How to remove the Conhost.exe cryptomining malware

What is Conhost.exe?

Conhost.exe (Console Window Host) is the process of a program (cryptominer) that is designed to mine Monero cryptocurrency. Generally, cyber criminals trick people into downloading and installing this program to generate revenue.

In summary, the program uses computer resources to mine cryptocurrency when a user logs into the Windows Operating System. Note that the presence of this malware significantly diminishes computer performance.

More about cryptomining malware

The cryptocurrency mining process involves solving complicated mathematical problems. To achieve this, the installed cryptominer uses the CPU (Central Processing Unit). People are often unaware that there is a cryptomining process running in the background on their systems.

Typically, programs of this type cause high CPU usage, which results in diminished computer performance and increased use of electricity. This can also cause hardware to overheat. Increased use of electricity/higher energy consumption leads to higher electricity bills.

Furthermore, users with computers infiltrated by cryptominers receive nothing in return – only the cyber criminals who trick them into installing these programs benefit from the mined cryptocurrency. If a computer is slower, and there is significant CPU usage, this is likely to be caused by an installed cryptominer.

Note that conhost.exe (and its associated process [“Console Windows Host”]) is a legitimate windows process, however, cyber criminals disguise a cryptominer behind this name in an attempt to give the impression of legitimacy and to make detection/removal difficult.

Fortunately, most anti-virus/anti-spyware suites are capable of detecting and eliminating this malware. Therefore, if you see a Console Windows Host process, which is using many computer resources, immediately scan the system with a reputable anti-virus/anti-spyware suite and eliminate all detected threats.

Threat Summary:
Name Conhost.exe (Console Window Host) virus.
Threat Type Trojan, Cryptominer.
Detections (conhost.exe)
Avast (Win32:DangerousSig [Trj]), BitDefender (Trojan.GenericKD.31848709), ESET-NOD32 (A Variant Of Win32/Kryptik.GLWT), Kaspersky (Trojan.Win32.RunDll.ddu), Full List (VirusTotal).
Malicious Process Name(s) Console Window Host.
Symptoms Significant decrease in computer performance, system crashes, processes with high CPU usage in Windows Task Manager.
Distribution methods Infected email attachments, malicious online advertisements, social engineering, software cracks.
Damage Inability to use the computer properly, potential hardware damage, increased electricity usage.
Malware Removal (Windows)

Cryptomining malware in general

There are many other programs that are designed to mine cryptocurrency including, for example, XMR Miner, BitCoinMiner, and AV64N.exe. They could be used by anyone, however, people also download and install them inadvertently when cyber criminals trick them.

It is unknown exactly how they proliferate this particular miner, however, there are a number of commonly-used methods to stealthily proliferate this software.

How did Conhost.exe infiltrate my computer?

Generally, cyber criminals distribute computer infections through Trojans, spam campaigns, fake software updaters, untrustworthy software download tools/sources, and software ‘cracking’ tools. When installed, trojans download and install computer infections. These are malicious programs that cause chain infections.

To proliferate viruses through spam campaigns, cyber criminals send emails that contain malicious attachments. Typically, the attached files are MS Office documents, JavaScript or archive files, PDF documents, executables (.exe files), and so on. Once opened, they download and install computer infections.

Fake/unofficial software updaters download and install malicious programs rather than updates or fixes, or they exploit bugs and flaws of outdated software. Unofficial, freeware, free file hosting websites, third party downloaders, Peer-to-Peer networks, and other similar software download channels can be used to present malicious programs as legitimate.

Cyber criminals also present viruses as harmless files. When people download and open them, they install viruses. Software cracking tools are programs that supposedly bypass paid software activation, however, these tools often cause computer infections (they download and install viruses rather than activating any programs).

How to avoid installation of malware?

Do not open attachments (or web links) that are presented in irrelevant emails, especially if they are received from unknown, suspicious addresses. Installed programs/software should be updated using implemented tools or functions that are provided by official software developers. Download software using official and trustworthy websites or other official sources.

Avoid third party software downloaders and other sources (mentioned above). Bear in mind that software cracking tools are illegal and are often used to proliferate computer infections. Another way to avoid computer infections is to have trustworthy, reputable anti-spyware/anti-virus software installed and to keep it enabled.

If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

Malicious executable (ConHost.exe) identified as a threat by various anti-virus/anti-spyware suites:

Quick menu:

  • What is Conhost.exe?
  • STEP 1. Manual removal of Conhost.exe malware.
  • STEP 2. Check if your computer is clean.

How to remove malware manually?

Manual malware removal is a complicated task – usually it is best to allow antivirus or anti-malware programs to do this automatically.

To remove this malware we recommend using Combo Cleaner Antivirus for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user’s computer:

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:

 Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Video showing how to start Windows 7 in “Safe Mode with Networking”:

Windows 8 users: Start Windows 8 is Safe Mode with Networking – Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened “General PC Settings” window, select Advanced startup. Click the “Restart now” button.

Your computer will now restart into the “Advanced Startup options menu”. Click the “Troubleshoot” button, and then click the “Advanced options” button. In the advanced option screen, click “Startup settings”. Click the “Restart” button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.


Video showing how to start Windows 8 in “Safe Mode with Networking”:

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click “Restart” while holding “Shift” button on your keyboard. In the “choose an option” window click on the “Troubleshoot”, next select “Advanced options”. In the advanced options menu select “Startup Settings” and click on the “Restart” button.

In the following window you should click the “F5” button on your keyboard. This will restart your operating system in safe mode with networking.

Video showing how to start Windows 10 in “Safe Mode with Networking”:

Extract the downloaded archive and run the Autoruns.exe file.

In the Autoruns application, click “Options” at the top and uncheck the “Hide Empty Locations” and “Hide Windows Entries” options. After this procedure, click the “Refresh” icon.

Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose “Delete”.

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.

These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software.

To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.

Frequently Asked Questions (FAQ)

My computer is infected with Conhost.exe/Console Window Host malware, should I format my storage device to get rid of it?

No, it is not necessary to format the infected storage device to remove the Conhost.exe/Console Window Host malware.

What are the biggest issues that malware can cause?

The most common problems with having a computer infected with malware are data and (or) monetary loss, identity theft, and hijacked personal accounts. It depends on the type of injected malware.

What is the purpose of Conhost.exe malware?

It is a cryptomining malware. It uses computer hardware to mine cryptocurrency. More information about cryptocurrency miners is provided in our article above.

How did a malware infiltrate my computer?

In most cases, malware infects computers via malicious drive-by downloads, cracked software download pages (and other unreliable sources for downloading software/files), and emails containing malicious links or attachments.

Will Combo Cleaner protect me from malware?

Yes, Combo Cleaner can detect and eliminate almost all known malware. When a computer is infected with high-end malware, running a full system scan is necessary. Otherwise, antivirus software will not be able to detect malware that hides deep in the operating system.


Article post on:

Leave a Comment

Your email address will not be published. Required fields are marked *