Luxio

Conime.exe


Hi -

Today, I scanned my pc with mbam. It detected conime.exe as infected;

C:\WINDOWS\system32\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Not sure if it is really infected or it is an infection, though.

Here is the log, if needed:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4940

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/25/2010 2:36:14 PM
mbam-log-2010-10-25 (14-36-14).txt

Scan type: Quick scan
Objects scanned: 181941
Time elapsed: 11 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


Our testing would have picked this up if it were a FP so there may be something else going on here. Please zip and attach a copy of conime.exe to your next post.


Hello nosirrah,

I didn't know where to find the copy, so I restored the file from quarantine and copied it to my desktop, renaming it to .old before zipping. Hope I was doing it right.

When I scanned the selected file (c:\windows\system32\conime.exe) with mbam again, it wasn't detected as infected. I then ran a quick scan on the system (while the restored conime.exe was still onboard), and again no detection. Kinda odd?

Anyway, I attach the zipped conime.exe.old herein for your attention. Let me know if you need anything else. Btw, is it safe to leave the restored conime.exe under the system32 folder? (I've renamed it to .old too now.)

conime.exe.zip


If there is nothing detected I don't have anything to investigate.


Hi Bruce,

Out of curiosity, this morning I restored the registry key (which I didn't restore in the earlier scan), then ran a scan with "/developer", and mbam again detected the file and the registry key.

I'm posting the log here and attaching the file conime.old.zip.

Btw, once I restored the file and renamed it to .old, it seems to me that the file regenerates itself with the original name conime.exe, some kind of WFP restore?

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4940

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/28/2010 9:51:01 AM
mbam-log-2010-10-28 (09-51-01).txt

Scan type: Quick scan
Objects scanned: 181669
Time elapsed: 11 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully. [F6B3EC9599FB162A3600CDFC105E118B]

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully. [F6B3EC9599FB162A3600CDFC105E118B]

Anything else you need?

conime.zip
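An added example, not code from this thread or from Malwarebytes: a small Python parser for the MBAM 1.46 log layout posted above. It splits each detection into path, detection name, action and bracketed id, checks that the summary counts agree with the itemised sections, and pairs a detected ...\CurrentVersion\Run value with the detected file of the same name, which is the autostart link behind this conime.exe detection. The log excerpt it parses is constructed from the lines quoted in this thread.

```python
import re

# Constructed excerpt in the layout of the Malwarebytes' Anti-Malware 1.46 logs
# posted in this thread (same section names, detection name and action text).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46

Registry Values Infected: 1
Files Infected: 1

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully. [F6B3EC9599FB162A3600CDFC105E118B]

Files Infected:
C:\WINDOWS\system32\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully. [F6B3EC9599FB162A3600CDFC105E118B]
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")  # "Files Infected: 1"
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> "
                     r"(?P<action>.+?)(?: \[(?P<id>[0-9A-Fa-f]{32})\])?$")
NONE = "(No malicious items detected)"

def parse_mbam_log(text):
    """Return (summary counts, detections per section) for one MBAM log."""
    summary, detections, section = {}, {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SUMMARY_RE.match(line):          # one line of the count block
            summary[m[1]], section = int(m[2]), None
        elif m := HEADER_RE.match(line):         # start of an itemised section
            section, detections[m[1]] = m[1], []
        elif section and line and line != NONE:  # a detection line
            if not (m := ITEM_RE.match(line)):
                raise ValueError(f"unrecognised line in {section}: {line}")
            detections[section].append(m.groupdict())
    return summary, detections

def count_mismatches(summary, detections):
    """Sections whose summary count disagrees with the itemised list."""
    return {s: (n, len(detections.get(s, []))) for s, n in summary.items()
            if n != len(detections.get(s, []))}

def leaf(path):
    return path.rsplit("\\", 1)[-1].lower()  # value name or file name

def autostart_pairs(detections):
    """Pair each detected Run value with the detected file of the same name."""
    files = {leaf(d["path"]): d["path"] for d in detections.get("Files Infected", [])}
    return [(d["path"], files.get(leaf(d["path"])))
            for d in detections.get("Registry Values Infected", [])
            if "\\currentversion\\run\\" in d["path"].lower()]
```

A Run value whose partner file is None (or a file with no Run value) is still worth looking at, but a matched pair like the one here is exactly what the "set to run every boot" question is about.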


conime.exe <- is there any reason you would have this set to run every boot?


Hi Bruce,

Sorry for the late reply. I was having quite a busy weekend.

----------------------

conime.exe <- is there any reason you would have this set to run every boot?

I don't remember setting it to run every boot. In fact, I do not know how to set it to. :D


We have located some evidence that this can sometimes be a legit boot process, so leaving things as is should be fine.

The detection should also no longer be taking place.

