Since installing Norton 360, v5, I have been unable to open Command Prompt (specifically ipconfig).
When I attempt to open the Command Prompt, it "flashes" on the monitor screen for less than a second and then disappears. This is immediately followed by the error message: "Process: Terminated. Identified use: User Determination." "Resident Terminated the process conhost.exe because it was on the black list."
When I reviewed the incident in the Task Manager Window, both cmd.exe and conhost.exe would flash in the Task Manager window for less than 0.5 sec and then the above error message would appear.
Is the mysterious "Black List" somewhere in Norton 360? Any suggestions on how to get conhost.exe (and, I presume, cmd.exe) off the "Black List"?
This error happens if conhost.exe has already been hacked/damaged by a virus or malware. I would suggest booting your computer into Safe Mode and then running a full system scan with Norton 360. You just need to double-click the Norton 360 icon to start the full system scan.
In normal mode, download and run the Norton Power Eraser tool:
Check if it detects any threats and if it does, please provide us the filename and other details. Don't fix any files now, you can fix those after getting confirmation in this thread.
I ran a full system scan in safe mode with Norton 360. Only two low risk tracking cookies were found and automatically corrected. I then rebooted, downloaded the Norton Power Eraser and ran it. It detected 3 "Bad" risks. They are "G-Zapper", "pepidmgr.exe" and "hosts". Pepidmgr.exe is a program I use frequently since installation in Dec 2008. "Hosts" (DNS entry) was installed when the computer was manufactured in Nov 2006. G-Zapper is a software utility that blocks Google cookies. I vaguely remember installing it several months ago as a free utility. There was also one suspicious risk: Media Impressions, a Kodak program that was installed in June 2010 (purchased a new Kodak digital camera).
I rebooted the computer again to complete the Power Eraser scan. The G-Zapper was auto-checked to correct the problem. Removal Results indicated that removal failed.
The problem is still present. Do you have any other suggestions? Thanks again for your help!
I presume that the conhost.exe is legit. When I reviewed the action of opening the Command Prompt (in the Windows Task Manager: Processes), there was a brief flash of cmd.exe followed by conhost.exe, which quickly disappeared. I have used Norton 360 for two years (and before that, Zone Alarm). I'm careful about downloads and usually run a virus scan before opening. I followed the recommendations of Yogesh as noted in the forum. The problem is still present with the cmd.exe/conhost.exe issue. Frustrating...
Few things to try out:
1. Click Start > Run, and type C:\WINDOWS\system32\cmd.exe Let us know if the Window stays open or not.
2. Click Start > Run, and type cmd /k netstat Let us know if the Window stays open or not.
3. Check if you have the following registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
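The registry check in step 3, as an added example that is not part of the original post: AutoRun is a value inside the Command Processor key, not a subkey, and cmd.exe reads it from both the machine and the per-user hive. The script assumes PowerShell is available on the machine; the extra HKCU and Wow6432Node locations go beyond the single HKLM path named in the post.

```powershell
# Added example: list any Command Processor AutoRun value that cmd.exe
# would execute every time it starts (cmd.exe skips it when run with /d).
$keys = @(
    'HKLM:\Software\Microsoft\Command Processor',
    'HKCU:\Software\Microsoft\Command Processor',
    'HKLM:\Software\Wow6432Node\Microsoft\Command Processor'  # only on 64-bit Windows
)

$findings = foreach ($key in $keys) {
    # A missing key simply means nothing is configured in that hive.
    if (-not (Test-Path -LiteralPath $key)) { continue }

    # AutoRun is a named value of the key; GetValue returns $null if absent.
    $value = (Get-Item -LiteralPath $key).GetValue('AutoRun')
    if ($null -ne $value -and "$value".Trim() -ne '') {
        New-Object PSObject -Property @{
            Key     = $key
            AutoRun = "$value"
        }
    }
}

if ($findings) {
    # Anything listed here runs before the prompt appears; review it
    # before deleting, and record it for the thread.
    $findings | Format-List Key, AutoRun
} else {
    Write-Output 'No AutoRun value set under any Command Processor key.'
}
```

An empty result rules out AutoRun as the reason the window closes, which points back to something terminating cmd.exe or conhost.exe from outside.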
Yogesh, I tried suggestions 1 & 2. Both attempts resulted in a quick flash of "C:\windows\system32>" which promptly disappeared from the monitor screen. I learned a long time ago not to fool with the Registry. However, using "regedit", I did drill down....carefully... through the folders beginning with HKEY_LOCAL_MACHINE to Software\Microsoft\Command Processor. At this point I opened the Command Processor folder which presented 5 "folders" : (Default), Completion, DefaultColor, EnableExtensions, and Path CompletionChar. I was unable to locate any registry entries that have the usual format, specifically: HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
Hugh, I'm running Windows 7, 32 bit version with SP1. I think I located the problem. I use Spybot Search and Destroy which quarantined "Win32.Sober" with 4 subfiles of conhost.exe (C:\Windows\System32\conhost.exe). I plan to use the recommendations noted on Microsoft Security Advisory (912920) to try to remove the worm.
Yogesh, I think I located the problem. I use Spybot Search and Destroy which quarantined "Win32.Sober" with 4 subfiles of conhost.exe (C:\Windows\System32\conhost.exe). I plan to use the recommendations noted on Microsoft Security Advisory (912920) to try to remove the worm.
Sorry not to get back sooner -- I'll let others deal with specific advice since I'm not using N360, but if that Spybot is the run-in-the-background version then you should not have it there with other security software like you have N 360, since they can interfere with each other and so make mistakes.
Yogesh, I finally solved the issue. SpyBot had located and isolated Win32.Sober but was unable to remove it. Norton Power Eraser Tool did not identify the worm. I also tried Norton W32.Sober Removal Tool, but was unable to solve the problem. I located the MS Malicious Software Removal Tool and ran it. It took a few hours to run and, being late at night, I went to bed. When I returned to the computer, Win32.Sober was gone. A fresh Desktop was on the screen, so I presume that the program did a restart. So far no problems. As a matter of note, the Win32.Sober worm was identified by SpyBot about a year ago. Nothing in my logs indicated that it was active over the past 12 months....but who knows. Thanks for your help. Bill
I finally solved the issue. SpyBot had located and isolated Win32.Sober but was unable to remove it. Norton Power Eraser Tool did not identify the worm. I also tried Norton W32.Sober Removal Tool, but was unable to solve the problem. I located the MS Malicious Software Removal Tool and ran it. It took a few hours to run and, being late at night, I went to bed. When I returned to the computer, Win32.Sober was gone. A fresh Desktop was on the screen, so I presume that the program did a restart. So far no problems. As a matter of note, the Win32.Sober worm was identified by SpyBot about a year ago. Nothing in my logs indicated that it was active over the past 12 months....but who knows. Thanks for everybody's help.
OK, what you have was a FakeAValert of some sort. That would be to do with the W32.Sober fake detection, making the user think they have the Worm, even though the Worm is years old.
Secondly, that is why you had a desktop / wallpaper change: once the infection was removed, the desktop went back to the original settings. That is also why Command Prompt, and possibly regedit and Task Manager, were blocked and so would shut down.
As I thought originally, the PC is infected, but there was no logging to know what.
If there was a problem with Norton and the legit Windows files, a lot of people would have appeared over the last few weeks, saying Norton is blocking CMD.