Hi there.
I have a machine that keeps getting passwords on it compromised.
This is the HijackThis log.
Anyone here see anything out of order that I've missed? I don't use this tool much.
Thanks.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:42:28 PM, on 9/24/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\AIM\aim.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe
C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe
C:\Program Files (x86)\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\ImgBurn\ImgBurn.exe
C:\Program Files (x86)\ImgBurn\ImgBurn.exe
C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Reader.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Ben\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~4\Office12\GR469A~1.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe
O4 - HKLM\..\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SMART Board Service] C:\Program Files (x86)\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe
O4 - HKLM\..\Run: [SMART SNMP Agent] C:\Program Files (x86)\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe -e
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [cdloader] "C:\Users\Ben\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [EADM] "C:\Program Files (x86)\Origin\Origin.exe" -AutoStart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - Startup: CurseClientStartup.ccip
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29DFE988-C937-49D5-A8EA-07A7623D110F}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AA0DE7A-1B28-4015-AEC3-7B5F663379A9}: NameServer = 8.8.8.8,8.8.8.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF09F720-B709-4A86-A46A-00A842CB6AA2}: NameServer = 216.187.125.130 216.187.125.131
O17 - HKLM\System\CS1\Services\Tcpip\..\{29DFE988-C937-49D5-A8EA-07A7623D110F}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{29DFE988-C937-49D5-A8EA-07A7623D110F}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~4\Office12\GRA32A~1.DLL
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 12131 bytes
Http://www.MalwareBytes.org
I don't see anything obvious in the HJT log...
Aside from the Ask toolbar, which I don't like... Usually bundleware...
And this is questionable. If you know what it is, then you might have it installed intentionally...
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
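The reply above does by eye what a reviewer does on every HJT log: skip the entries that are normal noise and pull out the few classes worth a question. The script below is an added example written for this thread, not part of the post and not code from HijackThis or Trend Micro. It parses lines in the HJT format, groups them by section code, and reports "verify this" items: O4 autoruns launched from a user-writable path, O10 LSPs the tool could not identify, O17 DNS servers outside an allowlist, and O23 services that are present on disk but carry no publisher or, like rpcapd, give remote access to the machine. The sample lines are copied from the log above (already rejoined); the trusted-resolver allowlist and the remote-access watchlist are constructed assumptions a reviewer would tune to the site, and every hit is a prompt to check, not a verdict.

```python
"""Triage a HijackThis (HJT) log: group entries by section and flag the
classes a reviewer looks at first. Added example, not HJT's own code."""
import re
from collections import defaultdict

# Constructed sample: a few entries in HJT format copied from the log in
# the thread, so the script runs offline. Feed it the full log text instead.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [cdloader] "C:\Users\Ben\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{29DFE988-C937-49D5-A8EA-07A7623D110F}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF09F720-B709-4A86-A46A-00A842CB6AA2}: NameServer = 216.187.125.130 216.187.125.131
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
"""

# Assumed allowlist of resolvers the reviewer already trusts (constructed;
# the ISP's own resolvers would be added here). Anything else is reported.
TRUSTED_DNS = {"8.8.8.8", "8.8.4.4", "4.2.2.1", "4.2.2.2"}

# Assumed watchlist of service short names that expose the box remotely and
# so deserve an explicit "did you install this on purpose?" question.
REMOTE_ACCESS_SERVICES = {"rpcapd"}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# "Service: <display> [(<short>)] - <owner> - <path>"; owner is matched lazily
# so a " - " inside the path (e.g. "Spybot - Search & Destroy") stays in the path.
SERVICE_RE = re.compile(r"^Service: (.*?)(?: \(([^()]+)\))? - (.*?) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.*)$")
USER_PATH_RE = re.compile(r"\\Users\\|\\AppData\\|\\Temp\\", re.IGNORECASE)


def parse_hjt(text):
    """Group log entries by HJT section code (R0, O4, O17, O23, ...)."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)].append(m.group(2))
    return entries


def triage(text):
    """Return (section, reason, entry) tuples for entries worth a second look."""
    entries = parse_hjt(text)
    findings = []
    # O4: autoruns launched from user-writable locations. Legitimate per-user
    # installers land there too, so this is a "verify", not a verdict.
    for e in entries["O4"]:
        if USER_PATH_RE.search(e):
            findings.append(("O4", "autorun from user-writable path", e))
    # O10: any LSP HJT could not identify; check the DLL's publisher.
    for e in entries["O10"]:
        findings.append(("O10", "unidentified Winsock LSP", e))
    # O17: resolvers outside the trusted set. A silently changed resolver can
    # steer logins to look-alike hosts, which fits a "passwords keep leaking"
    # symptom, so every unknown server should be traced back to who set it.
    for e in entries["O17"]:
        m = NAMESERVER_RE.search(e)
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group(1)) if s]
        unknown = [s for s in servers if s not in TRUSTED_DNS]
        if unknown:
            findings.append(("O17", "untrusted NameServer " + ",".join(unknown), e))
    # O23: "(file missing)" on built-in names is normal HJT noise on 64-bit
    # Windows; a present binary with no publisher, or a remote-access
    # service, is what to look at.
    for e in entries["O23"]:
        m = SERVICE_RE.match(e)
        if not m:
            continue
        _display, short, owner, path = m.groups()
        if path.endswith("(file missing)"):
            continue
        if short in REMOTE_ACCESS_SERVICES:
            findings.append(("O23", f"remote-access service {short}", e))
        elif owner == "Unknown owner":
            findings.append(("O23", "running service with no publisher", e))
    return findings


if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {entry}")
```

On the sample this reports five items: the per-user cdloader autorun, the unidentified Windows Live LSP, the two 216.187.125.x resolvers, rpcapd, and the ATK service with no publisher; the KeyIso entry is skipped as "(file missing)" noise. None of those is a finding on its own, which is the point: the script narrows a 300-line log to the handful of entries the owner has to account for.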