Suspected hacking - potential Trojan?

Hello all,

For reasons that are rather long and unimportant, I have reason to suspect that my own and some of my friends' computers have been hacked (some serious but rather crazy-sounding threats). I suspect I may be being overly cautious, but I'd rather be safe than sorry.

When shutting down my computer earlier, I received an "exception breakpoint" error. I had no idea what that is, but it's odd for me to get such errors at all on my relatively new system, so out of curiosity I decided to reboot and see what was running.

All the processes in the task manager seem fine, except for one, conhost.exe. Now I tried a little research online, which tells me this is a legit Windows file, HOWEVER, some people report a virus of the same name, and it appears even when I don't have any console windows open. When looking at it in my task manager, under Description there is no file path stated for the process, when I try to select "Properties" nothing happens, and if I try to End Process, I am told Access Denied.

I have tried running Malwarebytes, but I got nothing related to this. Is there a way for me to figure out if this is the legit Windows program or a virus? Are there also any other things I should be on the lookout for on my or my friends' machines which may indicate whether we have been hacked?

Thanks very much in advance!

All the processes in the task manager seem fine, except for one, conhost.exe.
Suspicious files can be tested here: www.virustotal.com / www.metadefender.com / www.jotti.org. If scanned before, always click rescan for a fresh result.

Post link to VirusTotal scan result here

If you want a check … You can drop the Malwarebytes part since you have already done that.

Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
We need Malwarebytes and Farbar Recovery Scan Tool logs. Attach the logs, 3 logs total.

See below the box you write in … Attachments and other options.

Check back tomorrow for a reply

@Pondus: Thank you for the reply! I would like to scan and give you the information, but I have no idea how to locate the file on my computer, since I cannot access the path directory via the "Properties" option. Is there a way I can locate where the file is?

Search for it > conhost.exe

On the computer I use now it is located in c\windows\system32
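The thread's advice is to find the file on disk and submit it to a scanner. The three properties that separate the genuine console host from an impostor using its name are where it was loaded from (it should be %SystemRoot%\System32\conhost.exe), whether the file carries a valid Microsoft Authenticode signature, and which process started it (normally csrss.exe or the console program it serves, depending on the Windows version). The PowerShell below is an added example, not a script from this thread or from Avast; it reports those three things for every running conhost.exe and prints the SHA-256 so the hash can be looked up on VirusTotal without uploading anything. Run it from an elevated prompt so the path of every instance is readable; the function name Get-ConhostReport is an assumption of this example.

```powershell
# Added example (not from the thread): report on every running conhost.exe.
# Read-only: nothing is killed, deleted or uploaded.

$expected = Join-Path $env:SystemRoot 'System32\conhost.exe'

function Get-ConhostReport {
    # Win32_Process reports ExecutablePath even where Task Manager shows nothing,
    # provided the shell is elevated; it is $null when the process cannot be opened.
    Get-CimInstance Win32_Process -Filter "Name = 'conhost.exe'" | ForEach-Object {
        $proc   = $_
        $path   = $proc.ExecutablePath
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $parentDesc = 'unknown (parent already exited)'
        if ($parent) { $parentDesc = "$($parent.Name) (PID $($parent.ProcessId))" }

        $report = [ordered]@{
            PID        = $proc.ProcessId
            Path       = $path
            Parent     = $parentDesc
            InSystem32 = [bool]($path -and ($path -ieq $expected))
            Signature  = 'not checked (no readable path)'
            SHA256     = 'not checked (no readable path)'
        }

        if ($path -and (Test-Path -LiteralPath $path)) {
            # A genuine conhost.exe is signed; Status is 'Valid' and the subject names Microsoft.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $report.Signature = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
            # SHA-256 of the file on disk: search this on VirusTotal instead of uploading.
            $report.SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        [pscustomobject]$report
    }
}

# Anything outside System32, with a signature other than Valid/Microsoft, or with an
# unexpected parent is what to hand to the scanners mentioned above.
Get-ConhostReport | Format-List
```

The InSystem32 column alone is not proof either way: a legitimate instance with an unreadable path shows False, which is why the signature and hash are reported alongside it. A copy that sits in System32 but fails the signature check is the case that actually matters.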

Hi again,

Please find my logs attached! I hope that I haven't missed anything.

Cheers :slight_smile:

Just adware by the looks of it.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Winsock: Catalog9 01 C:\Windows\system32\LavasoftTcpService.dll No File
Winsock: Catalog9 02 C:\Windows\system32\LavasoftTcpService.dll No File
Winsock: Catalog9 03 C:\Windows\system32\LavasoftTcpService.dll No File
Winsock: Catalog9 04 C:\Windows\system32\LavasoftTcpService.dll No File
Winsock: Catalog9 15 C:\Windows\system32\LavasoftTcpService.dll No File
Winsock: Catalog9-x64 01 C:\Windows\system32\LavasoftTcpService64.dll [373864 2015-03-12] (Lavasoft Limited)
Winsock: Catalog9-x64 02 C:\Windows\system32\LavasoftTcpService64.dll [373864 2015-03-12] (Lavasoft Limited)
Winsock: Catalog9-x64 03 C:\Windows\system32\LavasoftTcpService64.dll [373864 2015-03-12] (Lavasoft Limited)
Winsock: Catalog9-x64 04 C:\Windows\system32\LavasoftTcpService64.dll [373864 2015-03-12] (Lavasoft Limited)
Winsock: Catalog9-x64 15 C:\Windows\system32\LavasoftTcpService64.dll [373864 2015-03-12] (Lavasoft Limited)
FF user.js: detected! => C:\Users\Janine\AppData\Roaming\Mozilla\Firefox\Profiles\ggknqkts.default-1429611696102\user.js [2016-03-10]
Task: {8EA6CC25-6804-4C59-A937-D939A6A3A8B0} - System32\Tasks\{6B82CE56-8347-4FD2-B243-270F801CACD6} => pcalua.exe -a C:\Users\Janine\AppData\Roaming\mystartsearch\UninstallManager.exe -c -ptid=ima
C:\Program Files\Lavasoft\Ad-Aware Antivirus
C:\Windows\system32\LavasoftTcpService.dll
C:\Program Files (x86)\mbot_de_582
C:\Windows\system32\LavasoftTcpService64.dll
C:\Users\Janine\AppData\Roaming\mystartsearch
C:\Program Files (x86)\PC Speed Up
C:\Program Files (x86)\Optimizer Pro 3.64
C:\Program Files (x86)\Lavasoft\Web Companion
C:\Program Files (x86)\YTDownloader
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
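Two of the entries that fixlist removes are worth knowing how to re-check afterwards on any machine: Winsock catalog (LSP) entries whose DLL is gone or not Microsoft's, which FRST flags as "No File", and a scheduled task that launches a program through pcalua.exe, the Program Compatibility Assistant launcher, which here was used to start an adware uninstaller. The PowerShell below is an added example written for this thread, not an FRST or Avast script; it only reads and reports, making no changes. The function names Get-SuspiciousWinsockProviders and Get-PcaluaTasks are assumptions of this example, and Get-ScheduledTask needs Windows 8 or later.

```powershell
# Added example (not from the thread): read-only checks for the two persistence
# spots the fixlist cleaned up. Nothing is modified.

# 1. Winsock catalog: every provider DLL that is missing on disk (a dangling
#    entry, "No File" in FRST) or that does not carry a valid Microsoft signature.
function Get-SuspiciousWinsockProviders {
    $paths = netsh winsock show catalog 2>$null | ForEach-Object {
        # Provider lines look like "Provider Path:   %SystemRoot%\system32\mswsock.dll"
        if ($_ -match '^\s*Provider Path:\s*(.+?)\s*$') {
            [Environment]::ExpandEnvironmentVariables($Matches[1])
        }
    } | Sort-Object -Unique

    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Issue = 'file missing (dangling catalog entry)' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $p
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            [pscustomobject]@{ Path = $p; Issue = "signature: $($sig.Status) / $($sig.SignerCertificate.Subject)" }
        }
    }
}

# 2. Scheduled tasks whose action is pcalua.exe: a legitimate Windows binary that
#    simply runs whatever follows -a, so the interesting part is the Arguments column.
function Get-PcaluaTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute -match 'pcalua(\.exe)?\s*$') {
                [pscustomobject]@{
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    Execute   = $a.Execute
                    Arguments = $a.Arguments
                }
            }
        }
    }
}

Write-Host '--- Winsock providers needing attention ---'
Get-SuspiciousWinsockProviders | Format-Table -AutoSize
Write-Host '--- Scheduled tasks launched via pcalua.exe ---'
Get-PcaluaTasks | Format-Table -AutoSize
```

On 64-bit Windows, netsh shows only the 64-bit catalog; the 32-bit Catalog9 entries in the fixlist (the ones marked No File) are listed by running the same function from %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe. An empty result from both functions after the FRST fix is the expected outcome.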

THEN

Please download AdwCleaner by Xplode onto your Desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click the Scan button and wait for the process to complete.
[*]Click the logfile button and the log will open in Notepad.
[*]Click on the Clean button and follow the prompts.
[*]A log file will automatically open after the scan has finished and the PC has rebooted.
[*]Please post the content of that log file with your next answer.
[*]The report will be saved in the C:\AdwCleaner folder.