
Possible rootkit / malware infection - iun6002.exe



#1 sc0ttyd

  • Members
  • 2 posts

Posted 30 June 2010 - 07:10 AM

Hi Guys,

I have been experiencing some issues with my Win7 Ultimate 32bit laptop, specifically windows updates were not working (Trustedinstaller.exe was hogging an entire core, constantly).

I was going to do a repair install but decided to scan using a BitDefender boot CD first - which detected a file, C:\Windows\iun6002.exe, as malware, and removed it. I ran ComboFix, which detected rootkit activity - I have attached the combofix log.

Prior to this, I have had Kaspersky IS running as long as I have had the laptop, but it was not running for the past 10 days due to an issue upgrading it.

Does the combofix log indicate anything else I should be concerned about? Is iun6002.exe sufficiently bad that I should format and reinstall?

I use my laptop for banking, business, etc. Any help would be greatly appreciated.

CODE
ComboFix 10-06-29.03 - Scott 30/06/2010  12:26:15.1.2 - x86

Microsoft Windows 7 Ultimate   6.1.7600.0.1252.44.1033.18.3071.2425 [GMT 1:00]

Running from: G:\ComboFix.exe

.



(((((((((((((((((((((((((   Files Created from 2010-05-28 to 2010-06-30  )))))))))))))))))))))))))))))))

.



2010-06-30 11:37 . 2010-06-30 11:42    --------    d-----w-    c:\users\Scott\AppData\Local\temp

2010-06-30 11:37 . 2010-06-30 11:37    --------    d-----w-    c:\users\Default\AppData\Local\temp

2010-06-30 11:37 . 2010-06-30 11:37    --------    d-----w-    c:\users\Scott.LENOVO-SL500-75\AppData\Local\temp

2010-06-30 11:37 . 2010-06-30 11:37    --------    d-----w-    c:\users\__sbs_netsetup__\AppData\Local\temp

2010-06-29 15:28 . 2010-06-29 15:28    --------    d-----w-    c:\windows\CheckSur

2010-06-29 13:34 . 2010-06-29 13:34    274    ----a-w-    c:\users\Scott\AppData\Roaming\WinFF\ff100629143417.bat

2010-06-29 13:28 . 2010-06-29 13:34    --------    d-----w-    c:\users\Scott\AppData\Roaming\WinFF

2010-06-29 13:28 . 2010-06-29 13:28    --------    d-----w-    c:\program files\WinFF

2010-06-27 12:03 . 2010-06-27 12:03    --------    d-----w-    c:\users\Scott\AppData\Local\HTC

2010-06-27 12:03 . 2010-06-27 12:03    --------    d-----w-    c:\programdata\HTC

2010-06-27 12:03 . 2010-06-27 12:03    --------    d-----w-    c:\programdata\Teleca

2010-06-27 12:02 . 2010-06-27 12:02    --------    d-----w-    c:\program files\Spirent Communications

2010-06-27 12:02 . 2010-06-27 12:03    --------    d-----w-    c:\program files\HTC

2010-06-26 00:33 . 2010-06-26 00:34    --------    d-----w-    c:\users\Scott\AppData\Roaming\vlc

2010-06-25 17:46 . 2010-06-25 17:46    3536    ------w-    C:\bootsqm.dat

2010-06-25 16:33 . 2010-06-25 16:37    --------    d-----w-    c:\users\Scott\AppData\Roaming\Teleca

2010-06-25 16:32 . 2010-06-27 12:03    --------    d-----w-    c:\program files\Common Files\Teleca Shared

2010-06-23 12:48 . 2009-02-18 13:53    112504    ----a-w-    c:\windows\system32\ArMonitor.dll

2010-06-23 12:45 . 2010-06-23 12:48    --------    d-----w-    c:\program files\ARX

2010-06-22 16:50 . 2010-06-22 16:50    --------    d---a-w-    C:\Kaspersky Rescue Disk 10.0

2010-06-22 07:52 . 2010-06-22 07:52    --------    d-----w-    c:\program files\iPod

2010-06-22 07:52 . 2010-06-22 07:52    --------    d-----w-    c:\program files\iTunes

2010-06-22 07:49 . 2010-06-22 07:49    --------    d-----w-    c:\program files\Bonjour

2010-06-22 07:45 . 2010-06-22 07:45    72504    ----a-w-    c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

2010-06-18 11:37 . 2010-06-18 11:37    --------    d-----w-    c:\program files\Secunia

2010-06-18 11:30 . 2010-06-18 11:30    --------    d-----w-    C:\KAV

2010-06-06 15:39 . 2010-06-06 15:39    --------    d-----w-    C:\Xobni

2010-06-06 14:01 . 2010-06-06 14:01    --------    d-----w-    c:\users\Scott\AppData\Local\Opera

2010-06-06 14:01 . 2010-06-21 15:53    --------    d-----w-    c:\program files\Opera

2010-06-05 09:43 . 2009-10-10 02:57    12800    ----a-w-    c:\windows\system32\drivers\sffp_sd.sys

2010-06-05 09:43 . 2009-10-10 02:31    84992    ----a-w-    c:\windows\system32\drivers\sdbus.sys

2010-06-05 09:41 . 2009-09-26 05:58    194488    ----a-w-    c:\windows\system32\drivers\fvevol.sys

2010-06-05 09:41 . 2010-03-04 07:33    740864    ----a-w-    c:\windows\system32\inetcomm.dll

2010-06-05 09:40 . 2009-12-11 07:44    133720    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys

2010-06-05 09:40 . 2009-12-11 07:38    1037312    ----a-w-    c:\windows\system32\lsasrv.dll

2010-06-05 09:40 . 2010-06-05 09:41    --------    d-----w-    C:\ou

2010-06-05 09:39 . 2010-04-23 07:13    2048    ----a-w-    c:\windows\system32\tzres.dll

2010-06-04 11:12 . 2010-06-04 11:12    70984    ----a-w-    c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\ki46c0wj.default\extensions\LogMeInClient@logmein.com\plugins\LMIProxyHelper.exe

2010-06-04 11:12 . 2010-06-01 10:44    3907584    ----a-w-    c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\ki46c0wj.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll

2010-06-04 11:12 . 2010-01-25 10:58    462848    ----a-w-    c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\ki46c0wj.default\extensions\LogMeInClient@logmein.com\plugins\ractrlkeyhook.dll

2010-06-04 11:12 . 2010-01-15 13:25    864256    ----a-w-    c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\ki46c0wj.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianDll.dll

2010-06-04 11:12 . 2010-01-15 13:25    315392    ----a-w-    c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\ki46c0wj.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianEvt.dll

2010-06-04 11:12 . 2010-01-15 13:25    372736    ----a-w-    c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\ki46c0wj.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardian.exe

2010-06-02 15:52 . 2010-06-02 15:52    --------    d-----w-    c:\users\Scott\AppData\Roaming\Siemens

2010-06-02 15:26 . 2010-06-02 15:31    --------    d-----w-    c:\program files\Licensing



.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-30 11:40 . 2010-02-09 15:53    4194304    ----a-w-    c:\windows\ServiceProfiles\NetworkService\msmqlog.bin

2010-06-29 19:07 . 2009-11-25 18:05    --------    d-----w-    c:\programdata\Kaspersky Lab

2010-06-29 19:07 . 2009-11-25 17:47    --------    d-----w-    c:\program files\Kaspersky Lab

2010-06-29 09:00 . 2010-04-25 03:00    --------    d-----w-    c:\programdata\Skype

2010-06-28 10:16 . 2010-04-25 03:00    --------    d-----w-    c:\users\Scott\AppData\Roaming\Skype

2010-06-25 17:06 . 2010-06-25 17:06    0    ---ha-w-    c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf

2010-06-25 16:36 . 2010-06-25 16:36    0    ---ha-w-    c:\windows\system32\drivers\Msft_Kernel_androidusb_01009.Wdf

2010-06-23 12:46 . 2009-10-30 00:19    --------    d--h--w-    c:\program files\InstallShield Installation Information

2010-06-22 07:52 . 2009-10-29 22:57    --------    d-----w-    c:\program files\Common Files\Apple

2010-06-12 00:50 . 2010-04-25 03:03    --------    d-----w-    c:\users\Scott\AppData\Roaming\skypePM

2010-06-06 13:28 . 2009-10-30 00:14    --------    d-----w-    c:\program files\Microsoft Silverlight

2010-06-06 13:27 . 2009-07-14 02:37    --------    d-----w-    c:\program files\Windows Mail

2010-06-05 09:43 . 2009-10-29 22:13    --------    d-----w-    c:\programdata\Microsoft Help

2010-06-02 15:56 . 2009-10-28 20:58    86136    ----a-w-    c:\users\Scott\AppData\Local\GDIPFONTCACHEV1.DAT

2010-05-28 11:04 . 2010-05-28 11:04    14896    ----a-w-    c:\windows\system32\drivers\psi_mf.sys

2010-05-24 19:01 . 2010-05-24 19:00    --------    d-----w-    c:\program files\Celestron

2010-05-24 18:51 . 2009-10-29 22:44    --------    d-----w-    c:\users\Scott\AppData\Roaming\Azureus

2010-05-24 18:49 . 2010-05-24 18:49    --------    d-----w-    c:\program files\MetaGuide

2010-05-24 18:07 . 2010-05-24 18:07    --------    d-----w-    c:\program files\Common Files\ASCOM

2010-05-24 18:07 . 2010-05-24 18:07    --------    d-----w-    c:\program files\ASCOM

2010-05-24 17:59 . 2010-05-24 17:11    --------    d-----w-    c:\program files\Ciel

2010-05-18 15:35 . 2010-05-18 15:35    91424    ----a-w-    c:\windows\system32\dnssd.dll

2010-05-18 15:35 . 2010-05-18 15:35    107808    ----a-w-    c:\windows\system32\dns-sd.exe

2010-05-14 13:28 . 2010-05-14 13:28    --------    d-----w-    c:\users\Scott\AppData\Roaming\Pacta Software

2010-05-13 16:01 . 2009-11-19 14:50    --------    d-----w-    c:\users\Scott\AppData\Roaming\FileZilla

2010-05-13 15:10 . 2010-05-13 14:00    --------    d-----w-    c:\program files\ThinkVantage Fingerprint Software

2010-05-13 14:25 . 2009-10-28 21:28    --------    d-----w-    c:\program files\ThinkPad

2010-05-13 14:00 . 2010-05-13 14:00    --------    d-----w-    c:\program files\Common Files\SPBA

2010-05-13 09:59 . 2010-05-13 09:59    0    ---ha-w-    c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf

2010-05-13 09:59 . 2010-05-13 09:59    --------    d-----w-    c:\program files\Synaptics

2010-05-13 09:07 . 2010-05-13 09:07    --------    d-----w-    c:\users\Scott\AppData\Roaming\Priacta

2010-05-13 09:04 . 2010-05-13 09:04    --------    d-----w-    c:\program files\Priacta

2010-05-13 07:37 . 2010-04-05 17:54    --------    d-----w-    c:\program files\Google

2010-05-12 15:39 . 2010-05-12 15:38    --------    d-----w-    c:\program files\Xobni

2010-05-10 22:20 . 2010-04-14 14:11    175    ----a-w-    c:\users\Scott\AppData\Roaming\Azureus\restart.bat

2010-05-10 22:19 . 2009-10-29 22:44    --------    d-----w-    c:\program files\Vuze

2010-05-10 22:02 . 2009-10-29 22:41    --------    d-----w-    c:\users\Scott\AppData\Roaming\Dropbox

2010-05-10 21:42 . 2010-05-10 21:42    --------    d-----w-    c:\users\Scott\AppData\Roaming\Auslogics

2010-05-10 21:42 . 2010-05-10 21:42    --------    d-----w-    c:\program files\Auslogics

2010-05-10 20:29 . 2010-01-04 14:04    --------    d-----w-    c:\program files\1&1

2010-04-25 03:03 . 2010-04-25 03:03    56    ---ha-w-    c:\programdata\ezsidmv.dat

2010-04-22 23:17 . 2010-04-22 23:17    244784    ----a-w-    c:\windows\system32\drivers\SynTP.sys

2010-04-22 23:16 . 2010-04-22 23:16    120104    ----a-w-    c:\windows\system32\SynTPCo4.dll

2010-04-22 23:16 . 2010-04-22 23:16    165160    ----a-w-    c:\windows\system32\SynTPAPI.dll

2010-04-22 23:16 . 2010-04-22 23:16    210216    ----a-w-    c:\windows\system32\SynCtrl.dll

2010-04-22 23:16 . 2010-04-22 23:16    173352    ----a-w-    c:\windows\system32\SynCOM.dll

2010-04-19 19:47 . 2010-04-19 19:47    3062048    ----a-w-    c:\windows\system32\usbaaplrc.dll

2010-04-19 19:47 . 2010-04-19 19:47    41984    ----a-w-    c:\windows\system32\drivers\usbaapl.sys

2010-04-15 00:56 . 2010-04-15 00:56    286720    ------w-    c:\windows\Setup1.exe

2010-04-15 00:56 . 2010-04-15 00:56    73216    ----a-w-    c:\windows\ST6UNST.EXE

2010-04-12 16:29 . 2010-04-20 14:05    411368    ----a-w-    c:\windows\system32\deployJava1.dll

2009-06-10 21:26 . 2009-07-14 02:04    9633792    --sha-r-    c:\windows\Fonts\StaticCache.dat

2009-07-14 01:14 . 2009-07-13 23:42    396800    --sha-w-    c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

.



(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ASuite.exe"="c:\program files\Aastra\Office Suite\Suite.exe" [2009-11-20 2671432]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TpShocks"="TpShocks.exe" [2009-07-08 337184]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-22 1725736]

"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2010-04-02 55048]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-19 598016]



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"DisableCAD"= 1 (0x1)



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)



[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2010-04-02 14:46    100104    ----a-w-    c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer1"=wdmaud.drv



[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Freenet Tray.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Freenet Tray.lnk

backup=c:\windows\pss\Freenet Tray.lnk.CommonStartup

backupExtension=.CommonStartup



[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Pandion.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Pandion.lnk

backup=c:\windows\pss\Pandion.lnk.CommonStartup

backupExtension=.CommonStartup



[HKLM\~\startupfolder\C:^Users^Scott^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]

path=c:\users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk

backup=c:\windows\pss\Dropbox.lnk.Startup

backupExtension=.Startup



[HKLM\~\startupfolder\C:^Users^Scott^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnk.Startup

backupExtension=.Startup



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]

2009-11-19 22:12    623960    ----a-w-    c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-06-15 15:33    141624    ----a-w-    c:\program files\iTunes\iTunesHelper.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2009-08-15 10:52    13797920    ----a-w-    c:\windows\System32\nvcpl.dll



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-17 20:53    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]

2009-07-08 12:31    614400    ----a-w-    c:\windows\Samsung\PanelMgr\SSMMgr.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trog Bar]

2010-03-04 20:43    10538720    ----a-w-    c:\program files\Priacta\Trog Bar\Trog Bar.exe



R2 clr_optimization_v4.0.21006_32;Microsoft .NET Framework NGEN v4.0.21006_X86;c:\windows\Microsoft.NET\Framework\v4.0.21006\mscorsvw.exe [2009-10-07 129856]

R2 DLPortIO;DriverLINX Port I/O Driver; [x]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 136176]

R2 PICOPP;Pico Technology Ltd USB Driver (picopp.sys);c:\windows\system32\Drivers\picopp.sys [2009-08-20 86416]

R3 camdrv41;Philips SPC 900NC PC Camera;c:\windows\system32\DRIVERS\camdrv41.sys [2007-04-23 1347584]

R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_5.3.23615.0.sys [x]

R3 e36gbus;F3607gw Mobile Broadband Device driver (Win7);c:\windows\system32\DRIVERS\e36gbus.sys [2009-06-30 285056]

R3 e36gmdfl;F3607gw Mobile Broadband Data Modem Filter (Win7);c:\windows\system32\DRIVERS\e36gmdfl.sys [2009-06-30 14848]

R3 e36gmdm;F3607gw Mobile Broadband Data Modem Driver (Win7);c:\windows\system32\DRIVERS\e36gmdm.sys [2009-06-30 374272]

R3 e36gmgmt;F3607gw Mobile Broadband Device Management Drivers (Win7);c:\windows\system32\DRIVERS\e36gmgmt.sys [2009-06-30 357376]

R3 e36wgps;Mobile Broadband GPS Port;c:\windows\system32\DRIVERS\e36wgps.sys [2009-07-10 82984]

R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]

R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2010-02-14 103040]

R3 LFKAS;Service of LFKA;c:\program files\Lenovo\ATK Hotkey\LFKAS.exe [2008-03-19 208896]

R3 ndfs;ndfs;c:\program files\Netdrive\ndfs.sys [x]

R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

R3 optousb;OPTO ELECTRONICS optousb;c:\windows\system32\DRIVERS\optousb.sys [2010-03-24 22016]

R3 optovcm;OPTO ELECTRONICS optovcm;c:\windows\system32\DRIVERS\optovcm.sys [2010-03-24 28160]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-27 1343400]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe [2009-10-07 752984]

R3 WwanUsbServ;Ericsson WWAN Wireless Module Device Driver;c:\windows\system32\DRIVERS\WwanUsbMp.sys [2009-07-29 213032]

R4 OipUpdateService;OIP Update Service;c:\program files\Aastra\UpdateSvc\OipUpdateService.exe [2008-01-24 196608]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]

S1 KProcessHacker;KProcessHacker;c:\program files\Process Hacker\kprocesshacker.sys [2009-12-29 59904]

S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2010-03-25 123856]

S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2010-03-25 41680]

S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 klnagent;Kaspersky Lab Network Agent;c:\program files\Kaspersky Lab\NetworkAgent 8\klnagent.exe [2009-09-18 138792]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-02-22 42000]

S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 12560]

S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2009-07-17 5120]

S2 WMCoreService;Mobile Broadband Core Service;c:\program files\Mobile Broadband Drivers\WMCore\mini_WMCore.exe servicemode [x]

S2 WTGService;WTGService;c:\program files\InternetEverywhere\WTGService.exe [2009-09-09 308688]

S2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [2010-04-14 55016]

S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-21 66592]

S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-05-28 14896]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-03-04 277536]

S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]

S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2010-03-25 99728]

S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2010-03-25 110608]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]



.

Contents of the 'Scheduled Tasks' folder



2010-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 17:54]



2010-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 17:54]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://companyweb

uInternet Settings,ProxyServer = hxxp://10.101.101.9:3128

uInternet Settings,ProxyOverride = <local>;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\ki46c0wj.default\

FF - component: c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\ki46c0wj.default\extensions\TechnicianConsole@logmeinrescue.com\platform\WINNT\components\RescueComponent.dll

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\ki46c0wj.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll

FF - plugin: c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\ki46c0wj.default\extensions\TechnicianConsole@logmeinrescue.com\platform\WINNT\plugins\npRescue.dll

FF - plugin: c:\users\Scott\AppData\Roaming\Mozilla\plugins\npatgpc.dll

FF - plugin: c:\windows\system32\Wat\npWatWeb.dll



---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

.

------- File Associations -------

.

txtfile="c:\program files\PSPad editor\PSPad.exe" "%1"

.

- - - - ORPHANS REMOVED - - - -



HKLM-Run-Syslog - (no file)

MSConfigStartUp-1&1 EasyLogin - c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe

MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe

MSConfigStartUp-WebDriveTray - c:\program files\WebDrive\webdrive.exe

AddRemove-XN120 PCPro6.13 - c:\windows\iun6002.exe







**************************************************************************



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net



device: opened successfully

user: MBR read successfully

called modules: >>UNKNOWN [0x83055000]<< >>UNKNOWN [0x8B7AF000]<< >>UNKNOWN [0x8B79E000]<< >>UNKNOWN [0x8B21D000]<< >>UNKNOWN [0x8301E000]<< >>UNKNOWN [0x8B349000]<< >>UNKNOWN [0x8B376000]<< >>UNKNOWN [0x8B36C000]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

IoDeviceObjectType -> DumpProcedure -> 0xd46a624f

user & kernel MBR OK



**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------



[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,37,e7,72,d0,00,9c,e6,4c,80,fd,74,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,37,e7,72,d0,00,9c,e6,4c,80,fd,74,\



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------



- - - - - - - > 'lsass.exe'(572)

c:\windows\system32\ARstore.dll



- - - - - - - > 'Explorer.exe'(4516)

c:\program files\Stardock\Fences\FencesMenu.dll

c:\program files\stardock\fences\DesktopDock.dll

c:\windows\system32\ARstore.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\windows\system32\nvvsvc.exe

c:\windows\system32\WUDFHost.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE

c:\windows\system32\nvvsvc.exe

c:\program files\ARX\ARX CryptoKit\utils\arcltsrv.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Licensing\License Agent\bin\cla.exe

c:\windows\system32\mqsvc.exe

c:\program files\ThinkVantage Fingerprint Software\upeksvr.exe

c:\windows\system32\taskhost.exe

c:\program files\Secunia\PSI\psi.exe

c:\windows\system32\conhost.exe

c:\windows\System32\TpShocks.exe

c:\program files\ThinkVantage Fingerprint Software\ctlcntrv.exe

c:\program files\Synaptics\SynTP\SynTPHelper.exe

c:\program files\Synaptics\SynTP\SynTPLpr.exe

c:\program files\Common Files\Teleca Shared\Generic.exe

c:\program files\Common Files\Teleca Shared\logger.exe

c:\program files\Common Files\Teleca Shared\CapabilityManager.exe

c:\program files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe

c:\program files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe

c:\program files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\windows\system32\sppsvc.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Mobile Broadband Drivers\WMCore\mini_WMCore.exe

c:\windows\servicing\TrustedInstaller.exe

.

**************************************************************************

.

Completion time: 2010-06-30  12:47:59 - machine was rebooted

ComboFix-quarantined-files.txt  2010-06-30 11:47



Pre-Run: 18,776,014,848 bytes free

Post-Run: 17,995,071,488 bytes free



- - End Of File - - 7EDC310F477EA3C5BFE300C52F15F5B6


After a bit more googling it looks like iun6002.exe can be legitimate and cause false positives - it is part of an installer / uninstaller packager. By the fact that after its removal it shows up as an orphan in combofix ("AddRemove-XN120 PCPro6.13 - c:\windows\iun6002.exe"), and XN120 PCPro is a legitimate app that I have had for ages (and was installed when Kaspersky was running), and that iun6002.exe does not show up as a recent file, I am hoping that it is legitimate.

This still leaves the rootkit activity issue, why would combofix flag this?

Merged posts. ~ OB

Edited by Orange Blossom, 30 June 2010 - 09:36 PM.
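A small triage parser for the ComboFix report format, added here as an example and not part of the original thread, of ComboFix or of gmer: it pulls the three things the post above reasons about (the orphaned AddRemove entry, services whose file is gone, and the gmer MBR-detector block) out of an excerpt of the quoted log. The section markers and row layouts it relies on are assumed from the log as quoted above; the findings it prints are review items for a human, not verdicts.

```python
import re

# Constructed excerpt of a ComboFix report: the lines are copied from the log
# quoted in the post above, cut down to the pieces the triage below reads.
SAMPLE_LOG = r"""
R2 DLPortIO;DriverLINX Port I/O Driver; [x]
R3 ndfs;ndfs;c:\program files\Netdrive\ndfs.sys [x]
S1 KProcessHacker;KProcessHacker;c:\program files\Process Hacker\kprocesshacker.sys [2009-12-29 59904]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Syslog - (no file)
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
AddRemove-XN120 PCPro6.13 - c:\windows\iun6002.exe

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x83055000]<< >>UNKNOWN [0x8B7AF000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
user & kernel MBR OK
"""

# Service/driver rows: "R2 name;description;path [date size]"; "[x]" = file gone.
SERVICE_RE = re.compile(
    r"^([RS][0-4]) ([^;]+);([^;]*);(.*?)\s*\[(x|\d{4}-\d{2}-\d{2} \d+)\]$", re.M)
# Rows in the ORPHANS REMOVED block: "<kind>-<entry name> - <target>".
ORPHAN_RE = re.compile(
    r"^(HKLM-Run|HKCU-Run|MSConfigStartUp|AddRemove)-(.+?) - (.+)$", re.M)
# Modules in the gmer detector's disk I/O path that it could not name.
UNKNOWN_MODULE_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def parse_services(log):
    """Return the R*/S* service rows; 'missing' is True where the log shows [x]."""
    rows = []
    for start, name, desc, path, stamp in SERVICE_RE.findall(log):
        rows.append({"start": start, "name": name, "desc": desc,
                     "path": path or None, "missing": stamp == "x"})
    return rows


def parse_orphans(log):
    """Return (kind, name, target) for every entry ComboFix reported as an orphan."""
    parts = log.split("ORPHANS REMOVED", 1)
    if len(parts) < 2:
        return []
    # The block ends at the row of asterisks that opens the MBR detector output.
    return ORPHAN_RE.findall(parts[1].split("****", 1)[0])


def parse_mbr_check(log):
    """Collect the gmer MBR-detector results: unnamed modules, hooks, MBR status."""
    result = {"unknown_modules": [], "hooks": [], "mbr_ok": False}
    in_hooks = False
    for line in log.splitlines():
        if line.startswith("called modules:"):
            result["unknown_modules"] = UNKNOWN_MODULE_RE.findall(line)
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
        elif in_hooks and "->" in line:
            result["hooks"].append(line.strip())
        else:
            in_hooks = False
        if line.strip() == "user & kernel MBR OK":
            result["mbr_ok"] = True
    return result


def triage(log):
    """Turn the parsed pieces into the review items a helper would look at first."""
    findings = []
    for kind, name, target in parse_orphans(log):
        if kind == "AddRemove":
            # An uninstall entry whose stub was removed (the iun6002.exe case above).
            findings.append(f"uninstall entry '{name}' referenced removed file {target}")
        elif target == "(no file)":
            findings.append(f"{kind} autostart '{name}' pointed at a file that no longer exists")
    for svc in parse_services(log):
        if svc["missing"]:
            findings.append(f"{svc['start']} service '{svc['name']}' has no file on disk "
                            f"({svc['path'] or 'no path recorded'})")
    mbr = parse_mbr_check(log)
    if mbr["unknown_modules"] or mbr["hooks"]:
        status = "reads OK" if mbr["mbr_ok"] else "NOT confirmed OK"
        findings.append(f"MBR detector: {len(mbr['unknown_modules'])} unnamed kernel "
                        f"module(s) and {len(mbr['hooks'])} hook(s) reported; MBR {status}. "
                        "Resolve the addresses against the loaded driver list before judging.")
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print("-", item)
```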



#2 schrauber (Mr.Mechanic)


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 04 July 2010 - 01:57 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 schrauber (Mr.Mechanic)


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 09 July 2010 - 12:20 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber




