Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with VBS/Jenxcus!lnk - Help removing


  • This topic is locked This topic is locked
3 replies to this topic

#1 Arkaon

Arkaon

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 06 March 2014 - 10:03 PM

Hello,

 

I recently had a friend use my computer to try and recover some data on a thumdrive while I was at work. I came home to 100's of logs in MSE about this trojan that was stopped and not allowed to spread to a thumb drive. I believe something malicious was installed on my computer when this person was downloading recover "tools". 

 

LOG:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.16518  BrowserJavaVersion: 10.21.2
Run by Arkaon at 20:56:19 on 2014-03-06
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.16330.11349 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe
C:\Windows\system32\taskeng.exe
H:\Fan Xpert 2\AI Suite II\AsRoutineController.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files\Logitech Gaming Software\LCore.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe
C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe
C:\Program Files (x86)\ASUS\AsusFanControlService\1.01.08\AsusFanControlService.exe
C:\Users\Arkaon\AppData\Local\Viber\Viber.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Users\Arkaon\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\System32\WScript.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Logitech Gaming Software\Applets\LCDPictureViewer.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDMovieViewer.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDClock.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDYT.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDMedia.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDPop3.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDWebCam.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDRSS.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Users\Arkaon\AppData\Local\Temp\nj_.exe
C:\Windows\system32\SearchIndexer.exe
H:\Fan Xpert 2\AI Suite II\AI Suite II.exe
H:\Fan Xpert 2\AI Suite II\Sensor\AlertHelper\AlertHelper.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
H:\Doge\Dogecoin\dogecoin-qt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\cmd.exe
C:\Program Files (x86)\LastPass\nplastpass.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Arkaon\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
D:\Installed Programs\Utilities\Skype\Phone\Skype.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.yahoo.com?type=714647&fr=spigot-yhp-ie
mWinlogon: Userinit = userinit.exe,
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Installed Programs\Microsoft Office 2010\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - D:\Installed Programs\Utilities\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\Installed Programs\Microsoft Office 2010\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [AdobeBridge] <no file>
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [BCSSync] "D:\Installed Programs\Microsoft Office 2010\Office14\BCSSync.exe" /DelayServices
mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
mRun: [njq8IsHere.vbs] C:\Windows\System32\wscript.exe /b "C:\Users\Arkaon\AppData\Local\Temp\njq8IsHere.vbs"
StartupFolder: C:\Users\Arkaon\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Arkaon\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Arkaon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\njq8IsHere.vbs
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - D:\INSTAL~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - D:\INSTAL~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - D:\Installed Programs\Microsoft Office 2010\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - D:\Installed Programs\Microsoft Office 2010\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - D:\Installed Programs\Utilities\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/130321/CTPID.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{943A4449-D79E-4E74-A96F-2715C5249168} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - D:\Installed Programs\Utilities\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - D:\Installed Programs\Microsoft Office 2010\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.146\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - D:\Installed Programs\Utilities\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe /minimized
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [njq8IsHere.vbs] C:\Windows\System32\wscript.exe /b "C:\Users\Arkaon\AppData\Local\Temp\njq8IsHere.vbs"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - D:\Installed Programs\Utilities\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - D:\Installed Programs\Utilities\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Arkaon\AppData\Roaming\Mozilla\Firefox\Profiles\7lx84zhf.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.yahoo.com?type=714647&fr=spigot-yhp-ff
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=714647&p=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\2.3.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\LastPass\nplastpass.dll
