Conime.exe

Luxio · October 25, 2010

Hi -

Today, I scanned my pc with mbam. It detected conime.exe as infected;

C:\WINDOWS\system32\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Not sure if it is really infected or it is an infection, though.

Here is the log, if needed:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4940

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/25/2010 2:36:14 PM
mbam-log-2010-10-25 (14-36-14).txt

Scan type: Quick scan
Objects scanned: 181941
Time elapsed: 11 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

nosirrah · October 25, 2010

Our testing would have picked this up if it were a FP so there may be something else going on here. Please zip and attach a copy of conime.exe to your next post.

Luxio · October 26, 2010

Hello nosirrah,

I didn't know where to find the copy, so I restored the file from the quarantine, copied it to my desktop by renaming it to .old before zipping. Hope I was doing it right

When I scanned the selected file (c:\windows\system32\conime.exe) with mbam again, it wasn't detected as infected. I then ran a quick scan on the system (while the restored conime.exe was still onboard), and again no detection. kinda odd?

Anyway, herein I attach the zipped conime.exe.old for your attention. Let me know if you need anything else. Btw, is it safe to leave the restored conime.exe under system32 folder there? (I've renamed it to .old too now).

conime.exe.zip

nosirrah · October 26, 2010

This file is clean, are you still getting this detection?

If you are please get us a developers scan log:

http://forums.malwarebytes.org/index.php?showtopic=3228

Luxio · October 27, 2010

This file is clean, are you still getting this detection?
If you are please get us a developers scan log:
http://forums.malwarebytes.org/index.php?showtopic=3228

Running the scan with "mbam.exe /developer" does not detect the file as infected. Even a usual scan now doesn't either.

Any idea?

nosirrah · October 27, 2010

If there is nothing detected I don't have anything to investigate.

Luxio · October 28, 2010

Hi Bruce,

Out of curiosity, this morning, I restored the registry key (which I didn't restore in the earlier scan) then ran a scan with the " /developer", and mbam again detected the file and the registry key.

I post the log here and attach the file conime.old.zip .

Btw, once I restored the file and renamed it to .old, it seems to me that file regenerates itself with the original name conime.exe , some kind of WFP restore?

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4940

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/28/2010 9:51:01 AM
mbam-log-2010-10-28 (09-51-01).txt

Scan type: Quick scan
Objects scanned: 181669
Time elapsed: 11 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully. [F6B3EC9599FB162A3600CDFC105E118B]

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully. [F6B3EC9599FB162A3600CDFC105E118B]

anything else you need?

conime.zip

nosirrah · October 28, 2010

conime.exe <- is there any reason you would have this set to run every boot?

Luxio · November 1, 2010

Hi Bruce,

Sorry for the late reply. I was having quite a busy weekend.

----------------------

conime.exe <- is there any reason you would have this set to run every boot?

I don't remember setting it to run every boot. In fact, I do not know how to set it to.

nosirrah · November 5, 2010

We have located some evidence that this can sometimes be a legit boot process so leaving things as is should be fine.

The detection should also no longer be taking place.

Luxio · November 8, 2010

Thank you for the confirmation, Bruce.

Conime.exe

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Important Information