Windows 7 Forums


Windows 7: iun6002.exe malware - is it gone?


08 Feb 2013   #1

Windows 7 Home Premium 64bit
 
 

Hi there,

The other day I had some networking problems, services such as the Network List Service were failing to start etc. Then after I ran some commands to fix this, Windows Firewall was disabled and couldn't be started.

I ran ComboFix (I admit, I have only now just seen the warning to only run it after being given expert advice) and it deleted one file (but also did some stuff in the registry I think, relating to TCPIP). After this, Windows Firewall works again.

That file was iun6002.exe. At the time I didn't think anything of it (after all, my network connection was back!) but I decided to do some further digging today because these two strange events have occurred:

1. Two programs that were 'Click Once Application Manifests' (You know, download an 800Kb file and it'll download the rest later on and store it in AppData) had been un-installed / all that was left was the standard application manifest icon. These were 'Wunderlist 2' and 'rdio'. I have since re-installed them.

2. My installation of Office 2013 Consumer Preview was completely gone. The icons are un-clickable and almost everything in the Office 15 folder had been deleted.

So I read up about iun6002.exe and how malware disguises itself as this .exe especially in the location of C:\Windows and that's where mine was found. I read that it's a pretty nasty spyware tool. Not content with it sitting in ComboFix's quarantine folder with .vir added to the end of it, I ran these scanners:

Windows Defender Spyware Removal (The Windows 7 out-of-the-box one) [CLEAN]
Rogue Killer [No suspicious processes, but some registry suspicions, 2 Wunderlist related, 1 Asus-Xonar audio driver related and two Microsoft looking ones]
Sophos Virus Removal Tool (IN PROGRESS) [Says it's found 2 threats so far, hmm]

So my question to you after this hopefully understandable explanation is: Am I free from the iun6002.exe spyware? Or is it still on my PC, doing bad things? Any way to check for this? The process is definitely not running.

Cheers.


08 Feb 2013   #2

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit
 
 

Quote: Originally Posted by Sheza
So my question to you after this hopefully understandable explanation is: Am I free from the iun6002.exe spyware? Or is it still on my PC, doing bad things? Any way to check for this? The process is definitely not running.
There's no way to know with 100% certainty if your machine is malware free. No anti-malware product is 100% effective 100% of the time (if there was such a thing we'd all be using it.) But the more scans you run that come back "no malware found" the greater the probability that your computer is malware free. Here are a few more free on demand scanners you could try.

Windows Defender Offline (different than the Windows Defender you ran, and this tool must be created on a known malware free computer.)

Malwarebytes

ESET Online Scanner

SuperAntispyware

Kaspersky TDSSKiller (link is under Step 1: How to disinfect...)

Many people recommend that once a computer becomes infected, the best solution is to do a clean reinstall of the operating system and all other installed programs. If you built your computer yourself (you don't have any system specs listed) you could use this tutorial:

Clean Install Windows 7

If you have a store bought computer that had Windows 7 installed by the computer manufacturer, then one of the Forum experts prepared this tutorial that shows how to do a clean reinstall of a factory OEM computer:

Clean Reinstall - Factory OEM Windows 7
08 Feb 2013   #3

Windows 7 Home Premium 64bit
 
 

Alas, I think I may do just that. (Did run Malwarebytes at the first sign of trouble, it didn't find anything, hmpf!)

I'm used to re-installing Windows - last time I did it was Christmas Day to celebrate some new hardware going in haha.

The only thing I get worried about is when Windows Install says there's 'no readable partition' or something, which is fixed by removing my secondary hard drive and installing with just 1. It doesn't seem to make any sense to me why it does that though...

Thanks for your help


08 Feb 2013   #4

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit
 
 

Quote: Originally Posted by Sheza
The only thing I get worried about is when Windows Install says there's 'no readable partition' or something, which is fixed by removing my secondary hard drive and installing with just 1. It doesn't seem to make any sense to me why it does that though...
Chalk it up to "confusion" (for lack of a more technical explanation.) Choosing between multiple hard drives seems to make all versions of Windows take a couple of steps back and go ... huh?
08 Feb 2013   #5

Windows 7 Home Premium
 
 

Sheza,

Let's do some 'soul searching' for iun6002.exe...

>>> Show hidden files

Next, please download SystemLook:
64-bit:
http://jpshortstuff.247fixes.com/SystemLook_x64.exe
Save to your Desktop.
Right-click on SystemLook.exe, and select: Run As Administrator

Copy the content inside the following quote box into the main textfield (do not copy the word "quote"):
Quote:
:filefind
iun6002.exe

:regfind
iun6002.exe
Click the Look button to start the scan.

When finished, a notepad window opens with the results of the scan.

Please post the SystemLook.txt (found on the Desktop) in your reply.
09 Feb 2013   #6

Windows 7 Home Premium 64bit
 
 

Hey there,

Firstly - thanks for your help! I should note that I know what this program is and can only assume it's because it installs with Setup Factory. The program was installed way before anything started to go wrong.

Code:
SystemLook 30.07.11 by jpshortstuff
Log created at 11:52 on 09/02/2013 by Sheza
Administrator - Elevation successful

========== filefind ==========

Searching for "iun6002.exe"
No files found.

========== regfind ==========

Searching for "iun6002.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WYSIWYG_Web_Builder_8]
"UninstallString"="C:\Windows\iun6002.exe "C:\Program Files (x86)\WYSIWYG Web Builder 8\irunin.ini""

-= EOF =-
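Added example (not part of any poster's reply, and not SystemLook's own code): the log above reports no iun6002.exe on disk while an UninstallString still points at C:\Windows\iun6002.exe. This Python sketch parses a SystemLook log and lists registry references whose target executable the file search did not find. The layout of a filefind hit line is an assumption, since the posted log contains none.

```python
import re

# SystemLook output as posted in reply #6 of this thread.
LOG = r'''========== filefind ==========

Searching for "iun6002.exe"
No files found.

========== regfind ==========

Searching for "iun6002.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WYSIWYG_Web_Builder_8]
"UninstallString"="C:\Windows\iun6002.exe "C:\Program Files (x86)\WYSIWYG Web Builder 8\irunin.ini""

-= EOF =-
'''

SECTION = re.compile(r'^=+ (\w+) =+$')
VALUE = re.compile(r'^"([^"]*)"="(.*)"$')
EXE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)
SKIP = ('Searching for', 'No files found', '-= EOF')


def parse(log):
    """Return (file_hits, reg_hits); reg_hits are (key, name, data) tuples."""
    section, key, files, regs = None, None, [], []
    for line in (raw.strip() for raw in log.splitlines()):
        head = SECTION.match(line)
        if head:
            section, key = head.group(1), None
        elif not line or line.startswith(SKIP):
            continue
        elif section == 'filefind':
            files.append(line)  # assumption: a hit line contains the full path
        elif section == 'regfind' and line.startswith('['):
            key = line.strip('[]')
        elif section == 'regfind' and VALUE.match(line):
            regs.append((key,) + VALUE.match(line).groups())
    return files, regs


def dangling_references(log):
    """Registry data naming an .exe that filefind did not locate on disk."""
    files, regs = parse(log)
    on_disk = ' '.join(files).lower()
    return [(key, name, exe) for key, name, data in regs
            for exe in EXE.findall(data) if exe.lower() not in on_disk]


if __name__ == '__main__':
    for key, name, exe in dangling_references(LOG):
        print(f'{exe} is referenced by {name} under\n  {key}\n  but is not on disk')
```

A reference that appears only under an Uninstall key, with no file behind it, means that product's uninstaller is missing; it is not an autostart entry.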
09 Feb 2013   #7

Windows 7 Home Premium
 
 

That file should be OK.


However, if you like, you can also upload the file to VirusTotal for a security check: http://www.virustotal.com/


Select: Choose File, and a prompt opens for you to locate the file.

Then, click the Scan it! button.


If the file is listed as already analyzed, click on: Reanalyse file now.


When done, please post the http:// link to the scan results.
09 Feb 2013   #8

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64 Ubuntu 12.04 LTS Tri-Boot
 
 

As well as VirusTotal, you could also try these:

Online Scanners - Scan Suspicious Files on your PC
10 Feb 2013   #9

Windows 7 Home Premium 64bit
 
 

Quick question... how can I upload a file if there's no file?

The only iun6002.exe that I have is located in ComboFix's quarantine.
10 Feb 2013   #10

Windows 7 Home Premium
 
 

See if you can get the C:\QooBox\ComboFix-quarantined-files.txt and attach it here.