EAM Not Detecting Fake Conhost

Recommended Posts

My server infected with this conhost. I can almost confirmed this is 100% a virus.

Roguekiller got it.

ESET failed to block it

Emsisoft unable to detect it, but.. if i copy/duplicate the file, emsisoft detects it and delete the new duplicated file.. However the original file remains.. haha

Download Image

Share this post

Link to post
Share on other sites

1) copy conhost

2) paste to same location 

3) rename conhost - Copy to 1 (random name) <- only at this point emsisoft detect it.

Another thing, knowing the origin file conhost is indeed a virus, right click the file. Select scan with emsisoft, no virus found.


Download Image

Share this post

Link to post
Share on other sites

Lets get a log from FRST, and see if it shows the cause of the issue. Please download Farbar Recovery Scan Tool (FRST) from one of the following links, and save it to your Desktop (please note that some web browsers will automatically save all downloads in your Downloads folder, so in those cases please move the download to your desktop):


For 32-bit (x86) editions of Windows:


For 64-bit (x64) editions of Windows:


Note: You need to run the version compatible with your computer. If you are not sure which version applies to your computer, then download both of them and try to run them. Only one of them will run on your computer, and that will be the right version.

  1. Run the FRST download that works on your computer (for Windows Vista, Windows 7, and Windows 8 please right-click on the file and select Run as administrator).

  2. When the tool opens click Yes for the disclaimer in order to continue using FRST.

  3. Press the Scan button.

  4. When the scan is done, it will save a log as a Text Document named FRST in the same place the tool was run from (if you had saved FRST on your desktop, then the FRST log will be saved there).

  5. Please attach the FRST log file to a reply using the More Reply Options button to the lower-right of where you type in your reply to access the attachment controls.

  6. The first time the FRST tool is run it saves another log (a Text Document named Addition - also located in the same place as the FRST tool was run from). Please also attach that log file along with the FRST log file to your reply.

Share this post

Link to post
Share on other sites

It's possible that ESET's driver was intercepting the read of the file before our driver was, and Windows wasn't passing it to any other drivers because of that. I'll offer more on what I see in the FRST log via Private Message.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.