FF - plugin: C:\Program Files (x86)\LastPass\nplastpass64.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Users\Arkaon\AppData\Local\Citrix\Plugins\104\npappdetector.dll
FF - plugin: C:\Users\Arkaon\AppData\Local\Google\Update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: C:\Users\Arkaon\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Arkaon\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\Arkaon\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_44.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - plugin: D:\INSTAL~1\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: D:\INSTAL~1\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: H:\Programs 2\VLC\npvlc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-5-20 19264]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-12-6 239616]
R2 asComSvc;ASUS Com Service;C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe [2014-2-16 920736]
R2 asHmComSvc;ASUS HM Com Service;C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [2014-2-16 951936]
R2 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe [2014-2-16 149120]
R2 AsusFanControlService;AsusFanControlService;C:\Program Files (x86)\ASUS\AsusFanControlService\1.01.08\AsusFanControlService.exe [2014-2-16 324608]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-5-20 13592]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2013-5-20 166720]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-1-20 134944]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-8-14 3291008]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-5-20 365376]
R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2012-8-20 138568]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2012-8-20 416072]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2013-9-24 94208]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\System32\drivers\CT20XUT.sys [2012-12-18 232880]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\System32\drivers\CTEXFIFX.sys [2012-12-18 1448368]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\System32\drivers\CTHWIUT.sys [2012-12-18 97712]
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\System32\drivers\ha20x22k.sys [2012-12-18 1617328]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-5-20 357184]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-5-20 789824]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\System32\drivers\LGBusEnum.sys [2009-11-23 22408]
R3 LGPBTDD;LGPBTDD.sys Display Driver;C:\Windows\System32\drivers\LGPBTDD.sys [2009-7-1 30728]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\System32\drivers\LGVirHid.sys [2009-11-23 16008]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-5-20 726160]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S2 SkypeUpdate;Skype Updater;D:\Installed Programs\Utilities\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2013-5-20 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2013-5-20 79360]
S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [2013-5-20 79360]
S3 CT20XUT;CT20XUT;C:\Windows\System32\drivers\CT20XUT.sys [2012-12-18 232880]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\System32\drivers\CTEXFIFX.sys [2012-12-18 1448368]
S3 CTHWIUT;CTHWIUT;C:\Windows\System32\drivers\CTHWIUT.sys [2012-12-18 97712]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-2-13 111616]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-5-20 19456]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-5-20 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-5-20 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-5-20 1255736]
.
=============== Created Last 30 ================
.
2014-03-07 02:37:14 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{84ABBE91-B7DB-4BE8-BE4F-DA46E6949720}\offreg.dll
2014-03-07 00:38:37 1031560 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D0E2AD47-4037-4641-AF8B-9C69EB899105}\gapaengine.dll
2014-03-07 00:38:27 10536864 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{84ABBE91-B7DB-4BE8-BE4F-DA46E6949720}\mpengine.dll
2014-03-05 18:26:42 58352 ----a-w- C:\Users\Arkaon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\njq8IsHere.vbs
2014-03-05 18:26:41 -------- d-----w- C:\Program Files (x86)\LionSea SoftWare
2014-03-05 07:49:45 10536864 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-03-01 21:19:11 -------- d-----w- C:\Users\Arkaon\AppData\Local\Skype
2014-02-28 04:50:19 1031560 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{407B43CA-0D86-45D8-A64D-530BFA30FBFA}\gapaengine.dll
2014-02-24 19:12:43 -------- d-----w- C:\ProgramData\Justin Milone
2014-02-16 07:02:37 -------- d-----w- C:\ProgramData\FanXpert2
2014-02-16 06:58:02 184320 ----a-w- C:\Windows\SysWow64\drivers\UpdateHelper.dll
2014-02-16 06:57:19 -------- d-----w- C:\ProgramData\ASUS
2014-02-16 06:57:14 929844 ------w- C:\Windows\SysWow64\drivers\MFDLL\MFC42D.DLL
2014-02-16 06:57:14 385100 ------w- C:\Windows\SysWow64\drivers\MFDLL\MSVCRTD.DLL
2014-02-16 06:57:14 343040 ------w- C:\Windows\SysWow64\drivers\MFDLL\msvcrt.dll
2014-02-16 06:57:14 28672 ----a-w- C:\Windows\SysWow64\AsIO.dll
2014-02-16 06:57:14 13440 ----a-w- C:\Windows\SysWow64\drivers\AsIO.sys
