Old 04-11-2009, 06:58 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 69
OS: XP


suspected rootkit issue.

First of all, I had previously restored my PC to an earlier date, "after" using HJT to fix several items. I now try to go back and reverse the restore, and it will not open. My original problem was trying to get Malwarebytes to update. Every attempt would crash IE or Firefox. Here is my log...

DDS (Ver_09-03-16.01) - NTFSx86
Run by Greg James at 20:26:19.32 on Sat 04/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} -
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - Winamp Toolbar Loader
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - scriptproxy
BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - Google Toolbar Notifier BHO
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} -
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [<NO NAME>]
mRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\\nTune.exe" clear
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
dRunOnce: [RunNarrator] Narrator.exe
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: &Winamp Search
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212549584410
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gregja~1\applic~1\mozilla\firefox\profiles\cu0dzbwb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - prefs.js: keyword.URL - hxxp://www.speedbit.com/search/searchresults.asp?src=default&q=
FF - component: c:\documents and settings\greg james\application data\mozilla\firefox\profiles\cu0dzbwb.default\extensions\{dd43485f-44cc-4452-a6c6-69356a7e33da}\platform\winnt_x86-msvc\components\ahWinUtils_32.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13
============= SERVICES / DRIVERS ===============


============== File Associations ===============

scrfile="%1" /S "%3"

=============== Created Last 30 ================

2009-04-11 20:20 <DIR> --d----- c:\program files\Free Window Registry Repair
2009-04-11 19:24 3,642,784 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-04-11 19:24 <DIR> --d----- c:\windows\LastGood.Tmp
2009-04-11 04:56 0 a------- c:\documents and settings\greg james\settings.dat
2009-04-07 19:37 <DIR> --d----- c:\program files\Trend Micro
2009-04-07 19:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-07 19:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-07 19:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-07 18:58 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-07 12:58 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-04-07 12:58 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-04-07 12:57 1,981,984 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-07 12:57 327,712 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-07 12:57 17,612 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-07 12:57 2,200 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-07 12:57 <DIR> --d----- c:\program files\Kaspersky Lab
2009-04-07 12:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-04-07 12:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-04-07 12:27 <DIR> --d----- c:\program files\AVG
2009-04-07 12:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-07 11:38 63 a------- c:\windows\system\SysSD.dll
2009-04-06 14:48 <DIR> --d----- c:\documents and settings\greg james\.housecall6.6
2009-04-03 19:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-03 19:36 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-03 19:36 <DIR> --d----- c:\docume~1\gregja~1\applic~1\SUPERAntiSpyware.com
2009-03-30 09:58 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-29 09:28 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-27 09:31 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-27 09:31 208,744 a------- c:\windows\system32\muweb.dll
2009-03-27 09:31 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-27 07:09 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-27 07:08 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-03-27 07:08 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-27 07:08 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-27 07:08 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-27 07:08 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-03-27 07:08 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-03-27 07:08 117,760 -------- c:\windows\system32\prntvpt.dll
2009-03-27 07:08 <DIR> --d----- C:\cf0a183d79d4d26d731276b692044400
2009-03-27 06:07 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-27 06:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-27 00:43 <DIR> --d----- c:\docume~1\gregja~1\applic~1\Malwarebytes
2009-03-27 00:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-26 23:07 <DIR> --d----- c:\windows\system32\scripting
2009-03-26 23:07 <DIR> --d----- c:\windows\system32\en
2009-03-26 23:07 <DIR> --d----- c:\windows\system32\bits
2009-03-26 23:07 <DIR> --d----- c:\windows\l2schemas
2009-03-26 20:49 <DIR> --d----- c:\docume~1\gregja~1\applic~1\HouseCall 6.6
2009-03-24 09:42 13,030 -------- C:\PDOXUSRS.NET
2009-03-24 09:42 210,032 a------- c:\windows\system32\DBCLIENT.DLL
2009-03-24 09:42 183,808 a------- c:\windows\system32\BDEADMIN.CPL
2009-03-24 09:42 <DIR> --d----- c:\program files\common files\Borland Shared
2009-03-24 09:41 <DIR> --d----- c:\program files\Phone Dialer Plus
2009-03-22 08:51 <DIR> --d----- c:\program files\NCH Software
2009-03-22 08:35 <DIR> --d----- c:\program files\Yahoo!

==================== Find3M ====================

2009-04-10 05:11 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-04-10 05:11 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-04-07 13:07 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-03-26 23:11 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-11-14 08:04 87,608 -c------ c:\docume~1\gregja~1\applic~1\inst.exe
2008-11-14 08:04 47,360 -c------ c:\docume~1\gregja~1\applic~1\pcouffin.sys
2008-08-28 23:48 812 ac------ c:\program files\INSTALL.LOG

============= FINISH: 20:26:38.20 ===============
Attached Files
File Type: zip attach.zip (1.6 KB, 1 views)
File Type: zip ark.zip (632 Bytes, 2 views)

Last edited by drmax; 04-11-2009 at 07:00 PM.
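As an added example (not part of the original thread), here is a small Python review pass over the DDS "Created Last 30" format shown in the log above: it parses each entry and flags the things a helper would look at first. The flags are heuristics for manual review, not verdicts; the fidbox files, for instance, were created in the same minute as the Kaspersky Lab folders in that log. The sample lines are copied from the post, and the size threshold is an assumption.

```python
import re

# Sample entries copied from the DDS log in the first post (constructed subset).
SAMPLE_DDS = r"""
2009-04-07 12:57 1,981,984 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-07 12:57 2,200 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-07 11:38 63 a------- c:\windows\system\SysSD.dll
2009-04-07 19:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-27 07:08 <DIR> --d----- C:\cf0a183d79d4d26d731276b692044400
2009-03-24 09:42 13,030 -------- C:\PDOXUSRS.NET
"""

# One DDS entry: date, time, size (or <DIR>), 8-char attribute string, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Drive-root folder named by 32 hex digits (typical of an update extraction dir).
HEX_ROOT_DIR = re.compile(r"^[a-z]:\\[0-9a-f]{32}$", re.IGNORECASE)
PE_EXTENSIONS = (".dll", ".sys", ".exe", ".cpl", ".scr")
MIN_PLAUSIBLE_PE = 1024  # assumed heuristic; the DOS header alone is 64 bytes


def parse_dds_entries(text):
    """Return a dict per entry; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({"date": m["date"], "time": m["time"], "size": size,
                        "attrs": m["attrs"], "path": m["path"]})
    return entries


def review_entries(entries):
    """Return (path, reason) pairs for entries a helper would inspect first."""
    findings = []
    for e in entries:
        attrs, path, size = e["attrs"], e["path"], e["size"]
        if "s" in attrs and "h" in attrs and "d" not in attrs:
            findings.append((path, "file carries system+hidden attributes"))
        if size is not None and path.lower().endswith(PE_EXTENSIONS) \
                and size < MIN_PLAUSIBLE_PE:
            findings.append((path, f"{size} bytes is too small for a PE image"))
        if "d" in attrs and HEX_ROOT_DIR.match(path):
            findings.append((path, "32-hex-digit folder at drive root"))
    return findings


if __name__ == "__main__":
    for path, reason in review_entries(parse_dds_entries(SAMPLE_DDS)):
        print(f"{reason}: {path}")
```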

Old 04-13-2009, 07:21 AM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,639
OS: XP SP3


Re: suspected rootkit issue.

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 04-13-2009, 09:46 AM   #3 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 69
OS: XP


Re: suspected rootkit issue.

chemist, my HD had to be reformatted yesterday. Would this have ultimately cured my issue?
I do not do online banking. Only used paypal, once in awhile.
Let me know what you think.

Oh, and should avast and Malwarebytes have caught this?
I was using ARES, and files were downloaded to a completely different hard drive. Not sure what to make of it. I would imagine this is where I got it.
Old 04-13-2009, 10:23 AM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,639
OS: XP SP3


Re: suspected rootkit issue.

Thanks for letting us know. Yes, I could have fixed your machine.

MBAM only has real-time protection if you have the purchased version.

Was avast! up to date? avast! will only catch something if it is already in their database.
Old 04-13-2009, 02:56 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 69
OS: XP


Re: suspected rootkit issue.

Quote:
Originally Posted by chemist View Post
Thanks for letting us know. Yes, I could have fixed your machine.

MBAM only has real-time protection if you have the purchased version.

Was avast! up to date? avast! will only catch something if it is already in their database.
Not sure, but the damn thing would not boot properly. I finally got a screen saying Windows was shutting down so as not to hurt the PC. Thanks, and I will be more careful in the future. It was time for a cleansing anyway. DM
Old 04-13-2009, 03:01 PM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,639
OS: XP SP3


Re: suspected rootkit issue.

You're welcome, DM! Here are some pointers on staying clean.

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

------------------------------------------------------
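The MVPS HOSTS approach in the post above works by pointing ad and malware domains at 127.0.0.1 so the connection never leaves the machine. As an added example (not from the thread or from MVPS), this Python snippet parses hosts-file text and separates those blocklist-style entries from overrides that send a real name to a live address, which is what a defender checks a HOSTS file for. The sample file, the example.* names and the 192.0.2.10 address (documentation range) are constructed.

```python
import ipaddress

# Constructed sample: MVPS-style sink entries plus one override of a real name
# to a non-loopback address (placeholder address from the documentation range).
SAMPLE_HOSTS = """
# MVPS-style entries: the name resolves locally, so nothing leaves the host
127.0.0.1 localhost
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org  # trailing comment
::1 localhost
192.0.2.10 update.example.com
"""

# Addresses a blocklist uses to swallow a connection.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an IP literal; the resolver would skip it as well
        for name in names:
            yield addr, name.lower()


def audit_hosts(text):
    """Split mappings into blocklist sinks and overrides that redirect a name elsewhere."""
    blocked, overrides = [], []
    for addr, name in parse_hosts(text):
        if addr in SINK_ADDRESSES or ipaddress.ip_address(addr).is_loopback:
            blocked.append((name, addr))
        else:
            overrides.append((name, addr))
    return {"blocked": blocked, "overrides": overrides}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} sink entries")
    for name, addr in report["overrides"]:
        print(f"review: {name} -> {addr}")
```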
 


Copyright 2001 - 2009, Tech Support Forum