Hey guys, I've been battling this issue for a few days and eventually resorted to a factory restore on my Samsung N120 netbook running Windows XP but even that hasn't fixed the problem. So here I am, looking for help to finally free my computer of whatever has infected it.
I've looked at the FAQ's and here is my DDS log...
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Boro at 19:31:27.98 on 11/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1507 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k yksvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Boro\My Documents\Downloads\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [BatteryLifeExtender] c:\program files\samsung\batterylifeextender\BatteryLifeExtender.exe /2
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\boro\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SUPBackGround] c:\program files\samsung\samsung update plus\SUPBackGround.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1302470911287
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\boro\applic~1\mozilla\firefox\profiles\tj61wuhw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\documents and settings\boro\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-3-24 4300]
R2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\srs labs\wowxt and tsxt driver\SRS_PostInstaller2.exe [2009-2-19 74992]
R2 yksvc;Marvell Yukon Service;c:\windows\system32\svchost.exe -k yksvcs [2009-3-24 14336]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-3-24 238464]
R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [2009-2-19 25560]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe --> c:\progra~1\mcafee\sitead~1\mcsacore.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-24 1684736]
.
=============== Created Last 30 ================
.
2011-04-11 17:22:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-11 17:22:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-04-10 22:10:04 -------- d-----w- c:\docume~1\boro\applic~1\KompoZer
2011-04-10 22:03:55 -------- d-----w- c:\docume~1\boro\applic~1\CoreFTP
2011-04-10 22:03:28 -------- d-----w- c:\program files\CoreFTP
2011-04-10 21:51:54 -------- d-sh--w- c:\documents and settings\boro\PrivacIE
2011-04-10 21:51:22 -------- d-sh--w- c:\documents and settings\boro\IETldCache
2011-04-10 21:47:41 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-04-10 21:46:55 -------- dc-h--w- c:\windows\ie8
2011-04-10 21:33:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-10 21:33:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-10 21:32:05 885024 ----a-w- c:\program files\JavaSetup6u24.exe
2011-04-10 21:23:01 -------- d-----w- c:\docume~1\boro\locals~1\applic~1\Temp
2011-04-10 21:22:58 -------- d-----w- c:\docume~1\boro\locals~1\applic~1\Google
2011-04-10 21:22:44 568704 ----a-w- c:\program files\ChromeSetup.exe
2011-04-10 21:16:28 -------- d-----w- c:\docume~1\boro\locals~1\applic~1\Identities
2011-04-10 21:09:26 -------- d-----w- c:\program files\Marvell
2011-04-10 21:07:53 -------- d-----w- c:\docume~1\boro\applic~1\MSNInstaller
2011-04-10 21:04:36 -------- d-----w- c:\windows\system32\LogFiles
2011-04-10 20:39:55 -------- d-sh--w- c:\documents and settings\boro\UserData
2011-04-10 20:34:52 -------- d-----w- c:\documents and settings\boro\Bluetooth Software
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS543216L9A300 rev.FB2OC4CC -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89B26439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89b2c7d0]; MOV EAX, [0x89b2c84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E1397] -> \Device\Harddisk0\DR0[0x89BA6AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E1397] -> \Device\00000060[0x89BFD1E8]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E1397] -> [0x89BA7D98]
\Driver\atapi[0x89BFB240] -> IRP_MJ_CREATE -> 0x89B26439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, SP; MOV DI, 0x600; MOV CX, 0x100; CLD ; REP MOVSW ; JMP FAR 0x60:0x1b; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS543216L9A300_________________FB2OC4CC#39303430313142463238303043564c4534304144#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89B2627F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:33:30.95 ===============
Attached attach zip file