Everything that I'm not fairly sure is legit has already been removed. Personally, I think the spyware is somehow hijacking a legit windows process or something - perhaps wmiprvse.exe (Although my research tells me that it's a legit Windows service, I don't recall ever seeing it active)Logfile of HijackThis v1.99.1
Scan saved at 9:27:36 PM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\nvraidservice.exe (
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Utopia\Angel\Angel.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\CoolMon\CoolMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Kevin\Desktop\HijackThis.exe
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.128.73.12 tdzk.com
O1 - Hosts: 216.128.73.12 www.tdzk.com
O1 - Hosts: 216.128.73.12 forums.tdzk.com
O1 - Hosts: 216.128.73.12 tdzk.net
O1 - Hosts: 216.128.73.12 www.tdzk.net
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC"
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe " /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit"
O4 - HKLM\..\Run: [NVRaidService] "C:\WINDOWS\System32\nvraidservice.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - Startup: CoolMon.lnk = C:\Program Files\CoolMon\CoolMon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AE42884-766F-4D53-B92D-5EBC2A14706B}: NameServer = 127.0.0.1,4.2.2.2,4.2.2.5
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
Persistent Spyware Infection
Moderator: Thanas
Persistent Spyware Infection
Anyways, I got my computer infected with spyware, which managed to install even more spyware. I had several anti-spyware programs running at the time, so luckily the damage was limited, and I've succeeded in isolating and removing most of the spyware. However, somehow, I still get random webpages opening up, which tells me that I still have traces of spywhere in my system. I've been checking Startup items, removing things that don't belong, etc, but still haven't been able to narrow down the problem. I've included a HijackMe log for Ein or whoever knows more about spyware than me...
BoTM, MM, HAB, JL
I think I've found the problem. The problem is that I can't see it - I have Windows Explorer displaying hidden files and system files, but it's still not there. But I know it exists - are there any programs out there I can use to display the program, and more importantly, remove it?
BoTM, MM, HAB, JL
Try RootkitRevealer?Exonerate wrote:I think I've found the problem. The problem is that I can't see it - I have Windows Explorer displaying hidden files and system files, but it's still not there. But I know it exists - are there any programs out there I can use to display the program, and more importantly, remove it?
"preemptive killing of cops might not be such a bad idea from a personal saftey[sic] standpoint..." --Keevan Colton
"There's a word for bias you can't see: Yours." -- William Saletan
"There's a word for bias you can't see: Yours." -- William Saletan