2014-02-16 06:57:14 11832 ------w- C:\Windows\SysWow64\drivers\AsInsHelp64.sys
2014-02-16 06:57:14 1028096 ------w- C:\Windows\SysWow64\drivers\MFDLL\MFC42.DLL
2014-02-16 06:57:14 10216 ------w- C:\Windows\SysWow64\drivers\AsInsHelp32.sys
2014-02-16 06:57:14 -------- d-----w- C:\Windows\SysWow64\drivers\MFDLL
2014-02-16 06:56:57 -------- d-----w- C:\Program Files (x86)\ASUS
2014-02-16 06:55:50 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2014-02-16 06:55:50 614532 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2014-02-16 06:55:50 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2014-02-16 06:55:50 225280 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2014-02-16 06:55:50 176128 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2014-02-15 21:39:48 -------- d--h--w- C:\Program Files (x86)\Common Files\EAInstaller
2014-02-13 09:03:01 548864 ----a-w- C:\Windows\System32\vbscript.dll
2014-02-13 09:03:01 454656 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-02-12 13:26:57 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2014-02-12 13:26:57 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2014-02-12 13:26:57 1882112 ----a-w- C:\Windows\System32\msxml3.dll
2014-02-12 13:26:57 1237504 ----a-w- C:\Windows\SysWow64\msxml3.dll
2014-02-12 13:26:53 3928064 ----a-w- C:\Windows\System32\d2d1.dll
2014-02-12 13:26:53 3419136 ----a-w- C:\Windows\SysWow64\d2d1.dll
2014-02-12 13:26:53 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll
2014-02-12 13:26:53 1987584 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2014-02-11 21:01:47 -------- d-----w- C:\Users\Arkaon\AMD APP SDK
2014-02-11 21:01:47 -------- d-----w- C:\Program Files (x86)\AMD APP SDK
2014-02-11 21:01:02 -------- d-----w- C:\ProgramData\Downloaded Installations
2014-02-11 20:52:41 -------- d-----w- C:\Program Files (x86)\AMD AVT
2014-02-11 20:51:22 -------- d-----w- C:\Program Files\AMD
2014-02-11 18:48:51 -------- d-----w- C:\Users\Arkaon\AppData\Local\EdgeOfReality
.
==================== Find3M  ====================
.
2014-02-06 20:05:43 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-06 20:05:43 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-02-06 11:30:46 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-02-06 11:30:12 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-02-06 11:07:39 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-02-06 11:06:47 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-02-06 10:49:03 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-02-06 10:48:45 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-02-06 10:48:11 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-02-06 10:20:26 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-02-06 10:11:37 5768704 ----a-w- C:\Windows\System32\jscript9.dll
2014-02-06 10:01:36 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-02-06 10:00:46 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-02-06 09:50:32 2041856 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-02-06 09:47:22 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-02-06 09:46:27 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-02-06 09:25:36 4244480 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-02-06 09:24:52 2334208 ----a-w- C:\Windows\System32\wininet.dll
2014-02-06 09:09:30 1964032 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-02-06 08:41:35 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-01-19 07:33:29 270496 ------w- C:\Windows\System32\MpSigStub.exe
2013-12-23 21:12:37 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
.
============= FINISH: 20:56:29.74 ===============
 


BC AdBot (Login to Remove)

 


m

#2 Arkaon

Arkaon
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 06 March 2014 - 10:07 PM

Thank you to whoever deleted the other half dozen copies of this post that ended up on here. For some reason I hit submit and nothing changed, and chrome did not indicate that anything had loaded, so I hit submit a few more times..apparently they all submitted. (/sigh) It's been a rough night.



#3 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:39 PM

Posted 07 March 2014 - 03:49 AM

Hello,
 

I believe something malicious was installed on my computer when this person was downloading recover "tools".

I rather think that the thumbdrive of your friend is infected with a worm and it spread on your computer! You may tell your friend that he shouldn't try to recover the data with recovery tools but just disinfect the drive (and that the data might just be hidden with "hidden" and "system" file attributes).

But let's take care of your computer. Don't plug in any flash drive until we're done. They will get infected too otherwise. If there already have been flash drives connected during this time then let them there or plug them in again and tell me what drive letters they have been assigned (e.g. E:\ or F:\..)

Please run a FRST scan:


Please download Farbar Recovery Scan Tool and save it to your Desktop.

  • Start FRST with administator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.


#4 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:39 PM

Posted 19 March 2014 - 12:12 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users