W32.Sober in conhost.exe?

[ExNavy11]

Has anyone reported this to Spybot SD support so they are made aware of it and can fix it so it doesnt come up as a worm?

Ill go ahead and do it and see what they say. You know a lot of people will just do a scan, see that and delete it because they will believe its a worm/virus because the scanner told them it was. I wouldve done it if I had not seen this post here.

 

[Bare Foot Kid]

Hello BS.

Yes, quite a lot us of have sent "feedback" to MS and Spybot about it but the more the better.
















Later :shock: Ted

 

[krypnik]

Hi, I'm new here on Windows SevenForums, and so far I'm loving it!

I'm really glad I found this post!
After checking my system for spyware, Spybot reported conhost.exe as a worm. I think I got a little scared and deleted the file right away. Now some programs aren't working as they should, I receive an cmd.exe error.

Is it possible for someone to, please, upload the conhost.exe file?! If not, please, can anybody help me to restore the file so I don't have to reinstall my windows?


Thanks in advance,

 

[Mark]

Have you tried doing a system restore?

 

[zm91]

so far im sure this is just a false positive.

 

[Bare Foot Kid]

Hi, I'm new here on Windows SevenForums, and so far I'm loving it!

I'm really glad I found this post!
After checking my system for spyware, Spybot reported conhost.exe as a worm. I think I got a little scared and deleted the file right away. Now some programs aren't working as they should, I receive an cmd.exe error.

Is it possible for someone to, please, upload the conhost.exe file?! If not, please, can anybody help me to restore the file so I don't have to reinstall my windows?


Thanks in advance,

Hello krypnik,welcome to Se7en Forums!

Sorry you found out the hard way; we already knew it's a false positive.

I had the file already to upload to you; but I'm limited by the forums upload size limit; because the file is too big to upload. I'm sorry.......Maybe someone with a bigger size limit will upload it for you.

As Mr Grim suggested, have you tried a System Restore to a point before you deleted the file?

Keep us informed!


Later Ted

 

[Airbot]

I don't think you can transfer system32 files, can you?

 

[Bare Foot Kid]

Hello Aaron.

I just used this to make a copy of it to put in a zip; if that's what you're asking.

http://www.sevenforums.com/tutorials/516-context-menu-add-copy-folder-move-folder.html?ltr=C















Later ted

 

[Airbot]

Hi BFK..How ya doin?

No, I mean I believe it's a prohibited thing to do, according to dmex, I saw him say it in a post a few days ago. I could be wrong though.

 

[Bare Foot Kid]

Howdy, so far so good.

I thought that's what you were asking/saying; believe me if anyone knows, it would be dmex.

















Later :shock: Ted

 

[krypnik]

Thank you very much for your quick answers.

I have successfully recovered the file, following Ted's and Mr Grim's suggestion on doing a system restore.


Thank very much, once again!

 

[Bare Foot Kid]

Hello again krypnik.

I'm pleased to see you've found a solution that worked for you!

















Later Ted

 

[Airbot]

Glad you got it back krypnik.

 

[spook24]

is this a false postive? i know its been while since this thread has had anything added to the topic, but i just got home and when my computer came back up from idling for about 3 hours i had about 20-25 conhost.exe's running the back ground. and then one by one they disappeared. im running build 7048 64-bit. just was unclear if it was or not.


im probably going to to a clean install within the next few days, so any kind of infection at this point will get erased then.



spook

 

[john d ross]

conhost.exe (Sober Trojan)

If everybody is so sure this is a False Positive, tell me how you deleted it! It has it's own Administrator rights and Says can only be deleted or changed by "Trusted Installer"! As Administrator, I should be able to delete or change any file I wish!
It claims to be a Microsoft file. Why will Microsoft not come out and say it is?
I wonder how many computers are infected, and when will Conhost suddenly come alive! I do believe this is a Trojan!

 

[rsvr85]

If everybody is so sure this is a False Positive, tell me how you deleted it! It has it's own Administrator rights and Says can only be deleted or changed by "Trusted Installer"! As Administrator, I should be able to delete or change any file I wish!
It claims to be a Microsoft file. Why will Microsoft not come out and say it is?
I wonder how many computers are infected, and when will Conhost suddenly come alive! I do believe this is a Trojan!

Hi john d ross & welcome
The whole point is, is that MS don't want you to delete that file as it's needed by the system.
Even with admin privileges, you don't have access/control over a lot of files.
If you really did want to delete it, you'd make sure that you have ownership and full control permissions before doing so (NOT RECOMMENDED).
This might be of interest to you.
What is conhost.exe and Why Is It Running? :: the How-To Geek

 

[john d ross]

conhost sober trojan

conhost.exe (Sober Trojan)
thanks rsvr85
APPRECIATE YOUR QUICK REPLY. jUST WONDERED ARE THERE ANY OTHER FILES IN THE O.S, WHICH ARE UNDER THE CONTROL OF "' tRUSTED iNSTALLER"' AND WON'T ALLOW EVEN ADMINISTRATOR ACCESS? AND WHY DOES CONHOST.EXE CHANGE TO CMD.EXE AND BACK AGIN, BY ITSELF, AFTER I OPEN THE SYSTEM32 FILES.
REGARDS

 

[rsvr85]

A lot of the files in %windir% & %windir%\system32 are under the control of trusted installer. It's much safer that way
conhost doesn't have a GUI i believe and as such will probably just flash when you try and execute it in Explorer, much the same as ipconfig.exe does.
See the How-To-Geek link above for a full explanation of conhost.exe

 

[john d ross]

conhost sober trojan

One more concern.
My Virus protection provider asked me to Password Protect Archive and send to their investigators. The system will not allow me to Archive and send. Message says Access not allowed! I am not deleting, or changing the file, but access is denied!
Why is Microsoft not speaking about all these concerns?

 

[rsvr85]

What concerns?

As the file is system protected, it won't allow access by anything other that itself. Also this is possible to happen if the file is in use (which conhost.exe probably will be)
Please, unless you are 100% sure it's malicious, do not delete conhost.exe