Please Help! Immunet Detects Stealth Item When No Other Scan Will?

[David Da Silva]

Hello! I've just ran a rootkit scan with Immunet and it has detected this as a stealth item on my system: fsm_service_var_1.js.data

 

on the history it says it FAILED to quarantine this item.

 

detection name: W32.Generic.Hidden.Rootkit

 

file path:

C:\ProgramData\Trusteer\Rapport\store\user\events_stats_var_1.js.data

 

 

could you please tell me if this a false positive or something more sinister?

 

I do have trusteer rapport installed as advised and supplied by my bank as an "essential" tool for the security of online banking facility....????

 

The Hijackthis log file says:

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:38:35, on 24/06/2013

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v10.0 (10.00.9200.16611)

Boot mode: Normal

 

Running processes:

C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe

C:\Windows\PLFSetI.exe

C:\Users\ace\Local Settings\Apps\F.lux\flux.exe

C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe

C:\Program Files (x86)\Intel\Intel Rapid Storage Technology\IAStorIcon.exe

C:\Program Files (x86)\Launch Manager\LManager.exe

C:\Program Files (x86)\Launch Manager\LMworker.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\OpenDNS\DNSCrypt\OpenDNSInterface.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Users\ace\Downloads\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: LastPass Vault - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll

O4 - HKLM\..\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel Rapid Storage Technology\IAStorIcon.exe

O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

O4 - HKLM\..\Run: [immunet Protect] "C:\Program Files\Immunet\3.0.8\iptray.exe"

O4 - HKCU\..\Run: [F.lux] "C:\Users\ace\Local Settings\Apps\F.lux\flux.exe" /noshow

O4 - HKCU\..\Run: [OpenDNS Updater] "C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" /autostart

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [sPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft....?LinkID=122915" /build:7601 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [sPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft....?LinkID=122915" /build:7601 (User 'Default user')

O4 - Startup: Dropbox.lnk = ace\AppData\Roaming\Dropbox\bin\Dropbox.exe

O4 - Global Startup: Install LastPass FF RunOnce.lnk = C:\Program Files (x86)\Common Files\lpuninstall.exe

O4 - Global Startup: Install LastPass IE RunOnce.lnk = C:\Program Files (x86)\Common Files\lpuninstall.exe

O4 - Global Startup: OpenDNSCrypt.lnk = ?

O4 - Global Startup: SoftEther VPN Client Manager Startup.lnk = C:\Program Files\SoftEther VPN Client\vpncmgr_x64.exe

O8 - Extra context menu item: LastPass - file://C:\Users\ace\AppData\LocalLow\LastPass\context.html?cmd=lastpass

O8 - Extra context menu item: LastPass Fill Forms - file://C:\Users\ace\AppData\LocalLow\LastPass\context.html?cmd=fillforms

O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPToolbar.dll

O9 - Extra 'Tools' menuitem: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPToolbar.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O17 - HKLM\System\CCS\Services\Tcpip\..\{81D904FD-849B-409C-80D5-7275CA03EE00}: NameServer = 127.0.0.1

O17 - HKLM\System\CCS\Services\Tcpip\..\{833D50A7-961C-4543-B623-7490136D17BB}: NameServer = 127.0.0.1

O17 - HKLM\System\CCS\Services\Tcpip\..\{89B2DE0C-E69E-4D3C-A7EB-326FE6F00E39}: NameServer = 127.0.0.1

O17 - HKLM\System\CCS\Services\Tcpip\..\{D1A4E8C6-D337-42DA-83B0-777B67999ED4}: NameServer = 127.0.0.1

O17 - HKLM\System\CCS\Services\Tcpip\..\{F78D22F5-D53E-4444-95B9-45883344CC8D}: NameServer = 127.0.0.1

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: OpenDNSCrypt (DNSCrypt) - Unknown owner - C:\Program Files (x86)\OpenDNS\DNSCrypt\OpenDNSCryptService.exe

O23 - Service: Dritek WMI Service (DsiWMIService) - Dritek System Inc. - C:\Program Files (x86)\Launch Manager\dsiwmis.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Intel Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Rapid Storage Technology\IAStorDataMgrSvc.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Intel Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Management Engine Components\LMS\LMS.exe

O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: OpenVPN Service (OpenVPNService) - The OpenVPN Project - C:\Program Files\OpenVPN\bin\openvpnserv.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\PSIA.exe

O23 - Service: Secunia Update Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\sua.exe

O23 - Service: SoftEther VPN Client (SEVPNCLIENT) - SoftEther Project at University of Tsukuba, Japan. - C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: Intel Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Management Engine Components\UNS\UNS.exe

O23 - Service: Updater Service - Acer Group - C:\Program Files\Acer\Acer Updater\UpdaterService.exe

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe

O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe

O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe

O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

 

--

End of file - 11748 bytes

 

 

 

hope this enough info, and look fwd to hearing from you.

 

Thank you in advance for the help and this forum.

 

Regards

 

David Silva

[Pedersen]

Hello Silva. I can see by the name of the path that it lies in a folder named Trusteer. If you have Trusteer Rapport installed on your computer then this is a false positive and i recommend you to submit it as so

[David Da Silva]

Thanks Pederson, its reassuring to hear that ! I will post this as a false positive and hopefully help other users that might have the same problem.

Thanks also for quick response, and for the software!!!!

All the best!

 

Silva

[ritchie58]

Trusteer is a somewhat new internet security firm that caters to the on-line banking industry. Their Rapport software adds an added layer of protection while conducting on-line banking operations from your PC. I would concur with Pedersen that what you are seeing is a False Positive. I also checked Virustotal and found nothing malicious with their software. More info on Trusteer Rapport can be found at this link. http://www.trusteer....nd-mac-security

 

Cheers, Ritchie...