopic=708246&pid=590257792&st=0&#entry590257792
neowin....
edit: posted scan no av has reported sober worm...
http://www.virustotal.com/analisis/582d92f1a97e47f5a1e67dc20ef2d348
i have not seen anything different in the conhost from other builds apart from the fact that now it will close when i close cmd....
link: http://www.neowin.net/forum/index.php?showtopic=708246&pid=590257792&st=0&#entry590257792
neowin....
edit: posted scan no av has reported sober worm...
http://www.virustotal.com/analisis/582d92f1a97e47f5a1e67dc20ef2d348
Last edited:
My Computer
- Computer Manufacturer/Model Number
- Tx2500z Tablet Pc/Homemade Server
- OS
- Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
- CPU
- Turion X2 ultra (oh well came with laptop)/P4 @3.2 (yes P4)
- Motherboard
- IDK HP Motherboard / Intel DG965SS
- Memory
- OCZ Dual Channel 4GB kit/ 1gb Dual Channel
- Graphics Card(s)
- HD 3200 graphics /GMA x3100 (yay for intergrated!!)
- Sound Card
- Realtek HD Audio(mic working, well sort of)/Siig IC-70012
- Monitor(s) Displays
- built-in Hp 12" laptop screen/ Acer 19"
- Screen Resolution
- 1280x800 /1440x900
- Cooling
- All Air Cooled
- Mouse
- Logi MX Rev. /MS Wheel Optical 1.1A /Logitech Optical Mouse
- Internet Speed
- College baby but its still routed through vpn to 1536k...
- Other Info
- love my wacom pen and pressure sensitivity...
wished it worked in 7, SUSE for that matter though
Hello alon210, welcome to Se7en Forums!
As I'm sure you're aware; it is generally believed that it is a false detection.
Later Ted
As I'm sure you're aware; it is generally believed that it is a false detection.
Later
TedMy Computer
- Computer Manufacturer/Model Number
- * BFK Customs *
- OS
- W 7 64-bit Ultimate
- CPU
- Intel Q9550 Yorkfield
- Motherboard
- ASUS P5Q Pro
- Memory
- 8GB Dominator 8500C5D
- Graphics Card(s)
- ATI : XFX 5870
- Sound Card
- Realtek HD Audio 7-1
- Monitor(s) Displays
- 1x 47" LCD HDMI & 3x 26" LCD HDMI
- Screen Resolution
- 1920x1080P & 1920x1200
- Hard Drives
- 1x 80GB Intel X25-M G2 SSD : 1x 500GB & 1x 640GB WD Caviar Black(s)
- PSU
- Corsair 620HX
- Case
- Cooler Master RC-690
- Cooling
- Tuniq Tower 120, 2x 140mm and 3x 120mm case fans
- Keyboard
- Microsoft 500
- Mouse
- Razer Diamondback 3G
- Internet Speed
- 14 Mb/s
- Other Info
- 1x Koutech 3Gb/s SATA HDD Hot Swap Rack
Hello again!
Yes; that's fine. You can call me anything you like; just don't call me late for meals.
Later Ted
Yes; that's fine. You can call me anything you like; just don't call me late for meals.
Later
TedMy Computer
- Computer Manufacturer/Model Number
- * BFK Customs *
- OS
- W 7 64-bit Ultimate
- CPU
- Intel Q9550 Yorkfield
- Motherboard
- ASUS P5Q Pro
- Memory
- 8GB Dominator 8500C5D
- Graphics Card(s)
- ATI : XFX 5870
- Sound Card
- Realtek HD Audio 7-1
- Monitor(s) Displays
- 1x 47" LCD HDMI & 3x 26" LCD HDMI
- Screen Resolution
- 1920x1080P & 1920x1200
- Hard Drives
- 1x 80GB Intel X25-M G2 SSD : 1x 500GB & 1x 640GB WD Caviar Black(s)
- PSU
- Corsair 620HX
- Case
- Cooler Master RC-690
- Cooling
- Tuniq Tower 120, 2x 140mm and 3x 120mm case fans
- Keyboard
- Microsoft 500
- Mouse
- Razer Diamondback 3G
- Internet Speed
- 14 Mb/s
- Other Info
- 1x Koutech 3Gb/s SATA HDD Hot Swap Rack