I'm infected too...

[calculuswoman]

.

DDS (Ver_2011-06-23.01) - FAT32x86

Internet Explorer: 8.0.6001.18702

Run by Betty at 20:31:45 on 2011-08-23

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.234 [GMT -4:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

SVCHOST.EXE

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

SVCHOST.EXE

SVCHOST.EXE

C:\WINDOWS\system32\spoolsv.exe

SVCHOST.EXE

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Betty\Application Data\HP SimpleSave Application\uUACTokenSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lenovo\Energy Management\utility.exe

C:\Program Files\Lenovo\Energy Management\Energy Management.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Betty\Application Data\HP SimpleSave Application\StartHelper.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\REGSVR32.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://lenovo.live.com/

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.primarygames.com/langarts/fowlwords/index.htm"

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe

mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [compmgm] %APPDATA%\compmgm.exe

StartupFolder: c:\docume~1\betty\startm~1\programs\startup\hpsimp~1.lnk - c:\documents and settings\betty\application data\hp simplesave application\StartHelper.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v47/scrabblecubes/scrabblecubes.cab

DPF: {038E2507-7A48-41E2-94AD-7F23D199AF4E} - hxxp://www.worldwinner.com/games/v54/zengems/zengems.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} - hxxp://www.worldwinner.com/games/v47/skillgam/skillgam.cab

DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab

DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab

DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} - hxxp://www.worldwinner.com/games/v48/brickout/brickout.cab

DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v50/pool/pool.cab

DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} - hxxp://www.worldwinner.com/games/v47/solitairerush/solitairerush.cab

DPF: {4AB16005-E995-4A60-89DE-8B8A3E6EB5B0} - hxxp://www.worldwinner.com/games/v56/trivialpursuit/trivialpursuit.cab

DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} - hxxp://www.worldwinner.com/games/v52/wwhearts/wwhearts.cab

DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab

DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v51/bejeweled/bejeweled.cab

DPF: {61900274-3323-4446-BDCD-91548D32AF1B} - hxxp://www.worldwinner.com/games/v56/spidersolitaire/spidersolitaire.cab

DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} - hxxp://www.worldwinner.com/games/v49/blockwerx/blockwerx.cab

DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v50/jeopardy/jeopardy.cab

DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - hxxp://www.worldwinner.com/games/v41/freecell/freecell.cab

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab

DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - hxxp://www.worldwinner.com/games/v57/cubis/cubis.cab

DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab

DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - hxxp://www.worldwinner.com/games/v49/luxor/luxor.cab

DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} - hxxp://www.worldwinner.com/games/v67/swapit/swapit.cab

DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - hxxp://www.worldwinner.com/games/v41/hangman/hangman.cab

DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab

DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} - hxxp://www.worldwinner.com/games/v42/tilecity/tilecity.cab

DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} - hxxp://www.worldwinner.com/games/v45/royal/royal.cab

DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} - hxxp://www.worldwinner.com/games/v50/dinerdash/dinerdash.cab

DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} - hxxp://www.worldwinner.com/games/v50/chess/chess.cab

DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} - hxxp://www.worldwinner.com/games/v45/mysterypi/mysterypi.cab

DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - hxxp://www.worldwinner.com/games/v43/paint/paint.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games-uk.pogo.com/Online2/pogo/chuzzle_popcap/popcaploader_v10.cab

DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} - hxxp://www.worldwinner.com/games/v44/golfsol/golfsol.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v53/wwspades/wwspades.cab

DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} - hxxp://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{48256F84-9EE4-465E-BE54-2CA2C6306051} : DhcpNameServer = 192.168.1.1

Notify: igfxcui - igfxdev.dll

Hosts: 80.79.117.220 search.yahoo.com

Hosts: 80.79.117.220 www.bing.com

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]

R1 MpKslb7391a30;MpKslb7391a30;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b188b281-a08f-41ec-b1d9-a1db8606cdcb}\MpKslb7391a30.sys [2011-8-23 28752]

R2 BackupService;BackupService;c:\documents and settings\betty\application data\hp simplesave application\uUACTokenSvc.exe [2011-6-24 83512]

R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\lenovo\onekey app\system repair\UpdateMonitor.exe [2009-2-20 430080]

R2 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2009-2-20 48192]

R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-2-20 9472]

R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2010-5-26 74752]

R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2010-5-26 6144]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-2-19 157696]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2009-2-20 81192]

.

=============== Created Last 30 ================

.

2011-08-24 00:26:25 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b188b281-a08f-41ec-b1d9-a1db8606cdcb}\MpKslb7391a30.sys

2011-08-23 06:25:40 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2011-08-23 06:25:09 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b188b281-a08f-41ec-b1d9-a1db8606cdcb}\mpengine.dll

2011-08-22 18:50:25 -------- d-----w- c:\program files\PowerSchool

2011-08-22 04:57:20 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-22 04:52:28 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-22 04:47:08 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-08-22 04:34:37 274288 ----a-w- c:\windows\system32\mucltui.dll

2011-08-22 04:34:37 215920 ----a-w- c:\windows\system32\muweb.dll

2011-08-22 04:34:37 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2011-08-22 04:31:46 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-08-22 04:31:46 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-22 04:30:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-22 01:22:38 -------- d-sh--w- C:\FOUND.018

2011-08-21 12:09:05 -------- d-----w- c:\program files\Microsoft Security Client

2011-08-21 11:55:42 -------- d-sh--w- C:\FOUND.017

2011-08-21 08:29:30 -------- d-----w- c:\documents and settings\all users\application data\eL01602GhDaK01602

2011-08-21 03:36:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(3)

2011-08-21 03:34:40 -------- d-sh--w- C:\FOUND.016

2011-08-21 02:21:30 -------- d-----w- c:\documents and settings\all users\application data\eI01602NhNfK01602

2011-08-21 02:21:03 -------- d-----w- C:\Adobe

2011-08-21 02:19:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)

2011-08-20 23:42:18 -------- d-sh--w- C:\FOUND.015

2011-07-26 15:02:22 -------- d-----w- c:\documents and settings\all users\application data\PopCap

.

==================== Find3M ====================

.

2011-07-15 13:29:32 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:14 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 14:02:06 1858944 ----a-w- c:\windows\system32\win32k.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD1600BEVT-22ZCT0 rev.11.01A11 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8620C4C0]<<

_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x862138a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x86213730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86589AB8]

3 CLASSPNP[0xF761DFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86351150]

\Driver\atapi[0x8638F5C8] -> IRP_MJ_CREATE -> 0x8620C4C0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x8620C2E0

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 20:33:36.82 ===============

More information....

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7035

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/23/2011 9:19:20 PM

mbam-log-2011-08-23 (21-19-19).txt

Scan type: Quick scan

Objects scanned: 1

Time elapsed: 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

ark.zip

[screen317]

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

• When the tool is finished, it will produce a report for you.
  
• Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

[screen317]

Are you still with us? This topic will be closed in a few days if we do not hear back from you.

[screen317]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!