Strange "conime.exe" Ghost File?

Discussion in 'Software' started by techtitan, Aug 4, 2014.

  1. techtitan

    techtitan Specialist

    I looked into my start up programs menu recently while I was attempting to speed up my boot process. I noticed that at some point in the last two weeks or so, a new entry for a system32/conime.exe file has been inserted.

    My research online suggests it's probably just an MS system file; but could also be malware in disguise. Problem is, when I navigate to the directory it's not actually there (even though I've checked and there are several conime.exe registry entries as well). Just to be safe, I scanned my entire System32 file and all its contents with both Malwarebytes and BitDefender (with zero infected results).

    So is this something that should concern me and why do I have a Start Up entry for a file that doesn't exist in that directory?

    Thnx
     
  2. Spad

    Spad MajorGeek

    You would probably be better served by posting this to the Malware thread. From what I have read, this could be a virus, or a normal system file . . . so your guess is as good as mine. I've personally never seen it running on Vista or Windows 7 computers I have used.

    If you have any suspicion at all I suggest consulting them. The malware folks are experts and can make sure you have a clean system (malware whispers their names in awe and fear).
     
  3. rustysavage

    rustysavage Sergeant Major

    I researched it a bit and also learned that it can be a legitimate Windows file, but it's not a file that gets autolaunched at boot time. In regards to this specific file, that behavior would be suggestive of malware. BTW, which flavor of Windows are you running on this machine? I have Win 7 (installed June of this year) and could find no file named conime.exe, nor any reference to it in the registry.

    On your system, how is conime.exe being launched (start-up item, scheduled task, Windows/application service)?
    Which program did you use to identify the new autolaunch entry?

    First thing I'd do is to find out whether the file is even on my system by doing a full system search for the file rather than just looking in %WinDir%. Nothing I read suggested that the malware version of this file hides itself, so if it's on your system you should be able to locate it with a simple search. If you do find it somewhere on your system then you can scan it online using the free cloud based AV scanner at VirusTotal.com. This scanner allows you to actually upload the suspect file and have it scanned by 50+ AV scanners. If, on the other hand, you don't find conime.exe on your system then you probably have only some registry entries that reference it (not sure if that can be construed as a rootkit, or remnants thereof).

    One more thing. Open Task Manager to see if conime.exe is actually running on your system (regardless of whether you can find it via file search). If you can't find the file on your disks, and it's not identified as a running process or service, then you probably have the leftover registry entries that once referenced the file and nothing more. In that case there's no reason to keep the registry entries that reference it. If you don't want to mess with the registry then you can simply disable the startup entry that's attempting to launch conime.exe. However, if that particular startup item re-enables itself without your input, then you likely do have a malware problem of some sort.

    If this doesn't solve your problem then you should do as Spad suggests. The following link is a good place to start if you're thinking about posting to the malware forum:

    http://forums.majorgeeks.com/showthread.php?t=35407
     
  4. techtitan

    techtitan Specialist

    Thanks for all the help and advice. After some additional work and research here on my own, here is the new info I've come away with since last we spoke:

    1) To answer the earlier question; a "conime" file does not load at start up nor is it listed in the Task Manager as a running program (I know as I Googled and identified each and every one that was loaded). Also, the entry in the msconfig menu lists it at the following location: %windir%\system32\conime.exe and SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

    2) I can confirm that the "conime.exe" file DOES NOT exist on my system anywhere. After unhiding all my hidden system files and then running a search in My Computer for the word "conime"...it returned no results whatsoever (not to mention that I already navigated to the System32 folder and was unable to find it).

    3) I have recently completed deep system scans of my entire hard drive (IE: all of Windows 7 not just the System32 folder) using SpyBot, Malwarebytes, SUPERAntiSpyware and BitDefender. Not a single malicious file was detected.

    4) I went ahead and deleted any registry entry that contained the word "conime" in regedit, which also resulted in it being removed from the Start Up tab of msconfig.

    5) I also forgot to mention one VERY important fact. I run 100% of my internet usage through a Sandbox. I NEVER go online without it and have it set to automatically delete upon close. Also, I don't download ANY file that is not from a trusted source. Period.

    While I'll certainly continue and post this into the malware forum if anyone thinks it's still necessary; I don't want to bog them down over nothing (as I know they walk you through a long process in order to knock malware out). I just don't want to waste their time if we can get a good idea this is nothing just based on this info first.

    Thanks and any insight is much appreciated (but I feel pretty confident I'm clean here).
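
The two checks discussed in the posts above (does a startup entry's target exist on disk, and is it running) can be done in one read-only pass over the Run keys. This is an added example, not part of the original thread; the helper name `Get-CommandTarget` and the two Run keys besides the Wow6432Node one quoted above are assumptions for illustration.

```powershell
# Added example (not from the thread). Read-only: lists Run-key autostart entries
# and flags any whose target is missing from disk or not currently running.
# Run from 64-bit PowerShell; a 32-bit host is redirected to Wow6432Node and SysWOW64.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',  # key quoted in the thread
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the executable path out of a Run-key command line.
function Get-CommandTarget {
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"')    { return $Matches[1] }   # "C:\path with spaces\app.exe" /args
    if ($expanded -match '^(.+?\.exe)\b') { return $Matches[1] }   # C:\path\app.exe /args
    return ($expanded -split '\s+')[0]                             # anything else: first token
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }           # key absent on this system
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($command)) { continue }
        $target   = Get-CommandTarget $command
        $procName = [IO.Path]::GetFileNameWithoutExtension($target)
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Target  = $target
            OnDisk  = Test-Path -LiteralPath $target -PathType Leaf
            Running = [bool](Get-Process -Name $procName -ErrorAction SilentlyContinue)
        }
    }
}

# False sorts before True, so entries with a missing target are listed first.
$report | Sort-Object OnDisk, Running | Format-Table -AutoSize -Wrap
```

A row with `OnDisk` and `Running` both `False` is the situation described in this thread: a startup entry that points at a file which is neither present nor loaded.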
     
  5. rustysavage

    rustysavage Sergeant Major

    Thanks for the thorough response. It sounds to me that the problem, if it ever was a problem (I'm not convinced) is now fixed. I'd keep a lookout for it over the next few days to see if it pops up again in your list of startup apps/services. However, given that you've wiped your system clean of any reference to conime.exe, I wouldn't post anything to the malware forum. I too am confident that your system is clean. Nice job with the sandboxing. I do the same any time I venture away from the handful of forums that I frequent.

    You Googled every item in your startup list??? Wow, now that's impressive. Maybe a little obsessive... but impressive nonetheless ;)

    Good luck, and please post any new developments (hopefully none) in this thread.
     
