Is conime.exe a genuine Windows file ... ?

Status
Not open for further replies.

gmail2

Programmer
Jun 15, 2005
987
IE
I have a user who couldn't access any secure sites - kept giving back a DNS error even though I knew there was no problem with DNS. I had a look at the processes and there was one called conime.exe - once I ended the task it solved the problem. I searched it on the web and every website says it's a Trojan (BFGhost). However, I've had a look on several PCs and they all have the conime file in C:\windows\system32 also, and the file size, modification date and version number are identical to the "infected" computer. Also, the task appears each time you restart the PC, although I've looked at msconfig and can't figure out where it's coming from.

I decided to rename the file to conime.exe.bak and the PC still SEEMS to work fine - however, when I checked the event viewer it said that it couldn't find the user's profile and was logging on with a temp profile. When I check users' profiles in system properties there are 2 there for this user now - backup and temp.

So essentially what I want to know is what is this file. Is it legit, or did this user get the Trojan and have it replaced by another file or ... ? I'm really at a loss here - can anybody help?
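The checks described in the post above (is the file where Windows keeps it, do size, date and version match, and what starts it) can be gathered in one pass rather than by eye. The script below is an added example, not code from the thread or from any of the tools it mentions; it assumes Windows PowerShell 4 or later (for Get-FileHash) and an administrative session. It adds two things a name and size comparison cannot give: the Authenticode signature, which settles whether the binary in System32 is the Microsoft-signed one (Windows does ship a file called conime.exe, the Console IME, so the name alone proves nothing either way), and a SHA-256 hash, which can be looked up at VirusTotal instead of uploading the file. The file name and the System32 path are the ones given in the post; everything else is constructed for the example.

```powershell
# Added example (not part of the original thread): collect the facts a responder
# compares before deciding whether a conime.exe instance is legitimate.
# Assumes Windows PowerShell 4+ (Get-FileHash) and an elevated session.
param(
    [string]$Name         = 'conime.exe',                                   # name from the post
    [string]$ExpectedPath = (Join-Path $env:SystemRoot 'System32\conime.exe') # location from the post
)

# Build one report object for a single file: size, date and version (what the
# poster compared by hand) plus hash and signature (what actually decides it).
function Get-SuspectFileReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $item.FullName
        SizeBytes   = $item.Length
        LastWrite   = $item.LastWriteTime
        FileVersion = $item.VersionInfo.FileVersion
        Company     = $item.VersionInfo.CompanyName
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash  # look this up at VirusTotal
        SigStatus   = $sig.Status            # 'Valid' for the Microsoft-signed binary
        Signer      = $sig.SignerCertificate.Subject
    }
}

# 1. Every running process with that image name and where each image lives.
#    A copy running from anywhere other than System32 is the one to look at.
$baseName = [IO.Path]::GetFileNameWithoutExtension($Name)
Get-Process -Name $baseName -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path, StartTime

# 2. Report on the expected file and on any same-named file elsewhere on the
#    system drive (the recursive search is slow but catches dropped copies).
$others = Get-ChildItem -Path "$env:SystemDrive\" -Filter $Name -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ne $ExpectedPath } |
    Select-Object -ExpandProperty FullName
$candidates = @($ExpectedPath) + @($others)
$candidates | ForEach-Object { Get-SuspectFileReport -Path $_ } | Format-List

# 3. Autostart locations that msconfig does not show completely: Run/RunOnce
#    keys for machine and current user, the Winlogon key, and service image paths.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$pattern = [regex]::Escape($Name)
foreach ($k in $runKeys) {
    if (Test-Path -Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match $pattern } |
            ForEach-Object { '{0} -> {1} = {2}' -f $k, $_.Name, $_.Value }
    }
}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match $pattern } |
    Select-Object Name, State, StartMode, PathName
```

Reading the output: a single copy in System32 with SigStatus Valid and a Microsoft signer, and no Run key or service pointing at it, is the shipped file; a second copy elsewhere, an unsigned file, or an autostart entry naming it is what to hand to the scanners suggested later in the thread. Comparing the SHA-256 across the "clean" and "infected" machines is a stronger test than size and date, which a replaced file can match.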
 
Take a look here at the legit files for the conime.exe


So, it could be legit and it may not be. On the PC that is causing issues, you may want to do the following:

Download HijackThis from the link below and do a scan and post the results.

You may also want to visit Webroot Spysweeper and hit it with that too:

This is a trial, but will fully function for what you need to do.

Update it and then do a sweep.

Also do the following:

Hope this helps,

Erik
 
This file is flagged as a backdoor trojan by many websites.

Go here to upload that file for analysis! At VirusTotal, go to the top right of the page and paste the full path of that file; I imagine it is c:\windows\system32\conime.exe. Then click send and wait for the results and post them back here!

Also download and run these tools!




* Download the trial version of Ewido Security Suite here

* Install Ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch Ewido.
* It will prompt you to update; click the OK button and it will go to the main screen.
* On the left side of the main screen click Update.
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.


* Download Cleanup from here

* A window will open; choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on the Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree".
* Then click NEXT followed by START and OK.
* A window will appear with many choices; keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK.
* DO NOT RUN IT YET.




* Click here for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to Notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:



* Run Ewido:

* Click on Scanner.
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files; click OK.
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop.

* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once it's done, close the program.




Reboot to normal mode and run a few online scans!

Run an online antivirus check from

Choose the extended database for the scan!

Post another HijackThis log, the Ewido and ActiveScan logs.
 