
Multiple Conhost.exe Tasks - Potential Malware Concerns

Anonymous
2024-10-24T01:32:07+00:00

I hope you can help me with an issue I’m experiencing on my Windows computer. I’ve noticed that there are over 11 instances of Console Window Host (conhost.exe) running in Task Manager, and it’s raising some red flags for me.

I have a reasonable suspicion that my system might be compromised, possibly with a cryptocurrency miner (like Bitcoin or XMR). I’m particularly concerned because I see multiple tasks running under NT AUTHORITY\SYSTEM privileges and they appear to be linked to my user account (User/Alex).

Here’s the backstory: recently, while using a public library computer, I stepped away for just a moment. When I returned, my computer was at the BIOS screen, which seemed very unusual. This has led me to believe that someone might have accessed my machine and installed something malicious.

I’ve done quite a bit of searching online and the results point towards possible malware or a trojan, but I’m not sure how to proceed with diagnosing or removing any potential threats.

If anyone has advice or suggestions on how to handle this situation, I would greatly appreciate it. I can provide screenshots for reference as well.

I have run RKill, ESET (which never ended up scanning or updating), Process Killer, Malwarebytes, Norton Security; god, I'm running out of options, but I seriously need help.

I finished The Mandalorian and thought Jack Black was a funny character in the TV show, so I decided to include him as well.

I'll check in tomorrow morning and see what's going on as far as updates. I can't seem to figure out what is running the background executables and I seriously need help.

https://pastebin.com/rAYRxuDj - Hitman Log

https://pastebin.com/datpCS1M - RKill Log

Locked Question. This question was migrated from the Microsoft Support Community.

17 answers
  1. Anonymous
    2024-10-24T22:19:34+00:00

    ```powershell
    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

    PS C:\Users\Alex> Get-Process conhost | Select Id, @{l='Parent';e={$_.Parent.Path}}

       Id Parent
       -- ------
     8516
     8556
     8688
     8880
     9124
     9360
     9504
     9612
    10300
    21052
    24992
    31124
    32880

    PS C:\Users\Alex>
    ```

    Give me a moment to look and find out.

    I took the time to print-screen the parent IDs one by one, and we'll go through them one by one:

    • wlan.exe (must be the VPN WLAN I have configured through the DDG browser VPN); wlanext.exe, Windows Wireless LAN, KEWL BEANS
    • NVIDIA (good)
    • Gotta be the Razer Basilisk mouse device I have
    • Razer App Manager (looking gewd)
    • Razer Diagnostics (supra ultra gewd)
    • Razer Synapse (totally gewd)
    • Razer Device Manager (looks gewd)
    • Razer Smart Light (looking gewwd)
    • KAPSService.exe (looking into this one), Killer Analytics Service
    • MSI bloatware (looks good)
    • SteelSeriesSonar (good)

    So as I see it, it's just mostly Razer bloatware and some other functions. How were you able to tell and come to the conclusion, from looking at the FRST and Addition log files, whether there was any malware or whether there were any trojans? Also, I'm curious to know, because I'm learning and getting more into OSes and other functionalities as far as computers go: does a computer usually need and require so much RAM even at idle? I'm trying to figure out why; maybe an article, or if you can point me in a direction that can explain the high RAM usage while the computer is at idle.

    This post has been solved! If it's of use to anyone else, Partition Reader is an amazing tool to use to check PIDs and tasks from Task Manager!

    I would like to thank both _AW_ and Ramesh Srinivasan for taking the time to read and to pinpoint the issues, double, triple and quadruple checking to see if any malware/trojans were on the gigachad laptop! Thank you guys again.

    You guys are the bomb! Here's a tribute!

    4 people found this answer helpful.
  2. _AW_ 67,926 Reputation points Volunteer Moderator
    2024-10-24T22:26:37+00:00

    That's PowerShell 5 output. To get the parent in PowerShell 5, run:

    ```powershell
    # Windows PowerShell 5 has no Process.Parent property, so the parent PID is
    # looked up through CIM and the parent's path through Get-Process.
    $obj = Get-Process conhost | % {
        # Find the CIM_Process entry for this conhost and read its ParentProcessId.
        $ppid = (Get-CimInstance CIM_Process | ? ProcessId -eq $_.Id).ParentProcessId
        [PSCustomObject]@{
            Id         = $_.Id
            ParentId   = $ppid
            # Empty if the parent has already exited or its path is not readable.
            ParentPath = ((Get-Process | ? Id -eq $ppid).Path)
        }
    }
    $obj | ft -auto
    ```

    2 people found this answer helpful.
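    As an added example (not _AW_'s script above and not code from the thread), the same parent lookup done with a single Win32_Process query, extended with the parent executable's Authenticode signature status so an unsigned parent, a parent that has already exited, or one running from an unusual location stands out for review. The function name Get-ConhostParentReport and the pattern for "usual" install locations are assumptions made here.

    ```powershell
    # Added example, not code from the thread. Windows PowerShell 5.1 has no
    # Process.Parent property, so the parent is resolved from Win32_Process.
    # Get-ConhostParentReport is a name chosen here; the "usual locations"
    # pattern is a triage assumption, not a rule.

    function Get-ConhostParentReport {
        # One CIM query for every process, indexed by ProcessId for fast lookup.
        $table = @{}
        Get-CimInstance Win32_Process | ForEach-Object { $table[[int]$_.ProcessId] = $_ }

        # Directories where benign parents are normally installed (assumption).
        $usual = '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\'

        foreach ($p in $table.Values) {
            if ($p.Name -ine 'conhost.exe') { continue }

            $parent     = $table[[int]$p.ParentProcessId]
            $parentName = '<exited>'
            $path       = $null
            if ($parent) {
                $parentName = $parent.Name
                $path       = $parent.ExecutablePath   # may be $null for protected processes
            }

            # Authenticode check only when the binary is present and readable.
            $sig = 'Unknown'
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
            }

            # Flag for manual review: invalid or missing signature, a parent that is
            # already gone, or a parent living outside the usual install locations.
            $review = ($sig -ne 'Valid') -or (-not $path) -or ($path -notmatch $usual)

            [PSCustomObject]@{
                ConhostId  = $p.ProcessId
                ParentId   = $p.ParentProcessId
                ParentName = $parentName
                ParentPath = $path
                Signature  = $sig
                Review     = $review
            }
        }
    }

    # Rows with Review = True first, so the ones worth a closer look are at the top.
    Get-ConhostParentReport | Sort-Object Review -Descending | Format-Table -AutoSize
    ```

    Run it from an elevated prompt, otherwise ExecutablePath is empty for SYSTEM-owned parents and they are flagged only because the path could not be read.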
  3. Anonymous
    2025-01-13T11:46:33+00:00

    Thank you for your help and your fast responses. 👍

    1 person found this answer helpful.
  4. Ramesh Srinivasan 82,050 Reputation points Independent Advisor
    2024-10-24T05:14:03+00:00

    Hi Alexander, this is Ramesh.

    The system might be infected by miners. To verify that, please run the Farbar Scanner and share your logs on OneDrive.

    1. Download Farbar Recovery Scan Tool 64-bit (FRST64.exe)

       https://www.bleepingcomputer.com/download/farba...

       Note: If Microsoft Edge or Chrome mislabels the Farbar Scanner executable as PUA/malware, choose to keep it by tapping … in the bottom bar, choosing Keep, and then choosing Keep anyway in the dialog that appears. See this screenshot: https://learn.microsoft.com/en-us/deployedge/me...

    2. If the OS language is non-English, rename FRST64.exe to FRST64English.exe.
    3. Run the program. Don't check or uncheck any options. Click "Scan".
    4. Zip the two logs, FRST.txt and Addition.txt, upload them to your OneDrive and share the link here.

    How-To: Share OneDrive files and folders - Microsoft Support

    https://support.microsoft.com/en-us/office/shar...

    OneDrive sharing options - screenshot

    https://imgur.com/a/vZyxpY9

    Standard Disclaimer: There is a link to a non-Microsoft website. The page appears to provide accurate, safe information. Watch out for ads on the site that may advertise products frequently classified as PUPs (Potentially Unwanted Products). Thoroughly research any product advertised on the site before you decide to download and install it.

  5. _AW_ 67,926 Reputation points Volunteer Moderator
    2024-10-24T02:23:28+00:00

    Do you know what steelseriessonar.exe is?

    To thoroughly check for malware, please run a scan with Farbar Recovery Scan Tool (FRST) and share your logs.

    https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

    Note: If you are using Edge, SmartScreen may initially block the download.

    Click on the three dots next to the warning and select Keep => Show more => Keep anyway.

    • If your computer's language is not English, rename FRST64.exe to FRST64English.exe
    • Run the tool, leave the default settings, and press Scan.
    • Zip the logs, FRST.txt and Addition.txt, then upload to a cloud storage service like OneDrive or Google Drive.
    • Post the share link.

    Share OneDrive files and folders - Microsoft Support
