EMET can't download, conime.exe in startup can't stop,


#1 thisstinks (Member, 13 posts)

I worked with RKinner who was a superhero getting me through whatever my daughter brought home from college and got on my laptop. Yet even with the 'all clear' signal things never seemed quite right, but there was nothing wrong specifically. Boot up was fast, login as user was slow but not much different than the day I bought this computer.

A week or so ago I came back to GTG and saw the EMET tool on the front page, good idea I thought. Tried to download, Chrome says "download.microsoft.com" is unavailable. Maybe it's overloaded, tried again a couple of days later, same.
Ran Avast full scan
Ran Avast Bootscan
disabled Avast
Ran reg and safe mode MS MRT
Ran safe mode Malwarebytes current update
Ran safe mode Prevx v3.0.5.220 at friend in NGIC-NOC recommendation
Ran safe mode Webroot Secure Anywhere v8.0.2.27 same friend recommendation

Nothing

Just out of curiosity ran CCleaner as admin (did NOT run cleaner) and looked at Startup and see this:

Yes HKLM:Run Autorun Eater Old McDonald's Farm C:\Program Files (x86)\Autorun Eater\oldmcdonald.exe (Installed when working with RKinner)
Yes HKLM:Run avast AVAST Software "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui (Installed when working with RKinner, replaced MSE)
Yes HKLM:Run Carbonite Backup Carbonite, Inc. C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe (Legit, my backups)
Yes HKLM:Run Conime %windir%\system32\conime.exe (????????)
Yes HKLM:Run EKStatusMonitor Eastman Kodak Company C:\PROGRAM FILES (X86)\KODAK\AIO\STATUSMONITOR\EKStatusMonitor.exe (Legit, my wireless printer)

Disabled Conime in msconfig, did not start the next reboot but did the 2nd reboot
Disabled Conime in CCleaner, came back on second reboot
Deleted in CCleaner, came back
Went into safe mode deleted in Regedit, reboot into safe mode ran barrage of AV/Anti-malware

Found nothing, Conime was not in startup for a few days but like Jack Nicholson in The Shining, it's back.

Don't know what it is or what it does but I am now (only in last 3 days) getting emails with photo (supposedly) attachments from Chinese people (supposedly)


The only added thing is we do have a new tenant (4 months) in a unit next door that is a Chinese citizen. Our wireless is WPA2 AES (CCMP) so I hope it is not vulnerable to him, and I have no reason to suspect him but he is a University Professor and smarter than I am for sure so I wanted to mention. Maybe he is stealing bandwidth or trying to get free internet, maybe it's a virus or maybe I am in the twilight zone but I just don't feel right yet.

I don't want to post a bunch of meaningless logs and OTL was removed when I did the cleanup with RKinner, but I will include this from running Silentrunners.vbs today (this is incomplete and I only posted where it said things might be awry).


"Silent Runners.vbs", revision 64, http://www.silentrunners.org/
Operating System: Microsoft Windows 7 Home Premium Service Pack 1 (64-bit)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ {++}
Carbonite Backup = C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe [Carbonite, Inc.]
Autorun Eater = C:\Program Files (x86)\Autorun Eater\oldmcdonald.exe [Old McDonald's Farm]
EKStatusMonitor = C:\PROGRAM FILES (X86)\KODAK\AIO\STATUSMONITOR\EKStatusMonitor.exe [Eastman Kodak Company]
Conime = %windir%\system32\conime.exe [file not found]

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = ComFile


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

NoDrives = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

NoDrives = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

ConsentPromptBehaviorAdmin = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
Wallpaper = C:\Users\Historic Inn\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg




Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = %SystemRoot%\system32\NLAapi.dll [MS]
000000000002\LibraryPath = %SystemRoot%\system32\napinsp.dll [MS]
000000000003\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000004\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000005\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]
000000000006\LibraryPath = %SystemRoot%\System32\winrnr.dll [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = &Research
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Adobe Acrobat Update Service, AdobeARMservice, "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [Adobe Systems Incorporated]
Carbonite Mirror Image Backup Service, Carbonite-Mirror-Image-Svc, "C:\Program Files\Carbonite\Carbonite Mirror Image\CarboniteMirrorImage.exe" [Carbonite]
CarboniteService, CarboniteService, "C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe" [Carbonite, Inc. (www.carbonite.com)]
Kodak AiO Network Discovery Service, Kodak AiO Network Discovery Service, C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe [Eastman Kodak Company]
Kodak AiO Status Monitor Service, Kodak AiO Status Monitor Service, "C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe" [Eastman Kodak Company]
Net Driver HPZ12, Net Driver HPZ12, C:\Windows\System32\svchost.exe -k HPZ12 {C:\Windows\system32\HPZinw12.dll [Hewlett-Packard]}
Pml Driver HPZ12, Pml Driver HPZ12, C:\Windows\System32\svchost.exe -k HPZ12 {C:\Windows\system32\HPZipm12.dll [Hewlett-Packard]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
KODAK All-in-One Printer\Driver = EKAiO2MON.dll [Eastman Kodak Company]
PCL hpz3lwn7\Driver = hpz3lwn7.dll [Hewlett-Packard Company]


---------- (launch time: 2012-10-04 11:51:33)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.



To all at GTG thanks for all you do. I am smarter than the average bear, but I may not be as smart as the next door neighbor.




HP Pavilion G7
6 GB RAM
W7 Home Prem 64-bit
Windows Update says nothing to install
Chrome
IE9 is disabled in windows programs but is on the laptop
  • 0
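One check a defender would run on a Silent Runners excerpt like the one above: an added Python example (not part of the post, and not a Silent Runners or Geeks to Go tool) that parses the "Startup items buried in registry" section, records which key each value lives under, and flags launch points whose target is reported as [file not found] or that Silent Runners itself marked with <<!>>. The sample report is constructed from the post's own excerpt; the environment mapping used to expand %windir% is an assumption, not read from any machine.

```python
import re

# Constructed sample, modelled on the Silent Runners excerpt in the post above
# (not the poster's complete log). Backslashes are doubled for the Python literal.
SAMPLE_REPORT = """\
Startup items buried in registry:
---------------------------------

HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\ {++}
Carbonite Backup = C:\\Program Files (x86)\\Carbonite\\Carbonite Backup\\CarboniteUI.exe [Carbonite, Inc.]
Autorun Eater = C:\\Program Files (x86)\\Autorun Eater\\oldmcdonald.exe [Old McDonald's Farm]
Conime = %windir%\\system32\\conime.exe [file not found]

<<!>> HKLM\\SOFTWARE\\Classes\\.com\\(Default) = ComFile
"""

# A registry key header: "HKLM\...\Run\" optionally followed by the "{++}" marker.
KEY_RE = re.compile(r"^(HK[A-Z]{1,2}\\\S+\\)\s*(\{\+\+\})?$")
# A value line: "name = data [publisher or status]"; the bracket suffix is optional.
ENTRY_RE = re.compile(r"^(?P<name>.+?)\s*=\s*(?P<data>.*?)(?:\s*\[(?P<tag>[^\]]*)\])?$")


def parse_report(text):
    """Parse launch-point lines into dicts, keeping the key each value lives under."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        marked = line.startswith("<<!>>")      # Silent Runners' own suspicion marker
        if marked:
            line = line[len("<<!>>"):].strip()
        if " = " not in line:
            m = KEY_RE.match(line)
            if m:
                current_key = m.group(1)       # remember the key for following values
            continue                           # headings, rules and notes are skipped
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, data, tag = m.group("name"), m.group("data"), m.group("tag")
        if name.startswith("HK"):              # fully qualified "<key>\<value>" form
            key, _, name = name.rpartition("\\")
            key += "\\"
        else:
            key = current_key
        entries.append({"key": key, "name": name, "data": data,
                        "tag": tag or "", "marked": marked})
    return entries


def triage(entries):
    """Return (severity, reason, entry) for launch points that deserve a second look."""
    findings = []
    for e in entries:
        if e["tag"].lower() == "file not found":
            findings.append(("high", "launch point targets a file that does not exist; "
                                     "whatever recreates the value is the real question", e))
        elif e["marked"]:
            findings.append(("high", "marked <<!>> by Silent Runners "
                                     "(non-default data at a launch point)", e))
        elif not e["tag"]:
            findings.append(("medium", "no publisher recorded for the target binary", e))
    return findings


def expand_vars(data, env):
    """Expand %NAME% references case-insensitively, as the Run key loader would."""
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lower.get(m.group(1).lower(), m.group(0)), data)


if __name__ == "__main__":
    # Assumed environment for path expansion; a real check would read os.environ on the host.
    env = {"windir": "C:\\Windows", "SystemRoot": "C:\\Windows"}
    for sev, why, e in triage(parse_report(SAMPLE_REPORT)):
        path = expand_vars(e["data"], env)
        print(f"[{sev}] {e['key']}{e['name']} -> {path}: {why}")
```

Run against the sample, the script reports exactly the two lines the post worried about: the Conime value (target missing) and the .com file-class default that Silent Runners flagged. A value that points at a file that is not there is worth tracking down whether or not the name sounds familiar, because the interesting part is whatever recreates the value after every reboot rather than the value itself.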

#2 Jintan (Trusted Helper, Malware Removal, 904 posts)

Hello thisstinks,

Not yet seeing any mystery here. Malware cannot be transmitted in the ways you mention. And I think that Autorun Eater uninstalls normally through the control panel uninstall.

Conime.exe is related to language functions. I have it on one of my systems for, I think, Japanese/Chinese characters, but other programs use it (I am pretty sure). Rarely, and not recently, that file name was used as a malware file name; many, including me, fell for that back then and deleted the legit file.


I also find that many MS sites do not support non-IE browsers, so try that tool download using IE. I hope the post you picked that up from mentioned a caution on knowing how to use that.
  • 0