A week or so ago I came back to GTG and saw the EMET tool on the front page; good idea, I thought. Tried to download, Chrome says "download.microsoft.com" is unavailable. Maybe it's overloaded; tried again a couple of days later, same.
Ran Avast full scan
Ran Avast Bootscan
disabled Avast
Ran reg and safe mode MS MRT
Ran safe mode Malwarebytes current update
Ran safe mode Prevx v3.0.5.220 at friend in NGIC-NOC recommendation
Ran safe mode Webroot Secure Anywhere v8.0.2.27 same friend recommendation
Nothing
Just out of curiosity ran CCleaner as admin (did NOT run the cleaner) and looked at Startup and see this:
Yes HKLM:Run Autorun Eater Old McDonald's Farm C:\Program Files (x86)\Autorun Eater\oldmcdonald.exe (Installed when working with RKinner)
Yes HKLM:Run avast AVAST Software "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui (Installed when working with RKinner, replaced MSE)
Yes HKLM:Run Carbonite Backup Carbonite, Inc. C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe (Legit, my backups)
Yes HKLM:Run Conime %windir%\system32\conime.exe (????????)
Yes HKLM:Run EKStatusMonitor Eastman Kodak Company C:\PROGRAM FILES (X86)\KODAK\AIO\STATUSMONITOR\EKStatusMonitor.exe (Legit, my wireless printer)
Disabled Conime in msconfig, did not start the next reboot but did the 2nd reboot
Disabled Conime in CCleaner, came back on second reboot
Deleted in CCleaner, came back
Went into safe mode deleted in Regedit, reboot into safe mode ran barrage of AV/Anti-malware
Found nothing. Conime was not in startup for a few days but, like Jack Nicholson in The Shining, it's back.
Don't know what it is or what it does, but I am now (only in the last 3 days) getting emails with photo (supposedly) attachments from Chinese people (supposedly).
The only added thing is we do have a new tenant (4 months) in a unit next door who is a Chinese citizen. Our wireless is WPA2 AES (CCMP), so I hope it is not vulnerable to him, and I have no reason to suspect him, but he is a university professor and smarter than I am for sure, so I wanted to mention it. Maybe he is stealing bandwidth or trying to get free internet, maybe it's a virus, or maybe I am in the Twilight Zone, but I just don't feel right yet.
I don't want to post a bunch of meaningless logs, and OTL was removed when I did the cleanup with RKinner, but I will include this from running Silent Runners.vbs today (this is incomplete and I only posted where it said things might be awry).
"Silent Runners.vbs", revision 64, http://www.silentrunners.org/
Operating System: Microsoft Windows 7 Home Premium Service Pack 1 (64-bit)
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ {++}
Carbonite Backup = C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe [Carbonite, Inc.]
Autorun Eater = C:\Program Files (x86)\Autorun Eater\oldmcdonald.exe [Old McDonald's Farm]
EKStatusMonitor = C:\PROGRAM FILES (X86)\KODAK\AIO\STATUSMONITOR\EKStatusMonitor.exe [Eastman Kodak Company]
Conime = %windir%\system32\conime.exe [file not found]
<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = ComFile
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDrives = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDrives = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
ConsentPromptBehaviorAdmin = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
Wallpaper = C:\Users\Historic Inn\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = %SystemRoot%\system32\NLAapi.dll [MS]
000000000002\LibraryPath = %SystemRoot%\system32\napinsp.dll [MS]
000000000003\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000004\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000005\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]
000000000006\LibraryPath = %SystemRoot%\System32\winrnr.dll [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 10
Toolbars, Explorer Bars, Extensions:
------------------------------------
Explorer Bars
HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = &Research
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Adobe Acrobat Update Service, AdobeARMservice, "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [Adobe Systems Incorporated]
Carbonite Mirror Image Backup Service, Carbonite-Mirror-Image-Svc, "C:\Program Files\Carbonite\Carbonite Mirror Image\CarboniteMirrorImage.exe" [Carbonite]
CarboniteService, CarboniteService, "C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe" [Carbonite, Inc. (www.carbonite.com)]
Kodak AiO Network Discovery Service, Kodak AiO Network Discovery Service, C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe [Eastman Kodak Company]
Kodak AiO Status Monitor Service, Kodak AiO Status Monitor Service, "C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe" [Eastman Kodak Company]
Net Driver HPZ12, Net Driver HPZ12, C:\Windows\System32\svchost.exe -k HPZ12 {C:\Windows\system32\HPZinw12.dll [Hewlett-Packard]}
Pml Driver HPZ12, Pml Driver HPZ12, C:\Windows\System32\svchost.exe -k HPZ12 {C:\Windows\system32\HPZipm12.dll [Hewlett-Packard]}
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
KODAK All-in-One Printer\Driver = EKAiO2MON.dll [Eastman Kodak Company]
PCL hpz3lwn7\Driver = hpz3lwn7.dll [Hewlett-Packard Company]
---------- (launch time: 2012-10-04 11:51:33)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
To all at GTG thanks for all you do. I am smarter than the average bear, but I may not be as smart as the next door neighbor.
HP Pavilion G7
6 GB RAM
W7 Home Prem 64-bit
Windows Update says nothing to install
Chrome
IE9 is disabled in Windows Programs but is on the laptop
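The Silent Runners output above flags one thing worth a closer look: a Run value ("Conime") whose target, %windir%\system32\conime.exe, does not exist on disk. An autostart entry pointing at a missing file is not proof of infection by itself (uninstaller leftovers look the same), but it is exactly the kind of entry to triage first, and an entry that keeps reappearing after deletion means something else on the system is writing it. The script below is an added example written for this post; it is not the poster's code and not part of Silent Runners or CCleaner. It enumerates the Run and RunOnce keys in the 64-bit and Wow6432Node views of HKLM plus HKCU, resolves each command line to its image path (handling both quoted and unquoted paths with spaces, the way CreateProcess does), and flags entries whose file is missing or whose Authenticode signature is not valid. It assumes Windows PowerShell 3.0 or later run elevated on 64-bit Windows 7 or newer.

```powershell
# Added example (not from the original post): triage Run/RunOnce autostart
# entries, flagging targets that are missing on disk or not validly signed.
# Assumes Windows PowerShell 3.0+, run elevated, on 64-bit Windows.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunImagePath {
    param([string]$CommandLine)
    # The registry may store %windir%-style variables unexpanded (REG_SZ).
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd.StartsWith('"')) {
        # Quoted image path: everything up to the closing quote.
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted path, possibly with spaces and trailing arguments. Mimic
    # CreateProcess: try each space-delimited prefix until one is a file.
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = ($parts[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    # Nothing resolved; return the first token so it is reported as missing.
    return $parts[0]
}

function Get-AutorunReport {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($command)) { continue }
            $image  = Get-AutorunImagePath -CommandLine $command
            $exists = Test-Path -LiteralPath $image -PathType Leaf
            $status = 'FileNotFound'
            $signer = 'n/a'
            if ($exists) {
                $sig    = Get-AuthenticodeSignature -FilePath $image
                $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Key       = $key
                Name      = $(if ($name -eq '') { '(Default)' } else { $name })
                Command   = $command
                Image     = $image
                Exists    = $exists
                Signature = $status
                Signer    = $signer
                # Missing file or anything but a valid signature gets a manual look.
                Flag      = (-not $exists) -or ($status -ne 'Valid')
            }
        }
    }
}

$report = @(Get-AutorunReport)
$report | Sort-Object Flag -Descending |
    Format-Table Flag, Name, Exists, Signature, Image -AutoSize
"Flagged entries: {0} of {1}" -f @($report | Where-Object Flag).Count, $report.Count
```

On the machine in this post the Conime row would show `Exists = False`, `Signature = FileNotFound`, `Flag = True`, while the Carbonite, Kodak and Avast rows should resolve to existing, signed images. The script only reads the registry; it deletes nothing, so it can be re-run after each reboot to confirm whether a removed value has been recreated.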